Co-located Event

Data Protection Notice - APF 2020

The Annual Privacy Forum 2020 (APF 2020) will take place as an online event on the 22nd and 23rd of October 2020. It is co-organized by the European Union Agency for Cybersecurity (ENISA), DG Connect and the Católica University of Portugal, Lisbon School of Law. The virtual organisation of APF2020 is supported by an online teleconference platform (Cisco Webex).

Your personal data in the context of APF2020 shall be processed in accordance with the Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data[1].

The data controller is ENISA (Core Operations Department).

The legal basis for the processing operation is article 5(1)(a) of Regulation (EU) 2018/1725, on the basis of Regulation (EU) No 881/2019, in particular the provisions establishing the tasks of ENISA.

The purpose of the processing of personal data is to organise the APF2020 as an online event, register the event’s participants through ENISA’s website, provide registered participants’ access to the virtual sessions through the teleconference platform, as well as communicate with the registered participants within the scope of the APF2020.

The data processors involved in the processing operation are:

  • EaudeWeb, established in Romania, who is responsible for ENISA’s web site hosting under specific service contract with ENISA;
  • BT GS Belgium, established in UK, that provides the online teleconferencing platform under specific service contract with ENISA[2]. The sub-processor (online teleconferencing platform) used by BT is Cisco Webex[3].

The following personal data are processed for the events’ participants:

  • Contact data: first name, last name, organisation and email address (collected upon registration at ENISA’s website).
  • Personal data related to the connection/use of the teleconference platform: username, email address (optional), device identifiers & further technical connection data, discussion chat logs & audio/video traffic (collected by BT/Cisco Webex upon connection to and further use of the teleconferencing platform).

Note: APF 2020 will not be audio/video recorded. Audio/video will only be activated for the event organisers and the presenters/panellists (video is optional). Group chats will not be activated. Participants will only be able to send chat messages to the event organisers and presenters/panellists.

The retention periods for the personal data are as follows: the participants’ contact data will be kept by ENISA for a maximum period of 6 months after the end of APF2020, unless the participants have provided their consent upon registration for further processing by ENISA (in order for the participants to get informed about future ENISA activities and events). In the latter case, ENISA will keep the contact data until the participants withdraw their consent[4]. The personal data related to the connection and use of the teleconference platform, will be retained by the relevant processor (BT/Cisco Webex) for the period necessary for the provision of the teleconferencing service. Personal data will be deleted after the end of the retention periods.

Recipients of personal data: access to your contact data is granted only to designated ENISA staff, who are involved in the organisation of the event, as well as designated staff of ENISA’s contractor EaudeWeb. ENISA’s contractor BT and subcontractor Cisco Webex will have access to personal data related to the connection and use of the teleconference platform for the provision of the specific service. Access to the personal data may be provided to EU bodies charged with monitoring or inspection tasks in application of national or EU law (e.g. internal audits, European Anti-fraud Office – OLAF).

Storage of personal data: the contact data collected upon registration at the ENISA website are stored on the ENISA’s (and contractor’s EaudeWeb) servers and are only processed within EU/EEA. Personal data related to the connection/use of the teleconference platform are stored in BT/Cisco Webex servers within EU/EEA and may include transfers of personal data outside EU/EEA, subject to the provisions of Chapter V Regulation (EU) 1725/2018.

You have the right of access to your personal data and to relevant information concerning how we use it. You have the right to rectify your personal data. Under certain conditions, you have the right to ask that we delete your personal data or restrict its use. You have the right to object to our processing of your personal data, on grounds relating to your particular situation, at any time. We will consider your request, take a decision and communicate it to you. If you have any queries concerning the processing of your personal data, you may address them to ENISA at You may also contact at any time the ENISA DPO at

You have right of recourse at any time to the European Data Protection Supervisor (


[2] In the context of European Commission’s Framework Contract DI/07540 with the service provider.


[4] ENISA will provide additional information on further processing directly to those participants that give their consent.