Unified GDPR framework for OpenEU activities
1. Purpose & context
Recent discussions within several WPs regarding the upcoming OpenEU events have highlighted a recurring administrative bottleneck: the lack of a standardized approach to GDPR compliance across project subtasks.
To prevent management paralysis, avoid endless legal debates in every single activity, and ensure robust compliance across different Member States, the OpenEU Alliance Secretariat proposes a unified approach. Instead of treating GDPR on a case-by-case basis, we propose that GDPR management is centralized, but legal responsibility remains appropriately distributed. Under GDPR Article 26 (Joint Controllership), the secretariat recommends formalizing this framework as a short Annex to the D1.1B or via a formal WP1 board mandate.
2. The OpenEU GDPR Framework
Pillar 1: The privacy toolkit (standardized templates)
To eliminate guesswork, the OpenEU alliance will operate using a centralized "GDPR Toolkit". The Secretariat will host and distribute these master templates, which must be embedded into every alliance activity.
1.1. Master privacy notice: A plug-and-play text for registration forms (Webinars, Job Fairs, Workshops). It will contain pre-written fields detailing why data is collected, how long it is kept, and who has access. Task Leaders will only need to fill in variable fields (e.g., event name, date).
1.2. Media consent release: A standard form covering image rights, video recordings, and photography during live or virtual events, ensuring compliance for marketing and dissemination activities.
-
1.3. Third-party processor clauses: Standard data processing language to be included if an activity relies on external platforms to meet EU standards.
Pillar 2: The Task Leader workflow (3-Step process)
The Secretariat wants to ensure that managing GDPR does not slow down operational delivery. Task Leaders will follow a simple, mandatory three-step pipeline:
Step 1 – Define: The Task or Subtask Leader outlines the event scope and identifies if personal data will be collected.
Step 2 – Apply: The Task or Subtask Leader downloads the appropriate template from the Toolkit and embeds it directly into the registration mechanism (e.g., Google Forms, institutional survey tools). No local modifications to the legal text are permitted without prior notification to the university legal team.
Step 3 – Secure: All collected databases must be stored in a restricted-access repository (e.g., a secure, dedicated folder in the WP’s shared cloud space) with strict access controls, and the Secretary General needs to be informed about it.
Pillar 3: Governance model
To balance agility with legal security, responsibilities are clearly split between the central hub and individual members:
Secretariat: Acts as the operational hub and the main point of contact for data subjects and partners. Maintains the Toolkit, monitors data storage compliance, and routes formal data access requests to the relevant partners.
Alliance Members: Holds the ultimate legal responsibility to comply with EU and national regulations. Each member's legal team ensures their own institution’s data collection practices align with the agreed alliance framework.
-
Task or Subtask leader: Responsible for operational compliance— ensuring the form has the correct check-boxes, managing local access to the data, and executing data anonymization protocols once the retention period expires.
3. General recommendation
The Secretariat recommends that this framework is adopted via a WP1B agreement. The Secretariat could serve as the central repository for the standard GDPR Toolkit. It is suggested that Task or Subtask Leaders use these templates to streamline processes and minimize legal debates, while acknowledging that ultimate regulatory compliance remains the responsibility of each respective member legal entity.
Share
Or copy link