eTwinning Privacy Policy
The European School Education Platform (referred here as ‘the Platform’) is the successor of the School Education Gateway and the eTwinning platforms. Launched in 2022, this multilingual online platform aims to be the meeting point for all school staff (from early childhood education and care, to primary and secondary levels, including initial vocational education and training), researchers, policy makers and other stakeholders in the school education field.
Personal data are provided in 2 layers:
- Registration with EU login as “general” users, in order to participate in the activities (such as taking part in the online courses or submit listings) and to be able to use all the features of the platform (such as commenting articles, adding items in favourites, or saving searches).
- Additional registration as eTwinning user (eTwinner): A specific area of the Platform is ‘eTwinning’ which offers a restricted area for staff working in a school (teachers, head teachers, librarians, etc.), in one of the countries involved, to communicate, collaborate, develop projects, share and engage in the online community. Users who apply to eTwinning have to be validated by National Support Organisations of their countries to become an eTwinner and have access to the restricted eTwinning area, where they can communicate, collaborate, meet, chat, develop projects, participate in professional development activities, etc.
The present privacy policy corresponds to the “eTwinning users” of the platform, which are already register as “general users” and therefore have already accepted the “general users” privacy policy.
NB. At the moment of launching the European School Education Platform, existing users of eTwinning and/or of the School Education Gateway must create an EU Login account with the same email address used when registering in eTwinning or on the School Education Gateway in order to synchronise their old and new accounts, including migration of personal data to the new account.
Personal data collected when registering in eTwinning and through the participation in eTwinning activities are either processed at national level, where the National Support Organisations (NSO) are the Data Controllers, or at European Union level, where EACEA is the Data Controller.
All personal data are dealt with in accordance with the applicable data protection legislation.
- At EU level, the Regulation (EU) No 2018/1725 (1) on the protection of personal data by the Union institutions and bodies applies.
- At the national level, for members of the European Union (EU) and the European Economic Area (EEA), the General Data Protection Regulation ('GDPR') applies (2). All data processing operations under the control of the NSO comply with its provisions.
- For countries which are not members of the EU or of the EEA, personal data is processed according to the applicable national legislation, except if personal data from persons in the EU Member States or the EEA is processed. In this case, the GDPR applies.
The following Privacy Statement outlines the policies by which EACEA collect, manage and use the personal data of the concerned individuals in eTwinning. It also gives information about some processing of personal data by NSO.
1. Who is responsible for processing your personal data?
At EU level – eTwinning area in the European School Education Platform
When data are processed at EU level the Data Controller is the European Education and Culture Executive Agency.
The person designated as being in charge of the processing operations is:
Head of Unit A6 of EACEA
European Education and Culture Executive Agency
Avenue du Bourget 1, BE-1049 Brussels
Email: eacea-eplus-etwinning@ec.europa.eu
In addition, EACEA works with the following processors:
EUN Partnership AISBL (hereinafter called European Schoolnet) runs the eTwinning Central Support Service as a contractor of the European Education and Culture Executive Agency.
Rue de Trèves, 61 (3rd floor)
1040 Brussels
Belgium
Tel: +32 2/790 75 75
Email: info@eun.org
Website: www.eun.org
Tremend Software Consulting SRL provides the digital services needed to manage and maintain school-education.ec.europa.eu also as contractor of EACEA.
83 Cluj Stroot, bl. 8B, sc. 1, floor 7, ap.32
RO-030134 Bucuresti (Bucharest)
Romania
Tel: +40-21-223-7700
Email: hello@tremend.com
Website: https://tremend.com/
The EU Commission Directorate-General for informatics (DG DIGIT) provides the IT hosting service for the European School Education platform, including the eTwinning area.
At a national level – eTwinning national portals
When data are processed at a national level (for instance to organise national activities, see below), the Data Controllers are the specific support services (NSO).
See the list of the persons in charge of the processing operations with each NSO.
2. Which personal data are processed and how?
At EU level – eTwinning area in the European School Education Platform
The data subjects are complainants, correspondents and enquirers and individuals who decide to register in the eTwinning restricted area (validated school staff) after having registered as a “general user” on the European School Education Platform. Also and any person participating in the activities organised by the eTwinning users.
The following personal data are processed in the context of eTwinning.
