Privacy Policy

Privacy Policy








2023 Rotaract Model United Nations

Asociatia Rotaract Club TEAM Baia Mare

Baia Mare, Maramures, Romania

8 – 11 june 2023


  1. Introduction

1.1 Privacy of personal data represents one of the main concerns for the Organizers. As such, we aspire to provide the highest standards of privacy and transparency for the personal data we’re processing in our current activity.

1.2 Since for conducting our business we are required to process a series of personal data, especially in relation to the specifics of our line of business, we wish to provide assurances that the processing will take place in compliance with the principles of transparency and security of personal data. This privacy policy is meant to help you understand what data we’re collecting, why we’re collecting it and what we’re doing with it.

  1. Information on controllership

2.1 The organizing entity of the ROTARACT MUN 2023 BAIA MARE is ASOCIATIA ROTARACT CLUB TEAM BAIA MARE, a Romanian non-profit organization, established in BAIA MARE, VICTOR BABES, no. 62A, registered as non-profit organization no. 12 on 15.02.2011, Fiscal Registration Code: 28172774 (hereinafter referred to as the Organizer or ROTARACTMUN),

2.2. ROTARACT MUN is required to manage safely and solely for specified purposes, the personal data that the users of the website are providing.

2.3. The essence of the processing of personal data by the parties is the Agreement of joint controllers concluded in accordance with Article 26 GDPR by which the parties have transparently established the responsibilities of each regarding the fulfilment of obligations, in particular respecting the provisions of Articles 13 and 14.

2.4. ROTARACT MUN process personal data according to the obligations resulting from the Agreement concluded between them, but also from the obligations imposed by the specific legal provisions. The purpose of the data processing by us is to organise of the ROTARACT MUN 2023 event in Baia Mare at the highest level, contributing through the object of activity to its realization.

2.5. Main attributions of the Joint Controllers:

  • Asociatia Rotaract Club TEAM Baia Mare will have the following main role: owning and managing the existing database, managing the BaiaMare2023.RotaractMUN page, the ROTARACT MUN 2023 application and online platforms, organizing marketing campaigns, ensuring communication with the consumer.
  • Asociatia Rotaract Club TEAM Baia Mare will have the following main role: ticket sales, marketing and advertising activities to promote the event and / or the products and services of the ROTARACT MUN 2023 event in Baia Mare.

2.6. We shall ensure that information on the processing of personal data is made available to data subjects in accordance with Article 12-14 GDPR.

2.7. We will comply with all legal requirements regarding the confidentiality in processing of personal data, including the obligation to carry out risk assessments and to conclude data processing agreements with its suppliers who process personal data.

2.8. We confirm that, in accordance with Article 32 of the GDPR, we have taken appropriate technical, physical and organizational security measures to protect personal data against unauthorized or illegal access, alteration, deletion, damage, loss or inaccessibility.

2.9. We will respect the principles of personal data processing as they are mentioned in art. 5 of the GDPR, respectively within the processing activities. We will process the personal data, which are the subject of this contract:

(a) lawfully, fairly and transparently to the data subject;

(b) for specified, explicit and legitimate purposes and not in a manner incompatible with the purposes stated at the time of collection of personal data;

(c) ensuring their adequacy, relevance, limiting processing to what is necessary in relation to the purposes for which they are processed;

(d) ensuring that personal data which are inaccurate are deleted or rectified without delay;

(e) storing personal data in a form which permits identification of data subjects for a period not exceeding the period necessary for the purposes for which the data are processed;

(f) processing personal data in a manner that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures.



  1. How are we collecting your personal data?

4.1 We are collecting your personal data either directly from you, e.g. when you’re creating an account on our website/App, you’re sending us an e-mail at, in which you’re requesting us an offer / information, and you’re giving your consent for communication of commercial messages, your enrolment as a Ambassador in the United Nations program, etc., or indirectly, e.g. when you’re sending this information to the platforms of other collaborators for our company, such as:,, etc., in the process of purchasing the ticker/pass.

