Table of content – Register of Data treatment activity ... · Activity 5 Management, publication of the ESF TP Newsletter and of the mailing list. ESF TP – Register of Data treatment

ESF TP – Register of Data treatment activity v03 – 29/01/2019 1

Table of content – Register of Data treatment activity – ESF TP (v03 – 29/01/2019)

1 REGISTER OF DATA TREATMENT ACTIVITY IN RELATION TO GDPR FOR THE ESF TRANSNATIONALITY PLATFORM – ESF TP (CONTRACTED BY DG EMPL TO AEIDL AISBL) ............................................................................................................................. 2

2 ACTIVITIES INVOLVING PROCESSING OF PERSONAL DATA ................................................................................................. 2

3 ACTIVITY DESCRIPTION ..................................................................................................................................................... 3

3.1 ACTIVITY 1 – PUBLICATION OF THE LIST OF THE MANAGING AUTHORITIES AND NATIONAL CONTACT POINTS .......................................... 3 3.1.1 Purpose(s) ...................................................................................................................................................................... 3 3.1.2 Category(ies) of concerned people ................................................................................................................................ 3 3.1.3 Type of data collected ................................................................................................................................................... 3 3.1.4 Duration of data storage of the categories ................................................................................................................... 4 3.1.5 Categories of recipients of the data .............................................................................................................................. 4 3.1.6 Transfer of data outside the EU ..................................................................................................................................... 4 3.1.7 Security measures .......................................................................................................................................................... 4

3.2 ACTIVITY 2 – MANAGEMENT AND PUBLICATION OF ORGANISATIONS, PROJECTS AND TRANSNATIONAL COOPERATION AGREEMENTS (TCAS) 6 3.2.1 Purpose(s) ...................................................................................................................................................................... 6 3.2.2 Category(ies) of concerned people ................................................................................................................................ 7 3.2.3 Type of data collected ................................................................................................................................................... 7 3.2.4 Duration of data storage of the categories ................................................................................................................. 10 3.2.5 Categories of recipients of the data ............................................................................................................................ 11 3.2.6 Transfer of data outside the EU ................................................................................................................................... 11 3.2.7 Security measures ........................................................................................................................................................ 11

3.3 ACTIVITY 3 – MANAGEMENT AND PUBLICATION OF THEMATIC NETWORK FORUMS AND LIBRARIES ..................................................... 13 3.3.1 Purpose(s) .................................................................................................................................................................... 13 3.3.2 Category(ies) of concerned people .............................................................................................................................. 14 3.3.3 Type of data collected ................................................................................................................................................. 14 3.3.4 Duration of data storage of the categories ................................................................................................................. 15 3.3.5 Categories of recipients of the data ............................................................................................................................ 15 3.3.6 Transfer of data outside the EU ................................................................................................................................... 16 3.3.7 Security measures ........................................................................................................................................................ 16

3.4 ACTIVITY 4 – MANAGEMENT AND PUBLICATION OF EVENTS (CONFERENCES, MEETINGS, SEMINARS, WORKSHOPS) ................................. 17 3.4.1 Purpose(s) .................................................................................................................................................................... 17 3.4.2 Category(ies) of concerned people .............................................................................................................................. 18 3.4.3 Type of data collected ................................................................................................................................................. 18 3.4.4 Duration of data storage of the categories ................................................................................................................. 18 3.4.5 Categories of recipients of the data ............................................................................................................................ 18 3.4.6 Transfer of data outside the EU ................................................................................................................................... 19 3.4.7 Security measures ........................................................................................................................................................ 19

3.5 ACTIVITY 5 – MANAGEMENT, PUBLICATION OF THE ESF TP NEWSLETTER AND THE MAILING LIST ....................................................... 21 3.5.1 Purpose(s) .................................................................................................................................................................... 21 3.5.2 Category(ies) of concerned people .............................................................................................................................. 21 3.5.3 Type of data collected ................................................................................................................................................. 21 3.5.4 Duration of data storage of the categories ................................................................................................................. 22 3.5.5 Categories of recipients of the data ............................................................................................................................ 22 3.5.6 Transfer of data outside the EU ................................................................................................................................... 22 3.5.7 Security measures ........................................................................................................................................................ 22


1 REGISTER OF DATA TREATMENT ACTIVITY IN RELATION TO GDPR for the ESF Transnationality Platform – ESF TP (contracted by DG EMPL to AEIDL aisbl)

Contact details of the responsible person in the organisation

technically in charge

Name: Caimi First name: Valentina Function: Team Leader Postal address:

AEIDL asbl Chaussée Saint-Pierre, 260 1040 Bruxelles/Brussel Belgium

Phone: +32 2 736 1890 e-mail address: [email protected]

Name and contact details of the person in charge of the data

protection

Name: KROEGER First name: Martin Function: DPO European Commission Postal address:

Data Protection Officer European Commission 1049 Bruxelles/Brussel Belgium

Phone: +32 2 299 11 11 (Commission switchboard) e-mail address: [email protected] General EC DPO information: https://ec.europa.eu/info/departments/data-protection-officer_en Complaints, in case of conflict, can be addressed to the European Data Protection Supervisor: https://edps.europa.eu

2 Activities involving processing of personal data

Activities Description

Activity 1 Publication of the list of the Managing Authorities and National Contact points and contact persons in the framework of the activities of the ESF TP.

Activity 2 Management and publication of the list of Organisations, national projects and Transnational Cooperation Projects (TCAs) and of their contact persons created, uploaded and maintained by the users/beneficiaries.

Activity 3 Management and publication of Thematic Network forums and libraries using the EU-Login user account management (into which users can join/resign and contribute on a voluntary basis, the information may include project examples, cases and testimonies and may include contact persons or contact details).

Activity 4 Management and publication of events (conferences, meetings, seminars, workshops) related to the ESF TP, including participants information in some cases.

Activity 5 Management, publication of the ESF TP Newsletter and of the mailing list.


