GDPR Compliance

Our commitment to data protection under the EU General Data Protection Regulation.

← Back to Home

Last updated: April 2026

Our Commitment

The OCTOPUS project (KA220-SCH-063BB39C) is fully committed to complying with the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”) and the applicable national data protection laws of all partner countries: Hungary, Greece, Türkiye, and Poland.

As an Erasmus+ co-funded project, we follow the data protection standards set by the European Commission and the Erasmus+ Programme Guide, ensuring that all personal data collected during the project lifecycle is processed lawfully, fairly, and transparently.

Data Controller

Rogers Foundation for Person-Centred Education
Budapest, Hungary
Email: info@rogersalapitvany.hu
Website: www.rogersalapitvany.hu

Each partner organisation acts as a joint data processor for data collected and shared within the scope of the project activities.

Principles We Follow

In accordance with Article 5 of the GDPR, we apply the following principles to all personal data processing:

Lawfulness, fairness, and transparency: we process data only on a valid legal basis (consent or legitimate interest), and we clearly inform individuals about how their data is used through this page and our Privacy Policy.

Purpose limitation: data is collected only for specific, explicit purposes related to the OCTOPUS project — communication, feedback collection, project evaluation, and dissemination. We never use data for unrelated purposes.

Data minimisation: we collect only the minimum amount of personal data necessary for each purpose. Our forms ask only for essential fields.

Accuracy: we take reasonable steps to ensure data is accurate and up to date. Users can request corrections at any time.

Storage limitation: personal data is retained only for as long as necessary to fulfil its purpose, and in accordance with Erasmus+ audit requirements (up to 5 years post-project). After that, data is securely deleted.

Integrity and confidentiality: we implement technical and organisational security measures to protect data against unauthorised access, loss, or destruction.

Accountability: the project coordinator maintains records of processing activities and ensures all partners comply with these principles.

Data Processing Activities

The OCTOPUS project processes personal data in the following contexts:

Website forms (contact, feedback, newsletter)
Legal basis: Consent. Data collected: name, email, role, message/feedback. Purpose: communication, project evaluation, and dissemination. Retention: project duration + 5 years.

Website analytics (Google Analytics 4)
Legal basis: Legitimate interest. Data collected: anonymised usage data (pages, sessions, device, approximate location). Purpose: website improvement and impact measurement. Retention: 14 months.

Teacher training and piloting (WP5)
Legal basis: Consent. Data collected: names, contact details, professional information of participating teachers and trainers. Purpose: training coordination, evaluation, and certification. Retention: project duration + 5 years.

Student pilot data (WP5)
Legal basis: Consent (with parental/guardian authorisation for minors). Data collected: anonymised learning outcomes, feedback surveys. Purpose: methodology evaluation. Retention: project duration + 5 years. Individual student names are not collected through this website.

Technical Measures

We protect personal data through the following technical and organisational measures:

Encryption in transit: all data transmitted between your browser and our servers is encrypted using TLS/HTTPS.

Secure hosting: our website frontend is hosted on Vercel and our CMS on Render, both of which maintain SOC 2 compliance and implement industry-standard security practices.

Access control: access to the content management system and database is restricted to authorised project team members only, with individual authentication credentials.

API security: all API communications between the website and CMS use scoped authentication tokens with the minimum required permissions (read-only for content, create-only for form submissions).

Data backup: database backups are maintained on encrypted storage with access restricted to the platform development partner (Narratologies P.C.).

International Transfers

The OCTOPUS project involves four partner organisations across three EU member states (Hungary, Greece, Poland) and one EU candidate country (Türkiye). Personal data may be transferred between partner countries for legitimate project purposes.

For transfers to Türkiye, which is not currently within the European Economic Area, the partnership relies on Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914.

Hosting services (Vercel, Render) may process data in the United States under the EU-US Data Privacy Framework and/or Standard Contractual Clauses.

Your Rights Under GDPR

As a data subject, you have the right to:

  • Access your personal data and obtain a copy.
  • Rectify inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”).
  • Restrict processing of your data.
  • Port your data to another service in a structured format.
  • Object to processing based on legitimate interest.
  • Withdraw consent at any time.

To exercise these rights, email info@rogersalapitvany.hu. We will respond within 30 days as required by Article 12 of the GDPR.

Data Protection Authorities

If you believe your data protection rights have been violated, you may lodge a complaint with the supervisory authority in your country of residence:

  • Hungary: National Authority for Data Protection and Freedom of Information (NAIH) — www.naih.hu
  • Greece: Hellenic Data Protection Authority (HDPA) — www.dpa.gr
  • Poland: Personal Data Protection Office (UODO) — uodo.gov.pl
  • Türkiye: Personal Data Protection Authority (KVKK) — www.kvkk.gov.tr

Erasmus+ Programme Obligations

As a project co-funded by the European Union under the Erasmus+ programme, OCTOPUS complies with the data protection obligations outlined in the Grant Agreement and the Erasmus+ Programme Guide. This includes maintaining records of processing activities, implementing data protection impact assessments where necessary, and ensuring that all dissemination activities respect the privacy of project participants.

The European Commission and the Tempus Public Foundation (National Agency) may request access to aggregated, anonymised project data for monitoring, evaluation, and audit purposes. Individual personal data is not shared with these bodies unless specifically required by law.

Contact

For GDPR-related questions, data access requests, or complaints:

Rogers Foundation for Person-Centred Education
Budapest, Hungary
Email: info@rogersalapitvany.hu

See also: Privacy Policy · Accessibility Statement