4.2 Also, the ROTARACT MUN App / ROTARACT MUN website includes the top-up option, context in which Europayment Services SRL, the euplă payment platform provider, a personal data operator, collects and processes the user data necessary to process the payments required for topping up the bracelets. For details regarding the category of data processed in this regard, the purpose of the processing and how this operator processes the data of the Buyers please consult their Privacy Policy by accessing the following link –

4.3 We collect your personal data automatically, when you use our services from the website or the ROTARACT MUN application, we collect information through cookies and by logging your activity. For more information on the use of cookies, please refer to Art. 6 of this Policy.

4.4. If you choose to provide us with the personal data of others, such as when you purchase tickets on behalf of others, you are responsible for how you obtained these data and that you have a legal basis for processing them. We cannot be held liable for the violation of the rights of the respective persons.

  1. How are we storing the personal data?

5.1 For storing the personal data you’re providing as a user of our website / App, a cloud service provided by Amazon Web Services EMEA S.A.R.L. is used.

5.2 Also, the data collected in the context of on-site check-in is stored by us, on their servers in the European Union.


6.1 The website contains cookies (very small files are sent to the computers of website users or to other access devices).

6.2 There are two types of these cookies: • Functionality cookies: These types of cookies improve the users’ website navigation experience and allow them to benefit from various features; • Performance Cookies: These types of cookies are used to measure and analyze how ROTARACT MUN customers are using the Website. These cookies can continually improve the functionality of the website and the user experience.

6.3 Accessing the website implies the agreement of the users regarding placing these types of cookies on their device and access them on their next visit to the site.

6.4 Information on deleting and controlling cookies is available at Deleting or blocking the cookies may prevent access to certain areas or features of the site. 6.5 For more information, please consult our Cookie Policy.

  1. To whom we’re disclosing your personal data?

7.1 For fulfilling the processing purposes, we may disclose your personal data to partners, third parties or entities supporting us in the conduct of their business, or to central / local public authorities, in the following cases listed as examples:

  1. To our service providers and contractual partners, for example: marketing and advertising service providers; to our partner in charge of ensuring access to the ROTARACT MUN Event venue; to IT service provider; to courier services, payment services, banking services, etc. This data will be provided to the extent necessary and only on the basis of a confidentiality agreement from the contractual partners, which guarantees that this data is kept safe and that its processing is done according to the legislation in force;
  2. To the accountants, auditors, lawyers, insurers or other such external advisers Operator might employ. This data will be provided to the extent necessary and only on the basis of a confidentiality agreement from the contractual partners, which guarantees that this data is kept safe and that its processing is done according to the legislation in force;
  3. Authorities, institutions and public bodies, if there is a legal request from them or to the extent that there is a legal obligation from us;
  4. The operator will be able to disclose this data whenever the law requires it, or in the case in which this action is necessary to allow the exercise of the rights provided by the law and / or to be able to take legal action against any illegal activity;
  5. Your personal data may be transferred to third countries, based on the contractual relationships we have with our partners (both affiliates and other entities in the European Union) in order to compile statistics and other types of reports;
  6. How long do we store your personal information?

8.1 As a matter of principle, we will process your personal only to the extent necessary to achieve the processing purposes mentioned above. Please note that for most processing purposes, data about the Participants at the event will be deleted within 20 days from the end of the Event, unless the Participant has an account on our website or has given us the consent to retain the data in order to be contacted for certain, clearly defined, purposes. For further details about our Data Retention Policy for certain specific data processing please review column 3 of the Table in Art. 3.

  1. Your rights related to personal data processing:

9.1 If you have consented to processing activities, you may withdraw this consent at any time. This withdrawal will only take effect for the future and will not affect the legality of the processing prior to its withdrawal.

9.2 To the extent that your consent is withdrawn, we will prohibit the processing of your personal data and will take all actions to delete all records containing this data.

9.3 However, if processing is compulsory for the provision of services by the Joint Controllers and this can be performed on the basis of other legal provisions, we will carry out such processing and will notify you to this regard.

9.4 In accordance with the data protection legislation, you have the following rights:

1) Right to information This right provides the data subject with the ability to ask a company for information about what personal data (about him or her) is being processed and the rationale for such processing. For example, a customer may ask for the list of processors with whom his or her personal data is shared.