3 ACTIVITY DESCRIPTION 3.1 ACTIVITY 1 – Publication of the list of the Managing Authorities and National Contact points

Description created on: 5 May 2018

Last update date: 10 January 2019

Software or application name (if relevant)

- Office documents (Word, Excel…) for daily management (stored on the internal ESF TP server) - ESF TP website (simple html page): https://ec.europa.eu/esf/transnationality/whoswho

3.1.1 Purpose(s) Describe the objectives of the personal data processing and its functions.

• To promote the official contact points (Managing Authorities and National Contacts points) related to the implementation of the ESF and ESF transnational dimension.

• This is official and public information provided by the Member States and by the DG EMPL. o In many cases the related contact and the corresponding email address are a functional mailbox not

directly connected to an identified person. o GDPR Status of the data: contractual type.

Personal related information which may appear in this activity is therefore contractual for the official part of the data. For any data which could be considered as private data related to a person (i.e. not corporate-like such as a personal mailbox or personal mobile phone, upon request it can be replaced in the corresponding lists with the data to be provided by the concerned corporate/organisation or person).

3.1.2 Category(ies) of concerned people List the types of persons of whom the data are collected or used.

1. Contact person of ESF Managing Authority or Intermediate Body in the European Union countries. 2. Contact person of National Contact Points in charge of the ESF or ESF Networks in Europe.

3.1.3 Type of data collected þ personal identity data, images (e.g. name, first name, address, pictures, birth date and place, etc.)

• Name + First name ☐ Private life data (e.g. life behaviours, Family status, etc.) þ Professional life (e.g. CV, professional status, studies, training, rewards, diplomas, etc.)

• Relation to / Involvement in a Managing Authority or National Contact point • E-mail address (in principle professional email, that email has been provided by the e-mail owner side).

☐ Financial or economical information (e.g. incomes, financial status, banking information, etc.) ☐ Connection data (e.g. IP addresses, logs, equipment identifiers, connection credentials, timestamp data, etc.) ☐ Localisation data (e.g. travels, GPS data, mobile/GSM, …) ☐ Internet (e.g. cookies, tracking information, browsing data, web analytics, …) ☐ Other categories of data (please detail): Are sensitive data processed? Data related to: racial or ethnic aspect; political opinions; religious or philosophical convictions; union registration; genetical or biometric data; sexual behaviour; health; judicial or criminal records; National identification number or social security number. ☐ Yes þ No


3.1.4 Duration of data storage of the categories How long data are kept?

• The Office documents is updated at the request of the Managing Authority, National Contact point or contact person. The latest version of the table is kept for the duration of the ESF TP contract1 + the legal duration of the data for audit purposes imposed by the contract with the European Commission. After the end of the contact, that information is archived or deleted and not accessed/exploited further.

• The web page https://ec.europa.eu/esf/transnationality/whoswho is directly updated when a request or new information is made. The latest version of this information is kept on the ESF TP website in principle for the duration of the ESF TP contract. The web page, as the rest of the ESF TP, will be managed by the DG EMPL after the end of the ESF TP contract and then be probably archived (duration to keep the corresponding data on the website will then be the decision of the services of the European Commission).

3.1.5 Categories of recipients of the data Internal recipients

1. ESF TP team (in the case of the Office documents) 2. IT services of the AEIDL (for internal servers and in the case of the Office documents) 3. Editing mode: Administrators of the Webgate servers of the European Commission (DIGIT services) 4. Editing mode: Administrators, Webmasters and publishers of the ESF TP platform (ESF TP team + some DG

EMPL team members involved in the management or implementation of the ESF TP contract). External Organisations

1. Display mode: Any visitor of the ESF TP website (in the case of the web page). Sub-contractors

1. Editing mode: TIPIK’s development team. 3.1.6 Transfer of data outside the EU Are personal data transferred outside the European Union? ☐ Yes þ No

3.1.7 Security measures Measures implemented to ensure security and privacy of data. þ Controlled access of users Describe the measures:

• For the internally stored data: credentials of the AEIDL servers and user groups. • For the Editing functions on the corresponding on-line data: EU-Login credentials and management of roles

allocated to users. • For public access: no control, data are public.

þ Tracking/traceability measures Describe the nature of the measures (example: logs of user accesses), the stored data (example: identifiers, connection timestamp, etc.) and the duration of storage:

• For the internally stored version: indication of the last user having saved the document + timestamp • For the on-line edited version: initial author and of the last user (EU-Login) having saved the information +

timestamp. þ Measures to protect data (antivirus, update, security patch, tests, etc.) Describe the measures:

• For the internally stored version: anti-virus and updated operating system is managed by the IT team of AEIDL centrally.

• For the on-line version: the security and patches of the web server are directly managed and planned by the IT services of the European Commission (DIGIT).

1 “ESF TP contract” refers to the contract between the DG EMPL of the European Commission and AEIDL association; contract “2015/S 196-354142” related to the tender “EU-level platform to facilitate the setting up of a transnational partnership, the exchange of experiences, capacity building and networking, and the capitalisation and dissemination of relevant outcomes”.


þ Backup of data Describe the measures:

• For the internally stored version: back-ups are managed by the IT team of AEIDL centrally. • For the on-line version: back-ups are directly managed by the IT services of the European Commission (DIGIT).

þ Data encryption Describe the measures (example: website accessible using https, TLS, etc.):

• For the internally stored version: no-data encryption. • For the on-line version: the ESF TP website is under https (Webgate servers managed by DIGIT).

þ Control of sub-contractors Describe the measures:

• For the internally stored version: no-access. • For the on-line version: no direct control on the internal activity of the sub-contractor. Accesses to the on-line

information are managed by the EU Login/ECAS system of the European institutions. Only indication of the last connection activity of the user accounts used by the contractor.

