Use and Management Policy


This policy outlines the rules, responsibilities, and acceptable use requirements for accessing and using the Moodle learning platform. By proceeding, users agree to comply with these guidelines to ensure a secure, respectful, and effective learning environment.

Europol’s Collaborative Learning and Information Platform for Secure Education Learning Management System 

 

Use and Management Policy

 
 
 
 
 

TABLE OF CONTENTS

 
Abbreviations and terminology 3
1. INTRODUCTION 6
1.1. Purpose and scope of the Policy 6
1.2. Target Group 7
1.3. Owner, approval and management of the Policy 7
1.4. Related Policies and documents 7
2. POLICY STATEMENTS 7
2.1. Intended use of ECLIPSE 7
2.2. Copyright and other Intellectual Property Rights 8
2.3. Confidentiality Regulations 8
2.4. User Roles and Responsibilities 8
2.5. Access to ECLIPSE 9
2.6. User access provisioning 9
2.7. Conditions for terminating access 10
2.8. Review of access rights 10
2.9. Protection of authentication information 10
2.10. Security awareness training for Europol Users 10
2.11. Monitoring the use of ECLIPSE by the ECLIPSE Business Product Manager 10
2.12. Training 11
2.13. Audit of system use 11
2.14. Protection of log information 11
2.15. Data retention and deletion 11
2.16. Unacceptable use 11
2.17. Handling of security breaches 12
3. POLICY ENFORCEMENT 12
4. REVIEW OF THE POLICY 12
5. ENTRY INTO FORCE 12
 
 
 
Abbreviations and terminology
The table below shows the commonly used abbreviations and terminology used within ECLIPSE.
Term/ Abbreviation Definition
Access: Ability to make use of an ICT resource and/or data.
Access Control: Software mechanism for granting or denying access and certain privileges to ICT resources and data processed in them. 
AmER: Amended Europol Regulation.
Application: Software that provides functions required by one or more ICT services implemented to satisfy business needs. 
Authentication: Process of establishing confidence in a claimed identity. Authentication can occur through a variety of mechanisms including password, challenge-response, time-based code sequences, biometric comparison, or other techniques.
BPL: Basic Protection Level. All information processed by or through Europol shall be subject to a basic protection level unless specifically marked or clearly recognisable as Europol Public Information.
EDOC: Electronic document.
ECLIPSE: Europol’s Collaborative Learning and Information Platform for Secure Education. This is the Learning Management System of Europol.
ECLIPSE Course Manager: An individual who manages the creation, maintenance and scheduling of courses.
ECLIPSE Operations Manager: This person oversees the day-to-day operational activities of ECLIPSE and acts as a liaison between different user groups.
ECLIPSE SysAdmin: System Administrator – individual responsible for the technical management and maintenance of ECLIPSE.
ECLIPSE User: All individuals holding an ECLIPSE account. 
EPE: Europol Platform for Experts.
EPE User Account: A unique user profile on EPE that allows an individual to access, participate in, and track his/her activities and progress.
EPE User Authoriser: Each Europol National Unit/National Contact Point (ENU/NCP) appoints EPE User Authorisers and is responsible for validating the creation of new accounts and changes to them from experts in their Member States and Europol Third Parties.
Europol National Unit (ENU): Europol National Unit in a Member State.
Identification: Act of presenting information to claim an identity.
Identity: Fundamental concept of uniquely determining an entity (person, computer, etc.) within a context (which may be local, corporate, national, etc.).
 
International organisations: As referred to in Article 2(e) of Europol Regulation, they include organisations and their subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
Member State: European Union Member State bound by the Europol Regulation.
Privileged User: User entrusted with permissions to modify group memberships and/or other configuration and metadata settings in ECLIPSE.
SaaS: Software as a Service. SaaS is a method for delivering software applications over the Internet where cloud providers host and manage the software.
Third countries: It refers to non-EU States and EU Member States that are not bound by the Europol Regulation or subject to its application, with which there is established cooperation through a cooperation agreement or administrative arrangements in accordance with Article 25(1) of Europol Regulation.
 
