Data Protection Notice for a hybrid conference supporting a project to map vaccination monitoring methodologies in EU member states and develop recommendations.

This Data Protection Notice describes the measures taken to protect your personal data1 with regard to the action involving the present data processing operation and what rights you have as a data subject. 

European Health and Digital Executive Agency (HaDEA) protects the fundamental rights and freedoms of natural persons and in particular your right to privacy and the protection of your personal data. 

Your personal data are processed by HaDEA in accordance with Regulation (EU) No 2018/1725 of the European Parliament and of the Council of 23 October 20182 on the protection of individuals with regard to the processing of personal data by the European Union institutions, bodies, offices and agencies and on the free movement of such data. 

The purpose of the high-level conference carried out in execution of contract N. HADEA/2022/OP/002, is the following: 

• Dissemination of the findings of the first phase of the project (mapping vaccination monitoring EU wide) 

• Collection of written feedback on draft recommendations that will be pre-circulated 

• Co-production (conference participants and study team) of a finalised set of recommendations 

The purpose of this document is to inform participants, moderators, facilitators and speakers in the high-level conference about the processing activities related to their personal data, which cover:  

• Invitations to attend and register interest in the conference or participate in any way (including attending, speaking, moderating and facilitating) 

• Ensuring the conference meets the dietary and accessibility requirements of all participants, speakers, moderators and facilitators. 

• Sharing operational and logistical information about the conference such as: 

• Agenda 

• Breakout group allocations 

• Date, time, location 

• Changes to schedules 

• Reimbursement procedures 

• Documenting the conference which may include recording of sessions (both online and in person and applies to participants and speakers, moderators and facilitators), note taking, as well as photography/videography for example by a conference photograph. 

• Production of a conference report that shall synthesise the inputs of participants and include a list of participants, moderators, speakers, and facilitators at the conference. 

• Enabling reimbursement of expenses wherever applicable 

The data controller of the processing operation is the Head of Unit A2 of the HaDEA, managing the contract N. HADEA/2022/OP/002. 

The following entities process personal data on behalf of HaDEA in this project:  

1. Technopolis B.V.,  

2. Stichting Nederlands Instituut Voor Onderzoek Van De Gezondheidszorg 

3. Schuttelaar & Partners. 

Technopolis B.V. has subcontracted the entity Technopolis Ltd., who is a sub-processor of the data (collecting, processing, storing) under the instructions of Technopolis B.V. 

For the hybrid conference your personal data will be collected and processed by Schuttelaar & Partners via third party tools (see below). All the entities above will have access to the data on a needs basis.  

The following of your personal data are collected during the registration process via a web-based form and then used for operational planning of the conference including contacting you: 

1. Title (which may indicate gender) 

2. First name* 

3. Last name* 

4. Organisation you are representing (if applicable) or place of employment* 

5. Job title* 

6. Country* 

7. Email address* 

8. Phone number 

9. Accessibility requirements that may include information on disability status 

10. Special dietary restrictions (allergy, intolerance or preference) 

The following of your personal data are additionally collected during the reimbursement process and are used in order to reimburse you.  

11. Bank details including name on account and account number (IBAN)* 

All personal data marked with a * (star) are mandatory for the purposes outlined above, other fields are non-mandatory and can only be processed based on your explicit prior consent. 

The following of your personal data may also be collected during the conference: 

12. Recording of your voice and image or written contributions (online) 

The following of your personal data may be collected when you are interacting online with the conference portal and third-party tools used for the organisation of the conference. (Zoom or Teams when joining online and Eventbrite during registration in the portal).  

13. When participating in the conference online: Profile and participants information, contact information as well as non-personal information such as settings, device information. 

14. When registering via the portal IP addresses, as well as other non-personal information such as browser type, other characteristics of users’ device and software.   

For further information on this data collection and the use of cookies please see the section below on Third party tools used for the organisation of the conference. 

