Data Protection Notice

The European Education and Culture Executive Agency ("EACEA") is committed to preserving the protection of your personal data. This notice provides information on your rights in relation to data protection and on how your personal data are processed by EACEA in accordance with Regulation (EU) No 2018/1725 on the protection of personal data by the Union institutions, bodies, offices and agencies¹ ("the Data Protection Regulation").

1. Who is responsible for processing your personal data (data controller)?

The controller is EACEA, BE-1049 Brussels
The person designated as being in charge of the processing operation is the Head of Unit A6 - Platforms, Studies and Analysis.
The contact Email address is ec-selfie@ec.europa.eu

2. For which purpose do we process your data?

SELFIE for Teachers and SELFIE for Schools are free, online tools provided by EACEA Unit A.6, designed to support the digital competence development of teachers and school communities (respectively) without assessing or benchmarking individuals or groups. The tools are accessible at https://selfie-in-education.ec.europa.eu and are hosted and deployed in the DIGIT data centre environment. Registration and login in the tools are managed through the EU Login platform, as detailed in the DIGIT record DPR-EC-03187.2 for data protection inquiries.

SELFIE for Teachers targets teachers and educators from pre-primary up to upper secondary education, providing a personalised report based on voluntarily provided data to enhance digital competence and professional learning. Teachers can view their progress and tailor learning plans using their aggregated feedback, while groups can receive anonymised collective reports based on customised questionnaires, ensuring no individual identification. Aggregated data, with educator consent, can inform broader educational and policy decisions.

Meanwhile, SELFIE for Schools assists school leaders, teachers, students, and (in the case of the work-based learning version of the tool) in-company trainers in reflecting on the digital capacity of their school. Registered schools and companies can collect input from school leaders, teachers, students, and in-company trainers who complete tailored questionnaires on a voluntary and anonymous basis. The tool generates a dedicated interactive report that can be used as a basis for discussion within the school community on technology use for teaching and learning and for action plan development, with schools assuming full ownership of the SELFIE tool implementation and their data use.

EACEA and the European Commission may also use anonymised, aggregated data from both tools to produce public reports and analyses, ensuring that individual privacy is maintained. The tools have been developed in the context of the EU Digital Education Action Plans 2018-2020 (SELFIE for Schools) and 2021-2027 (SELFIE for Teachers).

SELFIE for Teachers

EACEA Unit A.6 collects and uses the information provided on a voluntary basis by primary and secondary education teachers and early education and childhood educators by completing the online questionnaires of SELFIE for Teachers tool.
Anonymised and aggregated statistical data deriving from the tool can be shared, provided that the individual teachers or educators gave their consent by accepting a relative statement within the tool. This aggregated and anonymised data can be used to inform decision making on teaching and learning using digital technologies and teachers education and training. EACEA may use the raw and aggregated data from the SELFIE for Teachers self-reflection tool platform in the following ways:
- Extract aggregated and anonymised data into other EACEA or European Commission systems for data visualisation and analyses.
- Share aggregated and anonymised data with third parties (e.g., Ministries of Education), for instance through publicly available dashboards or through presentations, reports and other publications to inform broader educational and policy decisions at regional, national or EU level, following Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information (recast).
Individual participants will never be identified in these dashboards, presentations, reports and analyses. At no time will individual responses of teachers or educators ever be shared or made public, nor will any aggregated data be shared in a way that allows individuals to be identified, directly or indirectly.

SELFIE for Schools

EACEA may use the aggregated data from the SELFIE for Schools self-reflection tool platform in the following ways:
- Download aggregated and anonymised data into other EACEA or European Commission systems for data visualisation and analyses.
- Share aggregated and anonymised data with third parties (e.g., Ministries of Education), for instance through publicly available dashboards or through presentations, reports and other publications to inform broader educational and policy decisions at regional, national or EU level, following Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information (recast).

In aggregated and anonymised data from SELFIE for Schools, individual participants will never be identified in these dashboards, presentations, reports and analyses. At no time will individual responses from the school ever be shared or made public, nor will any aggregated data be shared in a way that allows individual students or staff members to be identified, directly or indirectly.

For both SELFIE for Teachers and SELFIE for Schools, the EACEA Unit A.6, as system provider, uses the EU Login platform for user authentication and account management. The processing of your personal data related to EU Login is carried out under the responsibility of DG DIGIT, as described in the record DPR-EC-03187.2 (https://ec.europa.eu/dpo-register/detail/DPR-EC-03187).

Your personal data will not be used for automated decision-making including profiling.

