European Commission
en English
Digitalisation of Construction SMEs

Privacy policy

Data Protection Notice for ‘Supporting actions for the digitalisation of construction SMEs’ (EASME/2020/OP/0025, GRO/SME20/F107)

Your personal data is processed in accordance with Regulation (EU) No 2018/17251 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.

The data controller of the processing operation is the Head of Unit, Unit.I-02 SMP/SME Pillar of the European Innovation Council and SMEs Executive Agency (EISMEA),
The following entities process your personal data on our behalf:

Ecorys Europe EEIG – GEIEE
Rue Belliard 12, 1040 Brussels, Belgium
T: +32 2 743 89 49

Nederlandse Organisatie Voor Toegepast Natuurwetenschappelijk Onderzoek TNO
Anna van Buerenplein 1, 2595 DA Den Haag, The Netherlands
T: +31 88 866 08 66

IMP3ROVE – European Innovation Management Academy EWIV
Dreischeibenhaus 1, 40211 Düsseldorf, Germany
T: +49 211 1377 0

EMG Group PLC, Gabor Kitley
Zahony utca 7, 1031 Budapest, Hungary
T: +36 1 505 3381

The legal basis for the processing activities are:

  • Article 5(1)(a) of Regulation (EU) 2018/1725 because processing is necessary for the performance of a task carried out in the public interest (or in the exercise of official authority vested in the Union institution or body)2;
  • Article 5(1)(d) of Regulation (EU) 2018/1725 based on your explicit prior consent for your non-mandatory personal data indicated below;

The purpose of this processing is to support construction SMEs in their digitalisation efforts. Therefore, an individual maturity scan is provided, trainings are organised and relevant information shared. To support these actions, data of registrants, participants or other persons involved in actions of this project needs to be collected and processed in line with specific project requirements.

The following of your personal data are collected: your first name, last name, title, function, (professional / personal) e-mail, and address. All personal data are mandatory for the purpose(s) outlined above.
In addition, the following non- mandatory personal data might be collected: your photo, your Linkedin/Twitter account etc. and can only be processed based on your explicit prior consent3.

The recipients of your personal data will or may be authorised Agency and Commission staff, in charge of the project, authorised service provider staff in charge of implementation of the project and bodies in charge of monitoring or inspection tasks in application of Union or national law (e.g. internal audits, Court of Auditors, European Anti-fraud Office (OLAF), law enforcement bodies).

Your personal data will not be transferred to third countries or international organisations.

The processing of your data will not include automated decision-making (such as profiling).

In accordance with the IT Security Standard of C(2018) 7283, the following technical security measures are in place to safeguard the processing of your personal data:

  • Processors (service providers) are bound by the Commission contractual clauses ensuring security and confidentially when processing personal data.
  • The application uses EU Login to enforce authentication with a strength that satisfies the required level of security, and access rights are only evaluated on server-side;
  • Personal data of users are only accessible through the application, and only the data owner and the administrators have access to them;
  • Data such as passwords are stored in a secure way hashed using a strong cryptographic hash function;
  • The application is only accessible over encrypted (HTTPS) transfer protocol;
  • The application is hosted on a strongly protected infrastructure allowing access from the network to no other components (e.g., database) but the user interface and the application’s programming interface (API).

Your personal data will be kept for a maximum period of  5 years after the end of SMP programme.  Data will be permanently anonymised automatically at the end of this period.

You have the right to access your personal data and to request your personal data to be rectified, if the data is inaccurate or incomplete; where applicable, you have the right to request restriction or to object to processing, to request a copy or erasure of your personal data held by the data controller. If processing is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing based on your consent before its withdrawal.

Your request to exercise one of the above rights will be dealt with without undue delay and within one month.

Your right to information, access, rectification, erasure, restriction or objection to  processing, communication of a personal data breach or confidentiality of electronic communications may be restricted only under certain specific conditions as set out in the applicable Restriction Decision in accordance with Article 25 of Regulation (EU) 2018/1725.

If you have any queries concerning the processing of your personal data, you may address them to the Head of Unit, EISMEA, Unit.I-02 SMP/COSME Pillar (entity acting as data controller) via

You shall have the right of recourse at any time to the EISMEA Data Protection Officer at and to the European Data Protection Supervisor at

1 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L295/39 of 21.11.2018).

2 EISMEA Establishment Act: Commission Implementing Decision (EU) 2021/173 of 12 February 2021 establishing the European Climate, Infrastructure and Environment Executive Agency, the European Health and Digital Executive Agency, the European Research Executive Agency, the European Innovation Council and SMEs Executive Agency, the European Research Council Executive Agency, and the European Education and Culture Executive Agency and repealing Implementing Decisions 2013/801/EU, 2013/771/EU, 2013/778/EU, 2013/779/EU, 2013/776/EU and 2013/770/EU (OJ L 50/9 of 15.2.2021) 

3 Processing of non-compulsory personal data can only be based on consent and individual tick boxes have to be provided when data is collected to document the consent.