Data Protection Notice - APF 2022
The European Union Agency for Cybersecurity (ENISA) and the Koźmiński University process your personal data to organise and manage the Annual Privacy Forum (APF) 2022, which will take place on 23 and 24 June 2022 as a hybrid event in Warsaw, Poland. The virtual portion of APF2022 is supported by an online teleconference platform (Microsoft Teams).
The joint data controllers are ENISA and Koźmiński University, who are responsible for the overall organisation of the event, the communication with the participants before and after the end of the event, as well as the reimbursement of expenses of invited participants. ENISA is also responsible for the online registration of the event’s participants through its website. Koźmiński University is also responsible for the management of the Forum’s venue (local organiser), for the teleconference platform used for online participants as well as the management of the payments of the Forum’s participants.
ENISA processes personal data in accordance with the Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data[i]. The legal basis for the processing operation is article 5(1)(a) of Regulation (EU) 2018/1725, on the basis of Regulation (EU) No 2019/881, in particular the provisions establishing the tasks of ENISA.
Koźmiński University processes personal data in accordance with the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR)[ii]. The legal basis is article 6(1)(e) GDPR, according to Regulation no. 20 – 2018/2019 of the Rector of Kozminski University dated 31 January 2019 concerning the introduction of the Security Policy of Personal Data Processing at Kozminski University.
The data processors involved in the processing operation are:
- EaudeWeb, established in Romania, which is responsible for ENISA’s web site hosting under a specific service contract with ENISA;
- Microsoft, which provides Teams[iii], used as the teleconference tool for the online participants, under a specific contract with Koźmiński University.
The purpose of the processing of personal data is to organise the APF2022 as a hybrid event, register the event’s participants through ENISA’s website, provide registered participants’ access to the virtual sessions through the teleconference platform, as well as communicate with the registered participants within the scope of the APF2022.
The following personal data are processed:
- Contact data, such as first name, last name, organisation, e-mail address, phone number (collected upon registration at ENISA’s website and further processed by ENISA and processor EaudeWeb).
- Financial data: bank details and other legally required financial information for the payment of registration fees (processed exclusively under the responsibility of Koźmiński University) or related to the reimbursement of expenses of invited participants.
- Connection details for virtual session: username, email address (optional), IP address, user agent identifier, hardware type, operating system type and version and further technical connection data. These data are processed by Microsoft (processor) in order to provide for the event and for analytics purposes.
- User generated information: discussion chat logs, meeting recordings, uploaded files. These data are produced through the MS Teams platform during the event. They will be processed by Koźmiński University and deleted from the MS Teams platform after the end of the event.
- APF 2022 will not be audio/video recorded. Audio/video will only be activated for the event organisers and the presenters/panellists (video is optional).
- There will be photos taken during the workshop’s presentations (keynotes/panels) based on the prior consent of the speakers (presenters/panel participants). These photos may be published on ENISA’s and Koźmiński University websites and/or relevant social media channels. The focus of the photos will be on the speakers only and not on general views of the audience or specific views/pictures of workshop’s participants (other than speakers). Still, should your photo be taken in the context of this photo shooting, and you would like to have this photo removed, please contact ENISA at email@example.com and we will do so as soon as possible.
Access to your data is granted only to ENISA and Koźmiński University staff, who are involved in the organisation of the workshop, the data processor’s staff involved in the registration and payment service, event organisers contracted by ENISA or Koźmiński University (involved in the reimbursement of expenses of invited participants), as well as competent financial institutions (for the payment of the registration fees). Access to the data can also be granted to national and EU bodies charged with monitoring or inspection tasks in application of national or EU law (e.g. internal audits, European Anti-fraud Office – OLAF).
The retention periods for the personal data are as follows:
- the final participants list (name, surname, organisation, country) will be kept by ENISA for a maximum period of 5 years after the end of the event for auditing purposes.
- your contact data will be kept for a maximum period of six months after the end of the event.
- financial data related to the event will be kept for a maximum period of 10 years after the end of the event for auditing purposes. All data will be deleted after the end of their respective retention periods.
- the personal data related to the connection and use of the teleconference platform, will be retained by the relevant processor (Microsoft Teams) for the period necessary for the provision of the teleconferencing service. Personal data will be deleted after the end of the retention periods.
Storage of personal data: the contact data collected upon registration at the ENISA website are stored on ENISA’s (and its contractor EaudeWeb’s) servers and are only processed within EU/EEA. Personal data related to the connection/use of the teleconference platform are stored in Microsoft Teams servers within EU/EEA and may include transfers of personal data outside EU/EEA, subject to the provisions of Chapter V of Regulation (EU) 2018/1725.
You have the right of access to your personal data and to relevant information concerning how we use it. You have the right to rectify your personal data. Under certain conditions, you have the right to ask that we delete your personal data or restrict its use. You have the right to object to our processing of your personal data, on grounds relating to your particular situation, at any time. We will consider your request, take a decision and communicate it to you. If you have any queries concerning the processing of your personal data, you may address them to ENISA at firstname.lastname@example.org. You may also contact at any time the ENISA DPO at email@example.com.
You have the right of recourse at any time to the competent supervisory authorities: European Data Protection Supervisor (https://edps.europa.eu) and Polish Data Protection Authority (https://uodo.gov.pl/en).
[i] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002.
[ii] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).