Initial contact of invitees, moderators, facilitators and speakers: in order to contact you to participate in the high level conference you have been selected either (1) through desk research and your contact details were obtained through publicly accessible sources (2) you previously gave explicit documented consent during a previous data collection activity (either an online survey or an interview) where you checked a box or verbally confirmed (recorded, transcribed) that you consent to be contacted for the conference3,4 and that contact has not been subsequently withdrawn or (3) you contacted us directly on the project email address or the conference portal to register interest. Within the initial and any subsequent contacts you will be given the option to opt out of further contact (see consent process below).  

Registration: will be a two-stage process via an online portal and a registration system which is embedded (EventBrite). The portal is hosted by Schuttelaar & Partners (a named data processor above) with an EUbased server. In the first stage of registering interest, you will complete a form corresponding to personal data fields 1-8 above. At the second stage you will add further fields 9-10. 

Conference Documenting: Prior to photography, videography or recording commencing participants, speakers, moderators and facilitators will be informed and offered the opportunity not to be subject to such processing.. In person this will be at the beginning of the day and individuals opting out and those recording/videoing/photographing will make arrangements with those individuals. Online, this will be before each session begins and opting out will require either making no spoken contribution, turning off video and submitting written contributions via a different channel (that can be arranged), or choosing to not attend the conference. Recordings will not be shared beyond the data processors/sub processors listed above. Their purpose is for the creation of conference notes that capture and document discussions and their outcomes or decisions and ensure that all feedback is noted and represented. The recordings  will be deleted as soon as transcripts and/or detailed notes are created and verified. Video and photographs may be shared more widely on social media and/or in the conference report. 

Reimbursement: Where reimbursement is agreed having submitted receipts and gained approval according to reimbursement guidelines you will be asked to complete a form (that will be shared with you by email) detailing where the reimbursement should be paid. This will correspond to field 11 above.  

We will contact you a maximum of four times to invite you to register. The invitation will contain further information about the study, the conference and direct you to the conference online portal. The invitation will also contain an ‘unsubscribe’ option which you can use if you do not wish for further communication or contact about the conference. If you have previously consented to communications via a previous data collection activity this ‘opting out’ will be a withdrawal of that consent and the withdrawal will be processed according to the DPN for that activity.  

If you chose to register interest in participating in the conference via the conference online portal you will be asked to give your specific, explicit and informed confirm that your data can be collected and processed for the purposes of the conference. By confirming at this point that you are consenting for the personal data listed (1-10 above) to be processed. 2-8 are mandatory and it will not be possible to register interest without them , 9 and 10 are not mandatory, can only be collected with this explicit prior consent. 

Furthermore, these questions (9,10) can be skipped – so to provide this data is to opt in, while to skip the question is to opt out. The purpose of collecting this non-mandatory data is to ensure accessibility and dietary requirements can be met enabling an inclusive conference.  

The recipients of your personal data will be the responsible staff members of the processorsTechnopolis B.V., Stichting Nederlands Instituut Voor Onderzoek Van De Gezondheidszorg and Schuttelaar & Partners, and the sub-processor Technopolis Ltd. 

Moreover, on a need-to-know basis and in compliance with the relevant current legislation, recipients of your personal data are bodies charged with monitoring or inspection tasks in application of EU law (e.g. EC internal audit, Court of Auditors, European Anti-fraud Office (OLAF), the European Ombudsman, the European Data Protection Supervisor, the European Public Prosecutor). 

Your personal data may be transferred to the United Kingdom (UK), where the sub-processor Technopolis Ltd. is based, after obtaining a consent from HaDEA, in line with requirements of Art. I.9.2 b) of the service contract. 

The following safeguards are in place for this transfer: the transfer to the UK takes place on the basis of the adequacy decision⁵. 

The following technical and organizational measures are in place to ensure sufficient protection of your personal data: 

• We use Microsoft’s Office 365 cloud solutions allowing us to control access to personal or sensitive data to individual users (authorized team members engaged in the data collection, analysis or future event or activities you are engaged in only) as well as benefit from Microsoft’s enterprise level cyber security measures. Furthermore, we use additional services to back all data from Microsoft Cloud in the event that Microsoft Cloud is compromised.  

