Privacy Statement
Privacy Statement for processing personal data on LEEd (including the LEEd mobile application)
This privacy statement, in line with Articles 15 and 16 of Regulation (EU) 2018/1725* , provides information to the data subjects relating to the processing of personal data of individuals carried out by the European Union Agency for Law Enforcement Training (CEPOL) in fulfilling its tasks.
The purpose of this document is to describe how CEPOL complies with its obligations to protect personal data under Regulation (EU) 2018/1725 and to provide individuals with information about CEPOL’s processing of personal data and their rights under the Regulation.
What is the purpose of the processing?
CEPOL’s core business is training and for that purpose a Learning Management System (LMS) is in place to support the preparation, design, implementation and evaluation of CEPOL learning interventions and supplies training and user data to management and involved decision makers. The LMS is a restricted online learning platform called LEEd (Law Enforcement Education). LEEd supports all training activities including onsite and various types of online events, project spaces and access to reading materials. The LEEd Platform shall also be accessible through the LEEd mobile application. The mobile application is meant to provide access to already registered users.
Processing is necessary for user administration (approval, rejection actions), registration, exchange requests, nominations and event management.
Personal data is necessary for the performance of a task carried out by CEPOL as foreseen in Article 4, (2) and (3) of the Regulation (EU) 2015/2219 of the European Parliament and the Council of 25 November 2015 on the European Union Agency for Law Enforcement Training (CEPOL) and replacing and repealing Council Decision 2005/681/JHA.
What is the legal basis for the processing of personal data?
Regulation (EU) 2018/1725 and in particular Article 5(1)(a) and (d).
Regulation (EU) 2015/2219 of the European Parliament and of the Council of 25 November 2015 on the European Union Agency for Law Enforcement Training (CEPOL) and replacing and repealing Council Decision 2005/681/JHA and in particular Article 4(2)(a) (d) and 4(3) thereof.
Who is the data controller?
The data controller is the Head of EU Training Hub Unit, headofeuth@cepol.europa.eu.
In case of activities related to capacity building projects in third countries implemented by the International Cooperation Unit, the data controller is the Head of the International Cooperation Unit, HeadofICU@cepol.europa.eu
Who are the data subjects?
All users registered in LEEd.
Which types of data are being processed?
LEEd facilitates different purposes and the data fields involving personal data have been set in line with the so-called principle of ‘data minimisation’. In other words, the personal data required each time are adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed.
Data fields in LEEd
| General |
|
|---|---|
| Travel information |
|
| Other fields |
|
1. For the purposes of LEEd user management
All the data that users are requested to provide during their registration application process to LEEd. More specifically:
Country/ Organisation, E-mail, First Name, Last Name, Date of birth, Gender, Law Enforcement domain, Organisation / Department / Unit , Job Title / Rank, Office Phone
The users can decide to (optionally) complete their individual profile with: a profile picture, office address, second e-mail, travel management details (incl. travel document information) and a personal description.
2. For the purposes of the CEPOL Exchange Programme (‘CEP’)
All the data that users are requested to provide when applying to participate to CEP. More specifically:
Have you taken part in a CEPOL Exchange Programme the last 3 years? Select Language, Language Level (Required level Proficient), Current Position (at least 3 years), Institution, Duration of Exchange (Days), Select countries (max 4 countries), Thematic Area, Subthematic Area, Select Organisation, Select Section. Short summary, Europass CV
3. For the purposes of organizing travel and accommodation arrangements for CEP purposes
Full name, Email, Date of travel, Date of return, Destination Country, Booking Status, Hotel
4. For the purposes of the LEEd mobile application
Email, password of registered user
The platform stores learning progress (e.g. certificates of completion, grades obtained if relevant, assessment of learners' results and grades, module completion status, learner experience (feedback forms/anonymised), time spent on the LMS, module enrolments) and learning paths (e.g. activities attended) of the active users as well as activity log files (fist and last access to the platform, IP address from which the user is accessing the system). Other logs kept refer to: User registration status for LEEd (registered (active), pending), EU-GDPR consent status (date and time given).
How is the data processed?
The data is processed on the platform via electronic workflows. For the purposes of LEEd user administration, depending on the origin (country/ organisation) of the data subject, registrations are processed by the appointed LEEd managers of the CEPOL National Units or designated CEPOL staff having the role of administrator.For attendance to webinars, personal data is processed via the ‘LogMeIn’ plugin that provides seamless integration (i.e name and email of the user are automatically provided by the platform). Data of past webinars is processed in the ‘Bridge/ Instilled’ plugin that enables video repository. Access to e-journals and e-books is a service provided by the EBSCO Discovery Service and is triggered via the use of the e-mail address of the user.
Who are the recipients of the data being processed?
CEPOL staff:
- Dedicated CEPOL staff members, including staff responsible for preparing, designing, implementing and evaluating the learning and training activities subject to this privacy statement;
- CEPOL staff working for CEP (for exchange programme only);
- CEPOL staff working in the Travel team (if relevant);
- Actors in the financial workflow (if relevant);
- Communications Team (if relevant);
- CEPOL Internal Audit Panel and/or the Internal Control Officer (if relevant);
- Relevant managers at a Member State level (originating from the CEPOL National Units) of learning and training activities subject to this privacy statement;
- CEPOL National Units or National Contact Points or Organisational Contact Points (for data linked to users from their own country or organisation);
- EU institutions, agencies and bodies co-organising training activities.
