Book page

Data Protection Notice

Erik BALLHAUSEN
Erik BALLHAUSEN • 19 May 2025

Education for Climate Coalition (E4C) 

Data Protection Notice


The European Education and Culture Executive Agency ("EACEA") is committed to preserving the protection of your personal data. This notice provides information on your rights in relation to data protection and on how your personal data are processed by EACEA in accordance with Regulation (EU) No 2018/1725 on the protection of personal data by the Union institutions, bodies, offices and agencies1 ("the Data Protection Regulation").


1. Who is responsible for processing your personal data (data controller)?


The controller is the European Education, and Culture Executive Agency (EACEA)
Avenue du Bourget 1, BE-1049 Brussels.


The person designated as being in charge of the processing operation is the Head of Unit A.6 Platforms, Studies and Analysis.


The contact Email address is EACEA-EDUCATION-FOR-CLIMATE@ec.europa.eu


2. For which purpose do we process your data?

The Education for Climate Coalition (E4C) is a collaborative initiative engaging the education community across the EU to drive the green transition and sustainable development. As part of the European Education Area, it connects students, teachers, and stakeholders to tackle climate change through cooperation, experience sharing, and concrete pledges.

The purpose of the processing is to support the Education for Climate Coalition (E4C) initiative for transition to climate neutrality by facilitating collaboration and engagement of the educational community via a secured online environment and relevant activities.

Your personal data are collected and used to:

• Set up and manage the members’ accounts
• Protect the platform against malicious activities
• Implement the verification process for newly registered users
• Manage cookies and consent management
• Keep history of user’s operations performed
• Assure quality of the online content (e.g., monitoring and validation of publications on the platform)
• Allow users to create content

(1) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC Text with EEA relevance, OJ L 295, 21.11.2018, p. 39.

• Publish announcements, comments and feedback
• Share content, documents, scientific publications and contributions to discussion forums.
• Organise and manage online and on-site or hybrid events (including live streaming, videos and recording of events)
• Provide specific e-services on the platform, like joining and being invited to communities, groups and conversations, activities/ events, receiving notifications and messages
• Inform & communicate with the platform users, community and groups members on existing communities and groups and related network activities
• Ensure platform functionalities and content as well as related activities such as participation to online and onsite events (e.g. E4C annual event, workshops, interviews, testimonials, community cafés, country groups events, etc.), calls for participation, contest, surveys, mentoring groups for motivational purposes, written contributions for input/output like achievements or contributions on the E4C platform by means of newsletters, announcements, notifications, posts, social media, user stories, emails, etc.
• Ensure subscription to Newsletter (Newsroom)
• Allow interaction and networking among the members of the communities/groups
• Identify new user needs and improve the quality/functioning of the platform
• Reply user queries
• Process authorization and contact forms
• Extract aggregated data for research and statistical purposes

The platform has the technical capability to administer and add/remove details of the User Profile to better fulfil the purpose of the network, in full respect of data protection principles (in particular data minimisation).

This is because EACEA is mandated by the European Commission to implement the E4C collaborative initiative and the processing is needed to support the EC (DGEAC)’s stakeholders’ engagement and facilitate communities’ collaboration for an efficient and concrete mobilisation of the educational community.

Your personal data will not be used for an automated decision-making including profiling.

3. Which personal data are processed?

In order to carry out the processing operation, the following data may be processed:

• Names, surnames and email addresses of community members (when registering on the platform and to request technical support) and also organization, current, field of expertise, curriculum vitae, job position/title, fields of interest (for events, surveys, video and audio recording, interviews, announcements, publications, news and in content published on the platform)
• Registered E4C members’ experiences, opinions, pictures and quotes for articles to be published within the platform (in the users’ profile area and on a voluntary basis)
• Images that are voluntarily shared by registered EAC members in public and private channels of the platform and in their user profile
• Photos, voice, meetings and video recording upon the users’ consent, that may be e used for promotion on the platform or social media accounts (for online, hybrid and physical events via videoconferencing, live-streaming, interviews, audio calls and/or podcasts: image)
• Process other optional data, which might be submitted by community and group members on a voluntary basis and at their free choice and may be published on the communities and groups (e.g., messages, challenges and threads, files, videos/webcam recordings and pictures).