- Concerning the physical characteristics of persons as well as the image, voice or fingerprints (optional). Optional personal information is collected for the member profile and a registrant can decide whether to give that data or not. The optional information entails images.
- Concerning the data subject's private sphere (optional): Information from forums and other online communication tools: the Platform offers public forums (or similar third-party communication tools) as part of its collaborative spaces. On these online tools the users may share comments, thoughts, photos, videos and other resources on a voluntary basis.
- Concerning the data subject's career (optional): The Platform may receive personally identifiable information when information is provided in response to a survey (in this case the user is asked to provide consent for sharing such information). If the person participates in an online course or in a project, we may collect certain student-generated content, such as assignments submitted, peer-graded assignments and peer grading student feedback. Course data is also collected, such as student responses to quizzes, forum entries and surveys.
- Concerning missions and journeys: Participants may take part in events onsite in their country or another one. They may submit information for the purpose of participating in such initiatives.
- Concerning names and addresses, including email addresses (mandatory)
- The school and the professional role in the school (mandatory)
- For NSO representatives they upload themselves their personal data (contact details and name of the organisation)
NB. Unsolicited personal data revealing racial or ethnic origin, political opinions, revealing religious or philosophical beliefs, trade-union membership, concerning health, genetic data, biometric data for the purpose of uniquely identifying a natural person, concerning sex life or sexual orientation or of this nature can be submitted by the data subjects, which will however be disregarded and not processed.
The Platform offers users the opportunity to participate in online courses restricted to eTwinning users through the EU Academy. Enrolment for an online course requires creating a user account in eTwinning after having registered as a general user on the European School Education Platform (see above), but no additional personal information is required.
More in particular for eTwinning at European level, this means:
a) Mandatory data
- Registrant data: role at school (if a teacher: the subjects taught), communication language(s), age range of pupils;
- User’s school data: official school name, address, town, email address, region and country.
- User’s school Principal’s data: name, surname, professional email address.
b) Optional data (these data may be provided only in case you are further involved in eTwinning activities):
- Registrant data: User’s description, list of contacts within the eTwinning area, list of projects, picture of the registrant, photos and other information related to the usage of the platform.
- Other data: Registrants may also participate in projects’ TwinSpaces, eTwinning Groups and (online) events. In these cases, registrants can submit information for the purpose of participating in such initiatives. Access to such platforms is restricted to their registered and validated members only ("eTwinners").
They can also submit other information in the context of the use of the restricted space of the platform as well as post messages and other material in forums, blogs and other sections of the restricted space of the platform.
In TwinSpaces and Groups, users may use and embed third party tools. These tools apply their own privacy policies which are clearly shared with end-users. By using such third party tools, users accept that their personal data will be processed by these third parties (as controllers).
For eTwinning at a national level – eTwinning national portals:
The following personal data are processed in the context of eTwinning.
a) Mandatory data - provided by EACEA to the NSO via the eTwinning area in the Platform
- Registrant data: username, email address, name, surname, role at school (if a teacher, the subjects taught), communication language(s), age range of pupils, user’s description.
- User’s school data: official school name, address, town, email address, region and country
- School Principal’s data: name, surname, professional email address.
b) Technical information: Data related to the eTwinning Community are provided by the users themselves by submitting online forms in the dedicated eTwinning areas of the Platform and accessible by the various national services.
c) Specific data for on-site initiatives: Participants may take part in on-site Professional Development activities. In this case, they may be requested additional information (for instance to arrange travels) for the purpose of participating in such initiatives.
3. For which purpose do we process your data?
At EU level – eTwinning area in the European School Education Platform
The processing of data is necessary to:
- Allow users to use platform’s services such as:
- posting comments and listings,
- using different platform features such as favourites or saved searches,
- enriching users’ profiles,
- handle helpdesk inquiries, follow up on posts and messages which were ‘reported’ by other users, etc,
- allow Platform users to communicate and collaborate in the spirit of mutual trust and respect,
- allow and facilitate monitoring and research activities,
- develop outreach and communication purposes within the framework of the Platform and its services,
- send registered users updates and relevant information related to the Platform, and to inform registered users of other related activities they might be interested in within European Commission’s initiatives,
- enable online course administration and implementation,
- enable and improve the user experience within this and similar future projects developed by the European Commission via access control, tracking usage frequency, search behaviours, preferences and settings,
- allow for collection, categorisation and summary of user contributions in the forums and other discussion tools,
- provide aggregated statistics, including, but not limited to, the number of users during a specific period, the preferred subjects and/or countries chosen by users and account usage,
- provide information about registrants’ activities within and outside eTwinning to establish and maintain online community’s activities;
- allow registrants to find partners and set up projects;
- provide information about their eTwinning projects;
- in general, allow eTwinning registrants to communicate and collaborate in the spirit of mutual trust and respect; and,
- allow and facilitate monitoring and research activities.
