Youth Security Europe Privacy Policy

Last Updated: 2026-03-02 | Version: 2.0

This Privacy Policy explains how Youth Security Europe collects, uses, stores, and protects personal data in accordance with Regulation (EU) 2016/679, General Data Protection Regulation (GDPR).

Youth Security Europe (hereafter referred to as "YSE" or "We", "Us", "Our") is an independent, non-profit and non-partisan organization of young Europeans with the purpose of increasing youth engagement in security policy and decision-making on both European and national levels. YSE aims to create opportunities for young professionals, students, and experts to contribute to discussions and initiatives related to security, defense, and international affairs.

1. Data Controller

Youth Security Europe is the data controller responsible for your personal data.

If you wish to contact YSE directly on data protection questions, you may do so at the following email address: gdpr@youthsecurity.eu

A registered postal address will be made available upon request.

2. Personal Data

Personal data, in accordance with Article 4(1) of the GDPR, refers to any information that, directly or indirectly, can be used to identify a natural person.

Such information may include, for example, a name, postal address, telephone number or email address. It may also encompass technical details, such as IP addresses, or visual material, such as photographs, when these can be linked to a specific person in combination with other data.

The term "processing" of personal data covers, in accordance with Article 4(2) of the GDPR, any activity carried out on such information, including but not limited to collection, registration, organization, analysis, adaptation, storage, and erasure.

3. What Personal Data We Collect

YSE may collect, store, and process your personal data in connection with carrying out the activities stated in the organization's agenda.

Depending on your interaction with us, we may collect and process the following information:

  • Identification details: Name, age/date of birth, nationality, gender.
  • Contact details: Email address, phone number, postal address (if required).
  • Membership details: Type of membership, national chapter, activities/events participation.
  • Other voluntary information: Skills, interests, or professional background (if you apply for roles within YSE).

4. Purpose and Legal Basis for Processing

We process personal data only for specified, explicit, and legitimate purposes, and in accordance with the principles set out in Article 5 GDPR.

For each processing activity, YSE relies on one or more lawful bases as defined in Article 6 GDPR. Personal data is not processed in a manner incompatible with the purposes described below.

Overview of Processing Purposes

YSE processes personal data for the following purposes:

  • Membership administration, including registering members and verifying eligibility
  • Communication, including sharing organizational updates, invitations, newsletters, and event-related information
  • Legal compliance, including age verification and statutory reporting obligations
  • Organizational development, including statistical analysis, anonymized reporting, and funding applications
  • Website operation and analytics, including browser information and approximate location data, using third-party services (e.g., Google Analytics, Hotjar) to improve website functionality and user experience
  • Video calls and online events, including recordings of meetings and events where applicable
  • Recruitment, including handling applications and conducting selection processes

Detailed information on each processing activity is provided below.

Detailed Description of Processing Activities

Membership Administration

Purpose of processing: to administer memberships, including registration, eligibility verification, participation tracking, and internal organizational management.

Legal basis: Article 6(1)(b) GDPR, processing is necessary for the performance of the membership relationship

Categories of personal data:

  • Identification details: name, age/date of birth, nationality, gender (optional)
  • Contact details: email address, phone number, postal address (if required)
  • Membership details: membership type, national chapter, participation in activities or events
  • Voluntary information: skills, interests, or professional background (where provided)

Retention period: membership data is retained for the duration of the membership. Following termination, personal data is deleted within 12 months, unless a longer retention period is required by law (e.g. accounting or grant-related obligations).

Communication

Purpose of processing: to communicate with members regarding organizational matters, events, activities, and internal updates.

Legal basis:

  • Article 6(1)(b) GDPR, processing necessary for the membership relationship
  • Article 6(1)(a) GDPR, where communications (e.g., newsletters) are based on explicit consent

Categories of personal data:

  • Identification details: name, age/date of birth, nationality, gender (optional)
  • Contact details: email address, phone number, postal address (if required)

Retention period: communication-related data is retained for the duration of membership and deleted within 12 months after termination, unless otherwise required by law.

Legal Compliance

Purpose of processing: to comply with applicable legal and regulatory obligations, including age verification, grant conditions, reporting, and record-keeping duties.

Legal basis: Article 6(1)(c) GDPR, processing necessary to comply with a legal obligation

Retention period: personal data is retained for the duration required under applicable laws and regulations and deleted thereafter.

Organizational Development

Purpose of processing: to support organizational planning, statistical analysis, reporting, and funding applications, primarily using aggregated or anonymized data.

Legal basis: Article 6(1)(f) GDPR, legitimate interest in developing and managing the organization effectively.

Retention period: personal data is retained only as long as necessary for the relevant organizational purpose and is anonymized or deleted thereafter.

Video Calls and Online Events

Purpose of processing: to organize and conduct online meetings and events, including recordings where applicable.

Legal basis: Article 6(1)(a) GDPR, consent for recordings

Retention period: recordings are retained only for as long as necessary for the stated purpose and deleted thereafter.

Recruitment

Purpose of processing: to manage recruitment processes, assess applications, conduct interviews, and make selection decisions based on competence.

Legal basis:

  • Article 6(1)(f) GDPR, legitimate interest in conducting a fair and effective recruitment process
  • Article 6(1)(a) GDPR, consent, where required

Categories of personal data:

  • Identification details: name, age/date of birth, nationality, gender (optional)
  • Contact details: email address, phone number, postal address (if required)
  • Professional details: CV, cover letter, references, job title, social media links (if voluntarily provided)

Special categories of data:

YSE does not request or require special categories of personal data (Article 9 GDPR), such as information on trade union membership, religious beliefs, political opinions, health data, or sexual orientation. Applicants are requested not to provide such information. Where a background check is required for certain positions, this is conducted only with separate, explicit consent.