 
 

1. INTRODUCTION

The Europol’s Collaborative Learning and Information Platform for Secure Education Learning Management System (hereinafter “ECLIPSE”) provides an online learning environment to enhance training efficiency, consistency, and accessibility through a modern, centralised platform at Europol. 
The Operations Directorate (OD) at Europol is tasked with creating, organising, and coordinating training programs for OD staff and external stakeholders.
1.1. Purpose and scope of the Policy 
The aim of this document (hereinafter the “policy”) is to define the rules, regulations and limitations governing the use, management and administration of ECLIPSE by the stakeholders. Where appropriate, it identifies specific responsibilities and accountabilities. 
The policy focuses on giving direction about what can be done, when and where it must take place, and who is responsible, rather than how things should be done. The ‘how’ is detailed in User guides, process descriptions, training materials and other business documentation.
The policy covers the aspects of the current implementation of ECLIPSE under the Europol legal and security framework:
  1. Background
ECLIPSE falls under the following strategic and regulatory documents/objectives:
  • Amended Europol Regulation (“AmER”) and the associated implementing rules, support the implementation of ECLIPSE: Art 4 (1): “Europol shall perform the following tasks in order to achieve the objectives set out in Article 3: provide specialised training and assist Member States in organising training, including with the provision of financial support, within the scope of its objectives and in accordance with the staffing and budgetary resources at its disposal in coordination with the European Union Agency for Law Enforcement Training (CEPOL);”.
 
  • Europol Programming Document 2023 – 2025 (under “Analysis Coordination, A.7.3 Reinforce analysis training capabilities at Europol to ensure full coverage of training needs on the new analysis environment: Further develop the analysis training environment and a learning management solution for assessing the impact of training on quality”).
2. Intended Use
Explaining the intended and correct use of ECLIPSE.
2. Tasks and Responsibilities
Summarising the tasks and responsibilities of ECLIPSE community, including Europol staff and external Users, as to the use and management of ECLIPSE.

3. Access Control and Configurations

Describing the access authorisation for the end Users, User roles, access rights and conditions for granting and terminating access.

4. Security

Explaining the rules and regulations governing the system and data security.
 
5. System Specific Administration
Explaining the rules and regulations governing ECLIPSE administration, including the technical and business support arrangements.
 
1.2. Target Group
The policy is written for:
• Those Europol staff members who are directly responsible and involved in the management of ECLIPSE; 
• Users: Europol staff and ECLIPSE community members from the EU Member States, Third Countries, EU institutions and bodies, private parties, and International Organisations;
• Interested Parties: For general transparency purposes, the policy can be consulted by Europol officials, as well as officials from Member States having an interest in this domain and by any relevant oversight body such as for instance the European Data Protection Supervisor (EDPS) and national data protection authorities of Member States.
The following personal data of ECLIPSE Users are collected through the registration process:
Name, Gender, Phone Number, Personnel Number, Email Address, Name Employer, Function, Nationality, Law Enforcement Domain, Department/Unit/Team, Educational/learning data (enrolled courses, coursework submissions and assignments, grades, assessments, course completion status, certificates awarded), Activity logs (IP address logs, login and access times).
1.3. Owner, approval and management of the Policy
This policy is owned and managed by the ECLIPSE Business Product Manager within O1-24 Team.
The current and future updated versions of this policy shall be approved by the Deputy Executive Director for Operations.
1.4. Related Policies and documents
The following documents should be read in conjunction with this policy:
• Amended Europol Regulation (“AmER”) - EDOC#1237223
• Regulation 2018/1725 (the EUDPR) on the protection of natural persons with regard to the processing of personal data
• Europol Programming Document 2023 – 2025 - EDOC#1192222
• Record of processing activities - EDOC#1344887Privacy notice   EDOC#1524922
 

2. POLICY STATEMENTS

2.1. Intended use of ECLIPSE
ECLIPSE provides adequate functionality to support the following tasks: 
 
  •  Centralised delivery and management of digital learning content (courses, modules, multimedia materials)
  • •User enrolment, role-based access control, and learner lifecycle management
  • Course creation, configuration, scheduling and curriculum structuring
  • Assessment management, including quizzes, assignments, grading, and feedback
  • Progress tracking, completion monitoring, and learner analytics/reporting
  • Communication tools such as announcements and discussion forums
  • Compliance, certification tracking, and automated credential issuance
  • ECLIPSE administration, configuration, and ongoing system optimisation
 
The following principles and assumptions apply to ECLIPSE:
 
