List of active policies

Full policy

Intended Use and different user roles
CYBOX serves as a repository of training and other materials, a virtual environment for training courses and other activities, and a virtual classroom accessible to the registered users of CYBOX.

At the discretion of their respective tenants or authorized administrators, users may be enrolled in certain courses or activities without explicit request from themselves or their employers. This may include auto-enrollment by CYBOX administrators, project managers, tenant administrators, or designated course creators/managers. Users have the option to opt-out of automatic enrollment or request removal from enrolled courses or activities by contacting CYBOX administrators. 

Certain materials, courses, activities or areas / tenants on CYBOX may be subject to access restrictions. These restrictions are implemented to protect sensitive information and intellectual property rights.

CYBOX supports various user roles, including but not limited to: 

Participant: users enrolled in training courses or actively participating in collaborative activities.

Trainer: users responsible for delivering training content and facilitating learning experiences.

Course Creator: users responsible for designing and developing course content, activities, and assessments.

Manager: users with administrative privileges to oversee and manage specific areas or activities within CYBOX.

Administrator: users with full administrative rights to manage the overall operation and configuration of CYBOX.

Tenant-Administrator: administrators responsible for managing and configuring specific tenant spaces within CYBOX.

Other user roles may be established by platform administrators as needed to support the intended use and functionality of CYBOX. This EULA and term “user” applies to all of the roles and all users need to accept this EULA. 

Prohibited use
You may not re-use training material or other resources supplied on the platform for commercial purposes unless you supplied them yourself and have the legal authorization to do so.

You may not use any robots, spiders, or similar data mining, data gathering or extraction tools or manual processes to collect, gather or copy any content or data on or related to CYBOX in a manner not authorized by the Council of Europe in writing. You may not engage in practices of “screen scraping,” “database scraping” or any other practice or activity the purpose of which is to obtain lists of users, portions of a database, or other lists or information from the Platform, in any manner and any quantities not authorized by the Council in writing. You may not frame or utilize framing techniques to enclose any trademark, logo or other proprietary information (including images, text, page layout or form) of the Council of Europe, tenant institutions or the trainers without express written consent. You may not use meta tags or any other “hidden text” utilizing their names, trademarks or logos without their express written consent.

You may not share content from CYBOX with anyone who is not properly licensed to access the content. You may also not make any training or other material from CYBOX available to providers of generative AI models. Users may not use the Council of Europe’s name or logos without prior approval.

The Council of Europe reserves the right to block your account if you do not comply with the terms of this clause. 

Intellectual Property Rights
Subject to these terms the Council of Europe grants you a personal, non-exclusive, non-transferable and revocable license for the entire world and for the entire duration of protection by the applicable intellectual property rights law to use CYBOX and the training material and other resources according to the pre-defined access restrictions. The rights granted herein are only for your professional, noncommercial use, unless you obtain the Council of Europe’s written permission otherwise. Course creators might limit the use as stipulated on the training material.

You acknowledge and agree that CYBOX may contain content or features that are protected by copyright, patent, trademark, trade secret or other proprietary rights and laws. Except as expressly authorized by the Council of Europe you agree not to modify, copy, frame, scrape, rent, lease, loan, sell, distribute or create derivative works based on CYBOX and published training material or other resources, in whole or in part except that the foregoing does not apply to your own training material or other resources that you make available on CYBOX, or unless you have the legal authorization to do so.

Under no circumstances will the Council of Europe be liable in any way for any content or material of any third parties, including, but not limited to, for any errors or omissions in any content, or for any loss or damage of any kind incurred as a result of the use of any such content. You acknowledge that the Council of Europe does not pre-screen content, but will have the right (but not the obligation) in its sole discretion to refuse or remove any training material that is available via CYBOX. Without limiting the foregoing, the Council of Europe will have the right to remove any content that violates these Terms of Service or is deemed by the Council of Europe in its sole discretion, to be otherwise objectionable. You agree that you must evaluate, and bear all risks associated with the use of any training material or other resource including any reliance on the accuracy, completeness or usefulness of such content.

Specific Rules for Trainers, Course Creators, Managers and Tenant-Administrators
When you carry out an activity on CYBOX and/or publish training material or other resources, you agree to the following rules:

You will not refuse participation by users for any illegal reason.

