REGISTER OF THE DATA PROTECTION OFFICER (DPO)

Title: EURES 

1. GENERAL INFORMATION

DATA PROTECTION RECORD

  • Title of the processing operation: EURES
  • Language of the record: English
  • Corporate record: No
  • Data Protection Officer
  • Contact details: data-protection@ela.europa.eu  

ENTITY OF THE OPERATIONAL CONTROLLER

  • Responsible organisational entity: European Labour Authority 
  • Directorate / Unit:  Information and EURES Unit
  • Contact Details: data-protection@ela.europa.eu  

Joint controllership

Joint controllership is involved: N/A

PROCESSORS

Processors are involved in the processing Yes
 

  • Names and contact details of processors: Development, support and operations of the EURES system may be delegated to external companies or organisations acting as "processor" on behalf of the European Labour Authority. Such processors are bound by contracts defining the terms of service, including personal data protection clauses indicating their responsibilities as provided for by Regulation (EU) 2018/1725. External contractor bound by agreement to compliance with data protection rules and confidentiality; the external contractor includes ARHS, contractor to EMPL unit F5, for IT development and testing, and ELA Information and EURES Unit contractors for the EURES helpdesk, Newsroom and European Online Job Days.

2. PURPOSE AND DESCRIPTION OF THE PROCESSING

PURPOSE
Description of the purpose of the processing


The EURES (European network of employment services) is created by Regulation (EU) 2016/589 of the European Parliament and of the Council of 13 April 2016.

EURES is a network of employment services to help jobseekers and employers to find each other across Europe.

The purpose of user account data processing is to enable user authentication/authorization to access specific EURES functionalities requiring authentication.

CV data/profile storage and processing is necessary to provide the best matching job vacancies to a jobseeker.

Job vacancy data (that includes some personal data in contact information) storage and processing is necessary to provide the best matching job vacancies to a jobseeker.

Enquiries are exchanges between jobseekers, employers or EURES staff, conducted in a secure way in the EURES portal.
Anonymised CV data and job vacancy data is used for statistical purposes, to contribute to labour market statistics.

Anonymised system usage logs (user-system interactions information for both registered and non-registered users) are used to understand frequency and pattern of use of specific features and serve as input to further system development. System usage logs are also used to enable data protection and security auditing to detect abuse (such as web-crawling) or inform users on access to their data (GDPR compliance)

PROCESSING FOR FURTHER PURPOSES

The purpose(s) for further processing: N/A

MODES OF PROCESSING

The mode of processing
• Any other mode:

User account data is encoded during creation of a user account. It is processed by EURES IT system to allow user access to its personal space in EURES that gives access to additional functionalities and customization. Identified user can save search profiles; receive and send enquiries. Identified user can also receive automated notifications on new jobs vacancies or CVs fitting predefined criteria; save CVs fitting employers’ search criteria), to receive newsletters and fill out EURES surveys.

CV data/profile can either be encoded by jobseekers themselves on EURES portal, or sent to EURES database via automated data transfer by EURES staff (PES) on behalf of the jobseeker. CV data (only specific/limited data fields) is used for search, match and display by authorized users, with the goal to allow jobseekers to find optimal jobs for them. 

CV data (anonymized) is used to provide statistics on EURES IT system performance.

Job vacancy data can include some personal data in contact information. Job vacancy is sent via automated data transfer by EURES staff (PES) on behalf of the employer and stored in EURES database. Job vacancy data is used for search, match and display so that jobseekers can find job opportunities.

Enquiries are exchanges conducted in a secure way in the EURES portal. Instead of sending direct e-mails, the first communication is done through the EURES portal. Users can decide later to provide their personal contact details.

Anonymised CV data and job vacancy data is stored and used for statistical purposes, reports and ad-hoc queries, to contribute to labour market statistics.

Anonymised system usage logs (user-system interactions information for both registered and non-registered users) are used to understand frequency and pattern of use of specific features and serve as input to further system development. System usage logs are also used to enable data protection and security auditing to detect abuse (such as web-crawling) or inform users on access to their data (GDPR compliance).


Description/additional information regarding the modes of processing

STORAGE MEDIUM
The medium of storage (one or more)

  • Electronic
  • External contractor premises
  • Others:


Description/additional information regarding the storage medium 

After the commencement of the European Labour Authority’s activity (August 1st, 2021) the Authority is replacing the European Commission (“the Commission”) in managing the European Coordination Office of the European network of employment services (EURES).

