Privacy Policy
Last updated: November 2025
1. Controller and contact details
This Privacy Policy explains how we process personal data when you visit our website, contact us or work with us.
Controller
European Funds Recovery Initiative – EFRI
ZVR: 1493630560
Registered seat: Vienna, Austria
E-mail: [email protected]
2. Scope – who this notice applies to
This Privacy Policy applies to:
visitors to our website (including contact form users),
individuals who contact EFRI by e-mail or other channels (e.g. victims, supporters, whistleblowers, journalists),
persons whose data we process in the context of our consumer-protection activities, including case handling, litigation, advocacy and communication.
Depending on the situation, you may be our direct contact (e.g. victim or supporter) or an indirect data subject (e.g. representative of a bank, payment service provider, law firm, regulator or alleged fraudster named in a case).
3. Definitions
For the purposes of this Privacy Policy:
“GDPR” means the EU General Data Protection Regulation (Regulation (EU) 2016/679).
“Personal data” means any information relating to an identified or identifiable natural person.
“Processing” means any operation performed on personal data (such as collection, storage, use, disclosure or deletion).
“Controller” means the natural or legal person who determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person who processes personal data on behalf of the controller.
“Data subject” means any living individual whose personal data we process.
4. Categories of personal data we process
Depending on how you interact with us, we may process the following categories of personal data:
4.1 Basic contact and identification data
First name and last name
Contact details (e-mail address, telephone number, postal address)
Language, country of residence
Job title, organisation (for professional contacts)
4.2 Case-related information (victims, witnesses, involved parties)
If you contact EFRI in relation to an investment, payment or crypto-fraud case, we may additionally process:
information about your case (e.g. name of platforms, intermediaries, payment service providers, timelines and circumstances),
financial information such as transaction records, payment details, amounts lost or recovered,
copies of correspondence with scammers, providers, banks, payment processors or authorities,
documentation you provide (e.g. contracts, screenshots, invoices, account statements, KYC documents),
information relating to legal steps taken or planned (e.g. complaints, court filings, representation).
We ask you not to send us more information than necessary. However, our work often requires detailed documentation to assess cases and pursue claims.
4.3 Communication data
Content of e-mails and messages you send to us and our responses,
metadata such as date and time of communication,
notes we create in the course of case handling.
4.4 Website and technical data
When you visit our website, we may process:
IP address and approximate location (country / city level),
date and time of access,
pages visited, referrer URL,
browser type, operating system, device information,
cookie identifiers and similar online identifiers (if cookies/analytics are used; see Section 10).
We do not use this information to identify you directly unless this is necessary for security reasons or legal obligations.
4.5 Donation and payment data (if applicable)
If you make a donation or pay fees to EFRI, we may process:
payment information (e.g. IBAN, payment service provider, transaction reference),
amount, date and purpose of payment,
tax-relevant data where required by law.
5. Purposes and legal bases of processing
We process personal data only when we have a legal basis under Article 6 (and where applicable Articles 9 and 10) GDPR. In particular:
5.1 Handling enquiries, victim cases and advocacy work
Purposes
answering your enquiries and requests,
assessing and documenting fraud and loss situations,
organising and coordinating collective action (e.g. complaints, litigation, regulatory engagement),
communicating with you about your case and EFRI activities,
representing and defending the interests of affected consumers and small investors.
Legal bases
Article 6(1)(b) GDPR – performance of a contract or steps prior to entering into a contract (where we work with you based on an agreement),
Article 6(1)(f) GDPR – our legitimate interest in organising our consumer-protection work and supporting victims,
Article 6(1)(c) GDPR – compliance with legal obligations (e.g. documentation and reporting duties),
Article 9(2)(f) GDPR – establishment, exercise or defence of legal claims, where case documentation incidentally contains special categories of data,
Article 10 GDPR in conjunction with national law, where we process information relating to suspected criminal offences (e.g. details about alleged fraudsters) for the purpose of legal action and reporting to authorities.
5.2 Running and securing our website
Purposes
providing our website and its content,
maintaining IT security and preventing misuse (e.g. fraud detection, access logs),
improving website functionality and user experience (e.g. aggregated statistics).
Legal bases
Article 6(1)(f) GDPR – our legitimate interest in operating a secure and functional website,
for non-essential cookies/analytics (if used): Article 6(1)(a) GDPR – your consent (see Section 10).
5.3 Communication, newsletters and updates
If you sign up for newsletters or explicitly ask us to keep you informed:
we use your contact data to send you updates about our work, cases and relevant developments.
Legal bases
Article 6(1)(a) GDPR – your consent (subscribe/opt-in),
Article 6(1)(f) GDPR – our legitimate interest in communicating with stakeholders, where local law allows communication without prior consent (e.g. existing supporter relationship).
