Privacy Statement – Mobility Tool+
This privacy statement provides information about the processing and the protection of your personal data.
- Why and how do we process your personal data?
- On what legal ground(s) do we process your personal data?
- Which personal data do we collect and further process?
- How long do we keep your personal data?
- How do we protect and safeguard your personal data?
- Who has access to your personal data and to whom is it disclosed?
- What are your rights and how can you exercise them?
- Contact information
- Where to find more detailed information?
Please also see the related privacy statement "Erasmus+ and European Solidarity Corps participants affected by COVID-19 situation".
The European Commission (hereafter ‘the Commission’) is committed to protect your personal data and to respect your privacy. The Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (repealing Regulation (EC) No 45/2001).
This privacy statement explains the reasons for the processing of your personal data, how we collect, handle and ensure the protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the responsible Data Controller's contact details with whom you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor’s contact details.
Purpose of the processing operation:
- manage details of the projects funded by its programmes Erasmus+, European Solidarity Corps and Life Long Learning (such as mobility projects, cooperation projects, policy support actions), including the achievement of the project objectives, the number and type of participants and budgetary and financial aspects;
- manage participating organisations in the project to ensure monitoring and follow up;
- provide reporting and accountability via statistics collected from the project and the answers provided by the beneficiary or participants as part of surveys
- manage the individual participant surveys and provide statistics on the answers provided, which is essential to demonstrate how the project funds have been used and how the programme objectives have been achieved
- provide support to future participants in the programmes (based on consent, i.e. on a voluntary ‘opt-in’ basis)
- provide testimonials on participation in the programmes to the general public (based on consent, i.e. on a voluntary ‘opt-in’ basis)
- facilitate participation in further studies regarding the programmes and EU issues (based on consent, i.e. on a voluntary ‘opt-in’ basis)
- allow the Erasmus+ Student and Alumni networks to contact Erasmus+ participants to take part in their activities (based on consent, i.e. on a voluntary ‘opt-in’ basis)
- provide participant feedback on courses followed (based on consent)
- allow RAY Network (Research-based analysis of European youth programmes) contact participants to take part in a research survey (based on consent, i.e. on a voluntary ‘opt-in’ basis);
- ensure accuracy of the Commission’s statistical information on the achievement of the programme objectives
We will not use your personal data for automated decision-making, including profiling.
Your personal data is introduced by your organisation (e.g. the sending institution) in an IT tool to which access is given to different processors, as described under point 7. The access by another entity, such as the National Agency or receiving institution, to this data to ensure data quality and consistency is considered a ‘data transfer’. The types of transfers are described in section 7.
We process your personal data because:
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
The processing operations are necessary for the fulfilment of the Commission obligations and responsibilities of monitoring and reporting established in:
- Decision No 1720/2006/EC of the European Parliament and of the Council of 15 November 2006 establishing an action programme in the field of lifelong learning
- Regulation (EU) No 1288/2013 of the European Parliament and of the Council of 11 December 2013 establishing 'Erasmus+': the Union programme for education, training, youth and sport and repealing Decisions No 1719/2006/EC, No 1720/2006/EC and No 1298/2008/EC
- Regulation (EU) 2018/1475 of the European Parliament and of the Council of 2 October 2018 laying down the legal framework of the European Solidarity Corps and amending Regulation (EU) No 1288/2013, Regulation (EU) No 1293/2013 and Decision No 1313/2013/EU
The processed data do not fall within the scope of the stipulations on Restrictions (art. 25) and Prior Consultation (art. 40) embedded in Regulation (EU) 2018/1725.
In order to carry out this processing operation, the following categories of personal data are collected.
Data of contact persons and legal representatives in participating organisations:
- First name
- Last name
- Legal address
Data of National Agency staff:
- First name
- Last name
Data of person participating in an Erasmus+ activities or European Solidarity Corps project:
- Participant ID
- Participant registration Number (ESC portal)
- First name
- Last name
- Date of birth
- Support for special needs (yes/no) – this is collected when it could have an impact on the arrangements that are necessary to enable the applicant to take part in the project or in the additional amounts received as part of the grant and for statistics
- Disadvantaged background/fewer opportunities (yes/no) - this is collected when it could have an impact on the additional amounts received as part of the grant and for statistics
The provision of personal data is mandatory for the management of projects and associated activities/mobilities.
DG EAC processes your personal data for the duration of your grant project, which can be up to 36 months maximum.
After that, DG EAC has to retain your personal data as long as it is required by the Financial Regulation (that establishes the financial rules for the EU budget) for audit purposes, because checks or fraud investigations are routinely carried out after completion of actions, and the data must be available so that issues such as fake participation and double funding can be ruled out.
Ultimately, we will delete data maximum 10 years after the end of the year of closure of the agreement (so-called delegation or contribution agreement) between the National Agency and the Commission. These agreements normally last 3-4 years.
All data is stored by the European Commission in a datacentre located inside the EU.
All processing operations are carried out under the European Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.
To protect your personal data, the European Commission has put technical and organisational measures in place. Technical measures include:
- appropriate actions to address online security,
- minimised risk of data loss,
- prevention of alteration of data or unauthorised access.