However, according to Article 6 of Regulation 2019/1149 establishing the European Labour Authority, the Commission will continue to ensure the provision of IT and the operation and development of IT infrastructure. 

The data is stored in a database located in the Data Centre of the European Commission and access to this data is protected by an authentication mechanism. Access to the service is made available through the EUROPA web servers, also located in the Data Centre, where the portal is hosted. The data in the database is used for aggregated statistics without the possibility to refer back to the source persons. Statistics are anonymous counters losing the trace to the individual contribution of the participant records. The chat service allowing users to contact the EURES helpdesk and EURES advisers is supported by an external provider as a Software as a Service (SaaS) using a DIGIT framework contract.

Comments
Comments/additional information on the data processing Security measures are continuously introduced whenever there is a need for it. All interactions with the portal involving personal information, in particular registration and log in to the EURES accounts, is submitted via secure HTTPS connections.

3. DATA SUBJECTS AND DATA CATEGORIES

DATA SUBJECTS CATEGORIES

Data subject(s) are

• Internal to the organisation

A description of the data subjects (internal to the organisation)
EURES staff, of the European Coordination Office, the European Labour Authority,  the European Commission, and EURES members and partners.

• External to the organisation

A description of the data subjects (external to the organisation)
Jobseekers and employers

DATA CATEGORIES/FIELDS

Description of the categories of data that will be processed

Registered jobseeker using self-service functionalities:

  • Account: Username, name, surname, address, e-mail address; optional: phone, mobile phone, fax number, date of birth, nationality, language preferences, gender.
  • CV/jobseeker profile: Educational and professional background, language and personal skills, desired location, desired occupation.
  • Desired employment information (as defined in the registered jobseeker profile): Preferred occupation, preferred job title, preferred position, desired location of employment, desired contract type and duration.
  • Saved search profiles of a registered jobseeker: Name of the profile, frequency of the notification, language, e-mail (prefilled), chosen search criteria

Enquiries: The text of the question to another user

Public/non-registered users

E-mail address and preferred language, if they consented to receive the newsletter

Registered employers using self-service functionalities

  • Registered employer user data: Company name and address, VAT or registration number; contact person name, address, telephone number, e-mail address, username
  • Registered employer saved search profile: Name of the profile, frequency of the notification, language, e-mail (pre-filled), chosen search criteria
  • Registered employer enquiries data: The text of the question to another user
  • Saved candidates in the Registered employer profile: Links to CVs; a status of the process (optional) and a comment (optional).

EURES Network users

  • EURES staff user data: e-mail address, organisation, primary function, address, comment to the EURES helpdesk, username
  • Saved search profiles “Find a Job”: Name of the profile, frequency of the notification, language, e-mail (pre-filled), chosen search criteria
  • Saved search profiles “Find a Candidate”: Name of the profile, frequency of the notification, language, e-mail (pre-filled), chosen search criteria
  • Enquiries: The text of the question to another user
  • EURES staff user - saved candidates: Links to CVs; a status of the process (optional) and a comment (optional).
  • EURES staff user - information contained in extranet and collaboration workspace: in the chat function: users can see who is online, their name and a short status message, in the “Who is who”: users can be searched for by name, organization and language spoken; uploaded documents or comments include the name and surname of the contributor.

CVs received from EURES Network

The full set of XML data in line with HR open data standards can be sent. This includes, name, surname, age, nationality, birth date, gender, qualifications, education history, job experience and occupation types, future job preferences, desired remuneration and contract type, availability of driving licence.

Job vacancies received from EURES Network

Full set of XML data in line with HR open data standards can be sent, to provide a detailed description of the vacancy, including information on vacancy origin, the organization offering the vacancy, position title, the required qualifications, the remuneration offered, the location of the position, occupation classification, working languages, contract duration.

Helpdesk user
Name, surname, e-mail address, preferred language

Users of chat
Name, surname, e-mail address, country of residence

Anonymized usage data logs
The portal stores anonymized information on certain user characteristics and user actions for statistical purposes to determine EURES system usage. For instance, frequency of usage is logged to improve the portal.

User actions can also be logged for data protection and security auditing, to detect web crawlers (for example, number of pages viewed within a time period).

