as the “Users” or the “User” and “Platform” respectively) and forms
an integral part of the Platform's Website Terms and Conditions. The present Privacy
Policy provides the
User with general information regarding how the Data Controller uses your personal data
and other information required by data protection legislation. In case of future
amendment, the User will be provided with necessary updates and information through the
1. Who is the Data Controller?
1.1. The Company with the company name “ECAS - European Citizen Action Service”, address:
BeCentral Cantersteen 12 B-1000 Brussels, Belgium,
Telephone: +32 (0) 2 548 04 90, email:
info(at)ecas.org, is the Data Controller for the processing of the User’s Personal
Data (hereinafter referred to as "Data Controller").
1.2. Data Controller's Contact details: For any issue or concern with regards to
uploaded by the User to use the Platform, the User can communicate with the
Data Controller, by using one of the following alternatives:
- By calling +32 (0) 2 548 04 90, from Monday to Friday from 10.00 a.m. to 18.00 p.m. EET
(Eastern European Time)
- By sending an email to the following email address: info(at)ecas.org
- By sending correspondence to the following address: BeCentral Cantersteen 12 B-1000 Brussels, Belgium
2. What is the purpose and the legal basis for User’s data processing?
2.1. The Platform's operational purpose is to collect the opinions of users via questionnaires. The opinions are processed in order to gain insights and to gather and present valuable ideas and suggestions on the topics addressed in the questionnaires.
Users can respond anonymously (without providing any personal information) or can
in order to submit eponymous answers.
User's answers are translated into English and are presented in Reports.
For the specific purpose of processing, the legal basis is User's prior consent.
2.2. To send the User informative emails in order to inform him about
new activities, projects and other issues of interest of the Platform. For this purpose
of processing, the legal basis is the User's prior consent.
2.3 Processing of data for reasons related to the Data Controller's compliance with
legal obligations. In such cases, processing of data takes place only for the time period necessary for the Data Controller to comply with obligations imposed by various legal provisions.
In case of the above provisions where the legal basis is User's prior consent, the
User can always withdraw his consent at any time without affecting the legitimacy of
data based on consent prior to its withdrawal.
3. Types of data collected
3.1 Personal data
3.1.1 Registration - account creation:
In order for a User to voluntarily create an account on the Platform, the User should
fill in the necessary data: his nickname, email address, and password.
3.1.2 Submitted questionnaire responses
The Platform collects user answers (that is opinions on various subjects) on questions
made via Platform's questionnaires.
These answers are analyzed and presented in a questionnaire results page.
The User is strictly advised to conform to the Platform's "code of conduct for successful
participation" and avoid
publicly posting any personal data that he does not wish to be publicly available on the
3.1.3. Platform's communication for reasons related to User's permitted use of the
In order for the Platform to communicate with the User for the above purposes, Data
Controller can process all data relating to User's account, uploaded content and data
related to the User's use of the Platform.
3.2 Usage data
We may also collect information on how the webpage is accessed and used ("Usage Data").
This Usage Data may include information such as your computer's Internet Protocol address (e.g. IP address),
browser type, browser version, the pages of our webpage that you visit, the time and date of your visit,
the time spent on those pages, unique device identifiers and other diagnostic data.
4. How the Platform collects data
4.1 The information can be collected in the following ways:
4.1.1 When the User registers and creates an account on the Platform.
4.1.2 When the User submits answers to the Platform's questionnaires.
4.1.3 When the User visits the Platform and agrees to the installation of cookies (as
personal data such as the IP address, operating system, type and browser edition
5. How long are User's data stored and when are they deleted?
5.1. User's account data:
Without prejudice to User's deletion/erasure right mentioned below, the Data registered
and stored in the User's account will be stored as long as the User wishes to make use
of the Platform for the purpose mentioned above. In
case a User wishes to delete his account, he can do so through the account
settings or by contacting the Data Controller at the above-mentioned contact details.
5.2. Platform's communication for reasons related to User's permitted use of the
Data related to such communication will be stored only as long as the User wishes to use
the Platform and maintains his account. In case a User wishes to delete his account, he
can do so through the account settings or by contacting the Data Controller at the
above-mentioned contact details.
5.3. Statistical analysis for the optimization of the Website
Regardless of the above mentioned provisions of article 5, Data Controller will store
and process only necessary data for the period required in order to comply with its
obligations imposed by law each time (compliance with fiscal obligations etc).
5.4. Processing of personal data for the purposes of conducting statistical
Please see the cookies policy (article 11) below.
6. What are User's rights in relation to the processing of his data and how can he exercise these rights?
The Data Controller respects the User's rights in relation to data processing.
