Privacy Statement for processing personal data on LEEd (including the LEEd mobile application)

This privacy statement, in line with Articles 15 and 16 of Regulation (EU) 2018/1725* , provides information to the data subjects relating to the processing of personal data of individuals carried out by the European Union Agency for Law Enforcement Training (CEPOL) in fulfilling its tasks.

The purpose of this document is to describe how CEPOL complies with its obligations to protect personal data under Regulation (EU) 2018/1725 and to provide individuals with information about CEPOL’s processing of personal data and their rights under the Regulation.

What is the purpose of the processing?

CEPOL’s core business is training and for that purpose a Learning Management System (LMS) is in place to support the preparation, design, implementation and evaluation of CEPOL learning interventions and supplies training and user data to management and involved decision makers. The LMS is a restricted online learning platform called LEEd (Law Enforcement Education). LEEd supports all training activities including onsite and various types of online events, project spaces and access to reading materials. The LEEd Platform shall also be accessible through the LEEd mobile application. The mobile application is meant to provide access to already registered users.

What is the legal basis for the processing of personal data?

Regulation (EU) 2018/1725 and in particular Article 5(1)(a) and (d).

Regulation (EU) 2015/2219 of the European Parliament and of the Council of 25 November 2015 on the European Union Agency for Law Enforcement Training (CEPOL) and replacing and repealing Council Decision 2005/681/JHA and in particular Article 4(2)(a) (d) and 4(3) thereof.

Who is the data controller?

The data controller is the Head of Training and Research Unit, headoftru@cepol.europa.eu

In case of activities related to capacity building projects in third countries implemented by the International Cooperation Unit, the data controller is the Head of the International Cooperation Unit, HeadofICU@cepol.europa.eu

Who are the data subjects?

All users registered in LEEd.

Which types of data are being processed?

LEEd facilitates different purposes and the data fields involving personal data have been set in line with the so-called principle of ‘data minimisation’. In other words, the personal data required each time are adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed.

1. For the purposes of LEEd user management

All the data that users are requested to provide during their registration application process to LEEd. More specifically:

Country/ Organisation, E-mail, First Name, Last Name, Date of birth, Gender, Law Enforcement domain, Organisation / Department / Unit , Job Title / Rank, Office Phone

The users can decide to (optionally) complete their individual profile with: a profile picture, office address, second e-mail, travel management details (incl. travel document information) and a personal description.

2. For the purposes of the CEPOL Exchange Programme (‘CEP’)

All the data that users are requested to provide when applying to participate to CEP. More specifically:

Have you taken part in a CEPOL Exchange Programme the last 3 years? Select Language, Language Level (Required level Proficient), Current Position (at least 3 years), Institution, Duration of Exchange (Days), Select countries (max 4 countries), Thematic Area, Subthematic Area, Select Organisation, Select Section. Short summary, Europass CV

3. For the purposes of organizing travel and accommodation arrangements for CEP purposes

Full name, Email, Date of travel, Date of return, Destination Country, Booking Status, Hotel

4. For the purposes of the LEEd mobile application

Email, password of registered user

The platform stores learning progress (e.g. certificates of completion, grades obtained if relevant, etc.) and learning paths (e.g. activities attended) of the active users as well as activity log files (fist and last access to the platform, IP address from which the user is accessing the system). Other logs kept refer to: User registration status for LEEd (registered (active), pending), EU-GDPR consent status (date and time given). CEPOL may also process user’s data and historical data from the previous e-Net platform.

How is data processed?

Processing happens in the platform via electronic workflows. For the purposes of LEEd user administration, depending the origin of the data subject, registrations are processed by the LEEd managers of the CEPOL National Units or CEPOL staff having the role of administrator.

Attendance to webinars is possible via the ‘LogMeIn’ plugin that provides a seamless integration (i.e name and email of the user are automatically provided by the platform). Storing of past webinars is based on the ‘GOMO’ plugin that enables video repository. Access to e-journals and e-books is a service provided by the EBSCO Discovery Service and is triggered via the use of the e-mail address of the user.

Who are the recipients of the data being processed?

CEPOL staff:

• CEPOL staff responsible for preparing, design, implementing and evaluating the learning and training activities subject to this privacy statement;
• CEPOL staff working for CEP (for exchange programme only);
• CEPOL staff working in the Travel team (if relevant);
• Actors in the financial workflow (if relevant);
• Communications Team (if relevant);
• CEPOL staff responsible for the migration of e-Net data to LEEd platform;
• CEPOL Internal Audit Panel and/or the Internal Control Officer (if relevant);

• Relevant managers at a Member State level (originating from the CEPOL National Units) of learning and training activities subject to this privacy statement;
• CEPOL National Units or National Contact Points or Organisational Contact Points (for data linked to users from their own country or organisation);
• EU institutions, agencies and bodies co-organising training activities.
• - Service providers for the CEPOL LEEd (including WIDE, the provider of the LogMeIn plug-in, the GOMO plug-in, the EBSCO services only in relation to specific data that are required for providing the service, running maintenance or troubleshooting and the services provider in relation to the migration of old e-net data to the LEEd platform); Other service providers if necessary to involve for the delivery of services (e.g. evaluation)
• General public primarily through the CEPOL website and social media channels (if relevant and upon explicit consent of the data subject).
• EU bodies: European Court of Justice, European Ombudsman, European Data Protection Supervisor, European Anti-Fraud Office (OLAF), Internal Audit Service of the European Commission, European Court of Auditors (upon request).

