Privacy Policy


CYBOX online platform for exchange, training, and resource sharing on cybercrime and e-evidence

DATA PROTECTION DISCLAIMER AND PRIVACY NOTICE

 

 

The Council of Europe is committed to user privacy.

Its rules on the protection of personal data are laid down in the Secretary General’s Regulation of 1 January 2023 outlining a data protection system for personal data files in the Council of Europe.

These general rules cover the Council of Europe's family of institutional websites as well as the CYBOX platform implemented and managed by the Cybercrime Programme Office of the Council of Europe (C-PROC). These rules apply to any personal data collected when browsing on this platform.

The linked privacy notice applies to all the Council of Europe websites within the coe.int domain.

For the cybox.coe.int website, you can find more information about the use of your data (e.g. in relation to what information is collected, for what purpose and through which technical means, to whom your information is disclosed, how you can access your information, verify its accuracy and, if necessary, correct it, how long your data is kept, what are the security measures taken to safeguard your information against possible misuse or unauthorised access, etc.) in the Specific Privacy Statement policy outlined below.


SPECIFIC PRIVACY STATEMENT

1. OBJECTIVE OF THE CYBOX PLATFORM
The objective of the CYBOX platform implemented and managed by the Cybercrime Programme Office of the Council of Europe (C-PROC) is to provide its users an environment for exchanging, training and sharing resources on cybercrime and e-evidence among law enforcement and criminal justice authorities and their training institutions.

It aims at serving as a portal for practitioners from and beyond the Council of Europe member states and all those cooperating with the Cybercrime Programme Office of the Council of Europe (C-PROC) in the framework of its capacity-building activities.

CYBOX platform supports all training activities including onsite and various types of online events, project and work spaces, as well as access to reading, video and other materials.
To enable this, users will be given the option to register some personal information to the CYBOX platform, maintained by the CYBOX Platform Secretariat within the C-PROC.

As this online service collects and further processes personal data, the Secretary General’s Regulation of 1 January 2023 outlining a data protection system for personal data files in the Council of Europe is applicable.

2. PURPOSE OF THIS PRIVACY STATEMENT
This Specific Privacy Statement outlines how the CYBOX platform collects, processes, stores, and protects personal data in compliance with applicable data protection regulations. The policy is designed to ensure transparency and inform users about their rights, the responsibilities of the platform administrators, and the safeguards in place to protect user data.

The policy applies to all users of the CYBOX platform and governs data practices for tenants managed by the C-PROC. For tenants administered by external counterparts, supplemental privacy policies may apply to address their specific data management practices.

3. TENANT-SPECIFIC PRIVACY POLICIES
The CYBOX platform operates on a multitenancy model, allowing for the creation of distinct tenant environments. Each tenant is administered either by the C-PROC or by external counterparts (public authorities, training institutions, etc.) that have signed a CYBOX platform cooperation agreement with the C-PROC. Tenant-specific administrators may manage user accounts and course participation for their respective environments.


▪ Tenants administered by C-PROC:

Tenants administered by the C-PROC abide by this Privacy Statement. C-PROC acts as the data controller for these tenants and ensures compliance with applicable data protection standards.

▪ Tenants administered by external counterparts:

Tenants managed by external counterparts may operate under supplemental privacy notices specific to their administration. For these tenants, data processing will be conducted under a joint controllership arrangement between the C-PROC and the external tenant administrator.

Tenant administrators are granted access only to the data of users registered under their respective tenants, and users participating in activities organised by their tenant, as per the user’s enrollment. This limited access ensures that personal data is not shared across tenants and remains isolated to the relevant tenant environment.

For further inquiries about the privacy practices of a specific tenant, users can contact the CYBOX support team at cybox@coe.int or their tenant administrator directly.

4. WHAT PERSONAL INFORMATION DO WE COLLECT, FOR WHAT PURPOSE AND THROUGH WHICH TECHNICAL MEANS?
C-PROC’s core business is capacity building on cybercrime and e-evidence, and for that purpose a Learning Management System (LMS) is in place to support the preparation, design, implementation and evaluation of C-PROC activities. It supplies training and user data to management and involved decision makers within the Council of Europe. Data fields involving personal data have been set in line with the so-called principle of ‘data minimisation’. In other words, the personal data required each time are adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed.

