SPECIFIC PRIVACY STATEMENT – Marie Curie Alumni Association
- Why do we process your data?
- What data do we collect and process?
- How do we collect data?
- How long do we keep your data?
- Who has access to your personal data and to whom is it disclosed?
- How do we protect and safeguard your information?
- What are your rights and how can you exercise them?
- Contact information
The processing of personal data by the Marie Curie Alumni Association (MCAA), an international non-profit association with registered address at Kunstlaan 24, 1000 Brussels, Belgium and registered in the Belgian Crossroad Bank of Enterprises under the number 0548.914.288, is governed by this privacy statement.
MCAA data processing operations take place under the joint responsibility of:
(i) the MCAA Board (Kunstlaan 24, 1000 Brussels, Belgium, CBE 0548.914.288), and
(ii) (ii) the European Commission, represented by the Head of Unit of the Marie Skłodowska-Curie Actions (MSCA) at the Education and Culture Directorate-General of the European Commission.
They are to be qualified as “joint data controllers” within the meaning of the EU General Data Protection Regulation 2016/679 (GDPR) concerning the protection of individuals with regard to the processing of personal data, and on the free movement of such data. Jointly, they determine the purposes and means of the data processing activities, on the basis of their respective roles, as described in this privacy statement. Unless specified, any reference in this privacy statement to “we”, “us” or “our” consequently refers to the joint data controllers.
The European Commission and the MCAA are both responsible as joint controllers for the contents of the Privacy Statement for the access granted to their respective staff to personal data processed for the means and purposes they jointly determine. The European Commission and the MCAA, both acting as Joint Controllers, have appointed the Data Processors, to process personal data of past and present beneficiaries of the MSCA in order to i.a. enhance networking among participating researchers, increase and at the same time assess the impact of the programme.
The processing of personal data described here is governed by two data protection Regulations:
- The MCAA processes your data under Regulation (EU) 2016/679 also known as the GDPR. The MCAA is responsible for ensuring that the Privacy Statement is made available and kept up-to-date through the MCAA website for the processing of personal data concerning the detailed dataset processed by the Data Processors once a new member registers at and creates a profile in the MCAA website in case a MCAA member submits an application using forms such as event registration, grant applications and reimbursement, or when s/he resigns as MCAA member.
- The European Commission is bound by Regulation (EU) 2018/1725 on the processing of personal data by the EU Institutions, bodies and agencies, hereinafter referred to as the IDPR. The European Commission is responsible for the processing of personal data concerning the limited dataset of identification and contact data of MSCA researchers and other relevant staff, provided to the Data Processors for inviting new members to join the MCAA.
In order to legally cover this processing, both joint data controllers created their own Data Protection Record (DPR), in which they refer to this joint controllership, which is governed by a Joint Controllership Arrangement between MCAA and the European Commission.
- The DPR by the European Commission is identified as DPR-EC-01546 and can be found at https://ec.europa.eu/dpo-register/detail/DPR-EC-01546.
- The DPR by the MCAA is identified as MCAA DPR-2020 and can be found at https://www.mariecuriealumni.eu/data-protection-record
The actual storage and processing of personal data is carried out by the contractor appointed by the European Commission to assist in the running and management of the MCAA. This contractor, acting as “data processor” within the meaning of both EU Data Protection Regulations, is Intrasoft International.
This privacy statement explains the reason for the processing, the way we collect, handle and ensure protection of all personal data provided, how that information is used, and what rights you may exercise in relation to your data (the right to access, rectify, block etc.).
From time to time, we may need to change this Privacy Statement. The MCAA will in such case duly inform you. The most recent version of this Privacy Statement is at all times available on the MCAA website.
Please note that this text is for the reference of the data subjects only and it does not in any way restrict the right of the data subjects to address either one or both of the Joint Data Controllers in case of complaint.
Why do we process your data?