The processing operation concerns any 'special categories of data' which fall(s) under Article 10(1), which shall be prohibited unless any of the reasons under Article 10(2) applies
N/A

 

Description/additional information regarding special categories of personal data

Data related to ‘criminal convictions and offences’
The data being processed contains sensitive data which fall(s) under Article 11 'criminal convictions and offences' N/A

Comments

Comments/additional information on data subjects and data categories

4. RETENTION PERIOD

DATA CATEGORIES AND THEIR INDIVIDUAL RETENTION PERIOD

The administrative time limit(s) for keeping the personal data per data category

1. Data category Registered Jobseeker

Retention period Jobseeker accounts that have not been visited for a period of two years will be deleted and no data will be stored. Jobseekers can at any point delete their account themselves. Jobseeker profiles stored in the system and not updated or checked by the user for a period longer than twenty-six weeks will no longer be accessible to employers. The retention information for the job search profile is the same as the one related to the user account (i.e. deleted after 2 years of inactivity).

Start date description-

End date description-


2. Data category Registered employer

Retention period Employer accounts (including search profile information, enquiry information, saved candidate list) that have not been visited for a period of two years will be deleted. Employers can, at any point, delete their account and their company themselves.

Start date description-

End date description-

3. Data category EURES staff user

Retention period The account (including search profile information, enquiry information, saved candidate list) is deleted manually by the EURES Helpdesk on request of the NCO. Data is stored in the system as long as the registered user is active in the EURES network. If a user is unregistered the data will be deleted, except information related to messages and documents posted on the Extranet and only insofar as the information is necessary to identify the originator or sender of the message or document in question

Start date description-

End date description-

4. Data category CV from EURES network

Retention period By default, data is not retained – each data replication cycle has the possibility to add, remove or modify data. Any modification or deletion of data or change in data processing instructions, including withdrawal of the transmission consent, made by the jobseeker in the system of the EURES Member or and Partner will be reflected in the corresponding data held on the EURES portal through the constant data replication process (based on the update frequency determined by the relevant NCO).

Start date description-

End date description-

5. Data category Job Vacancies from EURES Network

Retention period By default, data is not retained – each data replication cycle has the possibility to add, remove or modify data. Any modification or deletion of data or change in data processing instructions, including withdrawal of the transmission consent, made by the jobseeker in the system of the EURES Member or and Partner will be reflected in the corresponding data held on the EURES portal through the constant data replication process (based on the update frequency determined by the relevant NCO).

Start date description-

End date description-

6. Data category Chat service

Retention period Unless otherwise agreed during the chat or stated elsewhere, the chat conversations may be stored for quality assurance purposes for a period not exceeding twelve months

Start date description-

End date description-

7. Data category Helpdesk

Retention period The data collected may be stored for quality assurance purposes for a period not exceeding two years

Start date description-

End date description-

8. Data category Newsletter

Retention period E-mail address remains in the database until a user unsubscribes or is deleted after not having confirmed that the user wants to remain on the list

Start date description-

End date description-

Comments
Comments/additional information on the data retention periods-

5. RECIPIENTS

Origin of the recipients of the data
 

The origin of the data recipients:

  • Within the EU organisation

A description of the indicated recipients of the data

OLAF, IAS, the Court of Auditors and the European ombudsman - upon request, and limited to what is necessary for official investigations and enquiries.

• Outside the EU organisation

A description of the indicated recipients of the data

Jobseekers, employers and EURES staff in NCOs, EURES members and EURES partners.

Categories of the data recipients

The categories (one or more) of the data recipients

  • A natural or legal person
  • Public authority
  • Agency

Description of the indicated category(ies) of data recipients

OLAF, IAS, the Court of Auditors and the European ombudsman: official bodies and services in charge of specific duties related to data protection.

Jobseekers and employers are the main EURES users.
EURES staff are the key internal users.

Who has access to which parts of the data OLAF, IAS, the Court of Auditors and the European ombudsman: any data deemed necessary, these could include EURES staff, jobseekers and employers contact details, enquiries, job vacanices and CVs. All portal users can access contact details of EURES advisers. Jobseekers and employers can mutually enquire contact details. Employers can search published jobseekers CVs. EURES staff can access details of all registered users to the extend they have provided authorization.

Comments

Comments/additional information on data recipients

All portal users can access contact details of EURES advisers, other EURES service delivery staff and Cross-border coordinators. Jobseekers and employers can mutually enquire contact details.

Employers can search published jobseekers CVs.

EURES staff can access contact data of all other EURES staff.