☐ Other measures: none


3.2 ACTIVITY 2 – Management and publication of Organisations, Projects and Transnational Cooperation Agreements (TCAs)




ESF TP website: - Partner search section mainly: https://ec.europa.eu/esf/transnationality/partners-search - Input and editing facility under myTNC: https://ec.europa.eu/esf/transnationality/my-tnc

3.2.1 Purpose(s) Describe the objectives of the personal data processing and its functions. To ease transnational cooperation activities in the ESF initiative and support Managing Authorities and their national ESF projects to find partners and promote their transnational cooperation activities. This activity provides the following opportunities:

• For the project promotors: o To create an organisation profile and attach users who have right to edit the organisation and related

project descriptions and TCAs2. o To create one or more national project descriptions by the project promotors themselves on a

voluntary basis. When published by decision of the project promotor, the project description becomes searchable and is integrated in the list of projects displayed in the partner search section of the ESF TP website. It can then be added to an on-line TCA.

o To create one or several TCA records by regrouping projects published on the ESF TP website. Any project promotor or contact person of an organisation involved in a partnering national project can edit the TCA record, validate its content and decide to submit for approval the TCA to the Managing Authorities of the involved national projects.

• For the Managing Authorities or Intermediate bodies: o to promote calls for proposals they publish/manage nationally. References to a call for proposals is

required for a national project to be part of TCA which can then be send for submission to the corresponding Managing Authorities or Intermediate Bodies.

o To on-line approve or reject their national projects in the submitted TCAs. o Some Managing Authorities uses this facility in the official submission process to a national call.

• Input and usage of this information are made on a voluntary basis and can be done by visitors having a registered and validated user account on the ESF TP website (based the EU-Login system).

• Users have the possibility to request the deletion of the corresponding information at any time (see as well point “3.2.4 - Duration of data storage of the categories”).

• Users are not obliged to provide all the data (or even, in some cases, nearly no data). It is up to the user to decide which data to provide depending on the usage the user wants to make of platform for communicating with other users or potential partners).

• Users can access the input and edition functions via their workbench (myTNC) from where all the contents he/she can edit are also regrouped. The edit button is displayed on a content when the user has editing rights on that content.

• GDPR Status of the data: o Type of data for the Organisations, Projects and TCAs NOT involved in a submission process to a

Managing Authority: Voluntary provided by the users and therefore on a “legitimate interest” for the prospective partner search done by the user.

§ This information is provided and input on a voluntary basis.

2 TCA relates to “Transnational Cooperation Agreements” and corresponding records on the ESF TP website. See https://ec.europa.eu/esf/transnationality/content/template-transnational-cooperation-agreement-tca and related support topics in the Technical Support Forum https://ec.europa.eu/esf/transnationality/forums/technical-support


§ This information can be asked for deletion at any time by the involved users and stakeholders. § Stakeholders who may be enrolled in an organisation or project record are notified

automatically to provide them the possibility delete any corresponding information and also to approve their profile/involvement or not into the system (consent request). Once approved, the profile of the person can then be contacted via the ESF TP website.

o Type of data for the organisations, projects and TCAs WHICH ARE involved in a submission process to a Managing Authority: provided and stored on “contractual” basis due to the mandatory process imposed by some Managing Authorities to obtain ESF support. Personal related information which may appear in this activity is therefore a contractual type of information for the official part of the data. For any data which could be considered as private data related to a person (i.e. not corporate-like such as a personal mailbox or personal mobile phone) it can be replaced in the corresponding lists with the data to be provided by the concerned corporate/organisation or person and approved by the involved Managing Authorities). In any case, the involved stakeholders can request to delete any information at any time. In that case, the team in charge of the ESF TP website consults the concerned Legal contacts of the involved project organisations and Managing Authorities before proceeding. In any case, the ESF TP team also acts as a facilitator in the process of uploading, updating and deleting any of those data. The stakeholders involved directly in an organisation, project or TCA record can modify the content of the concerned records.


1. Users (EU-Login) having created or edited an Organisation, a national Project and/or a TCA record. 2. Users added to an organisation record:

a. Registered and validated users (based on the EU-Login + a first and validated connection to the ESF TP website using the EU-Login system).

b. Simple email address + person name + function for people added to an organisation without having a user record yet on the ESF TP website. In that case the email of that person remains hidden and the person is notified by email to create a corresponding user profile on the ESF TP website and/or to contact the person in charge of the data processing.

3. Users added to a national project record (only validated users of the ESF TP website can be added to a project description).

4. Users representing a Managing Authority or an Intermediate Body.

3.2.3 Type of data collected Mandatory information is indicated by an asterisk (*) and information required for publication and/or TCA submission is indicated by (‡). þ personal identity data, images (e.g. name, first name, address, pictures, birth date and place, etc.)

• For the USER account (managed by the EU-Login system the update/management of the corresponding data is therefore independent from the ESF TP website.)

o First name * o Last name * o Username * (not editable – automatically generated by the EU-Login system) o E-mail address *

§ Keep my email private * (Yes/No, it is private by default) § Allow personal contact form (Yes/No, it is not-allowed by default)

o Language(s) o Picture o Time zone o Gender * (Female, Male, Other) o Title/Function * o Phone (Work) o Phone (Home)


o Phone (Mobile) o Skype ID o Country * o Subscriptions to notifications on new or updated content. (the user can fully set up the notification

process, including blocking it) o Sections (Forums) - the user can see the forums he/she is registered to and can un-subscribe directly

from any or all of the ones he/she asked to join. o Advanced access rights to private folders of the library.

☐ Private life data (e.g. life behaviours, Family status, etc.) þ Professional life (e.g. CV, professional status, studies, training, rewards, diplomas, etc.)

• Relation to an organisation record on-line as a legal contact, an operational contact or a project promotor (mandatory information at free input stage is indicated by *; and mandatory information for a TCA submission is indicated by ‡)

o For an organisation record: § Type of organisation § Organisation Name in English * (only mandatory information to start input on the

organisation) § Country * § Call for projects (‡ for TCA submission) § ESF region § Acronym or short denomination ‡ § Name in national language ‡ § Organisation department § Address § Country § Phone number § Legal contact ‡

• User name/id for an existing user in the ESF TP website • If the user doesn’t exist in the ESF TP website yet (then that person is notified as

explained above, and the data below can then be replaced by the data of the EU Login system or be deleted by the invited user):

o Name of the person o E-mail address o Role

§ Notification ‡ (for partner search and transnational cooperation), a choice is proposed: • Notification messages are sent to the Legal contact's email address (by default) • Notification messages are sent to another email address (this email address is not

displayed and can be removed at any time by any user involved as a contact of the organisation).