• Diet and/ or accessibility requirements and related consent (for physical meeting), including food allergies for events catering may be processed. The names of people are not shared with the catering vendor
• Information concerning communities, groups or areas of interest, personal motivation to join the communities and groups, data on private sphere and family, such as blogs, personal websites, personal social media handles etc (on a voluntary basis - at registration on the platform, in communities, groups, mentoring and job board section, interviews, or in helpdesk enquiries)
• Allowances and bank account reference (IBAN and BIC codes), VAT number, passport number and/or ID number
• Accommodation and subsistence costs, information on itineraries and travel receipts and related r expenses for mission and journeys
• E-mail addresses of community and group members, as well as institutions/organisations, which may be shared by registered members on a voluntary basis with other members on the platform
• EU login, platform generated user ID, username or account, password changes, last authentication and authenticated account activity, log files, which may include the IP address, geo/localization, interest, spoken languages, country and nationality
• Other data submitted voluntarily during interviews/activities (e.g. opinions, interests, quotes), on EU surveys, MS TEAMS, WEBEX, SLIDO, MIRO, and/or on the platform, by answering questions during interview, asking for assistance for technical problems with the platforms or tick box agreeing data to be used in a publication, etc.

4. Who has access to your personal data and to whom is it disclosed?

Access to your personal data is provided to any EACEA staff responsible for carrying out this processing operation according to the “need to know” principle. Such staff abide by statutory confidentiality obligations.

The following recipients may also access to your personal data:

• Authorised staff of the European Commission (such as DG EAC, DG CNECT (for the use of Newsroom and acting as processor), DG COMM, JRC (for the use of EU Academy), DG DIGIT, DG INTPA)
• Authorised staff of the EACEA contractor(s) acting as processor(s): ESN and ECORYS as contractors that abide by contractual confidentiality requirements. For more information on personal data may be processed by them, see their privacy statements: https://esn.eu/about/privacy-statement, and https://www.ecorys.com/privacy/. Please note that only the data mentioned in this data protection notice and in line with the conditions stipulated herewith are processed by the contactor(s)
• DG DIGIT acting as processor for EACEA and its contractor (MICROSOFT) for the use of TEAMS (, and its contractor (CISCO) for the use of WEBEX/ web conference service
• Other registered members and participants of events based on consent for sharing participants’ list • General public for the information being published on the E4C website, and/ or for data published on the EC and EACEA websites, EC corporate platforms and/or on the social media of Commission Services and EACEA accounts (X, Facebook, Instagram, LinkedIn, BlueSky, etc.), including the VIMEO platform (see https://vimeo.com/privacy , which can be accessed by any person in the world using the internet or subscribing to internet notification services
• In order to deliver its service, VIMEO will act as separate controller for the processing of personal data on which they determine the means and the purposes and might transfer personal data outside the EU in accordance with their privacy policies.

Please note that users’ personal data are accessible within the public area once logged in and if the users have filled in their public profile.

During events and is the scope of social media, users may interact with third party tools on a voluntary basis. The use of these tools falls under their own privacy policies.

EU Survey (EUSurvey - Welcome (europa.eu)) may be used for the purpose of participating in surveys and consultations, to give consent for the use of image, voice, video recordings, etc in accordance with its privacy policy which can be found here:

https://ec.europa.eu/eusurvey/home/privacystatement.

Aggregated data will be processed possibly anonymously, especially if transferred to third parties for research purposes.

Personal data will never be used for marketing purposes. 

The following IT tools may be used, which implies possible transfer of your personal data from the controller to third countries:

• WEBEX for web conference services (see Privacy Statement for WEBEX:- 
https://ec.europa.eu/dpo-register/detail/DPR-EC-05006.5


• TEAMS (see Privacy Statement for M365:
https://ec.europa.eu/dpo-register/detail/DPR-EC-04966

• SLIDO as online audience interaction tool to enable event participants to engage and ask questions, in accordance with its privacy policy ( https://ec.europa.eu/dpo-register/detail/DPR-EC-06687 ) SLIDO users who are not willing to share their personal data with this tool can simply reply anonymously. As SLIDO was acquired by Cisco Systems, Inc (WEBEX), personal data may be transferred to Cisco
• VIMEO (see Privacy Policy on Vimeo: https://vimeo.com/privacy
• MIRO as online collaborative whiteboard platform to enable event participants to collaborate in real-time, in accordance with its privacy policy: https://miro.com/legal/privacy-policy/ 

In order to deliver the services, the use of WEBEX, TEAMS, SLIDO, VIMEO and MIRO may imply the possible transfer of personal data to the U.S and for WEBEX/SLIDO also to the UK: such transfers are based on the Adequacy Decisions signed with the US and the UK.


The information collected will not be given to any third party, except to the extent and for the purpose we may be required to do so by law.