For the purposes of the CYBOX user management:

Any user who wants to obtain access to the CYBOX online platform will need to enter certain registration details as further described below. Once access is granted, this data will be retained in the user profile that will be viewable by the platform administrators within the restricted access area.

The Identification Data collected and further processed for the functioning of the CYBOX platform is as follows:
▪ first name, last name
▪ e-mail address
▪ country / territory
▪ gender (includes option to opt out of specifying, prefer not to say)
▪ institution
▪ function / position
▪ domain (law enforcement / judiciary, etc.)
▪ fields of interest

Other information that may optionally be provided by users, but is not required to set up an account, includes:


▪ City / town
▪ Timezone
▪ User picture
▪ Mobile number (used when Two-Factor Authentication (2FA) is enabled)

Additional information might be required for specific activities (like preferred language of interaction, or else) that might be set in specific registration / enrollment forms stored within the CYBOX environment or main

For the purposes of capacity building and other activities:

In addition to personal identification information, the CYBOX platform collects data related to users’ participation in courses and other activities. This data is essential for the functionality of the platform, enabling users to track their learning progress and receive certification upon successful completion of courses. It is also used for administrative and reporting purposes related to course management and user engagement.

The platform stores learning progress (e.g. certificates of completion, grades obtained if relevant, etc.) and learning paths (e.g. activities attended) of the active users as well as activity log files (first and last access to the platform, IP address from which the user is accessing the system, course related communication, etc.). Other logs kept refer to: User registration status for CYBOX (registered (active), pending), Privacy Policy consent status (date and time given).

The collection of data is based on voluntary agreement by the data subjects who wish to make use of the options offered by the platform. 

Furthermore, to make this platform work properly, we place small data files called “cookies” on a user’s device. These cookies enable the platform, for example, to remember the session ID of authenticated users, keeping them logged in for a given period.

More information about the use of cookies on Council of Europe websites can be found at the following link.

Who is the data controller?

All users registered in CYBOX Platform.

5. WHO HAS ACCESS TO YOUR INFORMATION AND TO WHOM IS IT DISCLOSED?
Full access to your personal data is only granted to the CYBOX platform administrators (dedicated C-PROC Staff and the Council of Europe Directorate of Information Technology), including the company which hosts the CYBOX platform. They are linked to the data controller by a legal data protection and confidentiality clause in their contract.

Within a multitenant setup, tenant-specific administrators manage data related to their tenants’ users and courses.

Access to some of your personal data (first name, last name, and/or e-mail) may also be granted to defined roles of users (trainer, course creator, manager – see Terms of Use of CYBOX Platform for more details on the roles) in view of implementation of or follow-up to activities with your participation.

By default, regular users of the CYBOX platform do not have access to view the profiles of other users. However, visibility may be enabled under the following circumstances:

▪ Participation in certain activities or membership in specific networks (e.g., 24/7 Point of Contact Network, International Network of National Judicial Trainers, T-CY Working Groups, etc.) may require profile visibility for operational purposes, enabling contact sharing across participants or members.

Users can manage their profile visibility settings within the User Profile Settings or by contacting CYBOX Secretariat. Whilst changes to profile visibility can be made at any time, they may be subject to role-based limitations in certain networks or activities.

With the aim of better distributing information on similar Council of Europe activities, mailing lists composed of the names of the users of the platform may be used in the future by the CYBOX Secretariat for the purpose of contacting data subjects in the context of other C-PROC activities.

If data subjects do not agree with this, they may contact the CYBOX Secretariat by using the Contact Information as mentioned below in this Privacy Statement.

