EUAA LMS

1. Introduction

The European Union Agency for Asylum (hereinafter ‘the EUAA’ or ‘the Agency’) is committed to protecting your privacy. The EUAA collects and further processes personal data pursuant to Regulation (EU) 2018/1725[1] (hereinafter ‘the EUDPR’).

This Data Protection Notice explains inter alia the reasons for the processing of your personal data, the way we collect, handle and ensure protection of your personal data and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, as well as of the Data Protection Officer (DPO) and the European Data Protection Supervisor (EDPS) to which you may have recourse as well to exercise the said rights.

2. Why and how do we process your personal data?

The EUAA Learning Management System (hereinafter ‘the LMS’) is an online training platform accessible from the Agency’s Intranet, which is used to deliver interactive modules covering the entire field of international protection to EUAA personnel (i.e., staff members, temporary agency workers / interim workers and remunerated external experts) and to personnel working in the asylum and reception administrations of EU+ Countries (i.e., case officers, managers of asylum units, reception officers, Country of Origin (COI) researchers and policy officers), amongst others. The LMS contains personal data of trainers and learners. For trainers, personal data are either collected directly by the Agency (where the EUAA assigns in-house trainers based on their availability and expertise) or provided to the Agency by the Training National Contact Points (TNCPs)[2] both in the context of a deployment procedure, for sessions organised by the EUAA, and in the context of national training sessions. This information is required to register trainers on the LMS, set up their personal profiles on the platform and decide on the appropriate trainer(s) for specific session(s).

 For learners, personal data are firstly provided to the Agency by TNCPs using a dedicated registration form. This information is required to register learners on the LMS, who subsequently are guided to set up their personal profiles on the platform by inserting information related to their education and professional background, according to the entry requirements and prerequisites of the chosen module. In addition, learners’ personal data included in module evaluation forms are processed by the Agency for reporting purposes, with a view to safeguarding the quality of the modules delivered. To execute such tasks, selected EUAA personnel have access to learners’ personal data stored in the registration forms and on the LMS platform.

When using the LMS platform, personal data are processed in the following manner:

• User data are collected via the LMS internal tools for the purpose of providing learners/trainers access to EUAA modules, check entry requirements and prerequisites for each module, managing the LMS, generate reports (e.g., LMS user enrolment report, LMS activity completion report, trainers report, etc.), as well as for statistical purposes.
• Learner experience data which are related to real-time spent on different sections of the LMS, and data related to online interactions on the system are collected automatically via the LMS. Learner experience data are also collected directly in the LMS live session and are accessible by the assigned trainer(s) to monitor learners’ progress during the online phase of the module. With the help of EUAA administrators, this helps to identify and measure the impact of the engagement of learner(s) at risk of dropping out to enable tutoring intervention in order to facilitate the completion of their training, and to improve the overall quality of the service. These data are also collected to mark learners’ responses automatically during quiz-based assessment sessions. In this case, scores are automatically attributed to learners based on the number of correct answers they provide, and the results are available online to the concerned users.
• (Anonymised) feedback information about the LMS is collected from learners and trainers via the feedback form plugin (SurveyPro) for purposes related to the (re)design of the curriculum (e.g., for the EUAA Annual Training Report).
• Relevant data is forwarded securely to the Malta Further and Higher Education Authority (MFHEA) and to the Malta National Statistics Office (NSO) on an annual basis. This data collection falls under Regulation (EC) No 452/2008[3] concerning the production and development of statistics on education and lifelong learning as further implemented by Commission Regulation (EU) No 1175/2014[4] and Commission Regulation (EU) No 912/2013[5].

 3. On what legal ground(s) do we process your personal data?

We process your personal data on the basis of Article 2(1) point (d) of Regulation (EU) 2021/2303[6] (hereinafter ‘the EUAA Regulation’) ), which provides that the Agency’s tasks include “assist[ing] Member States as regards training and, where appropriate, provid[ing] training to Member States’ experts from all national administrations, courts and tribunals, and national authorities responsible for asylum matters, including through the development of a European asylum curriculum”.

More specifically, paragraphs 1 to 4 of Article 8 of the EUAA Regulation provide, inter alia, that the Agency “shall establish, develop and review training for members of its own staff and members of the staff of relevant administrations, courts and tribunals, and of national authorities responsible for asylum and reception” and “shall develop a European asylum curriculum […] to promote best practices and high standards in the implementation of Union law on asylum”, offering such high quality training “with a view to ensuring greater convergence of administrative methods, decisions and legal practices, while fully respecting the independence of national courts and tribunals”.

Consequently, the relevant processing operation is lawful under Article 5(1) point (a) of the EUDPR given that it is necessary for the performance of the tasks that the Agency has been vested with by virtue of its mandate. To the extent that participation in the EUAA training activities taking place in the context of the LMS may be voluntary, the processing of any personal data shared on this basis is also lawful under Article 5(1) point (d) of the EUDPR, as it is based on consent of the data subjects concerned.

