PROTECTION OF YOUR PERSONAL DATA
This privacy statement provides information about the processing and the protection of your personal data.
Processing operation: CultureXchange collaborative online platform
Data Controller: Directorate – General for International Cooperation and Development Culture, Education, Health Unit (DEVCO B4)
Record reference: [DPR-EC-01447.1]
Table of Contents
- Introduction
- Why and how do we process your personal data?
- On what legal ground(s) do we process your personal data?
- Which personal data do we collect and further process?
- How long do we keep your personal data?
- How do we protect and safeguard your personal data?
- Who has access to your personal data and to whom is it disclosed?
- What are your rights and how can you exercise them?
- Contact information
- Where to find more detailed information?
1. Introduction
The European Commission (hereafter ‘the Commission’) is committed to protect your personal data and to respect your privacy. The Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (repealing Regulation (EC) No 45/2001).
This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor.
The information in relation to processing operation “CultureXchange platform” – the network for cultural operators and investors- undertaken by Directorate – General for International Cooperation and Development Culture, Education, Health Unit (DEVCO B4) is presented below.
2. Why and how do we process your personal data?
Purpose of the processing operation: Directorate – General for International Cooperation and Development Culture, Education, Health Unit (DEVCO B4) collects and uses your personal information to ensure the registration to, functioning and management of the online CultureXchange platform. In particular, processing of personal data is necessary in order to allow you to become part of the CultureXchange community (a member-restricted area) to access to message functionalities, to access to the match-making functionalities, connect with other members (networking functionality), create groups, events, receive the CultureXchange email alerts for notifications. Being a member of the community of users will equally allow you to publish news, events and inspiring information, as well as success stories on the CultureXchange platform.
To complete registration on the platform, users must indicate a set of mandatory information (the detail of which is listed in section 4 of this privacy statement). Additional optional information can be indicated by the user at registration process. Please note that not replying to optional field will not put you in any disadvantaged position. Registration through other social networks (i.e. Facebook, LinkedIn, twitter) is equally possible, and will allow user to automatically fill some of the fields. While doing so, no data are collected by the social network used to sign in, nor is any sent to it by CultureXchange platform.
Master administrators of the site can view the e-mail and username through the backend administration panel. Access to these details may be necessary to provide troubleshooting. The password is never visible, and remains encrypted, even for those who manage the infrastructure and development of the platform.
The system collects additional data that is visible to administrators of the platform; this information includes: Last time/date of login Last time/date of access This data provides an understanding of authenticated activity on the website, and allows the identification of inactive accounts.
All data can be modified at later stage, on the “user setting” section of the website.
At any time, users can choose to delete their account, using either the specific “delete account” section, or through the contact form. Deleting your account will result in immediate deletion of your personal data from the platform. Deletion from the platform will lead to erasure of all data from the hosting server within a month (mandatory period of data retention for backups and server logs).
In specific cases, the data processor itself can initiate the process of deleting your data. Upon a period of two years of inactivity on the platform, users are sent a mail first mail notification to resume activity or have their account deleted, initiating the deletion process. In the eventuality that the user has not been active for the subsequent year, a second mail notification is sent, informing that in the in the eventuality that you do not log in on the network, the data will be erased within 40 days.
Your personal data will not be used for an automated decision-making including profiling.
3. On what legal ground(s) do we process your personal data
We process your personal data, because it is necessary for the performance of a task carried out in the public interest:
Article 11 of the consolidated European Treaty on the European Union states: “The institutions shall, by appropriate means, give citizens and representative associations the opportunity to make known and publicly exchange their views in all areas of Union action. The institutions shall maintain an open, transparent and regular dialogue with representative associations and civil society”.
Article 21(1) of the Treaty on European Union (TEU): overall mandate and guiding principles in the field of EU development cooperation;
Articles 4(4) and 208 to 211 of the Treaty on the Functioning of the European Union (TFEU);
SabinaFurthermore, the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
4. Which personal data do we collect and further process?
In order to carry out this processing operation, the Directorate – General for International Cooperation and Development Culture, Education, Health Unit (DEVCO B4) collects the following categories of personal data:
- Mandatory data: Name; Contact details (e-mail address, country of residence) ; Geographical area of interest; Area of expertise or skills that the user may offer to the community to develop project or organize events; Short biography of the user;
- Optional data: (not replying to optional field will not put users in any disadvantage position): Profile picture, Banner image, Function and / or organization.
- Account data: log-in mail address/password.
- Data related to the activity of the user: log-in/log off time.
- User-uploaded/created data: content or files (images, text, videos) uploader, edited or created by the user.
5. How long do we keep your personal data?
Directorate – General for International Cooperation and Development Culture, Education, Health Unit (DEVCO B4) only keeps your personal data for the time necessary to fulfil the purpose of collection or further processing, namely for the registration to, functioning and management of the online CultureXchange platform.
At any time, users can choose to delete their account, either by using the specific “delete account” section, or by contacting the administrator through the contact form available online. Deleting your account will result in immediate deletion of your personal data from the platform. This includes all content created by the user (publications or else) and past activities (attendance to event, etc). All user data will be deleted from server within a month following deletion of the account (mandatory retention period for backups and server logs).