§ Additional contacts • User name/id for an existing user in the ESF TP website • If the user doesn’t exist in the ESF TP website yet (then that person is notified as

explained above, and the data below can then be replaced by the data of the EU Login system or be deleted by the invited user):

o Name of the person o E-mail address o Role

§ Main activity of the organisation – Free text box. § Languages spoken in the organisation § Experience & current activities of the organisation (in relation to TNC) – Free text box. § Organisation logo § Highlight / promotion text – Free text box. § Organisation logo (for the promotional section) § Highlight / promotion text (for the promotional section) – Free text box.


§ Links + Title § Attachments § Notes § Involvement in TCA (automatic information based on the TCA records).

o For a project record: § Title in English * § Country of submission * § Call for projects‡ § Title in the national language § Acronym or short denomination ‡ § Measure under which the project is presented in English § Measure under which the project is presented in the National language § Project submitted to the MA/IB responsible for the call § Project national number § Project lead organisation ‡ (from already registered and published organisations on the ESF

TP website) § Project manager ‡ (from registered and activated users on the ESF TP website) § Operational contact (from registered and activated users on the ESF TP website) § Languages spoken by the project team § Themes (from the list of themes) § Project Idea summary § Problem addressed § Objectives § Results and deliverables § Activities § Experience and facilities available § Expected partners and their roles § General comments on expectations, priorities re transnationality § Indicative budget for transnational activities § Activities (from list) + Other activity § Target groups § Links + Title § Attachments § End date of transnational activity § Project logo § Highlight / promotion text § Project logo (for the promotional section) § Highlight / promotion text (for the promotional section) § Searching * (Yes/No for partners, yes by default) § Involvement in TCA (automatic information based on the TCA records).

o For a TCA record: § TCA Title in English * § TCA Title in another language § Main contact organisation (from registered organisations) § Rationale & objectives § Work programme and working methodology § Organisation & decision-making § Partnering projects ‡ (at least 1 project listed & validated for submission to MAs), per project:

• Partner project (from list of published projects) • MAs approval status (automated data based on Decisions made by the Managing

Authority in charge of the call of the project). • Budget for Transnational cooperation activities (in €) of the project in the TCA.

§ Budget (overridden or calculated based on the budget information of the partnering projects) § Attached budget table


§ Date of signature of TCA § Attached full TCA agreement ‡ § TCA status § Other notes § Other attachments

o For a Call for proposal record: § No direct personal information is recorded. § Only indirect link to the Managing Authority organisation contractually responsible of the

corresponding call. ☐ Financial or economical information (e.g. incomes, financial status, banking information, etc.) þ Connection data (e.g. IP addresses, logs, equipment identifiers, connection credentials, timestamp data, etc.)

• Initial author of every record (automated information based on the EU-Login user account) + Timestamp • Last editor of every record (automated information based on the EU-Login user account) + Timestamp

☐ Localisation data (e.g. travels, GPS data, mobile/GSM, …) þ Internet (e.g. cookies, tracking information, browsing data, web analytics, …)

• PIWIK analytics is enabled on the ESF TP website in a basic configuration (service provided by DIGIT). ☐ Other categories of data (please detail) Are sensitive data processed? Data related to: racial or ethnic aspect; political opinions; religious or philosophical convictions; union registration; genetical or biometric data; sexual behaviour; health; judicial or criminal records; National identification number or social security number. ☐ Yes þ No 3.2.4 Duration of data storage of the categories How long data are kept?

• The content of the users, organisations, projects and TCA records on the ESF TP website reflects the latest version of the information as input by one of the users involved in the corresponding organisation, projects and/or TCAs, or as validated or rejected by a Managing Authority or Intermediate body. The latest version of this information is kept on the ESF TP website in principle for the duration of the ESF TP contract3. The web page, as the rest of the ESF TP, will be managed by the DG EMPL after the end of the ESF TP contract and then be probably archived (duration to keep the corresponding data on the website will then be the decision of the services of the European Commission).

• Any user (author, lead/operational contact) of an organisation can request the deletion of the organisation record: o The request is sent to the [email protected] mailbox o We (AEIDL) send an email back to the lead contact person and to the requesting user to make sure they

effectively want to delete the organisation. o After confirmation, if the organisation is not linked to any project/TCA, we delete the organisation. If there

are links, then we inform them that we may delete the corresponding projects and remove them from the TCA before proceeding to deleting the organisation.

• Any user (author, project manager or lead and operational contacts of the lead organisation) of a project can request the deletion of the project record:

o The request is sent to the [email protected] mailbox o We (AEIDL) send an email back to the lead contact person, to the project manager and to the requesting

user to make sure they effectively want to delete the project o After confirmation, if the project is not linked to any TCA, we delete the project. If there are links, then we

inform them that we may remove their project from the TCA before proceeding to deleting the project. • Any user (author; users involved in the optional coordination organisation of the TCA; and the project manager or

lead and operational contacts of the lead organisation of each of the partnering projects in the TCA) of a TCA can request the deletion of the TCA record:

o The request is sent to the [email protected] mailbox o We (AEIDL) send an email back to the lead contact person of each partnering project, to the project

manager of each partnering project, to the lead contact of the optional coordinating organisation of the TCA and to the requesting user to make sure they effectively want to delete the TCA.



o After confirmation, and if the TCA has not passed the green validation yet by all the concerned Managing Authorities, then we delete the TCA. If the TCA has been considered as "green" once by the Managing Authorities, we will also consult the Managing Authorities before deleting the TCA.

• Some contents on the ESF TP website are managed via cache systems of the Drupal Webgate servers on which the ESF TP has not always an influence. Therefore, when a content is created or updated, it may still visible for half a day or a day before being updated or deleted.


