Erasmus+

EU programme for education, training, youth and sport

Privacy statement

This privacy statement is related to the Erasmus+ 2014-2020 programme. It is relevant for projects still ongoing from that period.

You can also read the privacy statement of the new Erasmus+ 2021-2027 programme.

Organisation Registration, Application Forms and EPlusLink

This privacy statement provides information about the processing and the protection of your personal data.

Table of contents

  1. Introduction
  2. Why and how do we process your personal data?
  3. On what legal ground(s) do we process your personal data?
  4. Which personal data do we collect and further process?
  5. How long do we keep your personal data?
  6. How do we protect and safeguard your personal data?
  7. Who has access to your personal data, and to whom is it disclosed?
  8. What are your rights, and how can you exercise them?
  9. Contact points
  10. Where to find more detailed information?

1. Introduction

The European Commission (hereafter ‘the Commission’) is committed to protecting your personal data and to respecting your privacy. The Commission collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (repealing Regulation (EC) No 45/2001).

This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor.

The information in relation to the processing operation “Organisation Registration, Application Forms and EPlusLink” (the registration and management of organisations’ information and the management of applications submitted under Erasmus+ and the European Solidarity Corps), undertaken by DG EAC.B.4, is presented below.

2. Why and how do we process your personal data?

Purpose of the processing operation.

DG EAC collects and uses your personal information to:

  • allow organisations to register so they may participate in the Erasmus+ and European Solidarity Corps actions managed by National Agencies
  • identify applicant organisations requesting an EC grant for a project under Erasmus+ and the European Solidarity Corps actions managed by National Agencies
  • facilitate the submission of applications to the different decentralised action types of Erasmus+ and European Solidarity Corps
  • manage the selection procedures of applications under Erasmus+ and European Solidarity Corps actions managed by National Agencies
  • establish anonymous statistics about registered organisations, applicant organisations, beneficiaries, projects, partners and participants
  • fulfil the obligations and responsibilities relating to monitoring, evaluation, reporting and auditing
  • assess the impact of Erasmus+ and European Solidarity Corps programme participation on beneficiary organisations and acquire better knowledge of participating groups in order to fine-tune outreach strategies via questionnaires and other techniques
  • disseminate the project results through the appropriate Erasmus+ and European Solidarity Corps IT tools (Project Results Platform) for which an unambiguous and informed consent will be requested from the contact persons before publishing their contact data
  • transfer data to OLS (Online Linguistic Support) system to allow the management of the language training licenses for individual participants in mobilities
  • transfer data on the Accreditation and Quality Label of the European Solidarity Corps to the European Youth Portal, for which an unambiguous and informed consent will be requested from the contact persons before publishing their contact data

Your personal data will not be used for automated decision-making including profiling.

3. On what legal ground(s) do we process your personal data?

We process your personal data because:

  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body
  • processing is necessary for compliance with a legal obligation to which the controller is subject
  • The processing operations are necessary for the fulfilment of the Commission obligations and responsibilities of monitoring and reporting established in the Regulations of the European Parliament and of the Council establishing Erasmus+ and the European Solidarity Corps
  • REGULATION (EU) No 1288/2013 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 11 December 2013 establishing 'Erasmus+': the Union programme for education, training, youth and sport and repealing Decisions No 1719/2006/EC, No 1720/2006/EC and No 1298/2008/EC
  • REGULATION (EU) 2018/1475 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 2 October 2018 laying down the legal framework of the European Solidarity Corps and amending Regulation (EU) No 1288/2013, Regulation (EU) No 1293/2013 and Decision No 1313/2013/EU

The processed data do not fall within the scope of the stipulations on Restrictions (art. 25) and Prior Consultation (art. 40) embedded in Regulation 2018/1725.

4. Which personal data do we collect and further process?

In order to carry out this processing operation, DG EAC collects the following categories of personal data.

Personal data collected about a registered organisation’s contact person and authorised users as well as personal data collected about the legal representative and the contact persons of the organisations applying for funding or taking part in a project:

  • gender
  • first name
  • last name
  • department
  • position in the organisation
  • professional e-mail
  • main phone
  • street name and number

The provision of personal data is mandatory to register your organisation and process requests for funding.

5. How long do we keep your personal data?

DG EAC only keeps your personal data for the time necessary to fulfil the purpose of collection or further processing.

  • Organisation Registration. Data of organisations participating in projects will be deleted 10 years after the end of the year of the closure of the last project in the relevant programme (defined by the last financial transaction between NA and the beneficiary organisation) unless the organisation is participating in another programme. In addition, every 3 years, data of organisations that have neither applied for funding nor participated in a project in that period will be deleted.
  • Application Forms. Data will be deleted 5 years after the submission deadline of the relevant call for proposals.
  • EPlusLink. Personal data will be anonymised 10 years after the end of the year of the closure of the last project in the relevant programme (defined by the last financial transaction between NA and the beneficiary organisation).