 
Guiding Principles
  • Purpose & Educational Value: ECLIPSE is intended to support effective, high-quality learning, teaching, and assessment. The use of ECLIPSE must align with the organisation’s educational, training, and strategic objectives.
  • Accessibility & Inclusivity: ECLIPSE will be designed and managed to ensure adequate access for all Users, including compliance with accessibility standards. Learning materials should follow organisational design and usability best practices.
  • Data Protection & Privacy: personal data will be collected, stored, and processed in accordance with applicable data protection regulations and only insofar as necessary for the purposes of ECLIPSE. Users’ privacy and confidentiality shall be respected at all times Users’ privacy and confidentiality shall be respected at all times, and appropriate safeguards shall be in place to ensure the lawful, fair and secure processing of personal data.
  • Security & System Integrity: ECLIPSE must be used in a manner that protects system security, availability, and integrity. Unauthorised access, misuse, or disruption of ECLIPSE is prohibited.
  • Accountability & Appropriate Use: Users are responsible for their actions within ECLIPSE. All activity must comply with organisational policies, codes of conduct, and acceptable use standards.
  • Quality & Consistency: Learning content and system configurations should meet agreed quality standards. Consistent structures and processes are encouraged to enhance User experience.
  • Continuous Improvement: ECLIPSE will be regularly reviewed and enhanced based on User feedback, analytics, and evolving needs. Policies and procedures will be updated as required.
 
Key Points
  • User Roles & Responsibilities: Users will be assigned roles (e.g., learners, instructors, administrators) with defined permissions. Role-based access governs what Users can view, create, modify, or manage
  • User Competency & Support: Users are expected to have basic digital literacy. 
  • Content Ownership & Responsibility: content creators are responsible for the accuracy, legality, and appropriateness of materials uploaded. Intellectual property rights must be respected.
  • Security Management: As a general principle, no operational data shall be exchanged in ECLIPSE; all ECLIPSE Users work in strict compliance with information security and personal data protection rules – both of Europol and their respective places of origin. In addition, all data which falls under the scope of ECLIPSE is considered transmitted by Europol to ECLIPSE Users according to their access privileges at the moment of granting access to ECLIPSE. Any file uploaded to ECLIPSE that contains viruses or any other possible malicious content, will be discarded automatically. Users must ensure that any files downloaded from ECLIPSE are scanned in compliance with their organisation's security policies before opening or distributing them.

2.2. Copyright and other Intellectual Property Rights

ECLIPSE is an ICT solution using Moodle Workplace that is offered as a SaaS solution provided by a private party, Avetica B.V. (the “Vendor”). No title to or ownership of Moodle Workplace is transferred by the Vendor, who shall retain all right, title in and to all intellectual property rights in the software. 
Title and ownership rights in and to the configuration and content accessed through ECLIPSE are the property of Europol. 
Europol acts as controller for the processing carried out in ECLIPSE; the vendor acts only under documented instructions, subject to an appropriate contractual framework and technical and organisational safeguards.
 

2.3. Confidentiality Regulations

ECLIPSE shall be used for exchange and visualisation of strategic, non-operational data up to and including Basic Protection Level (BPL).
 

2.4. User Roles and Responsibilities

ECLIPSE Privileged Users:
  • ECLIPSE SysAdmin: the responsible person for maintaining the module from a technical perspective. This role is with Europol C1-ICT Department. Since ECLIPSE is delivered as a SaaS solution, the SysAdmin role will be fulfilled by the Technical Product Manager (TPM); and
  • ECLIPSE Operations Manager: the responsible person for overseeing the enforcement of the policy from a business perspective and for approving new User accounts, managing User access, folder permissions and files within ECLIPSE. 
ECLIPSE Users:
  • Europol - All Staff 
  • Europol - Contractors 
  • Europol - Law Enforcement Officers 
  • Europol - Liaison Officers 
  • Europol - Seconded National Experts 
  • Europol - Task Force Officers 
  • Europol - Trainees & Interns 
  • External Users from:
o Other EU institutions and bodies (e.g. Frontex, European Commission, Eurojust)
o MS Law enforcement 
o Private parties, such as training companies
o International organisations (e.g. UN, ICC, NATO)
 
ECLIPSE Auditors: 
Europol Data Protection and Information Security staff designated to review the use and configuration of the system, in the context of their areas of competence.
 

2.5. Access to ECLIPSE

ECLIPSE Users
ECLIPSE is accessible via the open internet and requires prior user enrolment via EPE. User credentials are set and provided via EPE.
Access to the Users shall be granted only to designated ECLIPSE members.
Europol Data Protection Function: staff members, authorised and appointed by the Head of the Data Protection Function, for the purpose of auditing the use of ECLIPSE;
Europol Information Security: staff members, authorised and appointed by the Head of Security, for the purpose of security auditing in relation to compliance with the information security framework;
ECLIPSE Business Product Manager: for the purposes of overseeing the enforcement of the policy, facilitating the business processes, retrieving statistics and providing end-User support.
 