3. Which personal data are processed?

In order to carry out the processing operation, the following data may be processed:

personal identification numbers (IDs, passport, etc);
data subjects contact details (names and addresses (including email addresses);
registration data/participation to meeting, etc;
physical characteristics of persons: image, voice, video recording, etc;
info concerning the data subjects private sphere and family;
allowances and bank accounts;
info concerning the data subjects career and education;
data subjects communications via phone, emails etc;
geo/localization, IP address, etc.

SELFIE for Teachers:

The data collected through the SELFIE for Teachers self-reflection questionnaires refer to the teachers and educators digital competence. EACEA also collects personal data that are anonymised wherever possible. However, some responses may contain personal data voluntarily provided by teachers and educators, for example through free-text inputs which may increase the residual risk of re-identification (e.g. names of individuals, their schools, or unique situations). To mitigate this risk, free-text inputs are filtered and cleaned before export and excluded from shared datasets.

SELFIE for Schools:

The data is collected anonymously through the questionnaires for school leaders, teachers, students and in-company trainers refer to the use of digital technologies for teaching and learning. School leaders, teachers, in-company trainers and students do not have to register or log in to complete the questionnaires. However, some responses may contain personal data voluntarily provided by teachers and educators, for example through free-text inputs which may increase the residual risk of re-identification (e.g. names of individuals, their schools, or unique situations). To mitigate this risk, free-text inputs are filtered and cleaned before export and excluded from shared datasets.

4. Who has access to your personal data and to whom is it disclosed?

Access to your personal data is granted to the EACEA staff responsible for carrying out this processing operation and to any authorised staff according to the "need to know" principle. Such staff abide by statutory confidentiality obligations.

The following recipients may also access to your personal data:

Authorised staff of the EACEA contractors acting as processors: EUN PARTNERSHIP AISBL and TREMEND SOFTWARE CONSULTING SRL that abide by contractual confidentiality requirements. For more information on how your data may be processed by them, please have a look at their privacy statements: EUN Legal Notices and Privacy; Tremend Privacy Policy. Please note that only the data mentioned in this data protection and in line with the conditions stipulated herewith are processed by the contactors.
Authorised staff of the European Commission, such as:
- DG EAC, DG EMPL, DG CNECT, DG JRC, DG COMM, and other EU institutions and bodies, e.g. the European Training Foundation.
- DG DIGIT acting as processor for EACEA and its contractor:
  - - for hosting SELFIE tools;
  - - MICROSOFT, for the use of TEAMS (see Privacy Statement for M365, under part 7);
  - - CISCO, for the use of WEBEX/ web conference service (See Privacy Statement for WEBEX under part 7) and for SLIDO (See Privacy Statement for SLIDO under part 7).
In the case where a self-reflection is initiated through SELFIE for Teachers for a group of teachers or educators, then the group assigned leader can have access to the aggregated anonymised data of the group, and only by the group participants who gave their consent (by accepting/rejecting a relative statement before going through the tool). No personal data will be accessed by any other than the EACEA staff and its contractors directly involved in the SELFIE tools project according to the "need to know" principle.

SELFIE tools are also available for use outside EU Member States, as any school or teacher can freely register and use them. In addition, institutions such as the European Training Foundation and the Unescos Institute for Information Technologies in Education have promoted the use of the tools in Partner Countries and third countries, respectively. Also, if a self-reflection is initiated through SELFIE for Teachers for a group of teachers or educators, the group coordinator can have access (only) to the aggregated data of the group, provided that at least 10 groups participants have given their consent (by accepting or rejecting the relative statement before going through the tool).

Also, the use of M365/TEAMS, WEBEX or SLIDO may imply the possible transfer of your data to third countries such as the U.S.A. This may be based on the Adequacy Decision for the US in view of the Privacy Framework List or on derogations as per Article 50 of the Data Protection Regulation, namely:

- the transfer is necessary for important reasons of public interest and is based on Article 50(1)(d) of the Regulation as recognised in the following Union law:

Article 14 of the Charter of Fundamental Rights of the European Union;
Article 26 of the Universal Declaration of Human Rights;
Article 11 of the Treaty of the European Union;
Article 15 of the Treaty on the Functioning of the EU.

In addition, data may be disclosed to public authorities in accordance with Union and Member State law such as the European Court of Justice, the relevant national judge as well as the lawyers and the agents of the parties in case of legal proceedings, the Investigation and Disciplinary Office of the European Commission (IDOC), the competent Appointing Authority in case of a request or a complaint lodged under Articles 90 of the Staff Regulations, the European Anti-Fraud Office (OLAF), the Internal Audit Service of the Commission (IAS), the Court of Auditors, the European Ombudsman, the European Data Protection Supervisor (EDPS) and the European Public Prosecutors Office (EPPO).