Is data transferred to third countries or international organisations?

CEPOL has concluded working arrangements/memoranda of understanding with some countries outside of the European Union/European Economic Area as well as with some international organisations. An exhaustive list of these arrangements can be found here: https://www.cepol.europa.eu/who-we-are/partners-and-stakeholders/external-partners

Moreover, by virtue of Article 4(4) of Regulation (EU) 2015/2219 CEPOL supports capacity-building in third countries via implementing projects funded by the European Commission. Currently, these projects concern the MENA region, countries that participate in the Eastern Partnership initiative, Euro Mediterranean counties and countries in the Western Balkans. In certain occasions, cooperation with the countries and/or international organisation listed above may entail access to the LEEd platform. Due to the fact that for the time being there are no adequacy decisions issued by the European Commission in relation to the level of data protection in the third countries and international organisations listed above, the Agency is aware that appropriate safeguards within the meaning of Article 48 (3) of Regulation (EU) 2018/1725 are required to enable any transfer of data to take place. For this reason, the Agency shall start discussions with the parties concerned in the coming months.

In the meantime, as a mitigation measure, the access rights of the respective users (i.e users coming from third countries and/or international organisations) shall be set by default to ‘Restricted’. This means that access shall be limited only to accessing training material and that profiles of the other LEEd users shall not be visible.

Please note that the LEEd mobile application is distributed via the mainstream app stores via Apple and Google. Any personal data exchanged between your device and these platforms going beyond the actual use of the LEEd mobile application cannot be controlled by CEPOL and is subject to the agreement between you and the respective app store.

What rights do data subjects have?

Data subjects have the right to access their personal data and the right to request from the controller a copy or the deletion of their personal data. Data subjects have the right to request restriction of processing of personal data concerning them or to object to the processing of their data.

Data subjects can refuse and/or withdraw their consent with respect to further processing of their data. In addition, data subjects have the right to receive their personal data in a structured, commonly used and machine-readable format.

A data extraction or deletion request can be initiated by the user in the LEEd. Once the request has been submitted by the user, the time limit to extract/erase data on justified grounds at the request of data subjects is 15 working days from the date of receipt of such a request.

General requests can be emailed to the CEPOL Data Protection Officer at DPO@cepol.europa.eu or be submitted directly via the LEEd platform.

How long is your data retained by CEPOL?

Data of the LEEd users are stored for as long as the users are registered and remain active. Active users are those who have logged on LEEd within the last twenty-four months at any given date of the year. The LEEd accounts of inactive users are then suspended for an additional period of twelve months. At the end of this period of suspension, the LEEd accounts of inactive users are deleted. This deletion extends to the learning path and learning progress of the users.

Who should you contact for more information on the processing of your personal data by the Agency?

Data Protection Officer (DPO)

Within CEPOL, there is a data protection officer. This person is independently responsible for ensuring the internal application of Regulation (EU) 2018/1725 and that the rights and freedoms of the data subjects are not likely to be adversely affected by the processing operations. The DPO keeps a register of all processing operations of personal data carried out by the Agency.

The DPO also provides advice and makes recommendations on rights and obligations of data controllers and data subjects. CEPOL’s DPO can be contacted at dpo@cepol.europa.eu.

European Data Protection Supervisor (EDPS)

The European Data Protection Supervisor is an independent supervisory authority with responsibility for monitoring and ensuring the application of data protection rules by EU Institutions and Bodies, which includes CEPOL. The EDPS provides advice to EU Institutions and Bodies on all matters relating to the processing of personal information and cooperates with national supervisory authorities to improve protection of personal information.

What should you do if you believe your data is being misused by the Agency?

If you believe your data is being misused by CEPOL, or is otherwise not compliant with your rights and freedoms under Regulation (EU) 2018/1725, you should immediately notify the data controller, Head of Training and Research Unit, headoftru@cepol.europa.eu. In the case of activities related to capacity building projects in third countries, please contact the Head of International Cooperation Unit, headoficu@cepol.europa.eu

You may also contact the Agency’s DPO to inform him/her of any issues related to the processing of your data. If the problem is not rectified after contact with the data controller and DPO, every data subject has the right of recourse to lodge a complaint with the EDPS, as provided for by Article 63 of Regulation (EU) 2018/1725.