User policies and agreements


The EU Academy Privacy Statement



PROTECTION OF YOUR PERSONAL DATA

This privacy statement provides information about
the processing and the protection of your personal data.

 

Processing operation: EU Academy e-learning platform

Data Controller: JRC.S.4

Record reference: DPR-EC-05546.2

 

Table of Contents

1.       Introduction

2.       Why and how do we process your personal data?

3.       On what legal ground(s) do we process your personal data?

4.       Which personal data do we collect and further process?

5.       How long do we keep your personal data?

6.       How do we protect and safeguard your personal data?

7.       Who has access to your personal data and to whom is it disclosed?

8.       What are your rights and how can you exercise them?

9.       Contact information

10.     Where to find more detailed information?


1. Introduction

The European Commission (hereafter ‘the Commission’) is committed to protecting your personal data and to respecting your privacy. The Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (repealing Regulation (EC) No 45/2001).

This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor.

The information in relation to processing operation “EU Academy e-learning platform” undertaken by JRC.S.4 is presented below.

2. Why and how do we process your personal data?

Purpose of the processing operation: JRC.S.4 collects and uses your personal information to ensure the functioning, management and promotion of the information and education platform called EU Academy. In particular, data is collected and processed for the following specific purposes:

Automated processing operations: 

  • To identify returning visitors to ensure a good user experience. 

  • To identify logged in users and provide them with necessary tools and dashboards. 

  • To provision learning content appropriate to the role of the user. 

  • To provision learning content appropriate to the interest of the user. 

  • To deliver on-platform personalised recommendations and learner journeys. 

  • To ensure that the user history of activity is easily accessible to the user in his or her role. 

  • To generate or make available to users certificates and badges related to learning progress. 

  • To manage online subscription to and dissemination of newsletters. 

  • To manage generation and transmission of automated messages.

Manual processing operations: 

  • To ensure a satisfactory user experience when using the platform. 

  • To ensure satisfactory individual and social learning experiences when consuming platform content. 

  • To collect information related to use of the platform by individuals and groups for the purposes of compiling aggregated reports. 

  • To ensure correct management and monitoring of educational objectives of EU programmes and initiatives. 

  • To monitor the type of users enrolled in learning content. 

  • To monitor the number or types of users registered on the platform. 

  • To monitor the number or types of users registered to EU programmes and initiatives. 

  • To organise trainings, including management of participant lists. 

  • To ensure efficient management and resolution of platform incidents, user-reported issues and associated helpdesk operations. 

  • To perform backup and restore operations related to the platform or its content.

  • To resolve platform or content technical issues reported by users involving configurations at user level. 

  • To generate individual or aggregated reporting related to user behaviour and content adoption on the platform. 

  • To communicate through the platform with users regarding content they are enrolled to or granted access to or related initiatives of potential interest to users.

The EU Academy is a modern online learning platform designed for external stakeholders, working and aspiring professionals, and public and third sector organisations and businesses, involved in the implementation of EU policies in Member States and regions, and beyond. The platform offers state of the art tools for delivery of learning materials and resources (e.g. online courses and events, interactive live classroom experiences, skills assessments, and learning community management services). For the purpose of delivering learning services, the platform brings together content providers/publishers, teachers, mentors, learning managers, programme and platform administrators, who collectively deliver the learning experience on the platform to its learners and visitors. The various roles that convene to design, deliver and manage the learning experiences on the platform are performed either by staff of the EU Institutions or by approved contractors subject to confidentiality requirements.

Your personal data will not be used for automated decision-making, including profiling.

3. On what legal ground(s) do we process your personal data?

We process your personal data because, according to Article 5(1)(d) of Regulation (EU) 2018/1725, you have given consent to the processing of your personal data for specific purposes. We do not process special categories of personal data; therefore Article 10 of Regulation (EU) 2018/1725 does not apply.

