The European Commission (hereafter ‘the Commission’) is committed to protect your personal data and to respect your privacy. The Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data. The data controller and the processors listed in this privacy statement follow the rules of the Regulation.
This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor.
The information in relation to processing operation Youthpass, undertaken by the unit EAC.B.3 in the European Commission, is presented below.
2. Why and how do we process your personal data?
European Commission collects and uses your personal information to enable the issuing of Youthpass certificates through the Youthpass database. Youthpass certificates help to document and validate the non-formal and informal learning experiences gained in the frames of participation in the EU Erasmus+ Youth and the European Solidarity Corps programmes.
We process your personal information for the following reasons:
- Allow organisations and representatives of informal groups to register an account and get access to the protected area of the Youthpass IT tool. The main purpose of this function is to ensure the appropriate level of security in using the Youthpass database. We also use this function to identify the National Agency users and authorise them with specific roles related to the Youthpass statistics and translations. In this case, we collect information about the organisation’s contact person; in some cases, the organisation data may reveal identifiable data of a physical person.
- Send e-mails to the contact person of the organisation or of the informal group. These e-mails include a confirmation of organisation registration, an e-mail invitation in case a project partner invites you to contribute to editing a project, notifications about the progress made by learners when editing their data, and messages sent by the learners via Youthpass system. The e-mail notifications include information about the approaching end of the retention period of the project, and thereby the approaching deletion of the individual information related to a project. On a voluntary opt-in basis, contact persons may receive instruction e-mails to implement the Youthpass process during project activities.
- Facilitate the issuing of Youthpass certificates. We collect the information that is displayed on the Youthpass certificates, and that is necessary for facilitating the process of inserting the data and displaying the information on the certificate in a correct manner.
- Send e-mails to the learners. These e-mails include invitations by the organisation to edit your individual data, and notifications about the changed status of your certificates data in the Youthpass database.
- Fulfil the obligations and responsibilities related to monitoring, analytical and statistical reporting, where the processing of personal data is required to analyse the data on the level of individuals.
- Enable scientific insights into the learning value of the EU youth programmes.
- Fulfil the obligation to validate the authenticity of the Youthpass certificates.
- Guarantee an error free provision of the Youthpass website and further develop its functionalities, following the principles of user-friendliness and accessibility.
- Monitor the use and accessibility of the information and educational materials provided through the Youthpass website.
Your personal data will not be used for an automated decision-making, including profiling.
Your personal data is introduced directly by you or your organisation (for example, your hosting or sending organisation) in the Youthpass IT tool to which access is given to different processors, as described later in this document. Other, technical data shall be recorded by our IT systems automatically or after you consent to its recording during your website visit. More details about collecting the technical data are included in chapter 5 below.
Your data will be processed by the European Commission's and the processors' IT systems. The processing of your data by the processors is in line with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018. The processors' obligations are described in Articles 29, 30 and 31 of the Regulation.
3. On what legal ground(s) do we process your personal data
We process your personal data, because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body (Article 5(1)(a) of the Regulation).
The implementation of Youthpass is established within the legal bases of the Erasmus+ and European Solidarity Corps programmes, respectively:
- Regulation (EU) 2021/817 of the European Parliament and of the Council of 20 May 2021 establishing Erasmus+: the Union Programme for education and training, youth and sport and repealing Regulation (EU) No 1288/2013, in particular its Article 11(b), and
- Regulation (EU) 2021/888 of the European Parliament and of the Council of 20 May 2021 establishing the European Solidarity Corps Programme and repealing Regulations (EU) 2018/1475 and (EU) No 375/2014, in particular its Article 5(2)(b) and Article 17(8).
4. Which personal data do we collect and further process?
Organisation’s or informal group’s contact person
The data required to register an organisation or informal group in the Youthpass database includes the following mandatory personal information:
- first name
- last name
- language of communication
- professional e-mail
Additionally, we collect the organisation’s street address and phone number, which may in some cases include personal data.
Person signing the certificate
To confirm the data displayed on the certificate, it is signed, by hand or electronically, by various people: by the persons responsible for the organisation and for the project, and by the dialogue partners of the learners. It is mandatory to indicate at least one responsible for the organisation; indicating a dialogue partner is optional. Regarding these persons, the following information is collected:
- first name
- last name
- position in the organisation or role in the project
- gender (only for the dialogue partner, to support correct language formulations in standard text translations)
- in case signed electronically, the signature of the person
To testify the description of the learning outcomes described in the Youthpass certificate, and to provide further context information, organisations and learners can add personal details about a referee who is willing to be contacted for further information. The following information is contacted:
- first and last name
- reference person’s connection to the project
- reference person’s contact information
Learner (participant or team member that receives a Youthpass certificate)
The following personal information is mandatory:
- first name
- last name
- country of residence
Additionally, the following optional information is collected:
- date of birth
- place of birth
- e-mail address
- preferred language of communication
5. How long do we keep your personal data?
European Commission, EAC.B.3 only keeps your personal data for the time necessary to fulfil the purpose of collection or further processing. Personally identifiable data linked to a project (that of learners, signees and referees) will be deleted 6 years after the end date of the project. The personal data collected for user access are kept until the user account’s deactivation. You can deactivate your account by contacting the Youthpass Helpdesk on email@example.com, as a rule the deactivation follows on the next working day.