You grant the Council of Europe a non-exclusive, non-transferable and revocable license for the entire world and for the entire duration of protection by the applicable intellectual property rights law for the use of the training material and other resources on CYBOX. This use includes but is not limited to its publication on the platform and the granting of a sublicence to the participants. This sublicence shall allow the Council of Europe to comply with its obligation under the above intellectual property rights clause vis-à-vis the participants. You may restrict the use and distribution scope of the material you share on the platform.

Any content you present or publish on CYBOX shall not contain third party copyrighted material, or material that is subject to other third-party proprietary rights, unless you have permission from the rightful owner of the material.

Code of Conduct
All users of CYBOX, including participants, trainers, course creators, managers, administrators, shall show respect towards one another. This includes communicating respectfully and professionally, refraining from offensive language and behavior, valuing diverse perspectives and opinions.

All information acquired shall be treated as confidential unless explicitly stated otherwise. This includes course materials, discussions, and any proprietary or sensitive information shared by other users or trainers. 

Modification of terms of use
The Council of Europe may, at its sole discretion, modify the terms of this EULA at any time. You will be notified of any significant changes to the EULA through the CYBOX notification system. By accessing CYBOX at any time after such modifications you agree to such modifications. 

Disclaimer of Warranties
The Platform and all materials included therein are provided on an “as is” and “as available” basis without warranty of any kind, either express or implied, including, but not limited to the fitness for a particular purpose, or the warranty of non-infringement of third-party intellectual property rights. Without limiting the foregoing, the Council of Europe makes no warranty but will make its best efforts that (a) the Platform and training material or other resources will meet your requirements, (b) the Platform and the training material will be uninterrupted, timely, secure, or error-free, (c) the results that may be obtained from the use of CYBOX or training materials or other resources will be effective, accurate or reliable, or (d) the quality of any course that you attend via CYBOX will meet your expectations or be free from mistakes, errors or defects.

Information on CYBOX or any of the materials could include technical or other mistakes, inaccuracies or typographical errors. The use of CYBOX or the downloading of any training materials or other resources through the service is done at your own discretion and risk and with your agreement that you will be solely responsible for any damage or loss of data that results from such activities.

Training material or other resources available through the Platform or presented during trainings or other activities represent the opinions and judgments of a trainer or entity not connected with the Council of Europe. We do not endorse, nor are we responsible for the accuracy or reliability of, any opinion, advice, or statement.

You understand and agree that temporary interruptions of the Platform may occur as normal events. You further understand and agree that we have no control over third party networks you may access in the course of the use of the Service, and therefore, delays and disruption of other network transmissions are completely beyond our control.

You understand and agree that the Platform is provided “AS IS” and that we assume no responsibility for the timeliness, deletion, mis-delivery or failure to store any user communications or personalization settings.

Limitation of Liability
In no event shall the Council of Europe be liable to you or any third party for any special, punitive, incidental, indirect or consequential damages) of any kind, or any damage whatsoever, including, without limitation, those resulting from loss of use, data or profits, whether or not we have been advised of the possibility of such damages, and on any theory of liability, arising out of or in connection with the use of the service or of any web site referenced or linked to from the Platform.

Indemnification
Upon a request by the Council of Europe, you agree to defend, indemnify, and hold us harmless from all liabilities, claims, and expenses, including attorneys’ fees, that arise from your violation of these terms or other negligent or wrongful conduct. We reserve the right to assume the exclusive defense and control of any matter otherwise subject to indemnification by you, in which event you will cooperate with us in asserting any available defenses.

Termination
Users may close their account at any time which will automatically terminate this EULA. The Council of Europe may terminate the EULA forthwith if the users do not comply with the terms of this EULA. 

Disclosure of information 
You are informed and give an authorisation of disclosure of all relevant terms of this EULA for the purposes of internal and external audit and to the Committee of Ministers and to the Parliamentary Assembly of the Council with a view to these latter discharging their statutory functions, as well as for the purpose of meeting the publication and transparency requirements of the Council of Europe or its donors. 

Dispute settlement 
The Council of Europe will bear no responsibility for any disputes between users. In such cases the Council of Europe will not get involved in the dispute.

Any dispute between the Council of Europe and users shall - failing a friendly settlement between the Parties - be submitted to arbitration.