2.6. User access provisioning

ECLIPSE Users shall be given the least privileged User role and access rights required to perform their tasks and duties on a need-to-know principle. 
 
ECLIPSE account creation and authentication are currently facilitated by Europol Platform for Experts (EPE). 
 
If the ECLIPSE User has already an EPE User Account, the registration of a new User to ECLIPSE is triggered by an EPE e-mail invitation issued by the ECLIPSE Operations Managers. Existing EPE User Account holders need to be invited by ECLIPSE Operations Managers because they cannot self-request access to ECLIPSE through EPE, being ECLIPSE not visible for regular EPE Users.
 
Conversely, if the ECLIPSE User does not have an EPE User Account yet, the registration of a new User to ECLIPSE is triggered by an EPE e-mail invitation issued by the ECLIPSE Operations Managers, which includes the creation of an EPE User Account as an intermediate step, through an invitation to EPE to be validated by authorised persons from the ENU or Liaison Bureau who have the role of EPE User Authoriser.
 
ECLIPSE Operations Managers are responsible for inviting and authorising their own Users to ECLIPSE (not to EPE).
 
After the EPE User Account is authorised by an EPE Authoriser, an approval shall be provided by the ECLIPSE Operations Managers before the account is created in ECLIPSE.
 
For Europol internal Users, invitations shall be initiated and approved by the ECLIPSE Operations Managers. 
 
After the confirmation of the ECLIPSE Account creation, the new ECLIPSE Users will be able to access the Application on the browser at: https://eclipse.europol.europa.eu  
 
Users are strongly advised not to record additional personal information such as photos, addresses, or social media accounts, in order to minimise unnecessary data processing within the Application. 
 

2.7. Conditions for terminating access

ECLIPSE access can be revoked by ECLIPSE Operations Managers. 
Access to members shall be terminated in the following cases:
  • Closure of ECLIPSE.
  • Breach of information security rules.
  • Breach of the terms of use of ECLIPSE.
  • Termination of appointment of the ECLIPSE member.
 

2.8. Review of access rights

ECLIPSE Business Product Managers shall ensure that User access rights are regularly reviewed and that unnecessary access rights are revoked in a timely manner. 
The DPF and Information Security auditors may also perform a review of access rights at their own discretion.
 

2.9. Protection of authentication information

ECLIPSE shall be accessed by means of EPE credentials and two-factor authentication. 
ECLIPSE Users shall:
  • Not disclose his/her login credentials to any other party;
  • Not allow another party to use his/her login credentials;
  • Not attempt to discover any other User’s login credentials; and
  • Take all precautions to ensure that his/her login credentials are adequately secured.
In case an ECLIPSE User becomes aware that the security of their login credentials might have been compromised, the matter must be reported in accordance with section 2.17 of this policy. 
 

2.10. Security awareness training for Users

In accordance with EDOC-#904163-Europol Security Awareness Policy, all Europol Users are required to follow security awareness training on confidentiality, information security and physical security.
Failure to take the required training may lead to denegation of access to Europol ICT services.
 
External users, including Third-country or other third-party users (including at Member States), are made aware of relevant security implications and expected conduct applicable to the use of ECLIPSE by a welcome message, listing basic rules , which is display when they connect for the first time, along with another message, which requires the users to read and accept, announcing the security rules summarizing the content of the security awareness training.
 

2.11. Monitoring the use of ECLIPSE by the ECLIPSE Business Product Manager 

ECLIPSE Business Product Manager shall be responsible for monitoring the overall proper use and management of ECLIPSE and should therefore have access to all the necessary information in order to fulfil this role, using tools such as User usage report.
Access to user-level information should be limited to what is strictly necessary, proportionate, and role-based, and is recommended that the policy defines more clearly what monitoring may entail and under which safeguards it is performed.
For the purpose of ensuring the proper use and management of ECLIPSE, the ECLIPSE Business Product Manager may consult relevant administrative personal data included in the usage-related information, such as user access data, account status, enrolment information, course participation data and system usage reports, insofar as necessary for platform administration, user support, compliance verification and misuse prevention
Should the ECLIPSE Business Product Manager identify any inconsistencies, they shall report them to concerned party/parties, in order for them to correct the information or practices as necessary. 
 

2.12. Training

Trainings will be coordinated by different ECLIPSE Course Managers. Successful completion of the course will be recorded in the dedicated field linked to authorisation approval. 
In addition, ECLIPSE Users will have access to relevant training materials, including the User manual for ECLIPSE.
 

