Privacy statement

1.    Introduction

The European Commission (hereafter ‘the Commission’) is committed to protect your personal data and to respect your privacy.

As the Customs & Tax EU Learning (LMS) portal processes personal data, Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC Text with EEA relevance, is applicable.

This privacy statement explains the reasons for processing personal data, the way they are collected, handled and the way protection of all personal data is ensured. This privacy statement covers in addition:

-       The personal data processed;

-       How personal data are used;

-       Who has access to the personal data;

-       For how long personal data are preserved/stored;

-       What are your rights as the data owner and how you can exercise them;

-       The contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor.

2.    Why and how do we process your personal data?

The Customs & Tax EU Learning (LMS) portal was specifically developed to address competency-based customs and tax officials learning and development, aiming therefore at increasing the overall performance development of national administrations staff. All features are designed for ‘co-management’ and ‘co-organisation’ by and with national administrations and European Commission.

The portal reflects, throughout its integrated components (functionalities and process management), such national ownership and contains:

-       Common workspace: for co-management and co-development of e-Training;

-      eLearning Content Management: for co-management of shared training materials, be it commonly across the EU or cross-country amongst national administrations (under their own control and without DG TAXUD involvement);

-       Event management: for coordination of learning activities in co-management and co-organisation mode);

-       Competency Framework management: to plan training based on EU-wide agreed and nationally identified performance gaps between current and needed competencies, both at individual user and at national administration level.

These components are further designed to be integrated and/or linked, in order to guarantee a single entry point through the EU Login account maintaining the assigned group belonging and the granted rights level.

The portal is developed for a specific public sector audience, to facilitate and enhance EU Customs and Tax administration’s cooperation in learning and staff development.


Purpose of the processing operation: DG TAXUD E3 acts as controller, decides ‘why’ and ‘how’ the personal data included in the user accounts/profiles of the portal.

Personal data will be processed for the following purposes:

-       To test development environment

In order to solve future (unforeseen) disfunctionalities as part of warranty services, some workflows may need to be recreated on the production development environment for root cause analysis and testing. Only synthetic data will be used in the development environment except for several valid email addresses for contractor users in order to evaluate the automatic system response.

-       In production environment:

  •     To identify users (EU Login);
  •     To grant the registered users the proper access to the full features of the portal;
  •     To generate certificates and badges based your achievements;
  •     To ensure that the user history of activity on the platform (courses started, finished, certificates, etc.) are easily accessible to users;
  •     To collect information related to use of the platform, for the purpose of delivering personalised recommendations (as notifications and/or emails), and to evaluate it’s performance (thus gathering information on potential issues through users’ direct feedback or platform’s metrics like the number of currently active users, the most visited and viewed items, time spent, country of visit, material downloaded, best rated courses, scheduled and past events metrics); and other statistical purposes and reporting
  •      To organise trainings events, including management of participants lists;
  •      To send information regarding new/upcoming events or events where one has registered;
  •      To disseminate and manage of the newsletter / learning bulletin.

No personal data will be used for an automated decision-making, including profiling.

Your data will be processed automatically to evaluate portal performance:

-       Predefined reports will be automatically generated:

  •   Information on potential issues through anonymous direct feedback;
  •   General metrics like number of currently active users, the most visited and viewed items, time spent, country of visit, material downloaded, best rated courses;
  •    Scheduled and past events metrics like number of participants, place, target group, domain (customs or taxation), and organizer.

-     A predefined private report (My competencies) will be available for each user to view what competences one have exercised by attending various courses.

-    In order to solve future (unforeseen) disfunctionalities as part of warranty services, some workflows may need to be recreated on the development environment for root cause analysis and testing. Only synthetic data will be used in the development environment except for several valid email addresses for contractor users in order to evaluate the automatic system response.

The development environment will be available until 31.12.2021. An extension of 1 year will be possible if an additional RfA is requested and approved by DG TAXUD in due time. Once released, the hosting resources will make any data recovery impossible.

-     Europa web Analytics will be used to monitor the activity of the users and records data regarding their actions in order to evaluate performance. Every request in the portal and the information submitted by the user are intercepted and stored as a navigation event in the database.

The data collected are stored on dedicated servers provided by StarStorage and located in Bucharest, Romania.

Your data will be processed manually:

-      Automatically generated reports will be available to be downloaded in various formats: PDF or diagram (PNG format). These reports may be further processed to obtain advanced statistics;

-    In order to solve future (unforeseen) disfunctionalities as part of warranty services, some workflows may need to be recreated (manual methods included) on the development environment for root cause analysis and testing. Only synthetic data will be used in the development environment except for several valid email addresses for contractor users in order to evaluate the system response.