4. Which personal data do we collect and further process?

The following (categories of) personal data may be processed (for learners and/or trainers):

1. Learners
   • Credentials;
   • First name and surname;
   • Sex;
   • Date of birth;
   • Locality of residence (city/country);
   • Citizenship;
   • E-mail address;
   • Organisation or institution of origin;
   • Level of education;
   • Previous working experience and successful completion of prerequisite modules;
   • Assessment of learners’ results and grades;
   • Module completion status (i.e., enrolled, completed, withdrawn, participation in summative assessments);
   • Learner experience data collected via the LMS internal tools:
     • Time spent on the LMS and in different sections of the training modules;
     • Interactions with online content and activities (e.g., LMS webpages, learning objects, quizzes, tests, forums and assignments);
     • Tracking of learning progress.
2. Trainers
   • Credentials;
   • First name and surname;
   • E-mail address;
   • Organisation or institution of origin;
   • Trainers’ feedback on learners’ assessment of results and grades.
   • Learners’ (anonymised) feedback on trainers’ performance.

 5. How long do we keep your personal data?

Learners’ personal data will be kept for a maximum of 40 years in accordance with Standard 8 of the Guidelines for External Quality Assurance Audits of Further Education Institutions and Further Education Centres issued by the MFHEA, to meet the requirements of Maltese legislation for the accreditation of educational institutions.

Non-in-house trainers’ personal data will be stored for as long as trainers comply with the Trainers Pool selection criteria and are available for deployment as a trainer.

In-house trainers’ personal data are stored by the Agency for as long as they work in the EUAA.

 6. How do we protect and safeguard your personal data?

Personal data processed in the context of the LMS or data obtained for the purposes of registration in electronic format (e-mails, documents, etc.) are stored in Microsoft Azure and Microsoft 365 Services.

To protect personal data, the EUAA has put in place a number of technical and organisational measures as required under Article 33 of the EUDPR. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.

For website security purposes and to ensure that the LMS remains available to all users, network traffic is monitored to identify unauthorised attempts to exploit or change information on this website or otherwise cause damage or conduct criminal activity. Anyone using this website is advised that if such monitoring reveals evidence of possible abuse or criminal activity, results of such activity might be provided to the appropriate authorities in line with the applicable rules.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the following security measures are applied:

1. The encryption of the data.
2. Measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
3. Measures to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
5. Measures to ensure personal data will solely be processed by authorised personnel who are:
   • granted access to the personal data on a need-to-know basis.
   • familiar with the obligations stemming from the applicable data protection rules.
   • regularly trained in the care, protection and handling of personal data.
   • authorised to process the personal data; and
   • subject to a duty of confidentiality (either as a statutory or as a contractual obligation).

7. Who has access to your personal data and to whom are they disclosed?

The following (categories of) recipients may have access to personal data related to learners/trainers identified above:

1. Trainers;
2. Learners in the same training module(s);
3. Other users (i.e., trainers or learners) participating in discussion forums, personal/group messaging tools, chat rooms or with access to list(s) of participant(s) for different module(s);
4. Authorised EUAA personnel acting as LMS administrators with access rights;
5. External contractors (ALTIA CONSULTORES S.A) based in the EU/EEA providing LMS-related services with access rights (i.e., Helpdesk and Maintenance Services);
6. TNCPs, upon request, regarding information such as, information related to learner’s progress or completion rate or successful participation in EUAA modules.
7. The MFHEA and the NSO are forwarded relevant data of the user´s profile on an annual basis, such as age, previous qualifications and courses currently attended.

8. Do we transfer any of your personal data to third countries or international organisations (outside the EU/EEA)?

To the extent that users of the LMS (i.e., trainers or learners) may come from (international) organisations[7] and/or third country partners under EUAA Roadmaps[8], this processing activity may entail transfers of personal data to (international) organisations or third countries.

 For this purpose, in the absence of appropriate safeguards in place, the explicit and informed consent of the data subject(s) concerned is exceptionally sought for the international transfers of their personal data, pursuant to the derogation foreseen in Article 50(1) point (a) of the EUDPR.

9. Does this processing involve automated decision-making, including profiling?

This processing activity does not involve automated decision-making, or profiling.

10. What are your rights and how can you exercise them?

According to the EUDPR, you are entitled to access your personal data and to rectify them in case the data are inaccurate or incomplete. If your personal data are no longer needed by the EUAA or if the processing operation is unlawful, you have the right to erase your data. Under certain circumstances, such as if you contest the accuracy of the processed data or if you are not sure if your data are lawfully processed, you may ask the Data Controller to restrict the data processing. You may also object, on compelling legitimate grounds, to the processing of data relating to you. Additionally, you have the right to data portability which allows you to obtain the data that the Data Controller holds on you and to transfer them from one Data Controller to another. Where relevant and technically feasible, the EUAA will do this work for you.

If you wish to exercise your rights, please contact the Data Controller, Head of Training and Learning Management Unit, by sending an email to: elearning@euaa.europa.eu. 

You may always submit queries, remarks or complaints relating to the processing of your personal data to the Data Protection Officer (DPO) of the EUAA using the following e-mail address: dpo@euaa.europa.eu.

In case of conflict, complaints can be addressed to the European Data Protection Supervisor (EDPS) using the following e-mail address:  Supervision@edps.europa.eu