Organisational measures include restricting access to personal data solely to authorised persons with a legitimate "need to know" requirement for this processing operation.
The transfer of your personal data is necessary for the conclusion or performance of an agreement concluded in your interest between the controller (European Commission) and another natural or legal person (National Agencies in EU Member States, EEA countries, as well as programme countries Turkey, Serbia and North Macedonia). The transfer is done by providing access to your personal data to different organisations, as described below.
Who has access to your personal data and to whom it is disclosed depends on where your personal data are transferred. There are currently two types of data transfers which ensure different level of protection:
- Data transfers to the European Union Member States, to countries of the European Economic Area, or to countries for which the Commission adopted an adequacy decision ensuring an adequate level of protection.
- Data transfers to third countries for which there is no Commission adequacy decision and the level of protection of your rights with respect to your personal data might not be equivalent to the EU legislation.
In case of transfers of personal data inside EU/EEA and to countries with an adequacy decision:
Access to your personal data is provided to the European Commission staff responsible for carrying out this processing operation and authorised staff according to the “need to know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements.
Outside the European Commission, access to your personal data is provided to:
- Staff of beneficiary organisations managing the grant project, mobilities and other project activities such as cooperation projects
- Authorised staff of project partner organisations
- Authorised staff of the National Agencies
- Relevant volunteers from organisations that are part of the Erasmus+ Student and Alumni Alliance (ESAA), and staff from the consortium appointed by the European Commission to support ESAA
- Authorised users in external companies contracted by the European Commission or by the National Agencies for the delivery of services, for example, development and support of Mobility Tool+
- Authorised staff of the European Education and Culture Executive Agency maintaining the School Education Gateway course catalogue service
- When an audit or investigation takes place, external auditors may need access to your data to ensure the legality and regularity of the project implementation
- The designated insurance company, which needs to know the individuals it needs to cover as part of its contract (for the European Solidarity Corps)
- EU Delegation in the participant's sending countries
- Staff of the Finnish National Agency for Education – EDUFI, Internationalisation Services for Youth, Culture, Sport (where it is acting in their role as coordinator of Research-based Analysis of Erasmus+ Youth in Action (RAY) Network)
The information we collect will not be given to any third party, except to the extent and for the purposes which may be required to do so by national law.
In case of transfers of personal data to third countries:
Your personal data is transferred to a third country outside EU/EEA for which there is no adequacy decision (including to programme countries – Turkey, Serbia and North Macedonia) if you are in one of the following situations:
- you carry out a mobility to the third country
- you participate in a project with a partner organisation from a third country
- you participate in a project managed by the National Agencies in Turkey, Serbia or North Macedonia
- you participate in a project with a beneficiary organisation or coordinator (for schools to schools projects only) from Turkey, Serbia or North Macedonia
- beneficiary organisation provides access to the project data to an authorised person from a third country
Access to your personal data is provided to the following organisations from the third country:
- Staff of beneficiary organisations from Turkey, Serbia, or North Macedonia managing the grant project, mobilities and other project activities such as cooperation projects (if you participate in a project with a beneficiary organisation or coordinator from these countries)
- Authorised staff of the National Agencies, national authorities and EU Delegations from Turkey, Serbia or North Macedonia (if you participate in a project managed by the National Agencies from these countries)
- Authorised staff of project partner organisations from third country (if you participate in a project with a partner organisation from a third country)
- Authorised staff of the National Erasmus+ Offices in the receiving third country (for statistical purposes, if you carry out a mobility to a third country)
- An authorised person from a third country organisation (if a beneficiary organisation in your project has provided access to your personal data).
In this case, the level of protection of your personal data will depend on the law or practice of that third country. However, your rights as regards data protection might not be equivalent to those in and EU/EEA country or a country with an adequacy decision. If your sending institution is located in an EU/EEA country, the transfer has to comply with the conditions laid down in Chapter V of Regulation (EU) 2018/1725.
The information we collect will not be given to any other party located in a third country outside EU/EEA, except to the extent and for the purpose, which may be required by the national law of the country in question.
You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, particularly the right to access or rectify your personal data and the right to restrict the processing of your personal data.
You can exercise your rights by contacting the Data Controller or, in case of conflict, the Data Protection Officer of the European Commission. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Section 9 below.
Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under Section 10 below) in your request.
The Data Controller
Directorate-general for Education, Youth, Sport and Culture, Unit B.4 - Erasmus+ Coordination
If you would like to exercise your rights under Regulation (EU) 2018/1725 or if you have comments, questions or concerns related to the processing of your personal data, or if you would like to submit a complaint regarding the collection and use of your personal data, please send an email to the Data Controller at EU-ERASMUS-ESC-PERSONAL-DATA@ec.europa.eu.
Further to the above you can contact:
The Data Protection Officer (DPO) of the European Commission
You may contact the Data Protection Officer DATA-PROTECTION-OFFICER@ec.europa.eu with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.
The European Data Protection Supervisor (EDPS)
You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.
The European Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the European Commission. You may access the register via the following link: http://ec.europa.eu/dpo-register.
This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC-01069.
More information about processing of personal data in Erasmus+ and European Solidarity Corps can be found on the Erasmus+ and data protection page.