5. How long do we keep your personal data?

For both SELFIE tools, until the individual user or school proactively requests the deletion or deletes the account (as per DPR-EC-03187), or for a maximum duration of 5 years from the last use.

Keeping the data for a maximum of five years is envisaged for statistical or scientific purposes as the tools are actions under the European Commission Digital Education Action Plan 2018-2020 and 2021-2027;
The retention time also aims to support individual users or schools that may want to come back to use the tools after a few years since the last use. In such a case, for the purposes of a longitudinal approach to the data analysis and user progress, it is important to keep the data for up to five years.

Upon a justified request, the Controller shall provide the Data Subject with information on the actions taken on a request pursuant to Articles 17 to 24 of Regulation 2018/1725 without undue delay, and, in any event, within one month of receipt of the request. That period may be extended by two further months where necessary, considering the complexity and the number of the requests. The Controller shall inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

However, we may keep information identifying you for a longer period for historical, statistical or scientific purposes. Such data are the following:

SELFIE for Teachers: EU Login data and the personal data of subscribed users.

SELFIE for Schools: EU Login data and the personal data from the self-reflection questionnaires submitted anonymously by school leaders, teachers, in-company trainers and students.

6. How do we protect and safeguard your personal data?

Relevant organisational and technical measures are taken by EACEA to ensure the security of your personal data. A Corporate Local Informatics Security Officer (C-LISO) is in place. Its role includes supervising the Agency compliance with the relevant regulations, and the application of security measures recommended by DIGIT.

Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.

Access to your data is done via authentication system on an individual basis through user-ID and password. Your data resides on the servers of the European Commission, which abide by strict security measures implemented by the European Commission (DG DIGIT) to protect the security and integrity of the relevant electronic assets.

EACEA is also bound by Commission Decision 2017/46 of 10/1/17 on the security of communications & information systems in the EC.

EACEAs contractors are bound by a specific contractual clause for any processing operations of your data on behalf of EACEA and by the confidentiality obligations deriving from the transposition of the General Data Protection Regulation in the EU Member States (GDPR Regulation (EU) 2016/679).

7. What are your rights concerning your personal data and how can you exercise them?

Under the provisions of the data protection regulation, you have the right to request to the controller to access the personal data that EACEA holds about you and to have your personal data rectified in case your personal data are inaccurate or incomplete. Where applicable, you have the right to request the erasure of your personal data and to restrict the processing of your personal data.

You are also entitled to object to the processing of your personal data on grounds relating to your particular situation at any time unless EACEA demonstrates compelling and overriding legitimate grounds or in case of legal claims. You have the right to data portability.

When processing is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such a withdrawal.

However, the data controller may restrict the rights of the data subjects based on article 25 of the Data Protection Regulation (in exceptional circumstances and with the safeguards laid down in the Regulation. Such restrictions are provided for in the internal rules adopted by EACEA and published in the Official Journal of the European Union.²

Such a restriction will be proportionate, limited in time, and respect the essence of the above-mentioned rights. It will be lifted as soon as the circumstances justifying the restriction are no longer applicable. In principle, you will be informed on the principal reasons for a restriction unless this information may cancel the effect of the restriction.

A more specific data protection notice may apply in such case.

8. Contact Information

If you have questions or wish to exercise your rights under the Data Protection Regulation or if you want or to submit a complaint regarding the processing of your personal data, you are invited to contact the Data Controller (see contact details above).

You can also contact the Data Protection Officer of EACEA at the following email address: eacea-data-protection@ec.europa.eu.

You may lodge a complaint with the European Data Protection Supervisor: http://www.edps.europa.eu.

9. On which legal basis are we processing your personal data?

We process your personal data, because:

processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body (as laid down in Union Law);
the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

These are the Union laws that are the basis for such processing (see above point a):

Regulation (EU, Euratom) 2024/2509 of the European Parliament and of the Council of 23 September 2024 on the financial rules applicable to the general budget of the Union (recast)
Council Regulation 58/2003 of 19 December 2002, laying down the Statute for executive agencies to be entrusted with certain tasks in the management of EU programmes;
Commission Implementing Decision (EU) 2021/173 of 12 February 2021 establishing the European Education and Culture Executive Agency;
Commission Decision C(2021)951 of 12 February 2021 delegating powers to the European Education and Culture Executive Agency with a view to the performance of tasks linked to the implementation of Union programmes in the field of education, audiovisual and culture, citizenship and solidarity;
Regulation (EU) 2021/817 establishing the Erasmus+ programme.