The Arbitration Board shall be composed of two arbitrators each selected by one of the parties, and of a presiding arbitrator, appointed by the other two arbitrators; in the event of no presiding arbitrator being appointed under the above conditions within a period of six months, the President of the Tribunal Judiciaire of Strasbourg shall make the appointment.

Alternatively, the parties may submit the dispute for decision to a single arbitrator selected by them by common agreement or, failing such agreement, by the President of the Tribunal Judiciaire of Strasbourg.

The Board referred to in paragraph 2 of this clause or, where appropriate, the arbitrator referred to in paragraph 3 of this Article, shall determine the procedure to be followed.

If the parties do not agree upon the law applicable the Board or, where appropriate, the arbitrator shall decide ex aequo et bono having regard to the general principles of law and to commercial usage.

The arbitral decision shall be binding upon the parties and there shall be no appeal from it. 

Full policy

The Council of Europe is committed to user privacy.

Its rules on the protection of personal data are laid down in the Secretary General’s Regulation of 1 January 2023 outlining a data protection system for personal data files in the Council of Europe,.

These general rules cover the Council of Europe's family of institutional websites as well as the CYBOX platform implemented and managed by the Cybercrime Programme Office of the Council of Europe (C-PROC). These rules apply to any personal data collected when browsing on this platform.

The linkedprivacy notice applies to all the Council of Europe websites within the coe.int domain.

For the cybox.coe.int website, you can find more information about the use of your data (e.g. in relation to what information is collected, for what purpose and through which technical means, to whom your information is disclosed, how you can access your information, verify its accuracy and, if necessary, correct it, how long your data is kept, what are the security measures taken to
safeguard your information against possible misuse or unauthorised access, etc.) in the Specific Privacy Statement policy outlined below.

SPECIFIC PRIVACY STATEMENT

1. OBJECTIVE OF THE CYBOX PLATFORM
The objective of the CYBOX platform implemented and managed by the Cybercrime Programme Office of the Council of Europe (C-PROC) is to provide its users an environment for exchanging, training and sharing resources on cybercrime and e-evidence among law enforcement and criminal justice authorities and their training institutions.

It aims at serving as a portal for practitioners from and beyond the Council of Europe member states and all those cooperating with the Cybercrime Programme Office of the Council of Europe (C-PROC) in the framework of its capacity-building activities.

CYBOX platform supports all training activities including onsite and various types of online events, project and work spaces, as well as access to reading, video and other materials.
To enable this, users will be given the option to register some personal information to the CYBOX platform, maintained by the CYBOX Platform Secretariat within the C-PROC.

As this online service collects and further processes personal data, Secretary General’s Regulation of 1 January 2023 outlining a data protection system for personal data files in the Council of Europe, is applicable.

2. PURPOSE OF THIS PRIVACY STATEMENT
This Specific Privacy Statement outlines how the CYBOX platform collects, processes, stores, and protects personal data in compliance with applicable data protection regulations. The policy is
designed to ensure transparency and inform users about their rights, the responsibilities of the platform administrators, and the safeguards in place to protect user data.

The policy applies to all users of the CYBOX platform and governs data practices for tenants managed by the C-PROC. For tenants administered by external counterparts, supplemental privacy
policies may apply to address their specific data management practices.

3. TENANT-SPECIFIC PRIVACY POLICIES
The CYBOX platform operates on a multitenancy model, allowing for the creation of distinct tenant environments. Each tenant is administered either by the C-PROC or by external counterparts (public authorities, training institutions, etc) having signed a CYBOX platform cooperation agreement with the C-PROC. Tenant-specific administrators may manage user accounts and course participation for their respective environments.

▪ Tenants administered by C-PROC:

Tenants administered by the C-PROC abide by this Privacy Statement. C-PROC acts as the
data controller for these tenants and ensures compliance with applicable data protection
standards.

▪ Tenants administered by external counterparts:

Tenants managed by external counterparts may operate under supplemental privacy notices specific to their administration. For these tenants, data processing will be conducted under a
joint controllership arrangement between the C-PROC and the external tenant administrator.

Tenant administrators are granted access only to the data of users registered under their respective tenants, and users participating in activities organised by their tenant, as per the user’s enrollment. This limited access ensures that personal data is not shared across tenants and remains isolated to
the relevant tenant environment.