3.    On what legal ground(s) do we process your personal data?

Your personal data are processed on the basis of the Regulation (EU) 2018/1725, Art. 5.1 point d):

The data subject has given consent to the processing of his or her personal data for one or more specific purposes “.

DG TAXUD, Unit E3 acts as a controller and decides ‘why’ and ‘how’ the personal data is used to ensure the functioning, management and promotion of the Customs & Tax EU Learning LMS portal.

4.    Which personal data we collect and further process?

Data subjects:

-       Public sector

  •     European Commission officials and other persons working for the EU institutions;
  •     Customs/Taxation experts / officials from National Authorities;
  •     Training departments from National administrations, including the Training Support Group members;
  •     Customs/Taxation Officials  from non-UE countries;

-       Private sector

  •   Economic operators (including lawyers & academics), in EU and worldwide;
  •   Legal and natural persons.

In order to carry out this processing operation the Data Controller (TAXUD E3 and the contractor SIMAVI – INTRASOFT – Price Waterhouse Consortium) collect personal data directly from the data subject.

The provision of personal data is not mandatory to get a public access to the Portal 

However, the provision of personal data is mandatory to grant the registered users the proper access to the full features of the portal.

During the very first login, one is requested to validly perform a ´clear affirmative act´ to consent to the processing by actively ticking an optional box stating “By checking this box, you acknowledge that you have read and understood the Privacy Statement”.

If the user does not check the box, the system does not create an account, the login fail, and the system displays the Home page for an unregistered user.

The personal data are also collected from EU login registration (first name, surname, country and email address).

When creating the EU Login account, a specific privacy statement link provides the future user all the information in regards to the processing of personal data : https://webgate.ec.europa.eu/cas/privacyStatementPopup.html;%20__Secure-ECAS_SESSIONID=f9Qd1730nNJJmq-gbMd-AhRY5JJIUn2MW-Bmy9JOn4cXBbgonapSCOF9Gj0lKUw983E!1752716433 )

These data are not editable on the Portal, and should be modified on EU Login portal if needed.

In order to carry out this processing operation the Data Controller (TAXUD E3 and the contractor SIMAVI – INTRASOFT – Price Waterhouse Consortium) collect the following categories of personal data:

a)     Identification data:

  •     Mandatory data: first name, last name (surname), email address, location, country, time zone, preferred language of communication, IP address;
  •     email address  for testing development environment;

b)     HR related data:

  •       Mandatory data: institution (employer) type, institution name, industry (domain);
  •      Optional data: institution department, topics of interest, option to activate the (guided) tour, landing page (Dashboard or Home), user type (registered or guest);

c)     Events specific data:

  •  Mandatory data: first name, last name (surname), institution (employer) type, email address, country;
  •   Optional data: reason to participate to an event (one of the following options: relevant for my current job, relevant for my future career, Personal interest, or Other), events related attributes (display or hide an event, invited, accepted an invitation, declined an invitation, applied to an event, registered for an event, unregistered from an event), comments;

d)     Newsletter subscription data:

  •      Mandatory data: email address, frequency, preferred language, policy areas;

e)     Other types of data specific to the processing operation:

  • Other mandatory data: allowed to flags (these are built-in access rights that allow the user to: post in forum or manage objects: catalogue, badge, event, news, newsletter / learning bulletin, spot, FAQ, forum, users, notifications);
  •   Other optional data: course related attributes (courses recently viewed, started, finished, grouped as training plan, certificates or badges awarded, competencies developed, feedback – anonymous survey, rating), feedback on portal’s web pages (if a particular web page was useful or had an issue), forum posts and ratings.

5.    How long do we keep your personal data?

In production environment, we only store your data as long as is necessary to fulfil the purpose of collection or further processing, namely:

-       (a) Identification data, (b) HR related data, (c) Events specific data, and (e) Other types of data specific to the processing operation: will be stored on the portal as long as your account of registered user remains active (*), and no request has been made by you to have your account removed from the portal;

-       (d) Newsletter subscription data: will be stored on the site as long as your account remains active(*), and no request has been made by you to functional mailbox to unsubscribe him/her from the Newsletter.

(*) On 1st of November each year, if you have not logged in during the current year, the system will automatically send you a notification (from a “no reply” email address) to advise you to log in the portal in the next 2 months or your account will be closed and ALL associated data will be deleted, with no option to be restored.  There will be no second notification.

On 31st of December each year, if you have not logged in during the current year, the system will automatically deletes your account and will inform you that ALL associated data have been deleted. There will be no restore account/data option.

Notifications by emails will be enabled by 1st of November 2021, as soon as additional security measures will be implemented.

In Development environment, we only store your data as long as is necessary to fulfil the purpose of collection or further processing, namely:

Valid email addresses for contractor users will be used in order to evaluate the automatic system response.