The Directorate-General for Education and Culture of the European Commission (DG EAC) is in charge of the policy of the Marie Skłodowska-Curie Actions (MSCA), part of the Horizon 2020 Framework Programme for Research and Innovation. Over the years more than 130 000 people have benefited from the MSCA. The MCAA itself, is governed by the MCAA Board, elected by the MCAA members.
The implementation of alumni services further increases the impact of the MSCA, through enhanced networking among participating researchers. Being able to contact past and present beneficiaries (when they are MCAA members) also enables the European Commission to conduct surveys and follow their careers, thus assessing the impact of the programme in the long term. Such assessment is both an obligation as well as a useful policy tool, allowing the programme to improve. Being members of the MCAA then allows registered users to network amongst themselves.
The processing of personal data for these purposes is lawful because:
- the processing of your personal data for assessing the impact of the programme and improving the programme, is related to a public interest task conferred on the European Commission, namely helping the mobility of researchers in Europe and worldwide; and
- the processing of your personal data to enable services such as facilitating a network amongst members is necessary for the execution of the agreements with MCAA members. The creation and updating of a personal profile is indeed a condition of membership under the MCAA Articles of Association (which form the legal basis for the MCAA under Belgian law).
In addition, your data is processed only after you have been informed of the provisions of this privacy statement, published on the MCAA website and web-portal, and have the chance to read it carefully.
Some processing of personal data may require specific consent from the data subject, as established in point (d) of article 5. 1 of regulation (eu) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the union institutions, bodies, offices and agencies and on the free movement of such data. This would be the case of the following specific purposes of processing that would be based on consent:
- processing of data in the context of the celebration and participation in events and meetings and the organization of open calls for alumni (such as cases when mcaa members submit an application using forms such as event registration, grant applications or reimbursement).
- processing of data in the context of communication and outreach activities in the interest of mcaa members (such as cases when mcaa members subscribe to the mcaa mailing list to subscribe to the mcaa newsletters, receive updates, news, exclusive offers and invitations).
A consent box or banner to obtain the data subjects consent will be used for these purposes. The data subject will be able to withdraw his or her consent at any time.
What data do we collect and process?
Types of personal data
We may collect the following personal data about you insofar as this information is relevant for the purposes for which it is needed, as explained under title 2 above. At the registration certain information is mandatory and other information is optional, this shall be clearly indicated as such, so that you can choose whether or not to provide such information.
|Identification and contact information||First name, last name, e-mail address, postal address, country of residence, photo, account information and password for the personal profile, social network URL’s|
|Personal characteristics||Birth date, nationality, gender and any other information disclosed by data subjects|
|Financial information||Bank account numbers and payment information|
|Education||Academic curriculum and degrees|
|Profession and employment||Employer organization, position within the organizationCharacteristics specific to the management of contractual benefits, information about professional activities, licenses and permits|
|Other data||Photos and videosCopy of ID card or passport (insofar as legally required or permitted)Research experience and InterestsMembership of scientific panel, data concerning the Marie Curie project(s) in which the member was involved (project acronym, title, type of project, EC ID number, contract number host institution, host country, host city, role) and any other data that the individual member may choose to add to their profile to assist in networking with other members|
|Additional Data collected when users apply on forms like event registration, grant applications and reimbursement forms. Those data may vary per form.||IP AddressSpoken LanguagesVisa Information like Passport numberNumber and Age of childrenAffiliationFunding sourcePhone numberFinancial details like (Bank Name, VAT Number, BIC/SWIFT, IBAN/Bank account number, Name of account holder, city and country of account holder)PhotoExpenses breakdownTravel details like date, arrival and destination detailsAccommodation detailsTravel ticketsInvoices (Travel, Hotel, Meal)Proof of paymentQuotation detailsReimbursement amountsMCSA funding detailsMedia and publication detailsPaypal payment details(Payment date, payment status, payer first name, last name and email, transcaction id )Any other details the applicant chooses to enter to assist his application.|
How do we collect data?
