Privacy and Personal Data Protection Notice

Pursuant to Article 2 of the Law and Article 4(2)(A) of the Regulation, the Controller of the personal data we process is identified below:

• Controller: Youth Federation (umbrella civil society organisation registered in the TRNC)
• Legal/Registration Details: [TBD]
• Address: [TBD]
• E-mail: [TBD] (e.g. [email protected])
• Telephone: [TBD]
• Data Protection Officer (Article 10 of the Law): [TBD] — e-mail: [TBD]

The following categories of personal data may be processed in connection with our website and the Federation's activities:

• Website usage data (via Cloudflare Web Analytics, aggregated and anonymous): pages visited, time of visit, coarse geographic location (country/city level), browser type and referring URL. This data is not linked to an identified or identifiable individual; Cloudflare uses neither cookies nor device fingerprinting.
• Application and event-registration data (e.g. Youth Assembly candidacy forms, congress/event registrations): full name, TRNC/TR identity number, date of birth, contact details (e-mail, phone), education and occupation information, and CV/motivation details where requested.
• Communication data: name, e-mail and message content you provide when you contact us via e-mail or a contact form.
• Public role information for member-association representatives and Federation organ members (full name, role, and any publicly disclosed contact links).

Your personal data is processed in line with the specific, explicit and legitimate purpose principle of Article 5 of the Law, solely for the purposes listed below. In accordance with Article 5(8) of the Regulation, vague or generic formulations have been avoided:

• Operating the website, ensuring its security and producing aggregated/anonymous usage statistics (page views, country distribution, etc.).
• Receiving and assessing applications to Federation programmes (e.g. Youth Assembly, Congress, events) and communicating with participants.
• Responding to information requests, feedback and complaints.
• Publicly announcing the Federation's organs (Central Council, Commissions, Assembly, Senate, audit/disciplinary boards) and ensuring transparency.
• Fulfilling legal obligations (e.g. statutory reporting and audits).

The legal basis under Article 6 of the Law for each processing activity is set out below:

• Website usage measurement via Cloudflare Web Analytics: Article 6(5) — legitimate interests of the Controller and the public (site improvement, abuse prevention). As no cookies are used and no identifiable data is collected, this falls outside the definition of "personal data" in Article 2 of the Law.
• Application forms and event registrations: Article 6(1) — explicit consent of the data subject (granted by submitting the form).
• Processing arising from membership/contract: Article 6(2) — performance of, or pre-contract measures for, a contract.
• Processing required by law: sub-paragraph of Article 6(1) — fulfilling a legal obligation to which the Controller is subject.

Personal data is collected by the partially automated and partially non-automated means clearly identified below, as required by Article 5(12) of the Regulation:

• Automated means: through our website server infrastructure and the Cloudflare Web Analytics beacon during your visit.
• Non-automated means: electronic forms, e-mails and physical application/contract documents that you submit to us yourself.

Your personal data may be transferred to the following recipient categories for the purposes set out below, in accordance with Article 5(10) of the Regulation:

• Cloudflare, Inc. (USA): as the website analytics service provider, for the processing of aggregated and anonymous traffic data.
• Member associations and Federation organs (Commissions, Assembly, etc.) of the Federation: for application and event coordination, limited to the data strictly necessary for the relevant persons.
• Competent public authorities: where a legal obligation, court order or official request requires disclosure.
• Our e-mail and hosting providers: strictly for the technical purposes necessary to operate the service.

In accordance with Article 11 of the Law, instances of international transfer and their legal basis are explained below:

Because the Cloudflare Web Analytics beacon connects directly to Cloudflare's global infrastructure, anonymous traffic data may be processed outside the TRNC, including in the United States. Cloudflare does not use cookies or fingerprinting for this service; as the data collected cannot be linked to an identified or identifiable person, it does not meet the definition of "personal data" under Article 2 of the Law. As an additional legal basis pursuant to Article 5(11) of the Regulation, we also rely on Article 6(5) (legitimate interest) and Article 11(2)(A) of the Law (implicit consent given by using the site).

Other data collected through application and contact forms is, as a rule, processed within the TRNC. If a transfer abroad becomes necessary, it will be carried out only in accordance with the conditions of Article 11 of the Law (Transfer Permit or explicit consent), and you will be separately informed.

Pursuant to Article 5(1)(Ç) of the Law, data is not kept for longer than necessary for the purposes for which it was collected. As a general rule:

• Cloudflare anonymous analytics: in line with Cloudflare's retention policy (maximum 6 months).
• Application form data: retained throughout the relevant programme/event and the subsequent statutory/legal retention period, then deleted or anonymised.
• Communication data: deleted within a reasonable period after the matter is concluded and there is no longer a need for contact.
• Public role information of Federation organ members: published during the term of office and may remain public after the term for archival/historical purposes.

You have the following rights, set out in Part Four of the Law:

• Right to be informed (Article 13): receiving clear and intelligible information on processing, as in this notice.
• Right of access (Article 14): learning which data about you is processed, its source, purpose and recipients; and requesting a copy.
• Right to rectification (Article 14): requesting the correction of incomplete or inaccurate data.
• Right to object (Article 15): objecting to processing or direct marketing.
• Right to compensation (Article 18): seeking compensation for damage suffered as a result of unlawful processing.
• Right to lodge a complaint with the Personal Data Protection Board (Article 34): contacting the Board if you believe your rights have been infringed.

To exercise your rights under Article 16 of the Law, please submit a written request to the Controller at the e-mail address above or by post. Including your identification information, the request itself and any supporting documents in full will help us resolve your request as quickly as possible.

The Controller will assess and respond to your request within a reasonable and lawful period. Pursuant to Article 5(6) of the Regulation, the burden of proving that the information obligation has been fulfilled rests with the Controller; communications are retained for this purpose.

As required by Article 12 of the Law, appropriate technical and organisational measures are in place to protect personal data against unintended loss, unauthorised access, alteration or disclosure. These include HTTPS encryption, access controls, the principle of least privilege, regular backups, security updates and confidentiality obligations imposed on staff.

Our website does not use cookies beyond strictly necessary technical storage required for operation. Our analytics provider Cloudflare Web Analytics is cookieless and does not perform device fingerprinting. For this reason, no separate cookie consent banner is shown.

Our site may include links to our social media accounts (Facebook, Instagram) and to other organisations' pages. When you follow such links, the privacy policy of the third-party provider applies. The Federation is not responsible for the content or privacy practices of those sites.

Pursuant to Article 5(2) of the Regulation, if the purpose of processing changes, the information obligation will be performed again for the new purpose. The current version of this notice is always published on this page; the "Last updated" date at the top indicates the most recent revision.

For any questions, requests or complaints about this notice or the processing of your personal data, please contact us through the following channels:

• E-mail: [TBD]
• Postal address: [TBD]
• TRNC Personal Data Protection Board (Article 20 of the Law): the competent independent authority for statutory complaints.