When users register in eTwinning they can also sign up for the eTwinning newsletters sent at central and national level. By signing up, users accept to share their email address for this purpose.
Registrants’ data is validated at national level by the respective NSO.
At a national level – eTwinning national portals
The eTwinning NSO use the personal data submitted when registering for the European School Education Platform and for eTwinning to:
- validate the personal information submitted by the user;
- promote eTwinning national activities;
- dissemination of national newsletters and notifications;
- registration for courses and events;
- participation in surveys.
Users may also choose to contact directly the NSO to stay informed of eTwinning activities. If users choose to contact the NSO directly, personal data will be solely used for the purposes of responding to messages or managing registrations.
Personal data can never be used for marketing purposes.
4. On which legal basis do we process your personal data?
At EU level
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body (to be laid down in Union Law) (Article 5(1)(a) of Regulation (EU) 2018/1725):
- Regulation (EU) 2021/817 of the European Parliament and of the Council of 20 May 2021 establishing Erasmus+: the Union Programme for education and training, youth and sport and repealing Regulation (EU) No 1288/2013 (OJ L 189, 28.5.2021, p. 1–33).
- Commission Implementing Decision (EU) 2021/173 of 12 February 2021 establishing the European Education and Culture Executive Agency.
- Commission Decision C(2021)951 and its annexes delegating powers to EACEA for the management of programmes in the MFF 2021-2027.
Processing that are not covered by the above legal bases are based on consent of the data subject (Article 5(1)(d) of Regulation (EU) 2018/1725).
At national level
The legal basis is performance of a contract signed between EACEA and EU/EEA NSO (Article 6 (1)(b) of Regulation (EU) 2016/679: Grant agreement signed between EACEA and NSO (Invitation to Submit and Activity Plan EACEA 17/2018, EACEA 18/2018 and EACEA ERASMUS-EDU-2022-ETWIN-NSO-IBA).
For NSO based on third countries their national legislation applies.
You can contact the respective NSO for information on the legislation applicable to each country.
5. How long do we keep your personal data?
At EU and national levels
Regarding the data related to the profiles of eTwinning users, the personal data related to the profile of the eTwinning users are kept for a maximum of three years after the user's last login in the eTwinning area. After one year from the last login, the user profile will automatically be set to inactive, i.e., no longer visible to other users or the outside world. The user can re-activate her/his account by logging in again. A reminder is sent after two additional years informing the user that, three years after her/his last login, his/her profile will be anonymised.
In the event that users ask for the anonymisation of their account or the account is automatically anonymised, the personal data will be erased.
Data will be kept only in an anonymous form that does not allow for personal identification. If users with a deleted profile want to continue using the platform, they will need to register again. The data remain solely for research and monitoring purposes at the disposal of EACEA, the European Commission, national or regional school authorities, authorities in charge of implementing eTwinning (Central Support Service and National Support Organisations) and other third parties (see point 6) under the authorisation of the Data Controller in an aggregated format.
To deactivate or delete an account, please contact the Central Support Service (see point 6 below) at: privacy@esep-support.eu.
6. Who has access to your personal data and to whom is it disclosed?
At EU level – eTwinning area in the European School Education Platform
For the purposes detailed above, access to the eTwinner data is strictly limited to:
Access to the eTwinners data is strictly limited to:
- eTwinning validated users (upon login) can see the following data of other users: full set of data except users' email address and school leader’s data,
- authorised staff of EACEA and the European Commission (DG EAC and DG DIGIT): full set of data,
- Authorised staff of the organisation contracted by EACEA to implement the eTwinning component of the ESEP platform, i.e. Central Support Service (European Schoolnet) and digital service provider (Tremend Software Consulting SRL): full set of data,
- National Support Organisations: have access to registrant data submitted on eTwinning.net in order to validate/manage their registration and certain activities (NSO have only access to the data of users of their respective countries).
