DiscoverEU Data Protection Notice
The European Education and Culture Executive Agency ("EACEA") is committed to preserving your privacy. All personal data are dealt with in accordance with Regulation (EU) No 2018/1725 on the protection of personal data by the Union institutions, bodies, offices and agencies (1) ("the Data Protection Regulation").
The following Data Protection Notice outlines the policies governing the EACEA's collection, management and use of personal data of the individuals participating in DiscoverEU.
1. Who is responsible for processing your personal data (data controller)?
The controller is the European Education and Culture Executive Agency, BE-1049 Brussels. The person designated as being in charge of the processing operation is the Head of Unit A5: Youth, EU
Solidarity Corps and Aid Volunteers.
Email: eacea-a5@ec.europa.eu.
DG EAC and EACEA act as joint controllers in relation to DiscoverEU because they jointly process the personal data of applicants submitting an application on the European Youth Portal in order to receive the DiscoverEU travel passes.
2. Which personal data are processed?
The following personal data are processed and all are mandatory, except when specified that they are optional:
• in the form of personal identification numbers (ID card number or passport number or legal residence number)
• concerning the physical characteristics of persons as well as the image, voice or fingerprints (ID card picture or passport picture or legal residence picture)
• concerning the data subject's private sphere (nationality, legal residence, date of birth, email address, first name, last name, gender (optional), region of residence (optional) telephone number, occupation (e.g. schooling, employment…), disability or health problem (optional and when there is a request for special support), country issuing the national ID card / passport / legal residence proof
• concerning pay, allowances and bank accounts (source to finance non covered costs)
• concerning the data subject's family (level of education of the parents/legal guardians (optional))
• concerning the data subject's career (previous occupation (e.g. schooling, employment),
(previous) involvement in a youth organisation (optional)), envisaged future occupation (e.g. studies, work)
• concerning telephone numbers and communications (telephone number, email address)
• concerning names and addresses (including email addresses) (first name, last name, email address, national ID card / passport / legal residence proof, region of residence (optional)).
• concerning health (optional in cases where the participant is requesting specific support due to health condition).
3. For which purpose do we process your data?
• To organise selection and award procedures for DiscoverEU travel passes and related services: launching rounds on the European Youth Portal inviting applicants to reply to a questionnaire. For that purpose, applicants have to submit certain personal data in order to allow the joint controllers to assess whether they meet the eligibility conditions. Participants are selected if they meet the eligibility conditions, if they answer correctly the Quiz questions and if they answer in the most correct way the subsidiary question (tiebreaker).
• Once selected, the contractor verifies the actual eligibility of the selected candidates by checking the validity of personal documents (proof of nationality, proof of legal residence).
• After this, the travel pass and the accompanying discount card are awarded to participants by the contractor. Participants using the pass are in contact with the contractor to prepare their travel and if they need support to use the pass.
• Booking train, coach or plane tickets for applicants awarded a DiscoverEU travel pass.
• Monitoring and reporting: EACEA can also process the personal data of participants for monitoring and reporting purposes.
Personal data of non-selected applicants may be transmitted by DG EAC (joint controller) to their
contractor for the purpose of receiving the discount card of the European Youth Card Association.
4. Who has access to your personal data and to whom is it disclosed?
Access to your personal data may be given on a need-to know basis to the following recipients:
• Authorised staff of the EACEA (based in EU)
• Authorised staff of the European Commission
• Authorised staff of the contractor and their subcontractors (based in EU/EEA countries)
• The contractor operates its DiscoverEU using services from the following third parties’ tools:
o Adobe Campaign & Mandrill (e-mail confirmation)
o AWS Cognito & CommerceTools (account and order management)
o AWS Dynamo DB (mobile pass)
o Chatlayer (chatbot)
o Dune (database)
o Flexmail (e-mail system)
o Insided (community)
o Mailchimp & IRIS/Intersystems (reservations)
o MessageBird (SMS system)
o Netigate (post-travel survey)
o Shufti Pro (ID verification)
o SQL Datawarehouse (archiving & reporting)
o Zendesk (helpdesk)
For a very limited number of cases (fixed train tickets, exceptional bus or plane trips), limited personal data (name, first name, date of birth) are transferred to a travel agency based in Belgium, with whom the DiscoverEU contractor has a data protection agreement (DPA) in place. Depending on the itinerary requested by the participant, the travel agency may book trips to transport operators in countries in the EU/EEA or outside the EU/EEA that are part of DiscoverEU (North Macedonia, Serbia, Türkiye).