For statistical and analytical purposes, as well as for the purpose of validating the authenticity or Youthpass certificates, some of the individual data is kept in the database also after the retention period, in a anonymised manner that excludes the possibility to identify individual persons.
6. How do we protect and safeguard your personal data?
The European Commission stores all data in a datacentre located inside the EU.
All processing operations by the Commission are carried out according to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.
A specific contractual clause binds the Commission's contractors for any processing operations of your data on behalf of the Commission and by the confidentiality obligations deriving from the transposition of the General Data Protection Regulation in the EU Member States ('GDPR' Regulation (EU) 2016/679).
The Commission has put several technical and organisational measures in place to protect your personal data. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to personal data solely to authorised persons with a legitimate need to know for this processing operation.
In the Youthpass database, specific technical measures are in place that ensure that the personal data that is kept beyond the retention period does not allow identifying individual persons. For the purpose of verifying the authenticity of the certificates, the names of the learners get saved in the Youthpass database as salted hashes, that ensures one-way encryption of the data that cannot be unencrypted. The data kept for the statistical and research purposes excludes the fields intended for personal data. Name and email address of a learner that may accidentally be included in other text elements that are kept for the research purpose get automatically replaced with a placeholder that is identical for all learners.
7. Who has access to your personal data and to whom is it disclosed?
Access to your personal data is provided to the Commission staff responsible for carrying out this processing operation and to authorised staff according to the “need to know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements.
The European Commission acts as a controller in this processing.
Outside the European Commission, access to your personal data is provided to the following categories of processors:
Authorised staff in SALTO Training and Cooperation Resource Centre (located in the German National Agency, JUGEND für Europa), maintaining the Youthpass service;
Authorised staff in external companies contracted by the European Commission or by SALTO Training and Cooperation Resource Centre for the delivery of services, for example, development and support of IT tools.
Your individual data about the participation and development of learning outcomes in a project are disclosed to the users who act as editors of the project in the Youthpass database. This normally includes a representative of the main organiser of the project, but may also include
representatives of the partner organisations or facilitators of learning (trainers, mentors) in the project.
The information we collect will not be given to any third party, except to the extent and for the purposes which may be required to do so by national law.
Analysis tool Matomo
The Youthpass website uses the open-source web analysis service Matomo, in order to optimise our web service. Matomo uses technologies that enable the recognition of the user across pages for the analysis of user behaviour (e.g. cookies or device fingerprinting). We host Matomo exclusively on our own servers so that all analysis data remains with us and is not passed on.
Through Matomo, we collect and analyze data about the use of our website. This enables us to find out, for instance, when which page views occurred and from which region they came. In addition, we collect various log files (e.g. IP address, referrer, browser, and operating system used) and can measure whether our website visitors perform certain actions (clicks).
We use IP anonymisation for the analysis with Matomo. This means that your IP address is shortened before analysis so that it can no longer be clearly assigned to you.
You may opt out of using Matomo on your computer:
YouTube with expanded data protection integration
To pass on educational content, the Youthpass website embeds videos of the website YouTube. The website operator is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
The embedded videos on the Youthpass website are not automatically loaded, they do not pass on personal information to YouTube when you visit one of the sites with an embedded YouTube video. Only when you start to play a YouTube video on this website, a connection to YouTube’s servers will be established. As a result, the YouTube server will be notified, which of our pages you have visited. If you are logged into your YouTube account while you visit our site, you enable YouTube to directly allocate your browsing patterns to your personal profile. You have the option to prevent this by logging out of your YouTube account.
Furthermore, after you have started to play a video, YouTube will be able to place various cookies on your device or comparable technologies for recognition (e.g. device fingerprinting). In this way YouTube will be able to obtain information about this website’s visitors. Among other things, this information will be used to generate video statistics with the aim of improving the user friendliness of the site and to prevent attempts to commit fraud.
Under certain circumstances, additional data processing transactions may be triggered after you have started to play a YouTube video, which are beyond our control.
To pass on educational content, the Youthpass website has integrated an online book-flipping tool called Flipsnack. The embedded documents on the Youthpass website are not automatically loaded, they do not pass on personal information to Flipsnack when you visit one of the sites with an embedded Flipsnack document. Only when you choose to load the document on this website, a connection to Flipsnack’s servers will be established. As a result, personal data (like your IP-address) may be transferred to the Flipsnack server.
8. What are your rights and how can you exercise them?
You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access, your personal data and to rectify them in case your personal data are inaccurate or incomplete. Where applicable, you have the right to erase your personal data, restrict the processing of your personal data, and object to the processing. You have the right to object to the processing of your personal data, which is lawfully carried out pursuant to Article 5(1)(a) on grounds relating to your particular situation.
You can exercise your rights by contacting the Data Controller, or in case of conflict the Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.
Where you wish to exercise your rights in the context of one or everal specific processing operations, please provide their description (i.e. their Record reference(s) as specified under the section below) in your request.
9. Contact information
- The Data Controller
If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller at firstname.lastname@example.org.
The Data Protection Officer (DPO) of the Commission
You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.
- The European Data Protection Supervisor (EDPS)
You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor (email@example.com) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller.
10. Where to find more detailed information?
The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to him. You may access the register via the following link: http://ec.europa.eu/dpo-register.
This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC-12510.