Title: HEInnovate

Reference: DPR-EC-01867.4

Entity of the Operational Controller: European Commission: Education, Youth, Sport and Culture (EAC.C.1)

Publication date:

1. General information

Data protection record

Record reference

DPR-EC-01867.4

Title of the processing operation

HEInnovate

Language of the record

English

Corporate record

No

Data Protection Officer

Contact details

EC-DPO-INTERNAL@ec.europa.eu

Entity of the Operational Controller

Responsible organisational entity

Education, Youth, Sport and Culture (EAC)

Directorate / Unit

C.1

Contact Details

Eac-heinnovate@ec.europa.eu

Other Commission departments involved

Other Commission departments involved in the processing

No

Joint controllership

Joint controllership is involved

N/A

Processors

Processors are involved in the processing

Yes

• Names and contact details of processors

PPMI Group UAB (part of the Verian Group), Gedimino pr. 50, LT-01110 Vilnius, Lithuania · Touch4IT s.r.o., Hany Meličkovej 5, 841 05 Bratislava, Slovakia

2. PURPOSE AND DESCRIPTION OF THE PROCESSING

Purpose

Description of the purpose of the processing

HEInnovate (the Commission’s processors) through the contractors (the website developer and administrator team by virtue of website administration)

collect and use your personal information to:

• Provide you with tailored features and functionality of the Website
• Identify you as the sender of, and to process, your e-mails
• Respond to your questions and comments
• Send you tailored messages you requested helping you use the Website
• Improve, enhance, and tailor the Website for you
• Carry out specific actions you request
• Provide information you requested on different topics on important developments, activities, events, webinars, initiatives or thematic issues in the area of the services of HEInnovate in particular through news items and newsletters or notifications
• Collect information for statistical purposes in an aggregated and anonymized manner

Personal data are processing when users:

• have given consent to the processing of your personal data during the registration process to HEInnovate and the community.
• have subscribed to receive tailored messages helping you use the Website.
• have subscribed to receive the information on important developments, workshops, webinars, events, trainings, study visits or thematic issues in the area of the services of HEInnovate in the form of newsletters and/or news items and notifications.

Processing for further purposes

The purpose(s) for further processing

• N/A

Modes of processing

The mode of processing

• Automatic processing
  • Computer/machine
    • Online form/feedback

Description/additional information regarding the modes of processing

-

Storage medium

The medium of storage (one or more)

• Electronic
  • Servers
• External contractor premises

Description/additional information regarding the storage medium-

Source of personal data

Personal data are obtained directly from the data subjects

Yes

Comments

Comments/additional information on the data processing

-

3. DATA SUBJECTS AND DATA CATEGORIES

Data subjects’ categories

Data subject(s) are

• External to the organisation

A description of the data subjects (external to the organisation)

• HEInnovate users are:
  • University leaders, members of the governing board, rectors, vice-rectors, deans, heads of faculty and departments;
  • Scholars and researchers in the field of entrepreneurial education and innovation in higher education;
  • Administrative staff working in entrepreneurship centres, career centres, technology transfer units and innovation centres;
  • University stakeholders and partners that work directly with universities in supporting entrepreneurship;
  • Students

Data categories/fields

Description of the categories of data that will be processed

• full name,
• address,
• e-mail address,
• any other information that may identify the user as an individual (e.g., country, name of higher education institution or organization, role, name of faculty/department and discipline)
• any personal information the users provide to the contractor in any message boards and contact forms

The contractor may also collect information about the use of the Website and the device used to access the Website (“non-personal information”), such as:

• IP address and country location
• Browser information (including browser type, capabilities, and language)
• Operating system
• Date and time users access the Website
• Website usage information, including the paths taken moving from one website or webpage to another website or webpage (i.e., "click stream" activity)

The processing operation concerns any 'special categories of data' which fall(s) under Article 10(1), which shall be prohibited unless any of the reasons under Article 10(2) applies

N/A

Description/additional information regarding special categories of personal data

-

Data related to ‘criminal convictions and offences’

The data being processed contains sensitive data which fall(s) under Article 11 'criminal convictions and offences'

N/A

Comments

Comments/additional information on data subjects and data categories

-

4. RETENTION PERIOD

Data categories and their individual retention periods

The administrative time limit(s) for keeping the personal data per data category

1. Data category

   Data of anonymous users
   
   Retention period

   3 months
   
   Start date description

   -
   
   End date description

   -
   
    