In addition, we process your personal data for the purpose of creating and maintaining log files, under Article 5(1)(a) and 5(2) and in line with the EC Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission and the Commission Information Systems Security Policy C(2006)3602. 

4. Which personal data do we collect and further process?

In order to carry out the processing operations described in this privacy statement, JRC.S.4 collects and processes the following categories of mandatory and non-mandatory personal data:

Mandatory data collection

Data provided as required by EU Login: 

  • First name, last name, email address.

Data pertaining to individual and group user behaviour and content-related activity: 

  • Content enrolled, started, finished, certificates and badges awarded, grades attained, log files.

Data pertaining to the capture of personal data (image/video and/or voice) in the delivery of educational content: 

  • Recording and storing of data pertaining to image/video and/or voice.

Data pertaining to the collection of consent of users who are 13 years of age or above, including adults:

  • Name, surname, birthdate, birthplace, signature.

Data pertaining to users who under EU Regulation 2018/1725 are considered minors (under 13 years of age):

  • Name, surname, age, place and date of birth, parental / legal consent to access content, signature of parents / legal guardians.

Non-mandatory data collection

Data pertaining to participation of certain users in EU programmes or projects and necessary to provide a satisfactory user experience to these programme participants: 

  • EU programme and project related data. This data is provided by Content Development and Delivery Service Providers under the authorisation of their respective EU programmes or activities.

Identification data used to facilitate the experience of returning users: 

  • Cookies, IP address.

Identification data used to provide a seamless user experience related to content provisioning on the platform: 

  • City, country, preferred language of communication, topics of interest, professional summary, occupation, experience level, highest level of education attained, employer, organisation type, industry, motivation for learning.

Identification data used to provide services in conjunction with other EU platforms and initiatives: 

  • Users who have given consent to receive newsletters, share progress information, badges, certificates awarded with other EU web sites and platforms, identified by first name, last name and email address.

Other types of data specific to the processing operation: 

  • Educational or instructive videos and capture of image and/or voice for which the provision of personal data is not mandatory and collection or processing of this data will be based on prior consent.

Data collected for the purposes of providing helpdesk services: 

  • First name, last name, email address.

5. How long do we keep your personal data?

JRC.S.4 only keeps your personal data for the time necessary to fulfil the purpose of collection or further processing, namely:

Data provided as required by EU Login: EU Login data is collected upon first registration/first use of the platform. Data will be stored on the site as long as the registered user is active, and no request has been made by the registered user to the data controller to remove him/her from the platform and service. 

After five years of continuous inactivity or upon email request from the user, his/her data and any related user generated data will be anonymised.

Data pertaining to users who under EU Regulation 2018/1725 are considered minors: Data will be stored on the site as long as the registered user is active, and no request has been made by the registered user or consent giver to the data controller to remove him/her from the platform and service. After five years of continuous inactivity or upon email request from the user, his/her data and any related user generated data will be anonymised.

Data pertaining to the capture of personal data (image/video and/or voice) in the delivery of educational content: Data will be stored on the site as long as the registered user is active, and no request has been made by the registered user to the data controller to remove him/her from the platform and service. After five years of continuous inactivity or upon email request from the user, his/her data and any related user generated data will be anonymised.

Data pertaining to participation of certain users in EU programmes or projects and necessary to provide a satisfactory user experience to these programme participants: Data will be stored on the site as long as the registered user is active, and no request has been made by the registered user to the data controller to remove him/her from the platform and service. After five years of continuous inactivity or upon email request from the user, his/her data and any related user generated data will be anonymised.

Identification data used to facilitate the experience of returning users: Data will be stored on the site as long as the registered user is active, and no request has been made by the registered user to the data controller to remove him/her from the platform and service. After five years of continuous inactivity or upon email request from the user, his/her data and any related user generated data will be anonymised.

Identification data used to provide a seamless user experience related to content provisioning on the platform: Data will be stored on the site as long as the registered user is active, and no request has been made by the registered user to the data controller to remove him/her from the platform and service. After five years of continuous inactivity or upon email request from the user, his/her data and any related user generated data will be anonymised.