- JRC designated staff for personal data of eTwinners who decide on a voluntary basis to follow training courses on the EU Academy platform.
The transfer of specific data to other third parties (e.g., research centres and universities) can be permitted under specific authorisation of the data controller, and in such cases any data will be transferred in an anonymous format.
Some personal data will be accessible within the restricted area of eTwinning, of the eTwinning Groups and TwinSpaces only to the respective members of these areas.
In addition, data may be disclosed to public authorities, and processed by these authorities in compliance with the applicable data protection rules according to the purpose of the processing, including inter alia:
- The European Court of Justice or a national judge or authority as well as the lawyers and the agents of the parties in case of a legal procedure;
- The competent Appointing Authority in case of a request or a complaint lodged under Articles 90 of the Staff Regulations;
- OLAF in case of an investigation conducted in application of Regulation (EC) No 1073/1999;
- The Internal Audit Service of the Commission within the scope of the tasks entrusted by article 118 of the Financial Regulation and by article 49 of the Regulation (EC) No 1653/2004;
- IDOC in line with Commission Decision of 12 June 2019 laying down general implementing provisions on the conduct of administrative inquiries and disciplinary proceedings - C(2019)4231 and Commission Decision (EU) 2019/165 of 1 February 2019 Internal rules concerning the provision of information to data subjects and the restriction of certain of their data protections rights in the context of administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings;
- The Court of Auditors within the tasks entrusted to it by Article 287 of the Treaty on the Functioning of the European Union of the EC Treaty and Article 20, paragraph 5 of Regulation (EC) No 58/2003;
- The European Ombudsman within the scope of the tasks entrusted to it by Article 228 of the Treaty on the Functioning of the European Union;
- The European Public Prosecutor’s Office within the scope of Article 4 of Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office.
Personal data can never be used for marketing purposes.
Transfers of personal data into third countries: certain NSO are based outside the European Union or the European Economic Area in the following third countries: Albania, Algeria, Armenia, Azerbaijan, Bosnia and Herzegovina, Georgia, Jordan, Lebanon, Moldova, Montenegro, North Macedonia, Serbia, Tunisia, and Turkey. Please note that for these countries, the EU has not adopted an adequacy decision pursuant to Article 47 of Regulation (EU) 2018/1725, hence certifying that your personal data once transferred, will benefit from an adequate level of protection in the third country of destination. Therefore, the level of protection of your personal data transferred will depend on the law or practice of that third country and, as a result, your rights as regards data protection might not be equivalent to those in and EU/EEA country or a country with an adequacy decision. However, the NSO is bound by data protection clauses, with technical and organisational security obligations, under a grant agreement signed with the EACEA. The users may request to obtain a copy of these clauses by contacting the controller. The Central Support Service is bound by data protection clauses under a service contract signed with the EACEA.
Some data submitted by users will be displayed, only after having given their explicit consent, on the Networking area of the Platform, which means that such data are freely accessible on the Internet. In this case the user has the right to delete their data. The data which becomes public is the following:
- Registrant data: first name, last name, belonging school, also the picture of the user will be publicly displayed.
- School data: official school name, town, region, country.
- Project data: name, description, languages, age range of pupils, partner details, registration date and closing data (if available).
Other data submitted by users on the eTwinning area (e.g., messages in forums, online discussions and threads, files and pictures) are only visible to other registered users related to the eTwinning areas of the Platform where they have been uploaded (e.g., eTwinning Groups, TwinSpace).
At a national level – eTwinning national portals
For the purposes detailed in point 3, access to the data is strictly limited to:
- National Support Organisations: national or regional school authorities in charge of implementing eTwinning at national level and keeping contact with the users of their respective countries. Each NSO can access the personal data of the users of its respective country.
See the list of the persons in charge of the processing operations with each NSO.
7. How do we protect your personal data?
At EU level – eTwinning area in the European School Education Platform
The Platform servers are hosted on Amazon Web Services in the European Data Centres. DG DIGIT manages the cloud infrastructure in a highly secured environment. Only authorised personnel have access to the storage media at the Data Centres and the sites are subject to strict physical security.
