The European School Education Platform (referred here as ‘the Platform’) is the successor of the School Education Gateway and the eTwinning platforms. Launched in 2022, this multilingual online platform aims to be the meeting point for all school staff (from early childhood education and care, to primary and secondary levels, including initial vocational education and training), researchers, policy makers and other stakeholders in the school education field.
Personal data are provided in 2 layers:
- Registration with EU login ad “general” users, in order to participate in the activities (such as taking part in the online courses or submit listings) and to be able to use all the features of the platform (such as commenting articles, adding items in favourites, or saving searches).
- Additional registration as eTwinning user (eTwinner):
NB. At the moment of launching the European School Education Platform, existing users of eTwinning and/or of the School Education Gateway must create an EU Login account with the same email address used when registering in eTwinning or on the School Education Gateway in order to synchronise their old and new accounts, including migration of personal data to the new account.
1. Who is responsible for processing your personal data?
The data controller is the European Education and Culture Executive Agency (EACEA).
The person designated as being in charge of the processing operations is:
Head of Unit A6 of EACEA
European Education and Culture Executive Agency
Avenue du Bourget 1, BE-1049 Brussels
In addition, EACEA works with the following processors:
EUN Partnership AISBL (hereinafter called European Schoolnet) runs the eTwinning Central Support Service as a contractor of EACEA.
Rue de Trèves, 61 (3rd floor)
Tel: +32 2/790 75 75
Tremend Software Consulting SRL provides the digital services needed to manage and maintain the Platform as a contractor of EACEA.
83 Cluj Stroot, bl. 8B, sc. 1, floor 7, ap.32
RO-030134 Bucuresti (Bucharest)
The EU Commission Directorate-General for informatics (DG DIGIT) provides the IT hosting service for the Platform.
2. Which personal data are processed and how?
The data subjects are complainants, correspondents and enquirers and individuals who decide to register on the European School Education Platform as a “general user”.
To register as a “general user”, users must use an EU Login account and therefore “first name”, “last name” and “email address” already used in the EU Login account, will be re-used for the account of the Platform.
Description of personal data categories:
- Concerning the physical characteristics of persons as well as the image, voice or fingerprints (optional). Optional personal information is collected for the member profile and a registrant can decide whether to give that data or not. The optional information entails images.
- Concerning the data subject's private sphere (optional): Information from forums and other online communication tools: the Platform offers public forums (or similar third-party communication tools) as part of its collaborative spaces. On these online tools the users may share comments, thoughts, photos, videos and other resources on a voluntary basis.
- Concerning the data subject's career (optional): The Platform may receive personally identifiable information when information is provided in response to a survey (in this case the user is asked to provide consent for sharing such information). If the person participates in an online course or in a project, we may collect certain student-generated content, such as assignments submitted, peer-graded assignments and peer grading student feedback. Course data is also collected, such as student responses to quizzes, forum entries and surveys.
- Concerning missions and journeys: Participants may take part in events onsite in their country or another one. They may submit information for the purpose of participating in such initiatives.
- Concerning names and addresses, including email addresses (mandatory)
NB. Unsolicited personal data revealing racial or ethnic origin, political opinions, revealing religious or philosophical beliefs, trade-union membership, concerning health, genetic data, biometric data for the purpose of uniquely identifying a natural person, concerning sex life or sexual orientation or of this nature can be submitted by the data subjects, which will however be disregarded and not processed.
The Platform offers users the opportunity to participate in online courses through the EU Academy. Enrolment for an online course requires creating a user account at the European School Education Platform (see above), but no additional personal information is required.
3. For which purposes do we process your data?
The processing of personal data in the Platform is necessary to:
- Allow users to use platform’s services such as:
- posting comments and listings,
- using different platform features such as favourites or saved searches,
- enriching users’ profiles,
- handle helpdesk inquiries,
- follow up on posts and messages which were ‘reported’ by other users, etc.,
- allow Platform users to communicate and collaborate in the spirit of mutual trust and respect,
- allow and facilitate monitoring and research activities,
- develop outreach and communication purposes within the framework of the Platform and its services,
- send registered users updates and relevant information related to the Platform, and to inform registered users of other related activities they might be interested in within European Commission’s initiatives,
- enable online course administration and implementation,
- enable and improve the user experience within this and similar future projects developed by the European Commission via access control, tracking usage frequency, search behaviours, preferences and settings,
- allow for collection, categorisation and summary of user contributions in the forums and other discussion tools,
- provide aggregated statistics, including, but not limited to, the number of users during a specific period, the preferred subjects and/or countries chosen by users and account usage.
Finally, and limited to participation in the courses taking place on the EU Academy, the processing of data (which will take place at the EU Academy) is necessary to: enrol the user to the course selected and allow users to access the course in the EU Academy keeping his/her credentials.
