GDPR & Privacy
The controller for the data processing activities carried out through www.sastipen.ro is the SASTIPEN Association – Roma Center for Health Policies, headquartered in Bucharest, Str. Triunghiului nr. 40, email office@sastipen.ro, telephone 0214560321. This policy applies to data submitted through the contact form, the discrimination reporting form, the reporting form for Roma health mediators, and other interactions initiated through the website.
Depending on the form used, we may process identification and contact data, information about the institution or community involved, the content of the report, descriptions of incidents, details of measures already taken, and possible supporting evidence. In reports concerning access to health services or discrimination, users may also submit special categories of data within the meaning of Article 9 GDPR, such as health data, elements that may reveal ethnic origin, or other sensitive information included by the person completing the form.
We process data in order to answer requests, assess reports, document reported cases, provide guidance or support, and, where appropriate, prepare institutional or legal steps requested by the data subject. For messages sent through the general contact form, the main legal basis is the legitimate interest of the organization to respond to communications received, under Article 6(1)(f) GDPR. For forms involving sensitive data or an express request for intervention, the legal basis is the explicit consent provided through the form, under Article 6(1)(a) and Article 9(2)(a) GDPR; where the information is necessary for the establishment, exercise, or defence of legal claims, processing may also continue to the extent permitted by Article 9(2)(f) GDPR and applicable Romanian law, including Law No. 190/2018.
Access to data is limited to authorized SASTIPEN staff and collaborators on a need-to-know basis. We may use technical providers for hosting, IT maintenance, email, or web infrastructure, acting as processors. We may disclose data to relevant authorities, institutions, or partners only when necessary for handling the case, when requested by the data subject, or when required by law. If, exceptionally, a provider involves transfers outside the European Economic Area, we rely on appropriate safeguards recognized by GDPR, such as standard contractual clauses or another applicable legal mechanism.
We keep data only for as long as necessary for the purpose for which it was collected. General contact messages are stored for the time needed to reply and for a reasonable follow-up period. Reports and case submissions are stored for the duration of the assessment and intervention and afterwards according to internal archiving criteria, legal obligations, and applicable limitation periods. We apply reasonable technical and organizational measures designed to limit access, prevent unauthorized disclosure, and reduce the risk of loss, alteration, or misuse.
Data subjects have the right to information, access, rectification, erasure, restriction of processing, data portability, objection, and the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal. These rights may be exercised by contacting office@sastipen.ro. Data subjects also have the right to lodge a complaint with the Romanian supervisory authority, the National Supervisory Authority for Personal Data Processing (ANSPDCP), available at www.dataprotection.ro, and to seek a judicial remedy.
Because the reporting forms may contain sensitive information, please submit only the data strictly necessary for assessing the case and avoid excessive information about third parties. If you report a case on behalf of another person, you should have a legitimate basis to provide that information or anonymize the data where identification is not necessary. SASTIPEN may request clarifications, may limit the use of excessive information, and may anonymize data where this is possible and compatible with the purpose of the report.