In specific cases, the data processor itself can initiate the process of deleting your data. Upon a period of two years of continuous inactivity on the platform, a first e-mail notification will be sent to users requesting them to resume activity and informing them that they will have their account deleted, initiating the deletion process. In the eventuality that the user has not been active for the subsequent year, he/she will receive a second mail notification, informing that in the in the eventuality that he/she does not log in on the network, the data will be erased within 40 days. Pending deletion of the user account, user data will be deleted within a month (mandatory retention period for backups and server logs).
Please note that the creation and functioning of the CultureXchange platform takes place in the context of the ACP EU Culture programme the implementation period of which is planned for 6 years. Under current state of affairs, no more activity will be possible on the website beyond implementation period of the ACP EU programme. Cessation of all activities will mark the beginning of the retention period, lasting up to two years as per cf. Commission Retention list , point 9.4.2.
6. How do we protect and safeguard your personal data?
All personal data in electronic format (e-mails, documents, databases, uploaded batches of data, etc.) are stored either on the servers of the European Commission or of its contractors, B&S Europe s.a.. All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.
The Commission’s contractors are bound by a specific contractual clause for any processing operations of your data on behalf of the Commission, and by the confidentiality obligations deriving from the transposition of the General Data Protection Regulation in the EU Member States (‘GDPR’ Regulation (EU) 2016/679.]
In order to protect your personal data, the Commission has put in place a number of technical and organisational measures in place. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.
7. Who has access to your personal data and to whom is it disclosed?
Access to your personal data is provided to the Commission staff responsible for carrying out this processing operation and to authorised staff according to the “need to know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements.
B&S Europe s.a. is acting as data processor of CultureXchange platform, through a service contract with the Directorate – General for International Cooperation and Development Culture, Education, Health Unit (DEVCO B4) . As such, B&S Europe is responsible for managing and promoting the CultureXchange e-platform and its community, replying to your enquiries, for technical matters, access to your personal data as "Admin" of the CultureXchange website and its Directory, and for managing CultureXcahnge email alerts and user surveys.
B&S Europe s.a., data processor of CultureXchange data, shall have an access to user data framed by the same principle mentioned before.
The personal data that you filled upon registration (be it mandatory or optional) or at any latter stage through the “profile editing” section will only be visible to members of the community, i.e. other registered user of the platform. Note that the visibility of certain information provided (personal mail address) by other members of the community can be adjusted. By default, your personal mail address is not visible to other users. Personal data (both mandatory and optional) are not visible beyond of the community of user. Specific categories of user-created content (“event” and “stories”) can be visible in the signed out-accessible area of the website, for visibility-purpose. Note however that in the website’s section accessible in log off mode, the creator of the content displayed is anonymised (only visible is the user “first name” and first letter of his/her “last name”).
To constantly improve the platform and your experience of it, CultureXchange relies on the collection of cookies, allowing the website to remember your preferences and setting, and evolve according to user traffic.
CultureXchange website uses MATOMO in order to track the information of visitors described above. For this purpose, the before-mentioned data (consisting of technical and tracking cookies) are transmitted to MATOMO. Any data collected by MATOMO is stored on servers owned by ICF Next and not transferred to third parties.
Enabling these cookies is not strictly necessary for the website to work but it will provide you with a better browsing experience. You can delete or block these cookies, but if you do that some features of this site may not work as intended.
The cookie-related information is not used to identify you personally and the pattern data is fully under the control of ICF Next.
These cookies are not used for any purpose other than those described here.
You can control and/or delete cookies as you wish – for details, see AllAboutCookies.org. You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed.
If you do this, however, you may have to manually adjust some preferences every time you visit a site and some services and functionalities may not work.
Additionally, as indicated above master administrators of the site can view the e-mail and username through the backend administration panel. Access to these details may be necessary to provide troubleshooting. The password is never visible, and remains encrypted, even for those who manage the infrastructure and development of the platform.
The system collects additional data that is visible to administrators of the platform; this information includes: Last time/date of login Last time/date of access This data provides an understanding of authenticated activity on the website, and allows the identification of inactive accounts.
8. What are your rights and how can you exercise them?
You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access, your personal data and to rectify them in case your personal data are inaccurate or incomplete. Where applicable, you have the right to erase your personal data, to restrict the processing of your personal data, to object to the processing, and the right to data portability.
You have consented to provide your personal data to Directorate – General for International Cooperation and Development Culture, Education, Health Unit (DEVCO B4) for the present processing operation. You can withdraw your consent at any time by notifying the Data Controller. The withdrawal will not affect the lawfulness of the processing carried out before you have withdrawn the consent.
You can exercise your rights by contacting the Data Controller, or in case of conflict the Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.
Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under Heading 10 below) in your request.
9. Contact information
- The Data Controller
If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller, to Directorate – General for International Cooperation and Development Culture, Education, Health Unit (DEVCO B4), EUROPEAID-B4@ec.europa.eu
- The Data Protection Officer (DPO) of the Commission
You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.
- The European Data Protection Supervisor (EDPS)
You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor (edps@edps.europa.eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.
10. Where to find more detailed information?
The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to him. You may access the register via the following link: http://ec.europa.eu/dpo-register.
This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC-01447.
The platform’s management reserves the right to remove any posted content not compliant with the objectives of the platform.