For further inquiries about the privacy practices of a specific tenant, users can contact the CYBOX support team at cybox@coe.int or their tenant administrator directly.

4. WHAT PERSONAL INFORMATION DO WE COLLECT, FOR WHAT PURPOSE AND THROUGH WHICH TECHNICAL MEANS?
C-PROC’s core business is capacity building on cybercrime and e-evidence, and for that purpose a Learning Management System (LMS) is in place to support the preparation, design, implementation and evaluation of C-PROC activities. It supplies training and user data to management and involved decision makers within the Council of Europe. Data fields involving personal data have been set in line with the so-called principle of ‘data minimisation’. In other words, the personal data required each time are adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed.

For the purposes of the CYBOX user management:

Any user who wants to obtain access to the CYBOX online platform, will need to enter certain registration details as further described below. Once access is granted this data will be retained in
the user profile that will be viewable by the platform administrators within the restricted access area. 

The Identification Data collected and further processed for the functioning of the CYBOX platform is as follows:
▪ first name, last name
▪ e-mail address
▪ country / territory
▪ gender (includes option to opt out of specifying, prefer not to say)
▪ institution
▪ function / position
▪ domain (law enforcement / judiciary, etc)
▪ fields of interest

Other information that may optionally be provided by the users, but are not required to set-up an account include:

▪ City / town
▪ Timezone
▪ User picture
▪ Mobile number (used case when Two-Factor Authentication (2FA) is enabled):

Additional information might be require for specific activities (like preferred language of interaction, or else) that might be set in specific registration / enrollment forms stored within the CYBOX environment or main

For the purposes of capacity building and other activities:

In addition to personal identification information, the CYBOX platform collects data related to users’ participation in courses and other activities. This data is essential for the functionality
of the platform, enabling users to track their learning progress and receive certification upon successful completion of courses. It is also used for administrative and reporting purposes related
to course management and user engagement.

The platform stores learning progress (e.g. certificates of completion, grades obtained if relevant, etc.) and learning paths (e.g. activities attended) of the active users as well as activity
log files (first and last access to the platform, IP address from which the user is accessing the system, course related communication, etc). Other logs kept refer to: User registration status for
CYBOX (registered (active), pending), Privacy Policy consent status (date and time given). 

The collection of data is based on voluntary agreement by the data subjects who wish to make use of the options offered by the platform. 

Furthermore, to make this platform work properly, we place small data files called “cookies” on a user’s device. These cookies enable the platform, for example, to remember the session ID of authenticated users, keeping them logged in for a given period.

More information about the use of cookies on Council of Europe websites can be found at the following link.

Who is the data controller?

All users registered in CYBOX Platform.

5. WHO HAS ACCESS TO YOUR INFORMATION AND TO WHOM IS IT DISCLOSED?
Full access to your personal data is only granted to the CYBOX platform administrators (dedicated C-PROC Staff and the Council of Europe Directorate of Information Technology), including the
company which hosts the CYBOX platform. They are linked to the data controller by a legal data protection and confidentiality clause in their contract.

Within a multitenant setup, tenant-specific administrators manage data related to their tenants users and courses.

Access to some of your personal data (first name, last name, and /or e-mail) may also be granted to a defined roles of users (trainer, course creator, manager – see Terms of Use of CYBOX Platform for more details on the roles) in view of implementation of or follow-up to activities with your participation.

By default, regular users of the CYBOX platform do not have access to view the profiles of other users. However, visibility may be enabled under the following circumstances:

▪ Participation in certain activities or membership in specific networks (e.g., 24/7 Point of Contact Network, International Network of National Judicial Trainers, T-CY Working Groups,
etc.) may require profile visibility for operational purposes, enabling contact sharing across participants or members.

Users can manage their profile visibility settings within the User Profile Settings or by contacting CYBOX Secretariat. Whilst changes to profile visibility can be made at any time, they may be subject to role-based limitations in certain networks or activities.

With the aim of better distributing information on similar Council of Europe activities, mailing lists composed by the names of the users of the platform may be used in the future by the CYBOX
Secretariat for the purpose of contacting data subjects in the context of other C-PROC activities.

If data subjects do not agree with this, they may contact the CYBOX Secretariat by using the Contact Information as mentioned below in this Privacy Statement.