The MCAA collects your personal data directly from you when you provide them by registering on the MCAA website and create and update your personal profile or when you take part in research or survey conducted by the MCAA or survey conducted by MCAA. The limited set of identification and contact data, on which basis invitations to potential MCAA members are made, is collected by the European Commission when such data is provided by MSCA beneficiaries signing the grant agreement with the Commission.
How long do we keep your data?
The data and documents that are filled by a member in forms like micro grants and event registrations will be retained for as long as the MCAA exists and for as long as you are a member of the MCAA, or until you decide to resign from the MCAA, whichever occurs first. You can erase your data by resigning from the MCAA. In order to resign:
- Log in as member
- Visit your profile page
- Click to the red ACTIONS button to the right of the page
- Select ‘Edit account’
- Fill in the “resignation form”
- A confirmation request to cancel your account will be sent to your e-mail address
- Click on the cancelation link of the received email and your account will be deleted.
Afterwards, it is still possible that your data can be found in the MCAA back-ups or archives, but they will no longer be actively processed.
As described in art. 17.3 GDPR only where the MCAA is legally obliged to retain your data, or where retention is necessary for defending the MCAA interests in the context of judicial proceedings (e.g. in case of a dispute), your personal data will keep being processed after your resignation, for as long as required for such purposes.
If you want to resign from the MCAA and for any reason you are unable to log in to your MCAA account to resign, you may also send an e-mail message of resignation to email@example.com stating your name (under which you registered) and your reasons for wishing to resign.
You may also write to MCAA, c/o Inova+, 24 avenue des Arts, 1000 Brussels, Belgium.
Please note that the termination of your MCAA membership eliminates immediately all membership rights and privileges, including eligibility for micro-grants, etc., and should you wish to re-join the MCAA, your length of membership would start again at zero (meaning you would not be eligible for election as an MCAA official until the minimum term of membership is re-acquired).
After your resignation, any content (posts, events, etc.) you may have published on the MCAA web-site will remain on the site; they will no longer be associated with your name, but will be indicated as contributed by an anonymous user.
Who has access to your personal data and to whom is it disclosed?
To some extent, other MCAA members will be able to see your basic profile information and other relevant information you chose to make public, but certain information is not visible to other members, in particular your date of birth and your e-mail address.
Access to your personal data is granted to each of the joint data controllers, and specifically to a limited group of qualified users at the MCAA and to relevant staff of the European Commission, in compliance with the principle of necessity and data minimization, as well as to the relevant staff of the appointed contractor (acting as “data processor”), for the purpose of managing the MCAA web-site and services. Other (sub-) data processors may also – within the limits of the tasks entrusted to them – process your personal data.
Your data will not be communicated to any other third party unless you provide specific written request / consent for this (e.g. in the context of your participation in a specific event or activity organised or co-organised by the MCAA) or in case of (threatened) litigation which requires the disclosure of your personal data to the MCAA law firm (under a professional secrecy obligation) or in case of mandatory disclosure of personal data to government or police authorities or the judiciary (in case of a legal obligation to do so).
Your personal data will in principle not be transferred to countries outside the European Economic Area. If any of the controllers would intend to do so, you will be informed hereof and appropriate legal safeguards will be implemented.
How do we protect and safeguard your information?
The collected personal data is saved on servers of the EC-appointed external IT company working under contract for the European Commission (EC). This company ensures website security of your personal data. It shall act only on instructions from the European Commission and the MCAA Board and shall comply with the obligations set out in the EU General Data Protection Regulation (GDPR), and/or Regulation EU 2018/1725 (IDPR) applying to the processing of personal data by the EU institutions and bodies, depending on their applicability.
More information on our protection measures is available upon simple request.
What are your rights and how can you exercise them?
Within the limits defined by articles 15-22 of the GDPR, you have the following statutory rights:
Right to information and right to access your personal data – You may at any time request more information on our processing activities and the personal data that we are keeping from you.