• We use cloud cybersecurity service solutions to control our email operations focusing on spam blocks, impersonation attacks, malware detection, unsafe links and malicious attachments. We use digital risk protection and cybersecurity services for 24/7 continuous Dark Web monitoring for user credentials.  

• All employees are briefed and trained on data protection measures and cyber security.  

• Please find the privacy policies of all data processing entities in the footnotes: Technopolis B.V. and Technopolis Ltd6, Stichting Nederlands Instituut Voor Onderzoek Van De Gezondheidszorg7, Schuttelaar & Partners8. 

The processing of your data will not include automated decision-making (such as profiling). 

The conference will be a hybrid event and the online component will use the following tools:  

• For the purpose of communication and hybrid conferencing we will use Outlook and Teams services provided by Microsoft. Microsoft collects the following personal data: name, contact details. Moreover, it hosts the collected personal data on servers in the EU. For information on how Microsoft uses cookies and how it processes personal data, please see at: https://privacy.microsoft.com/en-us/privacystatement. 

• The online conference portal is built on the H5Mag platform. H5mag — as an EU-based Dutch company — is fully committed to the privacy of its users. Any personally identifiable information is stored and processed according to the Data Protection Act of 1998 and the GDPR (General Data Protection Regulation). This includes the ‘Right to be forgotten’, the ‘Right to object’, the ‘Right to rectification’, the ‘Right of access’ and the ‘Right of portability’. These rights apply to both direct users of H5mag as the readers/ subscribers of published materials. More information on H5Mag’s privacy policy can be found here. 

• EventBrite is embedded as registration system in the online portal. EventBrite’s exclusive transfer mechanism for data exported from the European Economic Area, United Kingdom and Switzerland is the use of the European Commission’s Standard Contractual Clauses. Eventbrite complies with GDPR and more information on its GDPR compliance programme is to be found here and a subsection on security and safety of data here.  

• Eventbrite uses cookies, some of which are required for technical reasons in order for the portal to operate and others to track and target preferences and user experience or for advertising. analytics and other purposes. As we will be using a European EventBrite domain you have the option to modify what cookies you allow on your browser at any time through the cookie settings tool. For further information please see the Eventbrite cookies policy.  

The legal basis for the processing activities for personal data items 1 -12  is Article 5(1)(a) of Regulation EU 2018/1725 because processing is necessary for the performance of a task carried out in the public interest (or in the exercise of official authority vested in the Union institution or body9 laid down in Union law).  

If you want us to delete your personal data please contact us on vacciationprogrammesEUstudy@technopolis-group.com, For any or all of fields 1 – 11 as above) we will delete your data at the latest 10 working days after your request.  

Please note that withdrawing your consent does not affect the lawfulness of any processing based on your consent before this consent is withdrawn. Attention is drawn to the consequences of a delete request, which means that all your contact details will be lost. 

As a general rule your personal data will be kept for a maximum period of 20 months, commencing from the start of the study until 2 months after the completion of the study. Data will be deleted at the end of this period.  

Voice recordings (field 12) will be deleted immediately upon notes being verified and can also be deleted within 10 days of request by this method. 

Video and images (field 12) will also be deleted from our servers within 10 days on request by email however should they already have been shared e.g. via social media we will be unable to trace and delete all occurrences of them.  

You have the right to access your personal data and to request your personal data to be rectified, if the data is inaccurate or incomplete; where applicable, you have the right to request restriction or to object to processing, to request a copy or erasure of your personal data held by the data controller. If processing is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing based on your consent before its withdrawal. 

Your request to exercise one of the above rights will be dealt with without undue delay and within 1 month.  

If you have any queries concerning the processing of your personal data or wish to exercise any of the

rights described above, you can contact Technopolis B.V., acting as data processor via vaccinationprogrammesEUstudy@technopolis-group.com and the data controller HaDEA unit A2  HADEA-A2-DATA-PROTECTION@ec.europa.eu 

You shall have right of recourse at any time to the European Data Protection Supervisor at EDPS@edps.europa.eu.