You can withdraw your consent or object to further communication at any time (see Section 9).
5.4 Administration, accounting and legal obligations
Purposes
internal administration (e.g. donor records, contracts, board decisions),
accounting, auditing and tax purposes,
compliance with record-keeping, reporting and association law obligations,
responding to lawful requests from courts, regulators or authorities.
Legal bases
Article 6(1)(c) GDPR – compliance with legal obligations,
Article 6(1)(f) GDPR – our legitimate interest in proper management and defence of our organisation and its activities.
6. Recipients and categories of recipients
We only share personal data where this is necessary and lawful. Possible recipients include:
Law firms and legal representatives supporting EFRI and/or individual victims in civil, criminal or administrative proceedings;
Courts, prosecutors, supervisory and regulatory authorities (e.g. financial regulators, police), where necessary to file complaints, pursue claims or respond to official requests;
IT and communication service providers (hosting providers, e-mail and case-management tools, newsletter services) acting as processors under Article 28 GDPR;
Auditors, tax advisers and accountants, where legally required;
Banks and payment service providers, in connection with payments or when clarifying transactions;
Other NGOs, partner organisations or experts, where cooperation is necessary for a specific project and only to the extent compatible with the original purpose.
All processors are bound by contracts and may only process personal data according to our instructions. We do not sell personal data.
7. International data transfers
Where service providers or cooperation partners are located outside the European Economic Area (EEA), we only transfer personal data if:
the European Commission has decided that the third country ensures an adequate level of protection (adequacy decision), or
we have concluded Standard Contractual Clauses (SCCs) or other appropriate safeguards under Articles 46 ff. GDPR and – where necessary – implemented additional technical and organisational measures.
You can request more information on international transfers and a copy of the relevant safeguards by contacting us (see Section 1).
8. Retention periods
We store personal data only for as long as necessary for the purposes described above and/or as required by law.
In particular:
Case files and related communications are retained for as long as the case, proceedings or follow-up actions may reasonably continue, plus any applicable statutory limitation periods.
Accounting and donation records are usually stored for up to 7 years (or longer where required by tax or association law).
Log data and technical records are generally kept for a short period to ensure security and may be stored longer if needed to investigate security incidents or misuse.
If processing is based on consent and you withdraw your consent, we will stop processing for that purpose. We may, however, retain minimal information to document your withdrawal and comply with legal obligations.
When data is no longer required, it will be deleted or anonymised in accordance with our internal policies.
9. Your rights as a data subject
Under the GDPR, you have the following rights in relation to your personal data, subject to the statutory requirements and limitations:
Right of access (Article 15 GDPR): to obtain confirmation as to whether we process personal data about you and to receive a copy of such data and further information.
Right to rectification (Article 16 GDPR): to request correction of inaccurate or incomplete data.
Right to erasure (Article 17 GDPR): to request deletion of your personal data, particularly where it is no longer necessary or processing is based on consent and you withdraw that consent.
Right to restriction of processing (Article 18 GDPR): to request that we temporarily or permanently restrict processing.
Right to data portability (Article 20 GDPR): to receive personal data you have provided to us in a structured, commonly used, machine-readable format and to transmit it to another controller where processing is based on consent or contract and carried out by automated means.
Right to object (Article 21 GDPR): to object at any time to processing based on our legitimate interests, especially in relation to direct communications and certain advocacy activities. We will then stop processing unless we can demonstrate compelling legitimate grounds or need the data for legal claims.
Right to withdraw consent (Article 7(3) GDPR): where processing is based on your consent, you may withdraw that consent at any time with effect for the future.
To exercise your rights, please contact us at [email protected]
10. Cookies and online tracking
Our website may use cookies and similar technologies:
Essential cookies are necessary for basic website functions (e.g. language settings, security). They are processed on the basis of our legitimate interest (Article 6(1)(f) GDPR).
Analytics or performance cookies (if used) help us understand how visitors use our website in aggregated form. These cookies are only set with your prior consent (Article 6(1)(a) GDPR), which you can withdraw at any time via the cookie settings on our website.
Detailed information on the specific cookies used, their purpose and storage duration is provided in our Cookie Notice (if available on the website). You can configure your browser to block or delete cookies. Please note that this may affect the functionality of the website.
11. Data security
We use appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
However, no method of transmission over the Internet or method of electronic storage can be absolutely secure. When you send information to us via e-mail or through the website, you do so at your own risk. If you have security concerns, please contact us to discuss alternative communication channels.
12. Copyright and intellectual property
Unless otherwise stated, all content on this website (including text, images, graphics and layout) is protected by copyright and other intellectual-property rights.
© EFRI – European Funds Recovery Initiative, 2025. All rights reserved.
Any reproduction or distribution of content requires our prior written consent, unless permitted by mandatory law.