Privacy Policy Statement European Student Think Tank (EST)


In this privacy policy, the Stichting European Student Think Tank, hereinafter EST, states its compliance with EU and national legislation regarding the protection of data. More specifically, the EST processes personal data in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and the Dutch GDPR Implementation Act (available in Dutch here).

This privacy policy describes how and why the EST registers, processes, and stores different types of personal data. This will help you understand exactly how we operate. The privacy policy covers all offline and online systems that involve personal data. We respect the privacy of all individuals involved in our offline and online activities and ensure that the personal data you provide to us is treated confidentially. The EST is responsible for the processing of personal data as described in this privacy policy.

Processing of Personal Data

We process personal data when you provide your information to us for purposes that benefit our relationship and our activities. The main (but not exclusive) purpose of processing your data is the optimisation of the coordination and communication of our activities. Below is an overview of the personal data that we may process given the nature of our relationship:

  • First and last name
  • Personal email address
  • Phone number
  • Nationality
  • Age
  • Country and city of residence
  • Image in photo and/or video format
  • Voice or audio

  • Other personal data that you actively provide, for example by providing information on one of our online services, via (electronic) correspondence, over the phone and/or in person
  • (Personal) data for a purpose that benefits you and/or the organisation

  • Data about your browsing behaviour on our online services
  • List of contact details of individuals via one of our online services
  • Bank account number
  • A copy of an identity document
  • Curriculum vitae

Personal data of individuals under the age of 16. Our online services do not intend to collect data about website visitors under the age of 16 if it is not relevant to our activities and the nature of our activities unless these young people have obtained permission from their caregivers. However, we cannot verify whether a website visitor on one of our online services is over 16 years old, and therefore, we are not liable for processing incorrect information provided to us through one of our online services. We recommend that caregivers of children under 16 be involved in their children’s online activities to prevent data from being collected about children without their caregivers’ consent. If you believe that we have collected personal data about a person under the age of 16 without their permission, please contact us at

Purpose and legal basis for processing personal data

Based on our relationship and if you provide us with these personal data, we may process your personal data for the following purposes:

  • Handling a payment.
  • Sharing mail, an update, a newsletter, or other forms of information sharing that reasonably justifies the purpose.
  • Being able to call and/or email you if necessary to carry out our services and tasks properly.
  • Informing you about changes related to our relationship and our activities.
  • We may analyse your behaviour on one of our online services to improve our (online) services and align our work with your preferences.
  • We process personal data when legally required to do so.

Rights of Data Subjects

Individuals with whom we have, want to establish, or have had a direct or indirect relationship have various rights that they can invoke. Data subjects may at any time submit a request to us to exercise their rights. Data subjects have the following rights:

  • The right to information: We do everything we can to inform individuals who have, had, or will have a relationship with us about the fact that we process their personal data, why and how we process personal data, unless we were not reasonably able to do so, see no reason to do so, or were not planning to do so at a time that is reasonably appropriate.
  • The right to data portability: This right means that the data subject has the right to obtain the personal data we have about them in a structured format. Additionally, this right allows the data subject to easily transfer, copy, or forward their personal data from one IT environment to another. To exercise this right, the data subject must submit a request to
  • The right to be forgotten: This right means that data subjects can request to be forgotten, that is, to have the personal data we have about them deleted. In some cases, we must delete personal data if the data subject requests it. The data subject has the right to be forgotten in the following situations:
    • When the personal data is no longer necessary for the purposes for which they were collected or processed.
    • When the data subject withdraws their previous consent to the organization for the use of their data.
    • When the data subject objects to the processing.
    • When the personal data has been processed unlawfully.
    • When we are legally required to delete the data after a certain period.
    • When the data subject is under sixteen years old and the personal data has been collected, for example, through an app or website without the consent of the data subject’s caregivers.
    • The right to be forgotten does not apply if personal data is processed in the context of one or more of the following circumstances:
      • When our processing of personal data is necessary to exercise the right to freedom of expression and information.
      • When we process personal data because we have a legal obligation to do so.
      • When we process personal data to exercise public authority or a (legally established) task of public interest.
      • When we process personal data for a task of general interest in the field of public health.
      • When we need to archive personal data for the general interest.
      • When the personal data is necessary for a legal claim.
  • The right to access: Data subjects have the right to access their personal data that we process about them. If there is such a request, we will always explain why we process personal data, what type of personal data we collect, if applicable: to which organizations and/or organizational units we forward the personal data, how long we store the personal data, what privacy rights data subjects have, that data subjects have the right to file a complaint with the Dutch Data Protection Authority, if applicable: from which organization and/or organizational units we have received personal data if we have not collected it ourselves from the data subjects, and if applicable: on what logic we make an automated decision about someone.
  • The right to rectification and supplementation of personal data: The data subject has the right to rectify inaccurate personal data concerning them or to provide additional information when processing is based on incomplete data. 
  • The right to restriction of processing: In certain cases, data subjects have the right to restrict the processing of personal data. Restriction of processing personal data means that the personal data may not be processed or modified. If the personal data is incorrect, the processing is unlawful, the personal data is no longer necessary, and/or the data subject objects to the processing of their personal data, the data subject can invoke this right. Unless we have compelling legitimate grounds for the processing of personal data that outweigh the interests, rights, and freedoms of the data subject and as long as we do not have clarity that our grounds outweigh the interests, we must recognize the data subject’s request for restriction of the processing of personal data as valid and take reasonable measures for it.
  • The right to human intervention in automated decision-making: We do not make decisions about matters that can have (significant) consequences for data subjects based on automated processing. This concerns actions taken by computer programs or systems without any human involvement (e.g., an EST Board Member). We will not make a decision based solely on automated processing of personal data unless we have the explicit consent of the data subject.
  • The right to object: Data subjects can object to the processing of their personal data by us. Unless we have compelling legitimate grounds for the processing of personal data that outweigh the interests, rights, and freedoms of the data subject and/or the processing is related to a legal claim, we will stop processing this personal data once we have recognized the data subject’s objection to the processing of the personal data as valid.