The User can exercise his rights by contacting the Data Controller at the
following contact details: Telephone: +32 (0) 2 548 04 90, email: info(at)ecas.org
For the User's convenience, the User's rights are included in the following table along with a
short explanation of each right (reference to articles corresponds to article of GDPR
|Access (article 15)
The User can ask the Data Controller to:
- confirm whether the Data Controller processes User's personal data
- give the User access to data that the User does not dispose
- give the User other information related to User's personal data such
as which are the data that the Data Controller disposes, what are
the purposes of processing, to whom are these data disclosed,
whether these data are transferred in foreign countries and how are
these data protected, how long are the data stored, what are the
User's rights, how can a complaint be lodged, where were the data
taken from to the extent this information is not included in the
|Rectification (article 16)
The User can ask the Data Controller to rectify inaccurate personal
The Data Controller can seek to verify the accuracy of the data before
The User can ask the Data Controller to erase his personal data:
- whenever, when the personal data are no longer needed for the
which they were collected
- when the User withdraws his consent
- the personal data have been unlawfully processed
The Data Controller is not obliged to comply with User's request to erase
his personal data, if the processing of User's personal data is necessary:
- for compliance with a legal obligation
- for the fulfillment of another legitimate purpose or another
- for the establishment, exercise or defense of legal claims
|Restriction (article 18)
The User can ask the Data Controller to restrict (store but not process)
User's personal data when:
their accuracy is contested (see rectification), so that the Data Controller
can verify the accuracy of the personal data or
the personal data have been unlawfully processed but the User opposes the
erasure of the personal data or
they are no longer necessary for the purposes for which they were collected
but the User still needs them for the establishment, exercise or defense of
legal claims or there is another legitimate purpose of processing or other
Data portability (article 20)
When processing is based on consent and the processing is carried out by
automated means, the User can ask the Data Controller to receive his
personal data in a structured commonly used and machine readable format or
ask the Data Controller to transmit them to another controller directly from
the Data Controller. Nevertheless, according to the law, this right refers
only to those data that have been given by the User himself and not to those
data that are inferred by the Data Controller based on the data that the
User has provided.
|Objection (article 21)
The User can object at any time to the processing of personal data
concerning him or her which is based on legitimate interest or performance
of a task carried out in the public interest.
When the User exercises his right to object, the Data Controller has the
right to demonstrate that there are compelling legitimate grounds for the processing
that override the interest, rights and freedom of the User or for the
establishment, exercise or defense of legal claims.
Consent withdrawal (opt-out)
The User has the right to withdraw his consent where consent is the basis of
processing. Withdrawal is valid for the future.
The User has the right to lodge a complaint with the local supervisory
authority related to data protection.
In Greece the supervisory authority for Data Protection is Data Protection
|The Data Controller takes seriously the confidentiality of all files that
include personal data, thus he is entitled to ask the User for proof of his
identity if the User submits a request in relation to those files.
|The User will not have to pay for the exercise of his rights in relation to
personal data unless, as provided by law, the request to acquire access to
information is unfounded or excessive. In that case the Data Controller can
charge the User a reasonable fee under the specific circumstances. The
Data Controller will inform the User of any possible charge before he
completes the request.
|The Data Controller aims to answer the User's valid requests at the latest within
one (1) month from their receipt, unless the request is extremely
complicated or the User has submitted multiple requests, in which case the
Data Controller aims to answer them within three months. In case the
Data Controller needs more than one month for the reasons mentioned above,
he will inform the User. The Data Controller may ask the User to
explain what exactly he wishes to receive or what his concern is. This will
help the Data Controller to act more quickly in relation to the User's request. In
any case the User should mention specific and true data and/or facts so that
the Data Controller can accurately answer and/or satisfy the User's request.
Otherwise, the Data Controller reserves his right for any faults that are
outside of his control. Additionally, the Data Controller can reject requests
that are unfounded, excessive, abusive, made in bad faith or are
illegitimate in the framework of the legal provisions.
7. How is data security safeguarded?
The Data Controller implements all appropriate security measures to ensure
protection and confidentiality of personal data among which the following are included:
- Strong password policies in all servers
- HTTPS protocol for interacting with APIs and Web clients
- SSH protocol for server connection
- Periodical server updates with latest security fixes
Please note that only specifically authorized employees of the Data
Controller, acting under the authority of the Data Controller and only on his
instructions as well as recipients, where necessary, handle the data submitted by the
User. For the processing, the Data Controller chooses persons with appropriate
qualifications that have sufficient safeguards as to technical knowledge and personal
integrity to protect confidentiality. The Data Controller takes all necessary security
measures for the protection and safeguard of secrecy, confidentiality and integrity of
personal data also through relevant contractual commitments of his associates. In any
case the security of the Website may be infringed due to reasons that reside outside of
the Data Controller control sphere as well as due to technical or other problem of the
net or force majeure or accidental facts. In that case, the security of personal data
cannot be guaranteed.
8. Who are the recipients of data?
8.1 The recipients of User's personal data are associate companies that provide
technical infrastructure for the operation of the Website, hosting provider as well as
the company that undertakes to send electronic communication related to the operation of
the Platform to Users. Where necessary as per applicable laws, the Data Controller will sign agreements with such
companies, which refer to the implementation and regular monitoring of security
measures. In case data are transferred outside the EU, all necessary guarantees are in place.
