Record of Processing Activities
EITCA Academy Record of Processing Activities
The European IT Certification Institute maintains the Record of Processing Activities (ROPA), a document that outlines the processing of personal data carried out by the organization. It is required under the EU General Data Protection Regulation (GDPR) and is intended to support understanding of data processing activities and to demonstrate compliance with the GDPR.
The ROPA includes basic information on the name and contact details of the organization, the purposes of the data processing, the categories of personal data processed, the recipients of the personal data, and the retention periods for the personal data. It also includes information about any third-party processors who process personal data on behalf of the organization.
The European IT Certification Institute maintains the Record of Processing Activities as part of its Data Subject Rights Requests Management and GDPR Policy. The ROPA is updated regularly and is a living document that reflects changes in the European IT Certification Institute’s data processing activities and supports building trust with data subjects. The last update to the EITCI Record of Processing Activities was made on 10th January 2023.
1. Data Processor
1.1. Data Processor Name
European Information Technologies Certification Institute (abbreviation: EITCI)
1.2. Data Processor Legal Status
Non-profit association (association sans but lucratif, ASBL) in Belgium
1.3. Data Processor Registration Number
0807397811 in the Belgian KBO/BCE Register
1.4. Data Processor Role
Certification body
1.5. Data Processor Date of Registration
17th October 2008
1.6. Data Processor Contact Details
European IT Certification Institute
Avenue des Saisons 100-102
1050 Brussels, Belgium
Phone: +32 2 588 73 51
E-mail: info@eitci.org
1.7. Data Protection Officer (DPO) Contact Details
E-mail: data.protection.officer@eitci.org
2. Purpose of and Details of Personal Data Processing Activities
2.1. Certification of skills and competencies in the EITC/EITCA certification programmes
2.1.1. Personal Data Collected
Name, address, email address, telephone number, job title, organization name, skills and qualifications testing and assessment, payment information
2.1.2. Lawful Basis for Processing
Contractual obligation
2.1.3. Categories of Data Subjects
Customers, employees of customers
2.1.4. Recipients of Personal Data
Internal staff, regulatory bodies, hosting and cloud data-center operators, customers, third-party tax and accounting companies
2.2. Certification of solutions, products, services for compliance with industry standards
2.2.1. Personal Data Collected
Name, address, email address, telephone number, job title, organization name, payment information, solution/product/service information
2.2.2. Lawful Basis for Processing
Contractual obligation
2.2.3. Categories of Data Subjects
Customers, employees of customers
2.2.4. Recipients of Personal Data
Internal staff, regulatory bodies, hosting and cloud data-center operators, customers, third-party tax and accounting companies
2.3. Marketing and promotion of certification services
2.3.1. Personal Data Collected
Name, address, email address, telephone number, job title, organization name, solution/product/service information
2.3.2. Lawful Basis for Processing
Consent
2.3.3. Categories of Data Subjects
Prospective customers
2.3.4. Recipients of Personal Data
Internal staff, regulatory bodies, hosting and cloud data-center operators, third-party marketing companies
2.4. Employee management
2.4.1. Personal Data Collected
Name, address, email address, telephone number, job title, payroll information, performance evaluations, skills and qualifications testing and assessment
2.4.2. Lawful Basis for Processing
Contractual obligation
2.4.3. Categories of Data Subjects
Employees
2.4.4. Recipients of Personal Data
Internal staff, regulatory bodies, hosting and cloud data-center operators, third-party payroll companies, third-party tax and accounting companies
3. Data Transfers
3.1. Transfer of personal data to data centers (hosting, data cloud) outside the EU
Appropriate safeguards: Standard Contractual Clauses
3.2. Transfer of personal data to IT, marketing, tax and accounting companies
Appropriate safeguards: Processor Agreement with Standard Contractual Clauses
4. Retention Periods
4.1. Certification data
Retained for 10 years after certification expiration.
4.2. Employee data
Retained for 8 years after employment termination.
4.3. Marketing data
Retained until withdrawal of consent.
5. Security Measures
- Access controls to personal data systems.
- Encryption of personal data in transit and at rest.
- Regular security awareness training for employees.
- Regular security audits and risk assessments.
- Compliance with the EITCI Information Security Policy.
6. Review and Update
This Record of Processing Activities is reviewed and updated periodically, as well as whenever there is a significant change to the data processing activities of the European IT Certification Institute.
The European IT Certification Institute is committed to maintaining the highest standards in regard to personal data protection and compliance with the General Data Protection Regulation, making sure to comply with all applicable laws and regulations related to these issues, as well as to leading industry standards and best practices, including the ISO 27701 Privacy Information Management System.