1. ESF TP team (including Publisher, webmaster and web Administrator roles) 2. Editing mode: Administrators of the Webgate servers of the European Commission (DIGIT services) 3. Editing mode: Administrators, Webmasters and publishers of the ESF TP platform (ESF TP team + some DG


1. Display mode: Any visitor of the ESF TP website for the web page. a. Directly in the lists generated by the Partner database section for the records which have been duly

published and/or validated. b. Indirectly (using the URL and not as part of the standard search results) for the records which in draft

mode or not fully validated. 2. Edit mode: Any author of a record can edit his/her own record. 3. Edit mode: Any ESF TP activated user under the EU-Login system who has been added as a contact of an

organisation can edit the organisation and the project and TCA records into which the organisation is part of the TCA or related projects.

4. Edit mode: Any ESF TP activated user under the EU-Login system who has been added as a Project manager or operational of a project can edit the project and related TCA records.

5. Validation mode of TCAs: Any ESF TP activated user under the EU-Login system who has been added as a contact of a Managing Authority/Intermediate Body has access to the “Accept” and “Reject” buttons displayed for the projects related to the Managing Authority in a submitted which are listed in a TCA. In a TCA, a Managing Authority/Intermediate Body can only validate the projects related to its country/call for proposals; it cannot validate the other projects involved in the same TCA.

Sub-contractors 1. Editing mode: TIPIK’s development team.

3.2.6 Transfer of data outside the EU Are personal data transferred outside the European Union? ☐ Yes þ No


• For the Editing functions on the on-line data: EU-Login credentials and management of roles allocated to users. • For public access: no control, data are public.


• For web content: initial author and of the last user (EU-Login) having saved the information + timestamp. þ Measures to protect data (antivirus, update, security patch, tests, etc.) Describe the measures:

• For the web content: the security and patches of the web server are directly managed and planned by the IT services of the European Commission (DIGIT).



• For the web content: back-ups are directly managed by the IT services of the European Commission (DIGIT). þ Data encryption Describe the measures (example: website accessible using https, TLS, etc.):

• For the web content: the ESF TP website is under https (Webgate servers managed by DIGIT). þ Control of sub-contractors Describe the measures:

• For the web content: no direct control on the internal activity of the sub-contractor. Only indication of the last connection activity of the user accounts used by the contractor.



3.3 ACTIVITY 3 – Management and publication of Thematic Network forums and libraries




ESF TP website (simple html page): - https://ec.europa.eu/esf/transnationality/forum - https://ec.europa.eu/esf/transnationality/library


• To provide a place for the ESF Thematic Networks4 via a forum tool complemented by a library repository space, and to encourage exchanges and contributions open to any contributor identified via an activated EU-Login user account.

• Each Thematic Network forum is moderated by a Thematic Network Expert designed by the ESF TP team. • When a visitor is accepted on the ESF TP website as a user (i.e. when he/she has logged into the ESF TP website

using an EU -Login account and after his/her user account has been granted access by a website administrator), he/she is automatically registered to 3 transversal forums (ESF Transnationality, Technical support of the website and the forum about the discussion on projects and partner search).

• Visitors/users can ask to join a Thematic Network forum and their request is then reviewed by moderator. • Once a user becomes a member of a Thematic Network forum, then he/she can post messages (public or

private messages) to the forum and can comment on the posts of the forum. • A member has the possibility to ask to delete a post he/she made and can edit it. • A member can unsubscribe from a forum he/she asked to join. • The list of members to a forum is public (first name + name). A logged-in user with a validated EU-Login user

account has the possibility to contact any user via the internal contact form system provided by the EU-Login system (if the recipient user has allowed to be contacted by email).

• In addition to the forum tool, each Thematic Network also have a corresponding folder at the root level of the library on the ESF TP website. The library also provides the possibility of private or public sub-folders.

• As the Thematic Networks aim at outreaching a wider audience of contributors and, at the same, being a place where a core group of key identified contributors or communities of practice, two levels of membership exist for each Thematic Network: the general Thematic Network members (the wide audience) and the core members of the Thematic Network (restricted group). These two types of members have the same rights in the forum tool, but the difference is made in the library folders as some folders can be private to the core members group only if decided by the moderator of the corresponding Thematic Network.

• Different notification systems are implemented, and users can configure the notification process as they want (even blocking any message, except the contractual or security ones, if any).

• GDPR Status of the data: o Type of data for the documents uploaded in the library relating to before GDPR enforcement: People

or personal data were provided on a voluntary basis and in most of the cases in relation to a voluntary or contractual (with a related indemnity, funding or contribution) basis. In addition, minutes of Thematic Networks or communities of practices have been validated/approved by the concerned persons. Any future related GDPR request will then be dealt with in relation to the corresponding data status at the time of the event.

o Type of data for documents uploaded in the library after the GDPR enforcement (May 2018): § Data related to workshops, publications and participation lists provided by the Thematic

Networks in the framework of the ESF TP activities are provided and stored on “contractual” basis due to the ESF support provided contractually.

§ In case a person doesn’t want to appear in future publications or minutes of a Thematic Network, that person has:

4 Thematic Networks are presented under “Networking” of the ESF TP website: https://ec.europa.eu/esf/transnationality/forum


• To unsubscribe from the corresponding Thematic Network (can be done at any time by the user on-line; or it can also be notified to the AEIDL and to the ESF TP support team by email or via usual mail at AEIDL’s or at the European Commission’s DPO).

• To inform his/her Thematic Network expert (or group) that he/she doesn’t want to be formally part of the corresponding working group and that he/she should not appear in the future corresponding minutes or publication without a formal consent from his/her side. In that case, the corresponding removed person from the Thematic Network group may not be entitled of receiving related support, funding or reimbursement of costs without re-establishing a contractual formal consent.

§ In case of participation to other activities than the contractually or already covered Thematic Network activities via a planned/agreed schedule with the participant, and when no binding/contractual relationship is engaged between the participant and the organiser, personal data asked for the organisation of the activity will be processed only in the context of the ESF Transnational Platform based on the legitimate interest the participant has in the programme. Participants will always receive the information about personal data process and can refuse before the beginning of the event/action that the ESF team keep their data for another purpose than the organisation of this specific event.