DG DIGIT ensures the security of the IT hosting service in conformance with the Commission's Information Security Policy and Framework and DG DIGIT's complementary Information Security Policy Framework. See also Commission Decision C(2006)3602 of 16 August 2006 concerning the "Security of information systems used by the European Commission" and "Implementing rules of 16.8.2006 concerning the security of information systems used by the European Commission".
Personal data is only communicated using HTTPS encryption. No personal data is transported using storage media. Additionally, any database backups are sanitised and user information is anonymised.
DG DIGIT provides to the CSS technical team anonymised database dumps. The database back-up service is behind a password-protected system. The anonymised database is used for platform development. All development servers are utilising strong password access and where required VPN encrypted connection, and in many cases biometric access. Online platforms used as part of the project use password protected access, permission systems to prevent anyone but those authorised any access to personal data. No database back-ups containing personal data is stored on any removable storage devices.
Only a limited number of named individuals (maximum 3) from the development team in Tremend have access to the highest level of permission in information systems, and where personal data is stored in a document or database, it is only on a needs-access basis. By ensuring that the lowest number of users have access to the information systems, the data processor ensures the lowest level of risk.
Data in transit is encrypted via SSL/TLS, management access and data transfers on platforms are done securely.
A contractual clause about data protection is included in the contract with the processors (service providers) EUN and Tremend to ensure that personal data are processed in compliance with the applicable legislation.
NSO that wish to process data for national activities access the information stored at central level.
8. What are your rights concerning your personal data and how can you exercise them?
You have the right to:
- Request to access the personal data we keep on you;
- Request a rectification of your personal data or make the correction yourself in your profile;
- Request, under certain conditions, the erasure of your personal data;
- Request, under certain conditions, the restriction of the processing of your personal data;
- Object at any time to the processing of your personal data on grounds relating to your particular situation;
- Request for your data to be transferred to another organisation in commonly used machine-readable standard format (data portability);
You have the right to object to processing of your personal data on grounds relating to your particular situation under the provisions of Article 23 of the Regulation (EU) 2018/1725.
You also have the right not to be subject to automated decisions (made solely by machines) affecting you, as defined by law.
In addition, as this processing of your personal data is based on your consent [Article 5(1)(d) or Article 10(2)(a) of the data protection regulation], please note that you can withdraw it at any time, and this will have effect from the moment of your retraction. The processing based on your consent before its withdrawal will remain lawful.
Article 25 of Regulation (EU) 2018/1725 provides that, in matters relating to the operation of EU institutions and bodies, the latter can restrict certain rights of individuals in exceptional circumstances and with the safeguards laid down in that Regulation. Such restrictions are provided for in internal rules adopted by EACEA and published in the Official Journal of the European Union.
Any such restriction will be limited in time, proportionate and respect the essence of the above-mentioned rights. It will be lifted as soon as the circumstances justifying the restriction are no longer applicable. You will receive a more specific data protection notice when this period has passed.
As a general rule you will be informed on the principal reasons for a restriction unless this information would cancel the effect of the restriction as such.
You have the right to make a complaint to the EDPS concerning the scope of the restriction.
At EU level – eTwinning area in the European School Education Platform
To exercise your rights at European level, in most cases (access, rectify, request the restriction, object the processing of your data) you can contact the European Data Controller (EACEA), see point 1.
If you would like to erase your data from eTwinning, you can contact the Central Support Service at: privacy@esep-support.eu.
At a national level – eTwinning national portals
For any questions on your rights and the exercise of your rights related to the processing of personal data by the support services at national level (via their national eTwinning websites and/or newsletters and notifications) you may contact the Data Controllers of each country (see the list of contacts in point 1).
9. Your right to have recourse in case of conflict on any personal data issue
At EU level – eTwinning area in the European School Education Platform
In case of any concern or issue on any personal data protection issue you can address yourself to the controllers at the above mentioned address and functional mailbox.
You can also contact EACEA's Data Protection Officer at the following email address: eacea-data-protection@ec.europa.eu.
You may lodge a complaint with the European Data Protection Supervisor at any time: https://edps.europa.eu/.
At a national level – eTwinning national portals
In case of conflict on any personal data protection issue you can address yourself to the responsible national controllers.
If you feel that your data protection rights have been infringed, you may contact the Data Protection Authorities in the country where you or the NSO are based.
Комментариев нет:
Отправить комментарий