2) Right to access This right provides the data subject with the ability to get access to his or her personal data that is being processed. This request provides the right for data subjects to see or view their own personal data, as well as to request copies of the personal data.

3) Right to rectification This right provides the data subject with the ability to ask for modifications to his or her personal data in case the data subject believes that this personal data is not up to date or accurate.

4) Right to withdraw consent This right provides the data subject with the ability to withdraw a previously given consent for processing of their personal data for a purpose. The request would then require the company to stop the processing of the personal data that was based on the consent provided earlier.

5) Right to object This right provides the data subject with the ability to object to the processing of their personal data. Normally, this would be the same as the right to withdraw consent, if consent was appropriately requested and no processing other than legitimate purposes is being conducted. However, a specific scenario would be when a customer asks that his or her personal data should not be processed for certain purposes while a legal dispute is ongoing in court.

6) Right to object to automated processing This right provides the data subject with the ability to object to a decision based on automated processing. Using this right, a customer may ask for his or her request (for instance, a loan request) to be reviewed manually, because he or she believes that automated processing of his or her loan may not consider the unique situation of the customer.

7) Right to be forgotten Also known as right to erasure, this right provides the data subject with the ability to ask for the deletion of their data. This will generally apply to situations where a customer relationship has ended. It is important to note that this is not an absolute right and depends on your retention schedule and retention period in line with other applicable laws.

8) Right for data portability This right provides the data subject with the ability to ask for transfer of his or her personal data. As part of such request, the data subject may ask for his or her personal data to be provided back (to him or her) or transferred to another controller. When doing so, the personal data must be provided or transferred in a machine-readable electronic format.

9.5 According to the law, you can exercise your rights under GDPR against any of the joint controllers. However, according to the agreement between the parties, ROTARACT MUN has been designated as the responsible operator and single point of contact for the handling of requests for the exercise of the rights of data subjects.

 If you wish to exercise the rights mentioned above, please contact the person responsible for the protection of personal data using the following contact details:

9.6 You can also file a complaint regarding the processing of your data with the National Authority for the Processing and Supervision of Personal Data (B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, postal code 010336, Bucharest, Romania,,


  1. Information security

10.1 We are working hard to protect our website, App and users, as well as all personal data collected in accordance with this Policy, from any unauthorized access or from the modification, unauthorized disclosure or destruction of the information we hold.

10.2. The Joint Controllers guarantee that they have implemented technical and organizational measures appropriate to the processing activities they perform, in order to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure or unauthorized access to, transmission, storage or processing in any other illegal ways.

10.3. In this regard:

  1. ROTARACT MUN 2023 certify that they meet the minimum requirements for the security of personal data, the data being processed in a way that provides protection against unauthorized or illegal processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures;
  2. or the data collected through the website and the App, in order to ensure access to the event, we use a cloud service provided by Amazon Web Services EMEA SARL. Therefore, the security settings provided by Amazon are used. Access to data is done in a whitelist of security groups, which means that data can only be accessed from certain pre-defined IP addresses. Access is based on username and password, and within the organizing entities access to the database is allowed to a limited number of persons.
  3. The used data storage systems have implemented back-up mechanisms to ensure the redundancy of the stored data.
  4. We are regularly reviewing the practices for collecting, storing and processing information, including physical information, as well as security measures, to prevent unauthorized access to the systems.
  5. We are restricting the access of our employees and contractors to your personal information, and the contractual relations with these persons are subject to strict rules regarding contractual confidentiality obligations, including under the sanction of termination of contracts.
  6. When does this Privacy Policy apply?

11.1. Our privacy policy applies to all services provided by our company and excludes services that have separate privacy policies and do not contain the provisions of this privacy policy.

  1. Amendments

12.1 Our privacy policy may change, but we promise not to reduce your rights under these changes without your explicit consent. We will publish any amendment to the privacy policy on our webpage, amendment which will come into effect within one day and, if the changes are significant, we will provide more prominent notification (including, for some services, email notification of privacy policy changes). We will also store earlier versions of this Privacy Policy in the archive so that it can be reviewed by you at any time.

12.2 The latest update of this policy was made on the 23rd of March, 2023