Identification data used to provide services in conjunction with other EU platforms and initiatives: Data will be stored on the site as long as the registered user is active, and no request has been made by the registered user to the data controller to remove him/her from the platform and service. After five years of continuous inactivity or upon email request from the user, his/her data and any related user generated data will be anonymised.

Automatically generated log data related to user, application and data access: All data access information is stored in log files that are kept for a period of 12 months, and personal data is encrypted after 6 months. Log files pertaining to user and application access are kept for two months by DG DIGIT B1 and DG DIGIT S.

Data generated as a result of helpdesk operations: Data collected for the purposes of analysing and resolving technical platform and content issues is collected on an as needed basis and kept for a period of 1 year after closure of the incident, after which it is removed from the . Statistical, monitoring and reporting exercises will rely on aggregated data.

Data related to the provision of consent: consent forms are stored for as long as users are active and are deleted as soon as users delete / request deletion of their account.

6. How do we protect and safeguard your personal data?

Provisions are in place to ensure professional management of the IT related assets (hardware, software, cloud infrastructure) underpinning the correct delivery of the EU Academy platform and the services outlined in section II. The following policies apply:

  • Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission. 

  • Information Security Policy and Internal Rules for handling ICT Information Security Incidents; the Commission Information Systems Security Policy C(2006)3602. 

7. Who has access to your personal data and to whom is it disclosed?

Access to aggregated and individualised learner data may be granted to the staff of the Union institutions, bodies, offices and agencies on a “need to know” basis for the purposes of any processing operations in which they are involved (including managing platform and helpdesk operations, managing content, providing training services and reporting related to learners, groups of learners, and learning taking place on the platform and other services described in section II). These staff include platform managers, content owners, programme managers, learning managers, mentors, teachers and assistants, where tasked to follow or report on the progress of learners. Such staff abide by statutory, and when required, additional confidentiality agreements.

Access to aggregated and individualised learner data may be granted on a “need to know” basis to approved contractors of the Union institutions, bodies, offices and agencies where necessary for the provision of programme management and content delivery services related to learners and learning taking place on the platform and other services described in section II. The roles undertaken by approved contractors may include platform and helpdesk management, content management, programme management, learning management, mentoring, teaching, reporting and assistance. Such contractors abide by contractual confidentiality agreements.

Data recipients have access only to data categories necessary for the processing operations they undertake, according to their role in the project. For example, Data Hosting Service Providers will have access to all platform data, while other service providers, i.e. those providing Platform Development and Maintenance Services, Content Development and Delivery Services, Daily Platform Administration Services or External Helpdesk Services will have access only to the data necessary to fulfil their assigned role.

A full description of all platform roles and the data categories to which they have access is provided in the data record accompanying this privacy statement (DPR-EC-05546). Learning resources such as videos and documents containing personal data provided for the purposes of delivering learning content and for which prior consent has been granted (name and username of speakers/moderators) are accessible to users registered to this learning content. 

8. What are your rights and how can you exercise them?

You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access, rectify or erase your personal data and the right to restrict the processing of your personal data. Where applicable, you also have the right to object to the processing or the right to data portability.

You have consented to provide your personal data to JRC.S.4 for the present processing operation. You can withdraw your consent at any time by notifying the Data Controller. The withdrawal will not affect the lawfulness of the processing carried out before you have withdrawn the consent.

You can exercise your rights by contacting the Data Controller, or in case of conflict the Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.

Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under Heading 10 below) in your request. 


9. Contact information

  • The Data Controller

If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller: 

  • The Data Protection Officer (DPO) of the Commission

You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.

  • The European Data Protection Supervisor (EDPS)

You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor (edps@edps.europa.eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.

10. Where to find more detailed information?

The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to him. You may access the register via the following link: http://ec.europa.eu/dpo-register.

This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC-05546.2 - EU Academy e-learning platform.