The names, email addresses and course selection of European School Education Platform “general users” who decide to follow training courses will be shared with and process by the EU Academy following the EU Academy privacy policies (see record of data processing here) to achieve the purposes above. Data on the progress of learners and the outcome of the training course will be shared with the European School Education Platform.
Personal data can never be used for marketing purposes.
4. On which legal basis do we process your personal data?
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body (to be laid down in Union Law) (Article 5(1)(a) of Regulation 2018/1725);
- Regulation (EU) 2021/817 of the European Parliament and of the Council of 20 May 2021 establishing Erasmus+: the Union Programme for education and training, youth and sport and repealing Regulation (EU) No 1288/2013 (OJ L 189, 28.5.2021, p. 1–33),
- Commission Implementing Decision (EU) 2021/173 of 12 February 2021 establishing the European Education and Culture Executive Agency.
- Commission Decision C(2021)951 and its annexes delegating powers to EACEA for the management of programmes in the MFF 2021-2027.
Processing that is not covered by the above legal bases is based on consent of the data subject (Article 5(1)(d) of Regulation 2018/1725).
5. How long do we keep your personal data?
For the general user registered in the European School Education Platform the data related to the profile of the user are kept for three years after the user’s last login. After three years from the last login, the user profile will automatically be set to anonymous, i.e. the personal data will be erased.
Two weeks before three years of no login, a notification is sent to the user to inform her/him that her/his profile is about to be set as anonymous and that he/she can avoid this by logging in again within two weeks. If the user does not login within two weeks, his/her profile will be deleted permanently. In case of no login, all personal information is then made anonymous.
Any personal data the user may have inserted through third parties’ tools (e.g. during an online course when using an external online tool, such as Facebook, Twitter) is not under the responsibility of the data controller and is therefore not concerned by the anonymisation.
In the event that users ask for the anonymisation of their account or the account is automatically anonymised, no data will be visible to other European School Education Platform users.
Data will be kept only in an anonymous form that does not allow for personal identification. If users with an anonymised account want to continue using the platform, they will need to register again.
The anonymised data (non-personal data) remain solely for research and monitoring purposes at the disposal of the EACEA, the EC, national or regional school authorities, authorities in charge of implementing the European School Education Platform and other third parties (see Point 6) under the authorisation of the data controller in an aggregated format.
In order to deactivate or delete an account, please contact the Helpdesk at: email@example.com
6. Who has access to your personal data and to whom are they disclosed?
For the purposes detailed above, access to the full data is strictly limited to:
- EACEA designated staff,
- European Commission designated staff, in particular DG EAC and DG DIGIT designated staff and, for personal data of users following training courses on the EU Academy platform, JRC designated staff.
- Authorised staff of the organisation contracted by and working on behalf of EACEA to implement the European School Education Platform, i.e. Central Support Service (European Schoolnet) and digital service provider (Tremend Software Consulting SRL)
General Public: Some data submitted by users will be displayed on the public area of the Platform, which means that such information is freely accessible on the Internet. In this case, users can delete if they wish their data. The data which may be, upon a user’s decision, public are in particular the following:
a) Organisation data of the user is visible to all users through the organisation’s page:
- name, address, city, country, picture, Facebook URL, Twitter URL, LinkedIn URL and website,
- registrants affiliated to the organisation (first name, last name, country, picture),
- courses and Erasmus+ postings created by the members of the organisation.
b) Platform’s “general user” data:
- the following user data are visible to all users only on the public organisation’s page (if the user is affiliated to one or several organisations): first name, last name, country, a thumbnail of the picture (if provided),
- user’s profile page is accessible only to other logged-in users, including the following information: first name, last name, country, picture, organisation(s), user type, comments made by the registrant, articles ‘favourited’ by the user, and whether the registrant is eTwinning validated,
- any posting, comment, voluntarily made by a registered user is public, i.e. visible to the website users when viewing the commented or reviewed item and also retrievable through search engines,
- user activity on the online courses is viewable only by the registered users who have also signed up to the specific online course.
The transfer of specific data to other third parties (e.g., research centres and universities) can be permitted under specific authorisation of the data controller, and in such cases any data will be transferred in an anonymous format.
Some personal data will be accessible within the restricted area of eTwinning, of the eTwinning Groups and TwinSpaces only to the respective members of these areas.