6. INTERNATIONAL DATA TRANSFERS

TRANSFER OUTSIDE THE EU OR EEA

Data is transferred to countries outside the EU or EEA Yes

Countries to which data is transferred Switzerland

 

TRANSFER TO INTERNATIONAL ORGANISATIONS

Data is transferred to international organisation(s) N/A

 

LEGAL BASE FOR DATA TRANSFER

The legal base for the data transfer

  • Transfer on the basis of the European Commission's adequacy decision (Article 47)
  • Transfer subject to appropriate safeguards (Article 48.2 and .3)
    • Standard data protection clauses adopted by the European Commission

The International agreement(s) which is/are the legal basis for the data transfer


Derogations for specific situations (Article 50.1 (a) -(g))

Description of the indicated condition(s) that apply(ies) for the derogation(s)

Comments

Comments/additional information on international data transfers

Data may be transferred to Switzerland, being associated to the EURES network, in compliance with Chapter V of Regulation (EU) 2018/1725, Regulation (EU)2016/589 and the Agreement between the European Community and its Member States, of the one part, and the Swiss Confederation, of the other, on the free movement of persons - Final Act - Joint Declarations - Information relating to the entry into force of the seven Agreements with the Swiss Confederation in the sectors free movement of persons, air and land transport, public procurement, scientific and technological cooperation, mutual recognition in relation to conformity assessment, and trade in agricultural products, Official Journal L 114 , 30/04/2002 P. 0006 - 0072, in particular Article 11, Cooperation in relation to employment services:  The Contracting Parties shall cooperate, within the EURES (European Employment Services) network, in particular in setting up contacts, matching job vacancies and applications and exchanging information on the state of the labour market and living and working conditions.

7. INFORMATION TO DATA SUBJECTS ON THEIR RIGHTS

PRIVACY STATEMENT

Rights of the data subjects

The processing should respect the following rights of data subjects

  • Article 17 - Right of access by the data subject
  • Article 18 - Right to rectification
  • Article 19 - Right to erasure (right to be forgotten)
  • Article 20 - Right to restriction of processing
  • Article 21 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
  • Article 22 - Right to data portability
  • Article 23 - Right to object
  • Article 24 - Rights related to Automated individual decision making, including profiling

The data subjects are informed about their rights and how to exercise them in the form of a privacy statement attached to this record: Yes

Publication of the privacy statement

  • Published on website

The link of the website where the privacy statement is published Https://ec.europa.eu/eures/public/en/data-protection-statements

Guidance for Data subjects which explains how and where to consult the privacy statement is available and will be provided at the beginning of the processing operation : Yes

  • An explanation of the guidance on how and where to consult the privacy statement
  • All data protection statements are published and accessible on the EURES portal.
  • All data subjects have to agree that their personal data is processed in accordance with the data protection statement before they register.

The privacy statement(s)

  • 1 Jobseekers and Employers data protection statement, July 2021
  • 2 EURES staff (Extranet) data protection statement, July 2021
  • 3 Data protection statement regarding messages and requests sent to the EURES Helpdesk, July 2021
  • 4 European Online Job Days platform data protection statement, July 21: Privacy statement and specific conditions | EURES - European Job Days
  • 5 Data protection statement for the EURES & you Newsletter mailing list, July 21
  • 6 Data protection statement regarding messages and requests submitted in the online chats with EURES, July 21

Comments

Comments/additional information on information to data subjects on their rights

8. SECURITY MEASURES

Short summary of overall Technical and Organisational measures implemented to ensure Information Security:
After the commencement of the European Labour Authority’s activity (August 1st, 2021) the Authority is replacing the European Commission (the “Commission”) in managing the European Coordination Office of the European network of employment services (EURES).

However according to Article 6 of Regulation 2019/1149 establishing a European Labour Authority, the Commission will continue to ensure the provision of IT and the operation and development of IT infrastructure. 
Databases and repositories operate on controlled access, limited to the persons needing it.

Access to the secured parts of the EURES application is controlled trough an authentication and authorisation mechanism managed within the application.

Access to EURES environments from outside the European Commission is strictly limited to contractors responsible for the development and maintenance of EURES, through a Security Convention defined in collaboration with HR.DS.

Data sent by NCOs may be encrypted on a 2waySSL channel.

The EURES portal visitor accesses the site using HTTPS.

All data in electronic format (uploaded batches of data, documents, emails, etc.) are stored/hosted either by DIGIT Data Centre through a hosting contract or of its contractors. All processing operations are carried out pursuant to Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission. The Commission's contractors are bound by a specific contractual clause for any processing operations of your personal data on behalf of the European Commission, and by the confidentiality obligations deriving from the GDPR.