8.2. In case the Data Controller receives a request to notify or transfer data
following a request by the appropriate Administrative Authority, Attorney, Court or
other Authority, he may notify / transfer those data in order to fulfill his duty
executed in favor of the public interest towards these authorities (with or without
User's previous notification) in accordance with the appropriate legal provisions. If
the User should be previously notified in accordance with the legal provisions, then the
User has the right to object to this processing as provided in article 7 above.
9. Communication with the Data Controller
well as exercise of User's rights, the User can contact the Data Controller using one of
the following ways:
Telephone: +32 (0) 2 548 04 90,
In case the User becomes aware of any data breach incident, he is kindly requested to
notify the Data Controller immediately.
9.2. The present terms are governed and supplemented by the Terms and Conditions
and constitute, along with them, a uniform text.
10. Connection to other Websites/social media
This Website connects with other websites through hyperlinks. These websites are not
related to Data Controller's Website and their content is neither checked nor
recommended by the Data Controller. Thus, the accuracy, legitimacy, completeness or
quality of their content and legitimacy of the processing of User’s personal data cannot
be checked and no guarantee is provided for them. The Data Controller cannot be held
liable for them or any damage that may be caused to the User due to or following their
use. The Data Controller cannot check the processing of the User's personal data by
those linked Websites and thus does not bear any liability. When the User accesses those
websites he should take into consideration that the terms and conditions of each website
apply. For any issue that may occur as to the content or the use of the linked website,
the User should directly contact the operator or administrator of each website. The Data
Controller does not approve or embrace the Content or the services of the linked
websites, which the User accesses through the Website.
The Website gives the User the possibility to connect and interact with social media
following his own initiative and will. In that case the Data Controller is not liable
for the processing of User's data taking place through or by the social media. The User
should directly address each specific social media in order to exercise his legitimate
improve User's navigation, to provide User with the full potential of the Platform, to
ensure the correct display of the content as well as for analytical and statistical
11.2. Cookies are small text files stored on User's computer when he visits a digital
platform, which are used as a means of identifying his computer.
11.3. Cookies apart from absolutely necessary cookies are only installed if the User
accepts their installation when he visits this Platform. By accepting cookies when
entering this Platform, the User expressly states that he has read and understood the
specific terms and conditions regarding the installation, function and purpose of the
cookies and that he provides his consent for their use.
11.4. Alternatively, the User may not accept cookies. In this case, only cookies that
are technically and functionally necessary for the operation of the Platform will be
11.5. The User can manage the use and installation of cookies at any time through a
panel, where he can choose which category of cookies he wants to accept and which ones
not (or request to install only the technically necessary cookies).
11.6. In particular, the cookies used by the Platform are the following:
|Type of cookies
|Examples of cookies
|Duration of each cookie installation
|Transfer of data to third parties
|Absolutely necessary Cookies
|The absolutely necessary cookies are essential for the proper operation of
the Platform. These cookies allow User to browse and use Platform features
such as access to secure areas. These cookies do not recognize User's
individual identity and without them, the smooth operation of the Platform
is not possible.
|crowdsourcing_app_cookies_consent_selection (Stores the user's cookie consent state for the current domain)
crowdsourcing_app_cookies_consent_targeting (Stores the user's cookie consent state for the current domain)
XSRF-TOKEN (Ensures visitor browsing-security by preventing cross-site
request forgery. This cookie is essential for the security of the website
and visitor.)
ecas_lets_crowdsource_our_future_session (When the app needs to “remember” the logged in user while (s)he navigates to the Platform)
Crowdsourcing_anonymous_user_id (used to store anonymous answers on the questionnaires by assigning an integer number to user that is submitting the response)
|These are cookies that evaluate the way visitors use the Platform (for
example, which pages are visited more often and whether they receive error
messages from webpages). These cookies are used for statistical purposes and
to improve the performance of a Platform.
|_ga_4S9N5MK4VE, _gat, _ga, _gcl_au, _gid: Google Analytics cookies are used to measure traffic on the Platform.
A unique text string is saved to identify the browser, the timestamp of interactions and the browser/source page that led the user to the Platform.
No sensitive information is saved.
|_ga_4S9N5MK4VE: 2 years
|Yes (Company that provides statistical and analytical services if considered
as third party)
12. Children's Privacy
Our project does not address anyone under the age of 18 ("Children").
We do not knowingly collect personally identifiable information from anyone under the age of 18.
If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us.
If we become aware that we have collected Personal Data from children without verification of parental consent,
we take steps to remove that information from our servers.
when this is necessary to comply with new requirements imposed by applicable laws,
guidelines or technical requirements, or in the course of a revision of the Data
Controller's processes and practices. The User will be notified of any amendment to this
for any amendments.