- Service providers for the CEPOL LEEd (including WIDE Services, the providers of the LogMeIn plug-in, the Bridge/ Instilled plug-in, the EBSCO services only in relation to specific data that are required for providing the service, running maintenance or troubleshooting); Other service providers if necessary to involve for the delivery of services (e.g. evaluation)
- General public primarily through the CEPOL website and social media channels (if relevant and upon explicit consent of the data subject).
- EU bodies: European Court of Justice, European Ombudsman, European Data Protection Supervisor, European Anti-Fraud Office (OLAF), Internal Audit Service of the European Commission, European Court of Auditors (upon request).
Is data transferred to third countries or international organisations?
Project activities in the context of International Cooperation may take place outside the EU/EEA. As a result, transfer of data to the respective counterparties of CEPOL might take place. In such cases, Chapter V of Regulation (EU) 2018/1725 in relation of personal data to third countries or international organisations applies. In particular, in absence of adequacy decision, CEPOL controls whether any of the appropriate safeguards listed in Article 48 of Regulation (EU) 2018/1725 are in place. In absence of appropriate safeguards, CEPOL request the explicit consent of the data subjects concerned, in line with Article 50(1)(a) of Regulation (EU) 2018/1725.
CEPOL has concluded working arrangements/memoranda of understanding with some countries outside of the European Union/European Economic Area as well as with some international organisations. An exhaustive list of these arrangements can be found here: https://www.cepol.europa.eu/who-we-are/partners-and-stakeholders/external-partners
Moreover, by virtue of Article 4(4) of Regulation (EU) 2015/2219 CEPOL supports capacity-building in third countries via implementing projects funded by the European Commission. Currently, these projects concern the MENA region, countries that participate in the Eastern Partnership initiative, Euro Mediterranean counties and countries in the Western Balkans. In certain occasions, cooperation with the countries and/or international organisation listed above may entail access to the LEEd platform. Due to the fact that for the time being there are no adequacy decisions issued by the European Commission in relation to the level of data protection in the third countries and international organisations listed above, the Agency is aware that appropriate safeguards within the meaning of Article 48 (3) of Regulation (EU) 2018/1725 are required to enable any transfer of data to take place. For this reason, the Agency shall start discussions with the parties concerned in the coming months.
In the meantime, as a mitigation measure, the access rights of the respective users (i.e users coming from third countries and/or international organisations) shall be set by default to ‘Restricted’. This means that access shall be limited only to accessing training material and that profiles of the other LEEd users shall not be visible.
Please note that the LEEd mobile application is distributed via the mainstream app stores via Apple and Google. Any personal data exchanged between your device and these platforms going beyond the actual use of the LEEd mobile application cannot be controlled by CEPOL and is subject to the agreement between you and the respective app store.
What rights do data subjects have?
Data subjects have the right to access their personal data and the right to request from the controller rectification or erasure of personal data.. Data subjects have the right to request restriction of processing of personal data concerning them or to object to the processing of their data.
Data subjects can refuse and/or withdraw their consent with respect to further processing of their data. In addition, data subjects have the right to receive their personal data in a structured, commonly used and machine-readable format.
Data subjects can request the exercise of their rights to the data controller or DPO.
Substantiated requests should be emailed to headofeuth@cepol.europa.eu. A data extraction or deletion request can be initiated by the user in the LEEd. Once the request has been submitted by the user, the time limit to extract/erase data on justified grounds at the request of data subjects is 15 working days from the date of receipt of such a request. The data controller shall notify the data subject once the erasure of the data has been completed.
General requests can be emailed to the CEPOL Data Protection Officer at dpo@cepol.europa.eu. Data subjects have the right to lodge a complaint to the EDPS.
How long is your data retained by CEPOL?
Personal data of the LEEd users are stored for as long as the users are registered and remain active. Active users are those who have logged on LEEd within the last twenty-four months at any given date of the year. The LEEd accounts of inactive users are then suspended for an additional period of twelve months. At the end of this period of suspension, the LEEd accounts of inactive users are deleted. This deletion extends to the learning path and learning progress of the users.
Who should you contact for more information on the processing of your personal data by the Agency?
Data Protection Officer (DPO)
Within CEPOL, there is a data protection officer. This person is independently responsible for ensuring the internal application of Regulation (EU) 2018/1725 and that the rights and freedoms of the data subjects are not likely to be adversely affected by the processing operations. The DPO keeps a register of all processing operations of personal data carried out by the Agency.
The DPO also provides advice and makes recommendations on rights and obligations of data controllers and data subjects. CEPOL’s DPO can be contacted at dpo@cepol.europa.eu.
European Data Protection Supervisor (EDPS)
The European Data Protection Supervisor is an independent supervisory authority with responsibility for monitoring and ensuring the application of data protection rules by EU Institutions and Bodies, which includes CEPOL. The EDPS provides advice to EU Institutions and Bodies on all matters relating to the processing of personal information and cooperates with national supervisory authorities to improve protection of personal information.
What should you do if you believe your data is being misused by the Agency?
If you believe your data is being misused by CEPOL, or is otherwise not compliant with your rights and freedoms under Regulation (EU) 2018/1725, you should notify the data controller, in this case the Head of EU Training Hub Unit, via headofeuth@cepol.europa.eu. In the case of activities related to capacity building projects in third countries, please contact the Head of International Cooperation Unit, headoficu@cepol.europa.eu
You may also contact the Agency’s DPO to inform him/her of any issues related to the processing of your data. If the problem is not rectified after contact with the data controller and DPO, every data subject has the right to lodge a complaint with the EDPS, as provided for by Article 63 of Regulation (EU) 2018/1725.
* Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, OJ L 295, 21.11.2018, p. 39–98.