The development environment will be available until 31.12.2021; the retention period for personal data will be 1 year. Once released, the hosting resources will make any data recovery impossible.

An extension of 1 year will be possible if an additional contract  is requested and approved by DG TAXUD in due time; in this case the retention period for personal data will also be increased by 1 year.

The Record and the Privacy statement will be accordingly updated.

6.    How do we protect and safeguard your personal data?

All personal data in electronic format (e-mails, documents, databases, uploaded batches of data, etc.) are stored either on the servers of the European Commission or of its contractors.

All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission.

The Commission’s contractors are bound by a specific contractual clause for any processing operations of your data on behalf of the Commission, and by the confidentiality obligations deriving from the transposition of the General Data Protection Regulation in the EU Member States (‘GDPR’ Regulation (EU) 2016/679.]

In order to protect personal data, a number of technical and organisational measures have been put in place.

Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed.

Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.

Overall, TAXUD IT systems containing personal information should meet certain criteria to ensure the security of the data. The risks on Personal Data associated with IT systems are mitigated by implementing over 100 technical and organizational measures grouped on 4 categories of controls (Security Planning, Access Management, System and Network Security, Technical Controls) providing an equivalent level of control as demanded by GDPR. In addition, DG TAXUD is complementing these controls with additional security controls applicable to all information under DG TAXUD responsibility grouped around the following categories: Information Security policy, Organization of information security, Human Resource Security, Asset Management, Access Control, Cryptography, Physical and Environmental Security, Operations Security, Communications Security, Systems Acquisition, Development and Maintenance, Supplier Relationships, Management of Information Security Incidents and Improvements, Information Security Aspects of Business Continuity Management, Compliance.

These controls contains but are not limited to, encryption of communication, strict application of the ‘need to know’ principle, segregation of duties, back-up and restoration, anonymization, pseudonimization, access control, incident management.

7.    Who has access to your data and to whom is it disclosed?

a.      INTERNALLY

Access to your personal data is provided to the Commission staff responsible for carrying out this processing operation and to authorised staff according to the “need to know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements. Access to your personal data within the Commission is also provided to the training managers of the EU Institutions for the purpose of generating analytics reports, including the navigation event data stored and processed by Europa web Analytics to evaluate portal performance.

All staff should abide by statutory and, when required, additional confidentiality agreements.

b.      EXTERNALLY

Personal data are accessible outside the EU organisation by DG TAXUD contractor in charge of preparing the data for statistical use or to investigate and fix possible issues, where appropriate contractual arrangements and confidentiality agreements are in place.

Contractor processes data on European Commission behalf. The data collected are stored on dedicated servers provided by StarStorage and located in Bucharest, Romania. All personal data in electronic format (e-mails, documents, databases, uploaded batches of data, etc.) are hosted on dedicated servers located in Romania, through an external service provider certified as Tier 3 Data Centre. In order to protect personal data, a number of technical and organisational measures have been put in place, for both the development and production environments.

8.    What are your rights and how can you exercise them?

You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access, your personal data and to rectify them in case your personal data are inaccurate or incomplete. Where applicable, you have the right to erase your personal data, to restrict the processing of your personal data, to object to the processing, and the right to data portability

You have consented to provide your personal data to DG TAXUD, Unit E3  and SIMAVI – INTRASOFT – Price Waterhouse Consortium for the present processing operation. You can withdraw your consent at any time by notifying the Data Controller. The withdrawal will not affect the lawfulness of the processing carried out before you have withdrawn the consent.

You can exercise your rights by contacting the Data Controller, or in case of conflict the Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.

Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under Heading 10 below) in your request.

In case of a data breach, we will fulfil our obligation in compliance with our duties stipulated in the Regulation (EU) 2018/1725.

Where that personal data breach is likely to result in a high risk to your rights and freedoms we are committed to inform you immediately in order to allow you to take the necessary precautions.

9.                 Contact information

-       The Data Controller

If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller: TAXUD-UNIT-E3@ec.europa.eu or EU-CUSTOMS-TAX-LEARNING-SUPPORT@ec.europa.eu

-       The Data Protection Officer (DPO) of the Commission

You may contact the Data Protection Officer (DATA-PROTECTION-OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725

-       The European Data Protection Supervisor (EDPS)

You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor (edps@edps.europa.eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the Data Controller

Details can be found at: https://edps.europa.eu/data-protection/our-role-supervisor/complaints_en.

10.                 Where to find more detailed information?

The Commission Data Protection Officer publishes the register of all operations processing personal data. You can access the register through the following link: http://ec.europa.eu/dpo-register.

This specific processing operation has been included in the Commission Data Protection Officer’s public register with the following Record reference: DPR-EC-09088.1