In addition, data may be disclosed to public authorities, and processed by these authorities in compliance with the applicable data protection rules according to the purpose of the processing, including inter alia:
- The European Court of Justice or a national judge or authority as well as the lawyers and the agents of the parties in case of a legal procedure;
- The competent Appointing Authority in case of a request or a complaint lodged under Articles 90 of the Staff Regulations;
- OLAF in case of an investigation conducted in application of Regulation (EC) No 1073/1999;
- The Internal Audit Service of the Commission within the scope of the tasks entrusted by article 118 of the Financial Regulation and by article 49 of the Regulation (EC) No 1653/2004;
- IDOC in line with Commission Decision of 12 June 2019 laying down general implementing provisions on the conduct of administrative inquiries and disciplinary proceedings - C(2019)4231 and Commission Decision (EU) 2019/165 of 1 February 2019 Internal rules concerning the provision of information to data subjects and the restriction of certain of their data protections rights in the context of administrative inquiries, pre-disciplinary, disciplinary and suspension proceedings;
- The Court of Auditors within the tasks entrusted to it by Article 287 of the Treaty on the Functioning of the European Union of the EC Treaty and Article 20, paragraph 5 of Regulation (EC) No 58/2003;
- The European Ombudsman within the scope of the tasks entrusted to it by Article 228 of the Treaty on the Functioning of the European Union;
- The European Public Prosecutor’s Office within the scope of Article 4 of Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office.
7. How do we protect your personal data?
The Platform servers are hosted on Amazon Web Services in the European Data Centres. DG DIGIT manages the cloud infrastructure in a highly secured environment. Only authorised personnel have access to the storage media at the Data Centres and the sites are subject to strict physical security.
DG DIGIT ensures the security of the IT hosting service in conformance with the Commission's Information Security Policy and Framework and DG DIGIT's complementary Information Security Policy Framework. See also Commission Decision C(2006)3602 of 16 August 2006 concerning the "Security of information systems used by the European Commission" and "Implementing rules of 16.8.2006 concerning the security of information systems used by the European Commission".
Personal data is only communicated using HTTPS encryption. No personal data is transported using storage media. Additionally, any database backups are sanitised and user information is anonymised.
DG DIGIT provides to the Central Support Service technical team anonymised database dumps. The database back-up service is behind a password-protected system. The anonymised database is used for platform development. All development servers are utilising strong password access and where required VPN encrypted connection, and in many cases biometric access. Online platforms used as part of the project use password protected access, permission systems to prevent anyone but those authorised any access to personal data. No database back-ups containing personal data is stored on any removable storage devices.
Only a limited number of named individuals (maximum 3) from the development team in Tremend Consulting have access to the highest level of permission in information systems, and where personal data is stored in a document or database, it is only on a needs-access basis. By ensuring that the lowest number of users have access to the information systems, the data processor ensures the lowest level of risk.
Data in transit is encrypted via SSL/TLS, management access and data transfers on platforms are done securely.
A contractual clause about data protection is included in the contract with the processors (service providers) EUN Partnership AISBL and Tremend Software Consulting, to ensure that personal data are processed in compliance with the applicable legislation.
8. What are your rights concerning your personal data and how can you exercise them?
You have the right to:
- Request to access the personal data we keep on you;
- Request a rectification of your personal data or make the correction yourself in your profile;
- Request, under certain conditions, the erasure of your personal data;
- Request, under certain conditions, the restriction of the processing of your personal data;
- Object to the processing of your personal data on grounds relating to your particular situation;
- Request for your data to be transferred to another organisation in commonly used machine-readable standard format (data portability);
You have the right to object to processing of your personal data on grounds relating to your particular situation under the provisions of Article 23 of Regulation 2018/1725.
You also have the right not to be subject to automated decisions (made solely by machines) affecting you, as defined by law.
In addition, as this processing of your personal data is based on your consent [Article 5(1)(d) or Article 10(2)(a) of the data protection regulation], please note that you can withdraw it at any time by sending an email to firstname.lastname@example.org, and this will have effect from the moment of your retraction. The processing based on your consent before its withdrawal will remain lawful.
Article 25 of Regulation (EU) 2018/1725 provides that, in matters relating to the operation of EU institutions and bodies, the latter can restrict certain rights of individuals in exceptional circumstances and with the safeguards laid down in that Regulation. Such restrictions are provided for in internal rules adopted by EACEA and published in the Official Journal of the European Union (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021Q0317%2801%29).
Any such restriction will be limited in time, proportionate and respect the essence of the above-mentioned rights. It will be lifted as soon as the circumstances justifying the restriction are no longer applicable. You will receive a more specific data protection notice when this period has passed.
As a general rule you will be informed on the principal reasons for a restriction unless this information would cancel the effect of the restriction as such.
You have the right to make a complaint to the EDPS concerning the scope of the restriction.
9. Your right to have recourse in case of conflict on any personal data issue
In case of conflict on any personal data protection issue you can address yourself to the data controller at the above-mentioned address and functional mailbox (Point 1).
You can also contact EACEA’s Data Protection Officer at the following email address: email@example.com.
You may lodge a complaint with the European Data Protection Supervisor at any time: https://edps.europa.eu/.
[i] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC Text with EEA relevance, OJ L 295, 21.11.2018, p. 39.