Privacy policy for DE4A piloting

From DE4A
Revision as of 17:56, 4 March 2022 by Hans.graux (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Introduction and guidance for use

Hereunder you'll find a standard privacy policy for pilots. It is intended to be integrated into the piloting micro-sites.

Since it is required under the GDPR to identify the piloting purposes and the piloting parties (including contact details), these should be provided via the micro-site. The privacy policy requires only minor customisation, by adding the link where generic micro-site information can be found (see the section between square brackets and in italics).

DE4A privacy policy for [name of the pilot service, as used on the microsite]

This privacy policy applies to our use of any and all personal data collected by us or provided by you in relation to this pilot. Your use of any services and applications in this pilot will result in the processing of certain personal data relating to you (as the user of the pilot), or possibly relating to third parties (if the service or application requires personal data from such third parties to be processed). While DE4A is a pilot project, it is set up to comply fully with European data protection law, including specifically the General Data Protection Regulation (GDPR). Through this privacy policy, we aim to inform you of how your data will be used and protected, as required by law.

Please read this privacy policy carefully.

Who we are and how to contact us

Each pilot project in DE4A is principally managed by the organisations identified on the specific website of that pilot, in this case [URL to the microsite of the relevant pilot]. The organisations that you are interacting with in the context of your participation in the pilot will act as data controllers in relation to your data. When this privacy policy refers to 'us', 'we', or 'our', it refers to the organisations that you'll interact with during your participation in the pilot.

For any questions in relation to the pilots or to your personal data, please contact them directly using the contact information provided on the piloting website; or alternatively contact the DE4A project and its data protection officer via [[1]], and we will help to identify the relevant parties for you and/or address your questions.

Personal data and our use of it

During the course of piloting, we will explore ways to implement and provide once-only e-government services, particularly in the context of the Single Digital Gateway. The objective is to ensure that e-government services work more efficiently, securely and smoothly.

To do so, we may ask for certain personal data from you, or obtain it from you automatically. Specifically:

- You may choose voluntarily to register to participate in our piloting activities. In doing so, rudimentary contact and identity details relating to you and/or the organisation(s) that you represent may be requested.

- You may choose voluntarily to answer questionnaires relating to our piloting activities, e.g. to provide us with more details on your profile, expectations, needs, and requirements. In doing so, rudimentary contact and identity details relating to you and/or the organisation(s) that you represent may be requested, as well as your personal feedback.

- You may choose voluntarily to use the pilot services and applications in order to simulate a realistic but fictitious use case, or (if available) to actually complete a legally valid procedure. Whether the procedure is simulated or real will be clearly and unequivocally communicated to you in advance. In doing so, all personal data required to complete the procedure will be requested from you, including identity information and any additional information required to demonstrate your eligibility for the procedure, and your adherence to any applicable requirements. Any such required information will be explicitly communicated to you before you share it with us, and you will have the opportunity to review it and (if you desire) to terminate the procedure at any time.

In addition to personal data that you actively provide to us, we will also automatically collect personal data relating to your use experience, including detailed logs on your activities during piloting, data made available by you or by third parties, and metadata such as your IP address, device information, session date and duration, and success or failure logs. This data is collected and proactively analysed by us, since the applications and procedures are in pilot status, and we must ensure that no adverse effects can occur for you or for third parties. This data will therefore not only be used to complete the pilots, but also to evaluate risks and problems, to measure performance and satisfaction, and to improve piloting across iterations.

Please note that your participation in the pilots is never obligatory. There are always non-pilot alternatives to completing the relevant legal requirements, and there is never a negative repercussion if you prefer not to participate. Your data will not be used for automated decision-making, including profiling, except where a pilot service is used to complete a real life administrative procedure that is fully automated. In the latter case, the protections of European data protection law will be applied fully by the applicable public administration.

Personal data processed by us during piloting will principally relate to you. Depending on the pilot application however, you may need to provide personal data relating to third parties (such as e.g. your employees or your family members, depending on the pilot). Please ensure that you are legally permitted to engage in the pilot prior to proceeding, in the same way as for any other public service applications.

We will not share your personal data with parties other than those participating in the pilots as identified above and their service providers, nor will any third parties be permitted to use your data for other purposes than those mentioned above.

Our legal basis for processing your personal data in the context of piloting applications and services is your consent (in relation to your own personal data that you choose to provide to us), and the necessity of processing for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (for the performance of public sector services). Insofar as our processing is based on your consent, you may choose to withdraw your consent at any time by sending a notification to the contact details mentioned above.

Your rights and how to exercise them

You have the following rights in relation to your personal data, where applicable:

a. Right to access - the right to request (i) copies of the information we hold about you at any time, or (ii) that we modify, update or delete such information.

b. Right to correct - the right to have your data rectified if it is inaccurate or incomplete.

c. Right to erase - the right to request that we delete or remove your data from our systems.

d. Right to restrict our use of your data - the right to "block" us from using your data or limit the way in which we can use it.

e. Right to data portability - the right to request that we move, copy or transfer your data.

f.  Right to object - the right to object to our use of your data including where we use it for our legitimate interests.

Note that we may ask for proof of your identity, and that the applicability or consequences of your exercising of your rights may vary depending on the piloting context. By way of example: if you choose to use a pilot service to complete a real life administrative procedure, you will not be able to undo this procedure by exercising your data subject rights.

To make enquiries, or to exercise any of your rights set out above, please contact us via the contact information provided above.

If you are not satisfied with the way a question in relation to your personal data is handled by us, you may refer your complaint to the relevant personal data protection authority in your own country of residence.

Personal data retention

Unless a longer retention period is required by law, we will only hold your personal data on our systems for the period necessary to fulfil the purposes outlined in this privacy policy. For fictitious piloting, your data will be deleted at the end of the DE4A project at the latest. Note however that, if you choose to use a pilot service to complete a real life administrative procedure, retention of your data outside of the context of piloting will be determined by the laws applying to the relevant administrative authority.

Transfers outside the European Economic Area

Personal data which we collect or obtain from or via you will not be stored, processed in or transferred to countries outside of the European Economic Area (EEA).