Right to rectification of inaccurate or incomplete personal data – You have the right to require us to, without undue delay, rectify or complete any of your personal data that is inaccurate or incomplete.
¹ Corresponding to articles 17-24 of Regulation 2018/1725 (IDPR) applying to the processing of personal data by the EU institutions and bodies.
Right to deletion of your personal data (‘right to be forgotten’) – You may request us to delete (part of) your personal data in the following situations:
- when the processing is no longer necessary for achieving the purposes for which they we collected or otherwise processed these; or
- when the processing was based on your consent and you have decided to withdraw that consent;
- when you have other reasonable grounds to object to the processing of your personal data;
- when we would unlawfully process your personal data;
- when your personal data have to be erased in compliance with a legal obligation directed to us.
- We note that in some case, we may refuse to delete your personal data: (i) for exercising the right of freedom of expression and information; (ii) for compliance with a legal obligation; or (iii) for the establishment, exercise or defence of legal claims.
Right to restriction of processing – You may request us to (temporarily) restrict the processing of your personal data in the following situations:
- when you have contested the accuracy of your personal data, for a period enabling us to verify this accuracy; or
- when the processing appears to be unlawful and you request us the restriction of use of your data instead of the deletion of this data; or
- when we no longer need the personal data for the purposes of the processing, but you need them for the establishment, exercise or defense of legal claims; or
- pending verification whether our legitimate grounds override yours in the framework of an objection.
Right to object to the processing of your personal data (free of charge) – You may under certain circumstances object to the processing of your personal data, when such processing is based on our “legitimate interests”. If we agree, we will no longer process your personal data, unless we have compelling legitimate grounds to do so, or because such a processing is necessary.
Where we process your personal data for direct marketing purposes (in particular for sending an electronic newsletter) you may at any time object to the processing thereof or withdraw your consent thereto.
Right to data porta–bility – In some cases, you have the right to receive all your personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller. This right applies:
- in case the processing is based on consent or on the necessity for the performance of a contract; and
- in case the processing is carried out by automated means.
You can exercise these rights by logging in to the MCAA website as a member, then go to your profile page and make use of the ‘Edit profile’ and/or ‘Edit account’ options in the red ‘ACTIONS’ tab on the right of the page. Alternatively, you can also contact the MCAA via [e-mail address]. To totally delete your information, you must resign from the MCAA; please use the information given above under title 5.
In principle you may exercise these rights free of charge. Only where requests are manifestly unfounded or excessive we may charge a reasonable fee.
Further information and advice about your rights can also be obtained from the data protection authority in your country. Finally, you also have the right to lodge a complaint relating to the processing of your personal data by us with the data protection authority in your country, which can be found here: https://edpb.europa.eu/about-edpb/board/members_en.
We aim to respond as quickly as possible to your requests or questions. We might request a proof of identity in advance in order to double-check your request.
For any questions related to this privacy statement, the processing of your data and your rights, please feel free to contact either one or both joint data controllers, explicitly specifying your request, by:
- using the ‘Contact us’ section of this website
- writing to the MCAA Board at the following address:
- Postal address : MCAA, 24 avenue des Arts, B-1000 Brussels, Belgium
- E-mail : firstname.lastname@example.org
- contacting the European Commission:
- DG EAC, Head of Unit C2: EAC-UNITE-C2@ec.europa.eu
- Contacting the European Commission Data Protection Officer (DPO):
- Postal address: Data Protection Officer, European Commission, 1049 Brussels, Belgium
- E-mail: email@example.com
- Website: https://ec.europa.eu/info/departments/data-protection-officer_en
In case of conflicts with the MCAA, complaints can be addressed to the Belgian Data Protection Authority: https://www.privacycommission.be/
In case of conflicts with the European Commission, complaints can also be addressed to the European Data Protection Supervisor http://www.edps.europa.eu.