Privacy Policy

The controller of personal data on this platform is: Conservatorio Profesional de Música «Francisco Guerrero» Avda. Ramón y Cajal, s/n 41005 Sevilla, España CIF: S4111001F Email: info@erasmusarts.eu The Conservatorio acts as coordinator of the Erasmus+ project «MUSIC AND DANCE FOR EUROPE 2.0», funded by the European Commission through the Spanish Service for the Internationalisation of Education (SEPIE) under the KA210-VET 2024 call.

This policy applies only to the erasmusarts.eu web platform, a coordination tool for the centers that make up the M&D Europe network. This platform DOES NOT collect or store personal data of students or teaching staff at the participating centers. All sensitive information about people who take part in mobilities — students, teachers, their families — is handled locally at each center using independent tools that are not part of this platform and are not covered by this policy. Each center in the network is an independent controller of its participants' personal data. If you have questions about how a specific center processes student or teacher data, please contact that center directly.

We apply the data minimisation principle set out in Article 5(1)(c) of Regulation (EU) 2016/679 (GDPR): we collect only the data strictly necessary for the platform to operate as a professional coordination tool between centers. Specifically: • We do not collect data on students or teaching staff at the centers. • We do not collect personal data of minors. • We do not collect sensitive data (health, beliefs, biometrics, sexual orientation, etc.). • We do not use the data for profiling, advertising or commercial analysis. • We do not sell or transfer data to third parties for commercial purposes.

We limit collection to the following categories: Professional identification data of the coordinator: • First name and surname • Institutional email • Role on the platform (coordinator or administrator) • Affiliated center Educational center data: • Professional information about the center: name, institutional address, country, institutional contact details (email, institutional phone if the center chooses to provide it) • Center mobility profile Most of this data is public and refers to the center as an institution. Technical platform usage data: • Login timestamps • IP address of the session • Session identifiers (managed by Supabase Auth) • Actions performed on the platform (creation of opportunities, messages between centers, expressions of interest)

We process your data for the following purposes, each with its legal basis under the GDPR: Account management and authentication. Legal basis: performance of a contract (Art. 6(1)(b) GDPR). We need your basic identification data to create and maintain your coordinator account. Coordination between centers. Legal basis: performance of a contract (Art. 6(1)(b) GDPR). We need your professional data so you can create opportunities, send proposals to other centers, exchange messages with other coordinators and manage agreed mobilities. Platform security and prevention of misuse. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). We keep records of actions and technical data to safeguard the platform, prevent abuse and resolve incidents. Compliance with Erasmus+ programme obligations. Legal basis: legal obligation (Art. 6(1)(c) GDPR). The Erasmus+ programme requires documentation of project activities. The platform records metadata about mobilities agreed between centers (types, dates, participating centers) without including personal data of the participants in those mobilities, which is handled at each center.

We retain personal data for the time strictly necessary for the purposes described in this policy: • While your account is active: for as long as your coordinator role at a center in the network is in effect. • After account closure: up to five (5) years from last active use, a period aligned with audit obligations applicable to the Erasmus+ programme under the EU Financial Regulation. • Aggregated, anonymised statistics (number of agreed mobilities, active countries, network growth): may be kept indefinitely for evaluation of the project and the network, since they do not identify individuals. You may request early deletion of your account at any time. We will honour the request except for any data whose retention is required by law, in which case we will inform you of the applicable legal retention period.

We apply reasonable technical and organisational measures to protect personal data: • TLS encryption for all communications between your browser and the platform. • Row Level Security (RLS) in the database: each user only accesses the data they are authorised to. • Authentication managed by Supabase Auth with mandatory email verification. • Access to the administration panel is role-restricted and recorded in audit logs. • Servers hosted on European Union infrastructure. • Passwords stored only as irreversible hashes; we never have access to the password in plain text. No security measure is absolute. In the unlikely event of a security incident affecting your personal data and posing a risk to your rights and freedoms, we will notify you without undue delay and notify the competent supervisory authority in accordance with Articles 33 and 34 of the GDPR.

As a data subject, you have the following rights recognised by the GDPR: • Right of access: request a copy of the personal data we hold about you. • Right to rectification: correct inaccurate or incomplete data. • Right to erasure: request deletion of your data when it is no longer needed or when you withdraw consent, subject to legal retention obligations. • Right to object: object to processing based on legitimate interest. • Right to restriction: request that we limit processing of your data in certain circumstances. • Right to portability: receive your data in a structured, commonly used format. To exercise any of these rights, write to us at info@erasmusarts.eu indicating the right you wish to exercise. We will respond within a maximum of one month from receipt of your request, in accordance with Article 12(3) GDPR. For particularly complex requests this period may be extended by a further two months, in which case we will inform you. If you consider that the processing of your data does not comply with the regulations or you are not satisfied with our response, you have the right to lodge a complaint with the data protection authority of your country of residence. In Spain, the competent authority is the Spanish Data Protection Agency (AEPD), accessible at aepd.es. You may also contact the supervisory authority in your own country.

The platform uses only strictly necessary cookies for its operation. We do not use tracking cookies, third-party analytics, advertising or profiling. For more information, see our Cookie Policy.

This platform is intended exclusively for adults (over 18) acting in their professional capacity as Erasmus+ coordinators or administrative staff of educational centers belonging to the M&D Europe network. We do not process personal data of minors on this platform. Student data at the centers, where minors may be involved, is handled locally at each center and is not covered by this policy.

This Privacy Policy may be updated to reflect changes in our practices or in applicable law. If we introduce substantial changes, we will notify you by email at the address associated with your account before they take effect. The «Last updated» date at the top of this document always reflects the current version.

For any query about this Privacy Policy, about how we process your data or to exercise your rights: Email: info@erasmusarts.eu We will respond as soon as possible and, in any event, within the applicable legal deadline.