Response time for handling individual requests about their rights

We respond immediately to all individual requests from data subjects about their rights, and in any case within one month of receiving the request, indicating the outcome of the request. If the nature of the request is complex or if we are dealing with many other requests, this period can be extended by another two months if necessary. We will inform the data subject within one month of receiving the request whether we are extending our response time. If the data subject submits a request via email, we will respond to this request via email, unless the data subject wishes us to respond in a different way than by email.

How long we retain personal data

We do not retain your personal data longer than is strictly necessary and/or required by law to achieve the purposes for which your personal data is collected. The retention periods of the various categories of processed personal data depend on the relevant laws and regulations that we comply with and the purposes for which they have been collected. 

Sharing of personal data with third parties

We never sell your personal data to third parties and will only provide it if necessary for the performance of our agreement or to comply with a legal obligation. Moreover, we only do this if sharing your data is consistent with our usual activities and does not have any purpose other than the initial relationship we have with each other. Unless this is reasonable based on the nature of our activities or if we are legally required to do so, we do not intend to transfer personal data outside the European Union (EU) or to an international organisation. 

Cookies, or similar techniques, that we use

We only use technical and functional cookies, as well as analytical cookies that do not infringe on your privacy. A cookie is a small text file that is stored on your computer, tablet, or smartphone when you first visit our website. The cookies we use are necessary for the technical operation of the aforementioned website and your convenience in using this website. They ensure that the website functions properly and remember your preferences, for example. Additionally, we can optimize our website with them. You can opt out of cookies by adjusting your internet browser settings to no longer store cookies. Additionally, you can also delete any information previously stored through your browser’s settings.

How we secure personal data

We take the protection of your data seriously and take appropriate measures to prevent misuse, loss, unauthorized access, unwanted disclosure, and unauthorized modification. If you believe that your data is not properly secured or if there are indications of abuse, please contact us at

Data breaches

If there is a data breach or if it is reasonably plausible that a data breach may occur, we take the necessary measures to address a data breach. The failure or refusal of an individual or a third party to report a data breach does not prevent us from continuously taking the necessary security measures that we, as an organisation, strive to take. If we become aware of a data breach, we will take measures in line with the criteria of the relevant laws and regulations, as well as what you can reasonably expect from us and what is desirable according to the unwritten law of social interaction.

In addition to reporting a data breach and addressing a data breach, we will also register a data breach and maintain a dedicated register for it. The following information per data breach is important to include in the dedicated register:

  • Facts and data about the nature of the data breach.
  • The categories of affected data subjects and personal data, and if possible, the number of data subjects.
  • The consequences of the data breach.
  • The measures taken to address the data breach.
  • Whether the data breach has been reported to the Dutch Data Protection Authority.
  • Whether the data breach has been reported to the data subject(s).


Concerning our processing of personal data, data subjects can file a complaint with the relevant privacy regulator, the Dutch Data Protection Authority.

Data Protection Officer (DPO)

Our Data Protection Officer (DPO) is Olivia Serra Calvo. You can contact our DPO through the following email address

Intellectual Property Agreement

All of the content created by our members and published on our social media and website should be considered property of the author and the EST. Therefore, our status (and that of any identified contributors) as the authors of content on our site must always be acknowledged.

Reproduction and dissemination of any of the information contained on this website is encouraged, provided that EST is acknowledged as the source of the material and a direct link to the original piece is provided.

All our members are committed to producing original content no matter its format. The contributions of our members will be acknowledged in all our publications and the person would have the right to reproduce and disseminate their work as long as the original source is provided (EST’s website and social media).

Changes to Privacy Policy

The EST reserves the right to make changes to our privacy statement and privacy policy. Therefore, we recommend that you regularly consult this privacy policy to stay informed of any changes. You can save or consult this privacy policy on our website.