1. Any user with an EU-Login user account which has been validated by an administrator of the ESF TP website. 2. Thematic Network Experts who have been granted a moderator role by the ESF TP team.


• For the USER account (managed by the EU-Login system the update/management of the corresponding data is therefore independent from the ESF TP website.)

o First name * o Last name * o Username * (not editable – automatically generated by the EU-Login system) o E-mail address *

§ Keep my email private * (Yes/No, it is private by default) § Allow personal contact form (Yes/No, it is not-allowed by default)

o Language(s) o Picture o Time zone o Gender * (Female, Male, Other) o Title/Function * o Phone (Work) o Phone (Home) o Phone (Mobile) o Skype ID o Country * o Subscriptions to notifications on new or updated content. (the user can fully set up the notification

process, including blocking it) o Sections (Forums) - the user can see the forums he/she is registered to and can un-subscribe directly

from any or all of the ones he/she asked to join. o Advanced access rights to private folders of the library.


• The Thematic Networks forum and library folders may include minutes of meetings with list of participants. Information included in these minutes is approved by the participants before further dissemination).

☐ Financial or economical information (e.g. incomes, financial status, banking information, etc.)


þ Connection data (e.g. IP addresses, logs, equipment identifiers, connection credentials, timestamp data, etc.) • Initial author of every record (automated information based on the EU-Login user account) + Timestamp

o Topic posted in a forum o Comment or reply to a comment on a topic in a forum o Document uploaded in the library

• Last editor of every record (automated information based on the EU-Login user account) + Timestamp (as well for the topics, comments and documents).

☐ Localisation data (e.g. travels, GPS data, mobile/GSM, …) þ Internet (e.g. cookies, tracking information, browsing data, web analytics, …)

• PIWIK analytics is enabled on the ESF TP website (service provided by DIGIT). ☐ Other categories of data (please detail) Are sensitive data processed? Data related to: racial or ethnic aspect; political opinions; religious or philosophical convictions; union registration; genetical or biometric data; sexual behaviour; health; judicial or criminal records; National identification number or social security number. ☐ Yes þ No 3.3.4 Duration of data storage of the categories How long data are kept?

• The content of the web pages related to a forum topic, comment or library document are directly updated when a request or new information is made. The latest version of this information is kept on the ESF TP website in principle for the duration of the ESF TP contract5. The web page, as the rest of the ESF TP, will be managed by the DG EMPL after the end of the ESF TP contract and then be probably archived (duration to keep the corresponding data on the website will then be the decision of the services of the European Commission).

• Some contents on the ESF TP website are managed via cache systems of the Drupal Webgate servers on which the ESF TP has not always an influence. Therefore, when a content is created or updated, it may still visible for half a day or a day before being updated or deleted.




1. Display mode: Any anonymous visitor of the ESF TP website can access: a. The public content of the forums except any comment b. The list of members of a forum, but not the possibility to access the profile of a user and not the

possibility to contact a user. c. The public folders of the library and their content (possibility to download only).

2. Display mode: Any logged in ESF TP website user with a validated EU-Login account can access: a. The public content of the forums including any comment attached to a public topic. b. The list of members of a forum with the possibility to access the profile of a user and to contact a user

via the internal mailing system of the website (if the recipient allows it). c. The public folders of the library and their content (possibility to download and/or upload documents

depending on forum membership and if the moderator of a forum enabled the possibility to specific groups or users to upload documents).

d. The private folders of the library corresponding to their membership rights on a forum. 3. Edit mode: Any author of a record can edit his/her own record.



4. Edit mode: Any ESF TP activated user under the EU-Login system who has been added as a member of a forum can post a topic in a forum, add comments to a topic he/she has access to. He/she can also edit his/her own topic or comment and can ask to delete them.

5. Edit mode: Any ESF TP activated user under the EU-Login system who has been granted the moderator role of a forum can:

a. Manage the requests of users to join a forum, b. Edit the content a topic or a comment c. Create sub-folders in the library and manage access rights per folder (including the possibility to

implement a moderation on the upload of files). Sub-contractors

1. Editing mode: TIPIK’s development team.



• For the Editing functions on the on-line data: EU-Login credentials and management of roles allocated to users. • For public access: no control, data are public.


• For web content: initial author and of the last user (EU-Login) having saved the information + timestamp. þ Measures to protect data (antivirus, update, security patch, tests, etc.) Describe the measures:

• For the web content: the security and patches of the web server are directly managed and planned by the IT services of the European Commission (DIGIT).


• For the web content: back-ups are directly managed by the IT services of the European Commission (DIGIT). þ Data encryption Describe the measures (example: website accessible using https, TLS, etc.):

• For the web content: the ESF TP website is under https (Webgate servers managed by DIGIT). þ Control of sub-contractors Describe the measures:

• For the web content: no direct control on the internal activity of the sub-contractor. Only indication of the last connection activity of the user accounts used by the contractor.



3.4 ACTIVITY 4 – Management and publication of events (conferences, meetings, seminars, workshops)




- Events: https://ec.europa.eu/esf/transnationality/events - News: https://ec.europa.eu/esf/transnationality/news (+ publication on forums and in the library see point 3.3) - Temporary Office documents (Word, Excel…) for the management and contractual reporting on events (stored on the internal ESF TP server)


• To promote the activities and outcomes related to the ESF initiative and transnational cooperation. • In a few cases a contact point information or contributors to an event (speakers, facilitators) are included in

agendas of event on the basis of the information provided to the ESF TP. This information can be edited at any time by the ESF TP team. This information contributes to capitalisation of contributions and outcomes to the various works of the Thematic Networks and ESF and social innovation communities in general.

• In some cases, participant lists can be displayed on the pages of the events or in the corresponding library folder or forum topic. Especially for the ESF TP events and the Thematic Networks workshops, the participants to an event have generally agreed to be part of the event and to the dissemination of the resulting documents. A participant can contact the ESF TP by several means (phone, email, visit, post) to get the information corrected when needed.