Retention period: recruitment data is retained for up to 24 months after completion of the recruitment process to address potential discrimination claims. Where consent is provided, data may be retained for an additional 24 months for future recruitment opportunities.

5. How We Store and Protect Your Data

Data is stored securely in encrypted digital systems (e.g., Google Workspace/Drive).

Access is restricted to authorized YSE officers handling membership matters.

We apply appropriate technical and organizational measures to prevent unauthorized access, loss, or misuse.

6. International Data Transfers

To provide our services, we use third-party providers such as Google Workspace. This may involve transferring your personal data to countries outside the European Economic Area (EEA), including the United States.

For any such transfers, YSE ensures that your data is protected by implementing appropriate safeguards, primarily through the use of Standard Contractual Clauses (SCCs) approved by the European Commission, which contractually oblige the receiving party to protect your data with a standard equivalent to that of the EU.

You may request further information about these safeguards and obtain a copy of the applicable Standard Contractual Clauses by contacting us at gdpr@youthsecurity.eu.

7. Data Sharing

We do not sell your personal data. The recipients of your personal data include only:

  • YSE staff and officers for organizational purposes.
  • Partner organizations or funding bodies, acting as processors on our behalf, only in anonymized or aggregated form.
  • Competent legal authorities, where required to comply with a legal obligation.

Any sharing of personal data takes place only insofar as necessary for the purposes described in Section 4 "Purpose and Legal Basis for Processing", and always under the corresponding legal bases.

If personal data is transferred outside the European Economic Area (EEA), this will be done only as described in Section 6 "International Data Transfers" of this Policy.

8. Data Retention

We carry out periodic reviews of the personal data we retain to verify whether it continues to be necessary in relation to the purposes for which it was collected.

9. Your Rights Under GDPR

You have the following rights regarding your personal data:

Access your data (Article 15 GDPR)

YSE is open and transparent regarding how it processes your personal data. If you want greater insight into which personal data YSE processes regarding you specifically, you can request access to this data. To ensure efficient handling of your request and that the information is being provided to the right person, we may need to request further information about you.

Rectify inaccurate data (Article 16 GDPR)

You have the right to request the rectification of any inaccurate personal data concerning you. Within the context of the purpose stated, you also have the right to provide additional information in the case of any incomplete personal data.

Erase your data ("right to be forgotten," Article 17 GDPR)

You can request erasure of personal data that relates to you and that YSE processes, if:

  • The personal data are no longer needed for the purpose for which they were collected or processed.
  • You object to the balancing of interests that YSE has performed based on a legitimate interest and your reasons for objection outweigh our legitimate interest.
  • You revoke your consent to processing that is based on consent and there is no other legal basis for the processing.
  • The personal data have been unlawfully processed.
  • The personal data must be erased to fulfill a legal obligation to which YSE is subject.

Please note that YSE reserves the right to reject your request if there are legal obligations preventing YSE from immediately erasing certain personal data (e.g., legislation on discrimination, bookkeeping) or for the establishment, exercise, or defence of legal claims, in accordance with Article 17(3) GDPR.

Restrict processing (Article 18 GDPR)

You have the right to request restriction of processing where:

  • You contest the accuracy of the personal data (for a period allowing us to verify accuracy).
  • Processing is unlawful, and you oppose erasure, requesting restriction instead.
  • We no longer need the data for processing purposes but you require them to establish, exercise, or defend legal claims.
  • You have objected to processing based on legitimate interests, pending verification of whether our interests override yours.

Data portability (Article 20 GDPR)

In cases where YSE's processing of personal data is based on your consent or the fulfillment of a contract, you have the right to request that the information that concerns you and that you have provided us with is transferred to another data controller. However, this is provided that the transfer is technically possible and that it can be performed in an automated manner.

Object to processing (Article 21 GDPR)

You have the right to object, at any time, to YSE's processing of your personal data based on our legitimate interests. We will no longer process your data for these purposes unless we demonstrate compelling legitimate grounds for the processing that override your interests or where processing is necessary for the establishment, exercise, or defence of legal claims. You may also object to processing for direct marketing purposes at any time, in which case your data will no longer be processed for such purposes.

Withdraw consent at any time (Article 7(3) GDPR)

You may withdraw any consent you have given to YSE for the processing of your personal data at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. Upon withdrawal, we will stop any processing based solely on consent, without undue delay. Other lawful bases for processing, where applicable, remain unaffected, and we may continue to retain or process data where necessary for compliance with legal obligations or for the establishment, exercise, or defence of legal claims.

For further information about the rights of data subjects under the GDPR, please visit the website of the Swedish Authority for Privacy Protection (IMY): https://www.imy.se/verksamhet/dataskydd/det-har-galler-enligt-gdpr/de-registrerades-rattigheter/

To exercise these rights, please contact us at gdpr@youthsecurity.eu. We may ask you to identify yourself when you exercise your rights.

10. Complaints to the Competent Supervisory Authority

If you have any questions about our processing of personal data or believe that your personal data is being misused in breach of the GDPR, you can first contact YSE at gdpr@youthsecurity.eu.

You also have the right to file a complaint with the competent Supervisory Authority, the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY), which can be reached at www.imy.se.

11. Updates to this Privacy Policy

This Privacy Policy may be updated to reflect changes in how we process personal data or to comply with legal requirements. The most recent version, in English, is available on an as-is and as-accessible basis at www.youthsecurity.eu.

If we make changes that are of significant importance for how we process your personal data, or which we consider to be of significant importance for you and your rights, we will inform you by email. For other updates, we will indicate the date of the latest version on our website.