Privacy Notice
This Privacy Notice explains how we collect, use, store, and protect your personal data when you use ECLIPSE learning platform. It also outlines your rights regarding your personal information and how you can contact us with any privacy-related questions.
Europol’s Collaborative Learning and Information Platform for Secure Education Learning Management System
Privacy Notice
The purpose of this Privacy Notice is to inform about the collection and use of personal data (hereinafter the processing of personal data) within the Europol’s Collaborative Learning and Information Platform for Secure Education (ECLIPSE) Learning Management System (hereinafter ECLIPSE).
What is the purpose of the processing of personal data?
Personal data is processed to ensure User management and provide appropriate access rights for the ECLIPSE community members (training participants and trainers) to the respective modules of the ECLIPSE in accordance with their roles in the implementation of learning activities.
Personal data of training participants is processed for the performance of the training courses, for understanding which training participant has participated in which course, and for tracking progress and providing personalised certificates of completion.
Personal data of trainers is processed to assign trainers to specific courses and manage their teaching schedules effectively, and to issue certificates for participants with trainers' signatures.
Personal data is also processed to support governance processes, support information security and audit log activity.
What is the legal basis for the processing of personal data?
Europol is committed to User privacy. All personal data processed by Europol are handled in accordance with the provisions of Regulation 2018/1725 (the EUDPR).
The legal basis for processing is provided in Article 5(1)(a) of Regulation 2018/1725, namely because the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body. Article 4 (1) of the Amended Europol Regulation provides that “Europol shall perform the following tasks in order to achieve the objectives set out in Article 3: provide specialised training and assist Member States in organising training, including with the provision of financial support, within the scope of its objectives and in accordance with the staffing and budgetary resources at its disposal in coordination with the European Union Agency for Law Enforcement Training (CEPOL)”. Processing of personal data of trainers and training participants is required for this task.
In addition, processing is necessary for the performance of a contract to which EUROPOL is part, specifically Addendum nr. 12 to the agreement on cooperation concerning training activities organised jointly by Europol and CEPOL (#1439188), as well as contracts with universities or private companies for providing training.
Which personal data are collected?
Personal data shall mean any information relating to an identified or identifiable natural person; where "identifiable person" means a person that can be identified, directly or indirectly.
ECLIPSE will process personal data of trainers and training participants for the purpose of managing, creating and delivering courses and for participating in courses.
The following personal data of ECLIPSE Users are collected through the registration process:
Name, Gender, Phone Number, Personnel Number, Email Address, Name Employer, Function, Nationality, Law Enforcement Domain, Department/Unit/Team, Educational/learning data (enrolled courses, coursework submissions and assignments, grades, assessments, course completion status, certificates awarded), Activity logs (IP address logs, login and access times).
The source of information is EPE where personal data are stored.
Personal data are considered sensitive and subject to specific processing conditions:
o personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
o trade-union membership;
o genetic data, biometric data processed solely to identify a human being;
o health-related data;
o data concerning a person’s sex life or sexual orientation.
o References
No sensitive data will be collected.
Which non-personal data are collected?
For historical, statistical or scientific purposes, only non-personal data such as the number of courses given in a certain year, the number of participants in a course, nationality and gender of participants, will be kept and stored.
Which categories of Users’ personal data are collected?
Data on the following categories of persons are collected and stored:
• Europol - All Staff
• Europol - Contractors
• Europol - Law Enforcement Officers
• Europol - Liaison Officers
• Europol - Seconded National Experts
• Europol - Task Force Officers
• Europol - Trainees & Interns
• External Users from:
o Other EU institutions and bodies (e.g. Frontex, European Commission, Eurojust)
o MS Law enforcement
o Private parties, such as training companies
o International organisations (e.g. UN, ICC, NATO)
Who can access personal data and to whom can they be disclosed?
FULL ACCESS
• Europol (O1-24 and O1-25 Teams, Europol ICT Support Team, Europol DPF)
Who are the Data Controller and the Data Processor?
The Data Controller is the legal person who determines the purposes and means of the processing of personal data. In particular, the Data Controller has the duties of ensuring the quality of data on computer or in structured manual files.
The Data Controller is the Deputy Executive Director Operations –ODMO@europol.europa.eu
The Data Processors are Avetica B.V., TrueFullstaq (registered in The Netherlands) and Microsoft Azure as sub-processor (registered in United States of America, with offices in the EU).
How long are personal data kept?
• Personal data of Europol Users are kept for 5 years starting at the end of their contract.
• Personal data of external Users, such as, – training participants are kept for 2 years after their last login activity.
• Personal data of external Users, such as, – trainers from other EU institutions, agencies and bodies, MS Law enforcement and international organisations are kept for 5 years after their last login activity.
• Personal data of external Users, such as, – trainers from Private Parties are kept for six months after the expiry of the framework contract with the private party that provided the trainer.
• As long as a User is active personal data is needed and maintained for identification process.
• All data related to the Users who lost their active roles in ECLIPSE will be erased within 1 year after the termination of such a role meaning that they will no longer receive ECLIPSE notifications or be able to connect to ECLIPSE; they will no longer be visible in the User directory of the module they had a membership to.
• Administrative personal data (stored for User Access) are reviewed every two years.
Personal data can be rectified, deleted or access restricted on request via the following email address: ECLIPSE@europol.europa.eu
How does the controller ensure data accuracy?
ECLIPSE has the following capabilities:
• Data Registry: to view which personal data are stored across the solution, define retention periods, and see which plugins handle User data.
• Data Requests (Export & Delete): Users (or admins on their behalf) can request exports of all stored personal data or request its deletion (“right to be forgotten”).
• Plugin Privacy Reports: to see what personal data each plugin stores, how it is used, and whether it supports export/deletion.
What security measures are in place?
The ICT solution is based on Moodle Workplace instance offered by Avetica, hosted in a public cloud, using a shared tenant setup. The solution benefits of redundant WAF/DDoS protection for incoming traffic.
ADFS federation via the EPE is used for authenticating and authorizing Users accessing ECLIPSE.
In addition, the solution foresees three security components:
1. Data control: the solution has the data security capability to prevent unauthorised reading, copying, modification or removal of personal data.
2. Storage control: the solution has the data security capability to prevent unauthorised input, inspection, modification or deletion of personal data.
3. Data retention: the solution provides a proper data retention mechanism for personal data in line with Europol's data retention policy.
Moreover, any Artificial Intelligence (AI) functionality is by default disabled.
Are data transferred to a third-party?
Yes
Where are personal data stored?
Data are stored at:
1) EUROPOL premises in the Netherlands for User enrolment purposes in EPE, and synchronised with the Moodle Workplace SaaS infrastructure for authentication and authorisation purposes; and
2) the data centre of the hosting party, i.e. Microsoft Azure, region West Europe. Hosting provided by TrueFullStaq.
The software solution in the cloud is provisioned as SaaS in a European data centre. The Vendor, Avetica, maintains Moodle Workplace, TrueFullStaq, manages the Cloud environment and Microsoft maintains the underlying infrastructure.
What are the rights of a data subject?
A data subject has the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to a decision based solely on automated processing.
This can be requested via the following email address: ECLIPSE@europol.europa.eu
Who to contact for queries concerning the processing of personal data?
Europol Data Protection Function (DPF) is the initial point of contact for all data protection issues.
Address: DPF, PO Box 90850, 2509LW The Hague
E-Mail: DPF@europol.europa.eu
You also have the right of recourse at any time to the European Data Protection Supervisor (edps@edps.europa.eu).