• GDPR Status of the data: o Type of data for the documents uploaded in the library relating to before GDPR enforcement: People

or personal data were provided on a voluntary basis and in most of the cases in relation to a voluntary or contractual (with a related indemnity, funding or contribution) basis. In addition, minutes of Thematic Networks or communities of practices have been validated/approved by the concerned persons. Any future related GDPR request will then be dealt with in relation to the corresponding data status at the time of the event.

o GDPR Type of data for documents uploaded in the library after the GDPR enforcement (May 2018): § Data related to workshops, publications and participation lists provided by the Thematic

Networks in the framework of the ESF TP activities are provided and stored on “contractual” basis due to the ESF support provided contractually.

§ In case a person doesn’t want to appear in future publications, minutes, or participant list, that person has:

• To unsubscribe from the corresponding Thematic Network or forum if relevant (can be done at any time by the user on-line; or it can also be notified to the AEIDL and to the ESF TP support team by email or via usual mail at AEIDL’s or at the European Commission’s DPO).

• To inform his/her Thematic Network expert/group or the contact points of the event or action that he/she doesn’t want to be formally part of the programme/activities, and that he/she should not appear in the future corresponding minutes or publication without a formal consent from his/her side. In that case, the corresponding removed person may not be entitled of receiving related support, funding or reimbursement of costs without re-establishing a contractual formal consent.

§ In case of participation to other events (or actions) than the Thematic Network activities, and when no binding/contractual relationship is engaged between the participant and the organiser, personal data asked for the organisation of the event/action will be processed only in the context of the ESF Transnational Platform based on the legitimate interest the participant has in the programme. Participants will always receive the information about


personal data process and can refuse before the beginning of the event/action that the ESF team keep their data for another purpose than the organisation of this specific event.


1. Contributors to events (speakers, facilitators, contributors, contact points) of an event (wide sense). 2. Participants to an event or to a key outcome.


• Name + First name • Title / function • Contribution role to an event or key outcome (speaker, facilitator, contact point…)


• Depending on cases/events (information provided by the person on a voluntary basis): o E-mail o Phone o Address o Picture (mainly for contributor roles to an event).

☐ Financial or economical information (e.g.. incomes, financial status, banking information, etc.) ☐ Connection data (e.g. IP addresses, logs, equipment identifiers, connection credentials, timestamp data, etc.) ☐ Localisation data (e.g. travels, GPS data, mobile/GSM, …) þ Internet (e.g. cookies, tracking information, browsing data, web analytics, …)

• PIWIK analytics is enabled on the ESF TP website (service provided by DIGIT). ☐ Other categories of data (please detail): Are sensitive data processed? Data related to: racial or ethnic aspect; political opinions; religious or philosophical convictions; union registration; genetical or biometric data; sexual behaviour; health; judicial or criminal records; National identification number or social security number. ☐ Yes þ No 3.4.4 Duration of data storage of the categories How long data are kept?

• The web pages on the News and Events (+ related posts in the forums and library folders) are directly updated when a request or new information is made. The latest version of this information is kept on the ESF TP website in principle for the duration of the ESF TP contract6. The web page, as the rest of the ESF TP, will be managed by the DG EMPL after the end of the ESF TP contract and then be probably archived (duration to keep the corresponding data on the website will then be the decision of the services of the European Commission).




1. Display mode: Any anonymous visitor of the ESF TP website can access:



a. The public content of a news or of an event (for information documents can also be attached in a web page using the private functions of the Drupal editor and the access rights; however, that function has rarely been used on the ESF TP news or events types of content).

b. The public content of the forums except any comment c. The list of members of a forum, but not the possibility to access the profile of a user and not the

possibility to contact a user. d. The public folders of the library and their content (possibility to download only).

2. Display mode: Any logged in ESF TP website user with a validated EU-Login account can access: a. The public content of the forums including any comment attached to a public topic (for information

documents can also be attached in a web page using the private functions of the Drupal editor and the access rights; however, that function has rarely been used on the ESF TP news or events types of content).

b. The list of members of a forum with the possibility to access the profile of a user and to contact a user via the internal mailing system of the website (if the recipient allows it).

c. The public folders of the library and their content (possibility to download and/or upload documents depending on forum membership and if the moderator of a forum enabled the possibility to specific groups or users to upload documents).

d. The private folders of the library corresponding to their membership rights on a forum. 3. Edit mode: Any author of a record can edit his/her own record. 4. Edit mode: Any ESF TP activated user under the EU-Login system who has been added as a member of a forum

can post a topic in a forum, add comments to a topic he/she has access to. He/she can also edit his/her own topic or comment and can ask to delete them.

5. Edit mode: Any ESF TP activated user under the EU-Login system who has been granted the moderator role of a forum can:

a. Manage the requests of users to join a forum, b. Edit the content a topic or a comment c. Create sub-folders in the library and manage access rights per folder (including the possibility to

implement a moderation on the upload of files). Sub-contractors

• Editing mode: TIPIK’s development team. 3.4.6 Transfer of data outside the EU Are personal data transferred outside the European Union? ☐ Yes þ No 3.4.7 Security measures Measures implemented to ensure security and privacy of data. þ Controlled access of users Describe the measures:

• For the internally stored data: credentials of the AEIDL servers and user groups. • For the Editing functions on the corresponding on-line data: EU-Login credentials and management of roles

allocated to users. • For public access: no control, data are public.


• For the internally stored version: indication of the last user having saved the document + timestamp • For the on-line edited version: initial author and of the last user (EU-Login) having saved the information +

timestamp. þ Measures to protect data (antivirus, update, security patch, tests, etc.) Describe the measures:

• For the internally stored version: anti-virus and updated operating system is managed by the IT team of AEIDL centrally.


• For the on-line version: the security and patches of the web server are directly managed and planned by the IT services of the European Commission (DIGIT).


• For the internally stored version: back-ups are managed by the IT team of AEIDL centrally. • For the on-line version: back-ups are directly managed by the IT services of the European Commission (DIGIT).

þ Data encryption Describe the measures (example: website accessible using https, TLS, etc.):

• For the internally stored version: no-data encryption. • For the on-line version: the ESF TP website is under https (Webgate servers managed by DIGIT).