Other recipients of the data being processed may include:
▪ C-PROC staff responsible for preparing, designing, implementing, and evaluating activities on the CYBOX platform, as outlined in this privacy notice.
▪ C-PROC staff working in support roles (e.g., technical support, user administration, etc.) involved in managing and maintaining the CYBOX platform.
▪ CoE actors in the financial workflow (if relevant to financial transactions related to training activities or project funding).
▪ CoE Communications Team (if relevant for communications purposes related to events, courses, or user engagement).
▪ Relevant National Authorities responsible for managing their Country or institution areas (Tenants) on the CYBOX platform (access is restricted to the data of users registered within
the respective tenant, as per tenant-specific privacy notices).
▪ National Contact Points or Institutional Contact Points within each participating country or institution, for data linked to users from their own country or institution.
▪ Service Providers for CYBOX, including technical service providers or platform support partners, and any other providers directly involved in platform maintenance, running
troubleshooting services, or content management.
▪ Other service providers, as necessary, involved in the delivery of services, including course evaluations or feedback collection (e.g., survey tools, external evaluators).
▪ General public, primarily through the C-PROC website and social media channels, if explicitly consented by the data subject (for example, if the user’s participation or achievements in
training are publicly shared or promoted).
▪ EU and other donors’ bodies: data may be disclosed for specific purposes (e.g., compliance, audit, or legal requirements). The Council of Europe will not share personal data with third parties for direct marketing purposes.

6. HOW DO WE PROTECT AND SAFEGUARD YOUR INFORMATION?
Your contact details are recorded in a secured and protected database hosted by an external company whose database centre is located in the EU. Information on the company is available in
the footer and upon request (see Contact Information below).

This contractor is aware of the prime importance to the Council of Europe of securing the hosted content in terms of confidentiality, integrity, and data back-up, particularly in respect of the risks of physical or logical intrusion and is contractually committed to ensuring that your personal information is secure by putting in place and maintaining a security policy which meets the highest relevant security standards.

This contractor has i.a. guaranteed that no third party has access to the Council of Europe’s data, in particular other clients of the contractor using the same Server.

It has also undertaken to:

▪ prevent physical access to the Server by any unauthorised third party and to keep the Server on premises which comply with professional standards, particularly in terms of electrical safety
and protection from the risks of intrusion, fire or overheating and 
▪ to put in place the necessary technical measures to protect the hosted content against computer viruses and against intrusions or attacks which might adversely affect the hosted
content or its accessibility. 

Inside the Council of Europe, the database can be accessed using a User Id/Password. Access to the application is via an encrypted connection using the https protocol.

7. HOW LONG DO WE KEEP YOUR DATA?
Personal data will be retained for as long as it remains necessary for the proper functioning of the platform and for the benefit of the platform's users. However, upon request from individuals
concerned or in the event of platform termination, all personal data will be promptly deleted. It is important to note that aggregated data pertaining to groups (excluding individual-level data) may be retained for an additional seven years to facilitate research analysis and reporting.

In terms of legitimacy of data processing and quality of data, we are aligned with Article 4.1 of the above-mentioned regulation:

4. Legitimacy of data processing and quality of data
4.1 Data processing shall be proportionate in relation to the legitimate purpose pursued and reflect at all stages of the processing a fair balance between all interests concerned, whether
public or private, and the rights and freedoms at stake.

8. HOW CAN YOU VERIFY, MODIFY OR DELETE YOUR INFORMATION?
If you wish to inquire about, modify, correct, or delete your personal data, kindly contact the controller using the provided Contact Information below. Please make sure to explicitly specify your request in your communication.

9. CONTACT INFORMATION
In case you wish to verify what personal data is stored on your behalf in the HELP online platform, have it modified, corrected, or deleted, or if you have questions regarding the platform, or
concerning any information processed in the context of the platform, or on your rights, feel free to contact the support team, using the following contact information:

CYBOX Platform Secretariat: cybox@coe.int

10. RECOURSE
In case of conflict, the Council of Europe’s Data Protection Commissioner can be contacted:

Jean-Philippe WALTER
Data Protection Commissioner
Directorate General Human Rights and Rule of Law - Data Protection Unit
Council of Europe
F-67075 Strasbourg Cedex
Email: datacommissioner@coe.int