2. Data category

   Data of registered users
   
   Retention period

   7 years
   
   Start date description

   -
   
   End date description

   -
   
    

3. Data category

   Users of the newsletter and news notification
   
   Retention period

   Until users unsubscribe from the mailing list
   
   Start date description

   -
   
   End date description

   -
   
    

Comments

Comments/additional information on the data retention periods

-

5. RECIPIENTS

Origin of the recipients of the data

The origin of the data recipients

• Outside the EU organisation

  A description of the indicated recipients of the data

  The processor is:

  1) PPMI Group, UAB (part of the Verian Group), Joint Stock Company 300654654, Gedimino pr. 50, LT-01110 Vilnius, Lithuania (Data Steward – supporting the data owner, liaising with the technical team)

  VAT: LT100003672217

  PPMI is a leading European research and policy analysis centre. It is a trusted partner, providing actionable insights, facilitating shared understanding among stakeholders, and supporting positive and lasting change. On 6 July 2023, PPMI joined Verian Group, a world leading, purpose-led and independent research, evidence, evaluation, and communications agency, providing services to government and the public realm. The deal enabled both organisations to strengthen their combined offerings across public policy advisory and evaluation, data and analytics, and behavioural and communications work, to support government, multi-laterals, business and civil society clients, when dealing with the most important and complex public policy issues around the world.

  2) Touch4IT s.r.o., LLC, Slovakia 00686930, Hany Melickovej 5, Bratislava, 84105, Slovak Republic (Data Custodian – technical lead responsible for the data asset)

  VAT: SK2120068698

  It takes care of the development and maintains the HEInnovate website

Categories of the data recipients

The categories (one or more) of the data recipients

• A natural or legal person

Description of the indicated category(ies) of data recipients

• Personal information (e.g., full name, address)
• Non-personal information (e.g. IP address, operating system)

The contractor has access to the data provided by users when using the HEInnovate website (e.g. creating a user account, starting or submitting a self-assessment or questions through the website)

Who has access to which parts of the data

Access to personal data is provided to the Commission’s contractor responsible for carrying out this processing operation according to the “need to know” principle. They include the website developer and administrator team, who have access to data by virtue of website administration. In addition, the self-assessment results completed as part of a group exercise on HEInnovate are available to the registered user and to the group administrator (i.e. the registered user who set up the group and invited others to complete the self-assessment as part of their group). The registered profile gives access to all self-assessments completed by the user, which can be used for their own internal comparative purposes. The group administrator only has access to the self-assessment results completed as part of that specific group. Self-assessments assigned to a group can be removed and deleted by the user at any time.

Comments

Comments/additional information on data recipients

-

6. INTERNATIONAL DATA TRANSFERS

Transfer outside of the EU or EEA

Data is transferred to countries outside the EU or EEA

N/A

Transfer to international organisation(s)

Data is transferred to international organisation(s)

N/A

Comments

Comments/additional information on international data transfers

-

7. INFORMATION TO DATA SUBJECTS ON THEIR RIGHTS

Privacy statement

Rights of the data subjects

The processing should respect the following rights of data subjects

• Article 17 - Right of access by the data subject
• Article 18 - Right to rectification
• Article 19 - Right to erasure (right to be forgotten)
• Article 20 - Right to restriction of processing
• Article 21 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
• Article 22 - Right to data portability
• Article 23 - Right to object
• Article 24 - Rights related to Automated individual decision making, including profiling

The data subjects are informed about their rights and how to exercise them in the form of a privacy statement attached to this record

Yes

Publication of the privacy statement

• Published on website

The link of the website where the privacy statement is published

Https://heinnovate.eu/en/about/privacy-policy

Guidance for Data subjects which explains how and where to consult the privacy statement is available and will be provided at the beginning of the processing operation

Yes

An explanation of the guidance on how and where to consult the privacy statement

The privacy statement can be consulted at: Privacy policy | HEInnovate

The privacy statement(s)

• Privacy_statement_HEInnovate_2025.docx

Comments

Comments/additional information on information to data subjects on their rights

-

8. SECURITY MEASURES

Short summary of overall Technical and Organisational measures implemented to ensure Information Security:

All personal data in electronic format (databases, uploaded data, etc.) are stored on the servers of the contractors of the European Commission hosted in a protected data centre, which is located in a country of the European Union.

In order to protect users' personal data, the Commission’s processors (contractor) have put in place a number of technical and organizational measures in place. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorized access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.