Data Protection Notice - APF 2023

The European Union Agency for Cybersecurity (ENISA) and the National Institute for Research in Digital Science and Technology (INRIA) process your personal data to organise and manage the Annual Privacy Forum (APF) 2023 that will take place on 1st and 2nd of June 2023 in Lyon.

The joint data controllers are ENISA and INRIA, who are responsible for the overall organisation of the event, the communication with the participants before and after the end of the event, as well as the reimbursement of expenses of invited participants.  ENISA is also responsible for the online registration of the event’s participants through its website and the teleconference platform. INRIA is also responsible for the management of the Forum’s venue (local organiser).

ENISA processes personal data in accordance with the Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data[i]. The legal basis for the processing operation is article 5(1)(a) of Regulation (EU) 2018/1725, on the basis of Regulation (EU) No 2019/881, in particular the provisions establishing the tasks of ENISA.

INRIA processes personal data in accordance with the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR)[ii]. The legal basis is article 6(1)(e) GDPR.

The data processors involved in the processing operation are:

  • EaudeWeb, established in Romania, who is responsible for ENISA’s web site hosting under specific service contract with ENISA;
  • CISCO Webex that provides the online teleconferencing platform that ENISA uses under the European Commission’s DG DIGIT SIDE II Framework Contract;
  • INRIA security contractor, who is responsible for APF 2023 venue physical security under specific contract with INRIA.

The purposes of the processing of your personal data are: registering the event’s participants through ENISA’s website, providing registered participants with access to the physical venue, providing registered participants with access to the conferencing platform (CISCO Webex), sharing presentations among participants after the event, and collecting feedback.

The following personal data are processed:

  • Contact data, such as first name, last name, organisation, e-mail (collected upon registration at ENISA’s website and further processed by ENISA and processor EaudeWeb);
  • Personal data related to the connection/use of the teleconference platform: name / pseudonym, email address (optional), organisation (optional), IP address, MAC address, browser information, hardware type, operating system type and version;
  • User generated information: discussion chat logs, meeting recordings, uploaded files. These data are produced through the CISCO Webex platform during the event.

Please Note:

  • APF 2023 will not be audio/video recorded. Audio/video will only be activated for the event organisers and the presenters/panellists (video is optional).
  • There will be photos taken during the workshop’s presentations (keynotes/panels) based on the prior consent of the speakers (presenters/panel participants). These photos may be published on ENISA’s and INRIA's websites and/or relevant social media channels. The focus of the photos will be on the speakers only and not on general views of the audience or specific views/pictures of workshop’s participants (other than speakers). Still, should your photo be taken in the context of this photo shooting, and you would like to have this photo removed, please contact ENISA at isdp@enisa.europa.eu and we will do so as soon as possible. 

Access to your data is granted only to ENISA and Koźmiński University staff, who are involved in the organisation of the workshop, the data processor’s staff involved in the registration and payment service, event organisers contracted by ENISA or Koźmiński University (involved in the reimbursement of expenses of invited participants), as well as competent financial institutions (for the payment of the registration fees).  Access to the data can also be granted to national and EU bodies charged with monitoring or inspection tasks in application of national or EU law (e.g. internal audits, European Anti-fraud Office – OLAF).

The retention periods for the personal data are as follows:

  • the final participants list (name, surname, organisation, country) will be kept by ENISA for a maximum period of 5 years after the end of the event for auditing purposes. 
  • your contact data will be kept for a maximum period of six months after the end of the event.
  • financial data related to the event will be kept for a maximum period of 10 years after the end of the event for auditing purposes. All data will be deleted after the end of their respective retention periods.
  • the personal data related to the connection and use of the teleconference platform will be retained by the relevant processor (Microsoft Teams) for the period necessary for the provision of the teleconferencing service. Personal data will be deleted after the end of the retention periods.

The recipients of your data will be designated ENISA and INRIA staff involved in the organisation of the workshop, designated staff of ENISA’s and INRIA’s contractors involved in the event, and bodies charged with monitoring or inspection tasks in application of EU law (e.g. internal audits, European Anti-fraud Office – OLAF).

Storage of personal data: the contact data collected upon registration at the ENISA website are stored on the ENISA’s (and contractor’s EaudeWeb) servers and are only processed within EU/EEA. Personal data related to the connection/use of the teleconference platform are stored in Microsoft Teams servers within EU/EEA and may include transfers of personal data outside EU/EEA, subject to the provisions of Chapter V Regulation (EU) 1725/2018.

The final participants list (name, surname, organisation, country) will be kept by ENISA and INRIA for a maximum period of 5 years after the end of the event for auditing purposes.

Your contact data will be kept for a maximum period of six months after the end of the event and in any case no later than 10 working days after the last event’s follow-up action.

You have the right of access to your personal data and to relevant information concerning how we use it. You have the right to rectify your personal data. Under certain conditions, you have the right to ask that we delete your personal data or restrict its use. You have the right to object to our processing of your personal data, on grounds relating to your particular situation, at any time. We will consider your request, take a decision and communicate it to you. If you have any queries concerning the processing of your personal data, you may address them to ENISA at isdp [at] enisa.europa.eu. You may also contact the ENISA DPO at any time at dataprotection [at] enisa.europa.eu.

You have right of recourse at any time to the competent supervisory authorities: European Data Protection Supervisor (https://edps.europa.eu) and the French Data Protection Authority (https://www.cnil.fr/en/home).


[i] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002.

[ii] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).