Such trips are always booked at the request of the participant. Such transfer of personal data will be based on Article 50.1(c) (transfer necessary for the conclusion or performance of a contract concluded in the interest of the data subject).
In case of control or dispute, access to your personal data may be given on a need-to-know basis to the bodies charged with a monitoring or inspection task in application of Union law (e.g. Internal Audit Service, European Commission, OLAF, EU Courts etc.).
5. How long do we keep your personal data?
Personal data contained within non-selected user applications for DiscoverEU will be deleted two years after applicant submitted their application unless they have expressed interest in being informed about / involved in other European Youth Portal services in which case the data are kept for a maximum of 5 years. After that time, their personal data will be anonymised and only be kept for statistical purposes.
Personal data contained within selected user applications for DiscoverEU will be deleted 5 years from the travel booking date according to the common retention list unless the user has expressed their interest in withdrawing from the ‘selected user’ status and has not benefited from EU funding through the initiative, in which case the data are kept for a maximum of 2 years.
However, we may keep information identifying you for a longer period for historical, statistical or
scientific purposes with the appropriate safeguards in place.
6. What are your rights concerning your personal data and how can you exercise them?
Under the provisions of the data protection regulation, you have the right to request:
• to access the personal data EACEA holds about you;
• a rectification of your personal data where necessary;
• the erasure of your personal data;
• the restriction of the processing of your personal data;
• to receive or to have your data transferred to another organization in commonly used machine readable standard format (data portability).
NB: Considering the competitive nature of the selection process, the right to rectify information can only apply to the factual data processed under the grant award procedure concerned. The right to rectify these data can only be exercised up to the closing date for submission of applications.
However, inaccurate identification factual data may be rectified at any time during and after the grant award procedure.
As this processing of your personal data is based on point of Article 5(1)(a) of the Data Protection Regulation, please note that you have the right to object to processing of your personal data on grounds relating to your particular situation under the provisions of Article 23 of the Data Protection Regulation.
Article 25 of Regulation (EU) 2018/1725 provides that, in matters relating to the operation of EU institutions and bodies, the latter can restrict certain rights of individuals in exceptional circumstances and with the safeguards laid down in that Regulation. Such restrictions are provided for in internal rules adopted by EACEA and published in the Official Journal of the European Union: (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021Q0317%2801%29)
Any such restriction will be limited in time, proportionate, and respect the essence of the above-mentioned rights. It will be lifted as soon as the circumstances justifying the restriction are no longer applicable. You will receive a more specific data protection notice when this period has passed.
As a general rule you will be informed on the principal reasons for a restriction unless this information would cancel the effect of the restriction as such.
You have the right to make a complaint to the EDPS concerning the scope of the restriction.
7. Your right to have recourse in case of conflict on any personal data issue
In case of conflict on any personal data protection issue you can contact the Controller at the above-mentioned address and functional mailbox.
You can also contact the Data Protection Officer of EACEA at the following email address: eacea-data protection@ec.europa.eu.
You may lodge a complaint with the European Data Protection Supervisor at any time: http://www.edps.europa.eu.
8. On which legal basis are we processing your personal data?
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body (to be laid down in Union Law):
- The Commission Implementing Decision 2021/173 establishing the EACEA;
- The Commission Decision C(2021)951 and its annexes delegating powers to EACEA for the management of programmes in the MFF 2021-2027,
- Regulation (EU) 2021/817 of the European Parliament and of the Council of 20 May 2021 establishing Erasmus+: the Union Programme for education and training, youth and sport and repealing Regulation (EU) No 1288/2013 (OJ L 189, 28.5.2021, p. 1–33) (Text with EEA relevance).
(1) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC Text with EEA relevance, OJ L 295, 21.11.2018, p. 39.