The obligation to evaluate the impact of the programmes, as provided in the decisions establishing Erasmus+ and the European Solidarity Corps does not require personal data to be maintained.

6. How do we protect and safeguard your personal data?

All data is stored at the Commission (in central servers). EPlusLink data is also stored in a database hosted at each National Agency (containing their own data).

All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.

In order to protect your personal data, the Commission has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.

National Agencies are required to adopt appropriate technical and organisational security measures with regard to protecting personal data.

7. Who has access to your personal data, and to whom is it disclosed?

Who has access to your personal data and to whom it is disclosed depends on where your personal data are transferred. There are currently two types of data transfers, which ensure different levels of protection:

  1. Data transfers to the European Union Member States, to countries of the European Economic Area, or to countries for which the Commission adopted an adequacy decision ensuring an adequate level of protection. 
  2. Data transfers to third countries for which there is no Commission adequacy decision and the level of protection of your rights with respect to your personal data might not be equivalent to the EU legislation.

In case of transfers of personal data inside EU/EEA and to countries with an adequacy decision

Access to your personal data is provided to the Commission staff responsible for carrying out this processing operation and to authorised staff according to the “need to know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements.

Outside the EU organisation, access to your personal data is provided to:

  • internal staff of the National Agencies in charge of the management of Erasmus+ and the European Solidarity Corps
  • authorised users in external companies contracted by the Commission for the delivery of services
  • in case of audit: external auditors
  • OLS external contractor
  • designated insurance company (for European Solidarity Corps)

The information we collect will not be given to any third party, except to the extent and for the purpose we may be required to do so by law.

In case of transfers of personal data to third countries

Your personal data is transferred to a third country outside EU/EEA for which there is no adequacy decision (including to programme countries – Turkey, Serbia and North Macedonia) if you are in one of the following situations:

  • you are the contact person or authorised user of a registered organisation or the contact person or legal representative of an organisation which submits an application or participates in a project managed by the National Agencies from Turkey, Serbia, North Macedonia
  • you are the contact person or legal representative of an organisation which wrongly submitted an application to a National Agency in EU/EEA Member States, while it should have been submitted to the National Agency in Turkey, Serbia, North Macedonia; in this case the application (including your personal data) is redirected towards these National Agencies
  • you are the contact person or legal representative of an organisation from Turkey, Serbia, North Macedonia which submits an application or participates in a KA2 project managed by a National Agency in EU/EEA
  • you are a staff member of the Erasmus+ or European Solidarity Corps National Agency
  • you are the contact person or the legal representative of an applicant organisation, which provided access to the application to an authorised person from a third country

Access to your personal data is provided to the following organisations from the third country:

  • authorised staff of the National Agencies from Turkey, Serbia and North Macedonia (if you are the contact person or authorised user of a registered organisation or the contact person or legal representative of an organisation which submits an application or participates in a project managed by those National Agencies; you are the contact person or legal representative of an organisation which wrongly submitted an application to a National Agency in Turkey, Serbia, North Macedonia, while it should have been submitted to the National Agency in EU/EEA Member States; you are the contact person or legal representative of an organisation from Turkey, Serbia, North Macedonia which submits an application or participates in a KA2 project managed by a National Agency in EU/EEA; you are a National Agency staff).
  • an authorised person from a third country organisation (if you are the contact person or the legal representative of an applicant organisation, which provided access to the application to an authorised person from a third country)

In this case, the level of protection of your personal data will depend on the law or practice of that third country. However, your rights as regards data protection might not be equivalent to those in an EU/EEA country or a country with an adequacy decision.

The information we collect will not be given to any other party located in a third country outside EU/EEA, except to the extent and for the purpose, which may be required by the national law of the country in question.

8. What are your rights, and how can you exercise them?

You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access or rectify your personal data and the right to restrict the processing of your personal data.

You have the right to object to the processing of your personal data and in case the objection is successful you can have your personal data erased.

You can exercise your rights by contacting the Data Controller or, in case of conflict, the Data Protection Officer of the European Commission. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.

Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under Heading 10 [where to find more detailed information?] below) in your request.

9. Contact information

The Data Controller

Directorate-General for Education, Youth, Sport and Culture, Unit B.4 - Erasmus+ Coordination.

If you would like to exercise your rights under Regulation (EU) 2018/1725 or if you have comments, questions or concerns related to the processing of your personal data, or if you would like to submit a complaint regarding the collection and use of your personal data, please send an email to the Data Controller at eu-erasmus-esc-personal-data@ec.europa.eu.

Further to the above, you can contact:

The Data Protection Officer (DPO) of the Commission

You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.

The European Data Protection Supervisor (EDPS)

You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor if you consider that your rights under Regulation (EU) 2018/1725 have been infringed because of the processing of your personal data by the Data Controller.

10. Where to find more detailed information?

The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to him. You may access this information via the Register of the Data Protection Officer.

This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC-01069.

More information about processing of personal data in Erasmus+ and European Solidarity Corps can be found on the Erasmus+ and data protection page.