2.13. Audit of system use

With the purpose of solving technical or security issues such as bugs or hacking, ECLIPSE shall generate logs for the collection, alteration, access, consultation, disclosure, including transfers, combination and erasure of personal data. The logs of consultation and disclosure shall make it possible to establish the justification for, and the date and time of, such operations, the identification of the person who consulted or disclosed personal data, and, as far as possible, the identity of the recipients of such personal data.
The logs shall be used solely for verification of the lawfulness of processing, self-monitoring, ensuring the integrity and security of the personal data, and for criminal proceedings. Such logs shall be deleted after three years, unless they are required for ongoing control.
The controller shall make the logs available to its data protection officer and to the European Data Protection Supervisor on request. 
The generation of audit logs is not based on Art. 88 EUDPR (processing of operational personal data), but is rather an appropriate technical measure to ensure the lawfulness of processing, self-monitoring, ensuring the integrity and security of the administrative personal data and files (content) of ECLIPSE.
 

2.14. Protection of log information

System logs must be protected against unauthorised access, modification and deletion in order to ensure accountability and attribution of actions. Unauthorised modification of system logs will be handled as a security incident.

2.15. Data retention and deletion

Personal data, including account data and training results, shall be retained in ECLIPSE for the following periods:
  • Personal data of Europol Users are kept for 5 years from the end of their contract.
  • Personal data of external Users, such as, – training participants are kept for 2 years after their last login activity.
  • Personal data of external Users, such as, – trainers from other EU institutions, agencies and bodies, MS Law enforcement and international organisations are kept for 5 years after their last login activity.
  • Personal data of external Users, such as, – trainers from Private Parties are kept for six months after the expiry of the framework contract with the private party that provided the trainer.
  • As long as a User is active personal data is needed and maintained for identification process.
  • All data related to the Users who lost their active roles in ECLIPSE will be erased within 1 year after the termination of such a role meaning that they will no longer receive ECLIPSE notifications or be able to connect to ECLIPSE; they will no longer be visible in the User directory of the module they had a membership to. 
  • Administrative personal data (stored for User Access) are reviewed every two years.
When the data retention period is reached, data will expire and will be automatically erased from ECLIPSE. 
Meta-data not containing any personal data shall be kept for statistical purposes for an indefinite period. 

 

2.16. Unacceptable use

The following activities shall constitute unacceptable use of ECLIPSE and shall be treated as policy violations and/or potential security breaches. The list below is by no means exhaustive, but attempts to provide a framework for activities, which fall into the category of unacceptable use:
• Dissemination of any information contained in ECLIPSE to unauthorised persons.
• Disclosure of identification and authentication credentials.
• Introducing malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
• Malicious activities such as unauthorised vulnerability scanning, and web Application attacks such as password hacking, denial of service, SQL injection, buffer overflow, cross-site scripting, etc.
• Deliberate misuse of ECLIPSE or disregard of this Use and Management policy.
• Misuse of tags by User authorisers, e.g., discriminatory terms or sensitive data.
• Shared accounts.
 

2.17. Handling of security and personal data breaches

Europol Users of ECLIPSE who have a reason to suspect that there has been a security breach or a personal data breach, shall report this according to the provisions of the Information Security Incident Management process (EDOC#732030- Information Security Incident Management process). 
External Users (non-Europol) of ECLIPSE who have a reason to suspect that there has been a security breach or a of personal data breach, shall report this without delay at ECLIPSE@europol.europa.eu ECLIPSE Operation Managers will immediately inform Europol Data Protection Officer. 
Information relating to security incidents that have the potential to interfere with the security of Member States shall be reported to the appropriate national Authorities as soon as possible by the Europol Security Coordinator.
In case of a security breach or personal data breach, the Europol Security Coordinator may decide to temporarily or permanently terminate a User’s access to ECLIPSE.
 

3. POLICY ENFORCEMENT

The general supervision of the application of this policy lies with ECLIPSE Operations Managers and ECLIPSE Business Product Manager. Data Protection Function and G5 Information Security shall be responsible in their respective fields of competence for monitoring and auditing compliance with this policy and the Europol Security Rules.
 

4. REVIEW OF THE POLICY

This policy shall be reviewed yearly in order to verify its correctness and validity and reviewed every time there is a technical, organisational or legal change that affects it.
Updates of this policy shall be communicated to all concerned parties in a timely manner.

5. ENTRY INTO FORCE

This policy shall be published in the Europol Vademecum and shall enter into force the day after its publication.
 
Done at The Hague on 26th March 2026