Other recipients of the data being processed may include:
▪ C-PROC staff responsible for preparing, designing, implementing, and evaluating activities on the CYBOX platform, as outlined in this privacy notice.
▪ C-PROC staff working in support roles (e.g., technical support, user administration, etc.) involved in managing and maintaining the CYBOX platform.
▪ CoE actors in the financial workflow (if relevant to financial transactions related to training activities or project funding).
▪ CoE Communications Team (if relevant for communications purposes related to events, courses, or user engagement).
▪ Relevant National Authorities responsible for managing their Country or institution areas (Tenants) on the CYBOX platform (access is restricted to the data of users registered within the respective tenant, as per tenant-specific privacy notices).
▪ National Contact Points or Institutional Contact Points within each participating country or institution, for data linked to users from their own country or institution.
▪ Service Providers for CYBOX, including technical service providers or platform support partners, and any other providers directly involved in platform maintenance, running troubleshooting services, or content management.
▪ Other service providers, as necessary, involved in the delivery of services, including course evaluations or feedback collection (e.g., survey tools, external evaluators).
▪ General public, primarily through the C-PROC website and social media channels, if explicitly consented by the data subject (for example, if the user’s participation or achievements in training are publicly shared or promoted).
▪ EU and other donors’ bodies: data may be disclosed for specific purposes (e.g., compliance, audit, or legal requirements).

The Council of Europe will not share personal data with third parties for direct marketing purposes.

6. HOW DO WE PROTECT AND SAFEGUARD YOUR INFORMATION?
Your contact details are recorded in a secured and protected database hosted by an external company whose database centre is located in the EU. Information on the company is available in the footer and upon request (see Contact Information below).

This contractor is aware of the prime importance to the Council of Europe of securing the hosted content in terms of confidentiality, integrity, and data back-up, particularly in respect of the risks of physical or logical intrusion and is contractually committed to ensuring that your personal information is secure by putting in place and maintaining a security policy which meets the highest relevant security standards.

This contractor has i.a. guaranteed that no third party has access to the Council of Europe’s data, in particular other clients of the contractor using the same Server.

It has also undertaken to:

▪ prevent physical access to the Server by any unauthorised third party and to keep the Server on premises which comply with professional standards, particularly in terms of electrical safety and protection from the risks of intrusion, fire or overheating and
▪ put in place the necessary technical measures to protect the hosted content against computer viruses and against intrusions or attacks which might adversely affect the hosted content or its accessibility.

Inside the Council of Europe, the database can be accessed using a User Id/Password. Access to the application is via an encrypted connection using the https protocol.

7. HOW LONG DO WE KEEP YOUR DATA?
Personal data will be retained for as long as it remains necessary for the proper functioning of the platform and for the benefit of the platform's users. However, upon request from individuals concerned or in the event of platform termination, all personal data will be promptly deleted. It is important to note that aggregated data pertaining to groups (excluding individual-level data) may be retained for an additional seven years to facilitate research analysis and reporting.

In terms of legitimacy of data processing and quality of data, we are aligned with Article 4.1 of the above-mentioned regulation:

4. Legitimacy of data processing and quality of data
4.1 Data processing shall be proportionate in relation to the legitimate purpose pursued and reflect at all stages of the processing a fair balance between all interests concerned, whether public or private, and the rights and freedoms at stake.

8. HOW CAN YOU VERIFY, MODIFY OR DELETE YOUR INFORMATION?
If you wish to inquire about, modify, correct, or delete your personal data, kindly contact the controller using the provided Contact Information below. Please make sure to explicitly specify your request in your communication.

9. CONTACT INFORMATION
In case you wish to verify what personal data is stored on your behalf in the HELP online platform, have it modified, corrected, or deleted, or if you have questions regarding the platform, or concerning any information processed in the context of the platform, or on your rights, feel free to contact the support team, using the following contact information:

CYBOX Platform Secretariat: cybox@coe.int

10. RECOURSE
In case of conflict, the Council of Europe’s Data Protection Commissioner can be contacted:

Jean-Philippe WALTER
Data Protection Commissioner
Directorate General Human Rights and Rule of Law - Data Protection Unit
Council of Europe
F-67075 Strasbourg Cedex
Email: datacommissioner@coe.int