In addition, data may be disclosed to public authorities in accordance with Union and Member State law such as the European Court of Justice, the relevant national judge as well as the lawyers and the agents of the parties in case of legal proceedings, the Investigation and Disciplinary Office of the European Commission (IDOC), the competent Appointing Authority in case of a request or a complaint lodged under Articles 90 of the Staff Regulations, the European Anti-Fraud Office (OLAF), the Internal Audit Service of the Commission (IAS), the Court of Auditors, the European Ombudsman, the European Data Protection Supervisor (EDPS) and the European Public Prosecutor’s Office (EPPO).

5. How long do we keep your personal data?

EACEA only keeps your personal data for the time necessary to fulfil the above-mentioned purpose and follows the Common Retention List of the European Commission (CRL).


The personal data is kept on the platform for the time necessary to fulfil the purpose of collection, namely the authentication of the user on the website and it is kept for as long as the user is active and there is no request made by the user to remove the data from the system. The logs of the platform are kept for 42 days.

Time limits of the retention of data in the EU Login Authentication Service are defined in the privacy statement of the European Commission's Identity & Access Management Service (DPR-EC-03187).

The personal data of the verified community and groups members of the platform is kept up to three years following the last login. In case members request the deactivation of their profile the profile is automatically deactivated. Deactivated data will not be visible to other members. Deactivated data will be deleted. If deactivated members want to use the platform again, they must register a new as members.

The retention period for:

• personal data for social media influencers (e.g. first and last name, E-Mail address, pictures) that may be shared with EACEA is five years
• images, voices and recordings of interviewers, users, community and groups members and event participants (including videos, podcasts and user’s stories) is kept as long as the recording/ visual is used on the platform and for maximum five years after the closure of the contract with processors in charge of the platform. Images, voices and recordings based on prior. They may be published on the European Commission (EC) -DG EAC website and other public online platforms (e.g. VIMEO or other EC websites, as well as on the social media accounts of the EC and of community and groups members and influencers). Data may be used and archived by the EC in accordance with the applicable data protection record on long time preservation: https://ec.europa.eu/dpo-register/detail/DPR-EC-00837.3  
• the personal data shared by the platform's members is kept up to three years following the last login. In case members request the deactivation of their profile or the profile is automatically deactivated. Deactivated data will not be visible to other members. Deactivated data will be deleted. If deactivated members want, to use the platform again they must register anew as members
• the personal data collected for the participation on events is one year after the event for which it was collected
• the personal data shared in requests for information received in mailboxes is two years starting from the answer provided
• the voice recording published as podcast in EU Academy and in line with the EU Academy record and privacy statement is three years after the last interaction of the user on the platform https://academy.europa.eu/admin/tool/policy/view.php?versionid=19&returnurl=https%3A%2F%2Facademy.europa.eu%2F.

Data related to statistics and research purposes are kept for the entire duration of the E4C initiative. Five years after the end of the contract (2027 with a possible extension of maximum 2 years), the processors will hand over all information and data to EACEA and will not keep a copy of personal data in any format. The aggregated and anonymous data remain solely for research and monitoring purposes, at the disposal of EACEA, the European Commission (DG DIGIT, etc.). Data in aggregated and anonymous format may be kept longer by the contractor(s) ESN, ECORYS and by DG DIGIT under the authorisation of the Data Controller.

The retention period of E4C user’s personal data shared with DG CNECT (in Newsroom) to register to E4C newsletters is of five years after the last interaction (i.e., subscribing, confirming subscription, update users’ profile) of the data subject with Newsroom. Users could erase his/her account or unsubscribe from the mailing list at any time and his/her profile and personal data will be completely erased. This is described in the data protection record No DPR-EC-03928.1: https://ec.europa.eu/dpo-register/detail/DPR-EC-03928  and in the Newsroom Data Protection Declaration Wiki page: https://academy.europa.eu/admin/tool/policy/view.php?versionid=19&returnurl=https%3A%2F%2Facademy.europa.eu%2F. 

Personal data in security log files, the IP addresses and other additional data related to a user’s interaction with an EC e-service (date and time of authentication, change/reset of password or account status) is stored for a maximum of one year. In the context of investigations of security incidents, the
personal data could be further processed following record DPR-EC-02886: https://ec.europa.eu/dpo-register/detail/DPR-EC-02886  DIGIT IT security operations and services, where a different retention period applies.

6. How do we protect and safeguard your personal data?

Relevant organisational and technical measures are taken by EACEA to ensure the security of your personal data.

• Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. State of the art technical cybersecurity measures are implemented in the corporate systems, according to the security needs. Those measures are in constant evolution. The platform is hosted on the EC Europa domain, which is under the EC (DG DIGIT)’s control and abides by strict security and protective measures. Registered users to the “E4C” e-services have password protected access to their profile and can, at any moment, update their information, cancel their registration or request to unsubscribe from specific interest groups or communications

• Organisational measures include access control and restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation. Access to your data is done via authentication system on an individual basis through user-ID and password. As a rule within the Agency, access to information, to files and or to offices are subject to a series of authorisations where the person granting the access is different from the person requesting or authorising the access - except in limited cases of delegation. All Agency and EC staff are bound by a confidentiality obligation. Your data resides on the servers of the European Commission, which abide by strict security measures implemented by the European Commission (DG DIGIT) to protect the security and integrity of the relevant electronic assets. EACEA is also bound by Commission Decision 2017/46 of 10/1/17 on the security of communications & information systems in the EC.

EACEA’s contractors are bound by a specific contractual clause for any processing operations of your data on behalf of the Commission, and by the confidentiality and data protection obligations, deriving from the transposition of the General Data Protection Regulation in the EU Member States (‘GDPR’ Regulation (EU) 2016/679.

The E4C platform is a network site based on the Europa Communities Platform Software as a Service (ECP SaaS) established on Open Social – a DIGIT proposed third party solution - which is a ready-to-use Drupal Content Management System with standard functionalities to create and manage external communities websites under europa.eu.

The IT systems used by the Agency are the ones of the European Commission (EC) and abide by the EC’ s security guidelines.

7. What are your rights concerning your personal data and how can you exercise them?

Under the provisions of the data protection regulation, you have the right to request to the controller to access the personal data that EACEA holds about you and to have your personal data rectified in case your personal data are inaccurate or incomplete.

Where applicable, you have the right to request the erasure of your personal data and to restrict the processing of your personal data.

You are also entitled to object to the processing of your personal data on grounds relating to your particular situation at any time unless EACEA demonstrates compelling and overriding legitimate grounds or in case of legal claims.

When processing is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such a withdrawal.

However, the data controller may restrict the rights of the data subjects based on article 25 of the Data Protection Regulation (in exceptional circumstances and with the safeguards laid down in the Regulation). Such restrictions are provided for in the internal rules adopted by EACEA and published in the Official Journal of the European Union: 
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021Q0317%2801%29 

Such a restriction will be proportionate, limited in time, and respect the essence of the above-mentioned rights. It will be lifted as soon as the circumstances justifying the restriction are no longer applicable. In principle, you will be informed on the principal reasons for a restriction unless this information may cancel the effect of the restriction. A more specific data protection notice may apply in such case.

8. Contact Information

If you have questions or wish to exercise your rights under the Data Protection Regulation or if you want or to submit a complaint regarding the processing of your personal data, you are invited to contact the Data Controller (see contact details above).

You can also contact the Data Protection Officer of EACEA at the following email address: eacea-data-protection@ec.europa.eu
You may lodge a complaint with the European Data Protection Supervisor: http://www.edps.europa.eu.

9. On which legal basis are we processing your personal data?

We process your personal data, because:

• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body (as laid down in Union Law):

▪ Council Regulation 58/2003 of 19 December 2002, laying down the Statute for executive agencies to be entrusted with certain tasks in the management of EU programmes
▪ Commission Implementing Decision (EU) 2021/173 of 12 February 2021 establishing the European Education and Culture Executive Agency
▪ Commission Decision C(2021)951 of 12 February 2021 delegating powers to the European Education and Culture Executive Agency with a view to the performance of tasks linked to the implementation of Union programmes in the field of education, audiovisual and culture, citizenship and solidarity
2 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021Q0317%28…

▪ Regulation (EU) 2021/817 of the European Parliament and of the Council of 20 May 2021 establishing Erasmus+: the Union Programme for education and training, youth and sport and repealing Regulation (EU) No 1288/2013 (OJ L 189, 28.5.2021, p. 1–33).

• the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

▪ Subscription to newsletters, mails (campaign for motivational purposes, etc)
▪ Sharing events participant’s lists among themselves
▪ Audio, videos, recording of events, promotional video, selfie videos, user stories, testimonials
▪ Use of images of E4C users/members, and organizers for events, publications, (televisual broadcasting communication via the Internet or on public platforms (e.g. VIMEO) and on EACEA and European Commission (EAC) websites, platforms and/or social media accounts
▪ Providing voluntarily non-mandatory personal data in the platform by members who wish to do so on the basis of their own will.

The following special category(ies) of personal data is (are) being processed: health data (diet requirement, accessibility requirement to enter into a building for physical meetings), because:

• the data subject has given explicit consent to the processing for one or more specified purposes; participation to onsite events and business lunches.


Electronically signed on 16/05/2025 09:22 (UTC+02) in accordance with Article 11 of Commission Decision (EU) 2021/2121