þ Control of sub-contractors Describe the measures:

• For the internally stored version: no-access. • For the on-line version: no direct control on the internal activity of the sub-contractor. Accesses to the on-line

information are managed by the EU Login/ECAS system of the European institutions. Only indication of the last connection activity of the user accounts used by the contractor.



3.5 ACTIVITY 5 – Management, publication of the ESF TP Newsletter and the mailing list




- Registration to the newsletter: http://eepurl.com/c0vEXn - Newsletter repository: https://ec.europa.eu/esf/transnationality/filedepot/folder/39 - Mailing list management via MailChimp


• To keep ESF related audience and communities of practice informed about ESF TP activities and on transnational cooperation and social innovation news or practices.

• To promote the technical contributions and publications produced by the ESF TP team, the European Commission or any related community of practice.

• To inform users about events or workshops organised by the ESF TP • The MailChimp mailing list system

o is independent from the database of users registered to the ESF-TP website via the EU-Login system. o The GDPR function has been activated in the MailChimp mailing lists o The users in the MailChimp mailing lists are registered on voluntary basis and can unsubscribe from

the corresponding mailing-list at any time by clicking the unsubscribe link included in every related email (automated process without the need of an intervention by the ESF TP team). In addition, a user/registered member of a mailing-list can directly ask us by email, phone or post to be removed from all the mailing lists.

o The unsubscribe automated link is included in each mailing done via the MailChimp general mailing list.

• The mailing-list are the ESF TP (and DG EMPL related unit) use only. The list is not shared with other entities and is not used for other usages.

• GDPR Status of the data: o The general mailing list has been built based on legitimate interest identified by the usage of the ESF

TP website or partner search tools, by the participation to related events, by the direct requests of users to receive the ESF TP newsletter.

o Other mailing lists are maintained in relation to formal roles which constitute a contractual consent, especially for activities related to Call for proposals, Managing Authorities, National Networks or Thematic Networks. Any request in relation to GDPR enforcement in those contexts are dealt with in relation to the involved stakeholders and contractual representatives.


1. Any person willing to be kept informed about ESF TP related activities. 2. Managing Authorities contact persons officially involved in the ESF activities. 3. European Commission representatives directly involved in the ESF or ESF TP activities (at the request of the

DG EMPL in the case of specific events for instance). 4. Thematic Network experts in charge of the moderation of the Thematic Networks.


• Optional: Name + First name ☐ Private life data (e.g. life behaviours, Family status, etc.) þ Professional life (e.g. CV, professional status, studies, training, rewards, diplomas, etc.)


• Optional: Organisation name • Optional: Country. • Mandatory: e-mail address (usually professional email, that email has been provided by the e-mail owner side).

☐ Financial or economical information (e.g. incomes, financial status, banking information, etc.) ☐ Connection data (e.g. IP addresses, logs, equipment identifiers, connection credentials, timestamp data, etc.) ☐ Localisation data (e.g. travels, GPS data, mobile/GSM, …) ☐ Internet (e.g. cookies, tracking information, browsing data, web analytics, …) ☐ Other categories of data (please detail): Are sensitive data processed? Data related to: racial or ethnic aspect; political opinions; religious or philosophical convictions; union registration; genetical or biometric data; sexual behaviour; health; judicial or criminal records; National identification number or social security number. ☐ Yes þ No 3.5.4 Duration of data storage of the categories How long data are kept?

• The newsletter is a published in a paper copy version. Therefore, the content of the newsletter is usually frozen as it has been officially published. An electronic version (pdf) of the newsletter is published on-line in the library repository of the ESF TP website. If some content effectively requires an update related to GDPR issues, the request can be made to the ESF TP which will consider the best solution to address the issue.

• The latest version of this information is kept on the ESF TP website in principle for the duration of the ESF TP contract7. The web page, as the rest of the ESF TP, will be managed by the DG EMPL after the end of the ESF TP contract and then be probably archived (duration to keep the corresponding data on the website will then be the decision of the services of the European Commission).

• The general mailing list on MailChimp is automatically managed via the unsubscribe and automated tools provided by MailChimp.



EMPL team members involved in the management or implementation of the ESF TP contract). 4. In addition for the email of a mailing campaign, any user of the above recipients who registered to the mailing-

list. External Organisations

1. Display mode – recipient of an email of a mailing campaign: any user who registered to the mailing-list. 2. Edit mode – Unsubscribe from or profile editing in the MailChimp system: any user registered to the mailing-

list who has received an email due to a mailing campaign and who as clicked on the unsubscribe link included of the email.

Sub-contractors • None


3.5.7 Security measures Measures implemented to ensure security and privacy of data. 7 “ESF TP contract” refers to the contract between the DG EMPL of the European Commission and AEIDL association; contract “2015/S 196-354142” related to the tender “EU-level platform to facilitate the setting up of a transnational partnership, the exchange of experiences, capacity building and networking, and the capitalisation and dissemination of relevant outcomes”.


þ Controlled access of users Describe the measures:

• For access to the content and usage of the Mailchimp mailing list: o Via the MailChimp user accounts o Administration of the accesses to the MailChimp mailing list and tools are granted by the ESF TP team

(only the ESF TP team has access to it). þ Tracking/traceability measures Describe the nature of the measures (example: logs of user accesses), the stored data (example: identifiers, connection timestamp, etc.) and the duration of storage:

• MailChimp implement the following statistics: o If the email has been read/clicked (for audience measurement). o Type of device of the recipient (to assess needs of the readers) o Country of the recipient (to assess language and cultural needs)

þ Measures to protect data (antivirus, update, security patch, tests, etc.) • MailChimp as a sub-contractor has the obligation to ensure the security of the data • In case of security breach, MailChimp are obliged to inform the concerned people and client.

☐ Backup of data ☐ Data encryption Describe the measures (example: website accessible using https, TLS, etc.): ☐ Control of sub-contractors ☐ Other measures: none

Documents

Table of content – Register of Data treatment activity ... · Activity 5 Management, publication of the ESF TP Newsletter and of the mailing list. ESF TP – Register of Data treatment