Loading content
Loading content
GDPR & Privacy
Last updated: April 22, 2026
The controller for the data processing activities carried out through www.sastipen.ro is the SASTIPEN Association – Roma Center for Health Policies, tax identification code (CUI) 22386469, headquartered in Bucharest, Str. Triunghiului nr. 40, email office@sastipen.ro, telephone 0214560321. This policy applies to data submitted through the contact form, the discrimination reporting form, the reporting form for Roma health mediators, browsing on the public pages, and authentication in the website’s administrative area.
Depending on the interaction, we may process identification and contact data, professional or institutional details, the content of messages and reports, descriptions of incidents, information on measures already taken, and preferred types of support. Reports concerning discrimination or access to health services may also include special categories of data within the meaning of Article 9 GDPR, including health data or information that may reveal ethnic origin. For the security of the website and the admin panel, we also process limited technical data such as IP address, user agent, hashed identifiers used for rate limiting, and strictly necessary cookies for administrator authentication. The website does not offer public user accounts.
We process data in order to answer requests, assess and document reports, provide guidance or support, manage our relationship with the data subject, and, where appropriate, prepare institutional, administrative, or legal follow-up. The main legal bases are Article 6(1)(f) GDPR for handling communications and website security, Article 6(1)(a) and Article 9(2)(a) GDPR for sensitive data submitted with explicit consent through the forms, and, where the information is necessary for the establishment, exercise, or defence of legal claims, Article 9(2)(f) GDPR together with applicable Romanian law, including Law No. 190/2018.
Access to data is limited to authorized SASTIPEN staff and collaborators on a need-to-know basis. We do not sell or rent personal data. We may use technical providers for hosting, managed database infrastructure, web infrastructure, IT maintenance, email, or security, acting as processors. We may disclose data to relevant authorities, institutions, or partners only when necessary for handling the case, when requested by the data subject, or when required by law. If, exceptionally, a provider involves transfers outside the European Economic Area, we rely on appropriate safeguards recognized by GDPR.
We keep data only for as long as necessary for the stated purposes, after which it is deleted, anonymized, or archived in line with legal obligations and applicable limitation periods. Messages and reports remain active while they are being handled. In the current implementation of the website, records marked as resolved may be archived after at least 180 days of inactivity and scheduled for deletion 365 days after archival, unless the law, the defence of legal claims, or case documentation requires longer retention. We apply reasonable technical and organizational measures, including access control, restricted authentication, security logging, rate limiting, and separation between the public website and the administrative area.
Data subjects have the right to information, access, rectification, erasure, restriction of processing, data portability, objection, withdrawal of consent, and the right not to be subject to a decision based solely on automated processing, under the conditions of GDPR. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal, but it may limit our ability to continue reviewing a report. At present, the website does not use profiling and does not make solely automated decisions producing legal or similarly significant effects on users. Rights requests may be sent to office@sastipen.ro, and SASTIPEN will respond without undue delay and, as a rule, within no more than one month, in line with Article 12 GDPR. Data subjects also have the right to lodge a complaint with the Romanian supervisory authority, the National Supervisory Authority for Personal Data Processing (ANSPDCP), available at www.dataprotection.ro, and to seek a judicial remedy.
Because the reporting forms may contain sensitive information, please submit only the data strictly necessary for assessing the case and avoid excessive information about third parties. If you report a case on behalf of another person, you should have a legitimate basis to provide that information or anonymize the data where identification is not necessary. At present, the public pages of the website do not use analytics or marketing cookies; we use only technical mechanisms that are strictly necessary for operation and security. If this changes, the policy and any required information or consent mechanisms will be updated in line with applicable law, including Article 5(3) of Directive 2002/58/EC and Romanian Law No. 506/2004.