EU Voice Data Protection Notice and Terms of Use

latest change: 14 February 2022

Overview

EU Voice is the official ActivityPub microblogging platform of the EU institutions, bodies and agencies (EUIs). Together with EU Video, it is part of an alternative social media pilot program proposed, and provided by the European Data Protection Supervisor (EDPS). The pilot program contributes to the European Union’s strategy for data and digital sovereignty that aims to foster Europe’s independence in the digital world.

EU Voice provides EUIs with privacy-friendly microblogging accounts that they typically use for the purposes of press and public relations activities. Please refer to the data protection notice of the respective account pages for details.

The website of EU Voice stores the cookie ‘_mastodon_session’ with an identifier in the browser of unregistered and registered users until the browser is closed for the purpose of ensuring a secure interaction with the website. For registered users, the cookie ‘_session_id’ stores their login status until logout. Based on user consent, EU Voice stores as well push notifications settings in the browser.

EU Voice processes feedback of users in the form of subscriptions, content appreciations (likes) and promotions (boosts) for publication in the context of account and content (toot) pages upon instruction of the users’ respective (third-party) ActivityPub service. EU Voice relies on consent that must be collected by the users’ (third-party) ActivityPub service before feedback transmission to EU Voice. EU Voice may store feedback or recollect it from the third-party service until it receives via that service or directly from the user a request for deletion or objection (unsubscribe, unlike, unboost).

EU Voice is powered by the software Mastodon chosen for its free, open, decentralised, interoperable, non-commercial and privacy-friendly character. Hence, the purpose of this pilot operation is also to understand the capabilities of such platforms and promote privacy-friendly alternatives to other already established social media platforms. EU Voice limits registration of accounts to EUIs only and relies for other users’ feedback on the interoperability with third-party services that also support ActivityPub protocol. The Mastodon developers maintain a list of Mastodon servers open for registration.

In the context of EU Voice, your personal data are processed based on Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC Text with EEA relevance (‘the Regulation’).

The following information is provided as established in Articles 15 and 16 of the Regulation.

Data Protection Notice

For the purposes of this Data Protection Notice:

“Platform” means the software instance of Mastodon at https://social.network.europa.eu.

 “User” means the natural person who interacts with the platform directly via the website or indirectly via third-party ActivityPub services

“Registered user” means the User after login to the Platform

“Account” means a Mastodon account on the Platform

“Account Owner” means the service or staff member(s) who manages an Account, namely sets up the profile and/or publishes on the account

“Account page” means the public pages of an account owner on the platform

“Subscribers” mean the accounts who follow the Account Owner

“Subscriptions” mean the accounts followed by the Account Owner

“Feedback” means any user interaction with Accounts (e.g. subscribing) and their content (e.g. boosting, liking, commenting, sharing)

Scope and purpose of the processing

This data protection notice applies to the processing of personal data for the provision of the microblogging platform ‘EU Voice’ by the EDPS. It offers information on what personal data is processed and how it is processed, and on your data subject rights.

Responsible of the processing 

The controller is the European Data Protection Supervisor (EDPS) in its capacity as the provider of the platform and the initiator of the pilot program. For more information on the EDPS please consult our website https://edps.europa.eu.

To contact us, please use our contact form or send us an email to tech-privacy@edps.europa.eu.

Processing of Personal Data

EU Voice provides EUIs with privacy-friendly microblogging accounts that they typically use for the purposes of press and public relations activities. Refer to the data protection notice of the account pages for more details.

Personal data processed by the Platform is accessible to limited number of EDPS staff on a need-to-know basis to ensure a secure platform operation and produce aggregated statistics. User content and feedback is published or delivered according to the user settings.

Website Visitors

The platform’s website processes the IP addresses and other metadata (as specified below) of its visitors. When accessing the platform, an encrypted connection to the platform’s web servers is established. To display the content correctly on the visitor’s computer or other terminal devices, the following data is processed in accordance with the HTTP and TCP/IP protocol:

  • the IP address of the visitor’s internet connection,
  • the operating system and operating system version of the visitor’s terminal, the display resolution of your device,
  • the visitor’s web browser and browser version,
  • the date of access to the website, and
  • the HTTP cookie ‘_mastodon_session’ (for the duration of the website visit)

This is required for the request, processing, and display of content. After each page visit, some of the data are stored in the account profile (if logged in) and server logs. These logs serve the purpose of maintenance and security of the server and personal data herein is anonymised after 14 days. This processing is based on Article 5 (1) (a) of the  Regulation (EU) 2018/1725 (‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body’). This includes processing carried out in order to comply with the necessary technical and organisational protection measures.

Furthermore, the website employs the cookie ‘_session_id’ to store the login status of registered users until logout or until a year after the last website visit. The website also stores the notifications settings in the browser. This processing is based on Article 5(1)(d) of the Regulation 2018/1725 (consent).

Feedback Contributors (from third-party platforms)

The Platform processes personal data when users of third-party platforms with ActivityPub support interact with its accounts. To enrich public Account pages and content pages (toots) with user feedback in the form of subscriptions, content appreciations (likes) and promotions (boosts), the following data is processed in accordance with the ActivityPub protocol:

  • the IP address of the third-party platform,
  • the user’s terminal software
  • the user’s display name, account name, and profile picture,
  • the current date and time,
  • the feedback content data, i.e.
    • subscribed account,
    • liked or promoted content, or
    • public comment or private message (including attached media content)

Private messages are not end-to-end encrypted and are therefore in principle accessible to the platform administrators. Sensitive information should therefore be exchanged on other communication channels.

This processing is based on consent (Article 5(1)(d) of the Regulation (EU) 2018/1725) that must be obtained and managed by the user’s third-party platforms before feedback transmission to the Platform. The Platform may store feedback or recollect it from the third-party platform until it receives via that platform or directly from the user a request for deletion or objection (unsubscribe, unlike, unboost).

Account Owners

The platform limits registrations to EUIs that use accounts typically for the purposes of press and public relations activities. To setup accounts and manage them subsequently, the following data is processed:

  • Account Owner’s display name, account name, profile picture and header image
  • Account Owner’s login credentials consisting of an email address and password
  • Account Owner’s notification and privacy preferences
  • Account Owner’s account description/biography
  • Account Owner’s own content (toots), promoted, and appreciated content
  • Account Owner’s private messages (sent and received)
  • Account Owner’s subscriptions and their recent content
  • Account Owner’s logged-in sessions (terminal software, time and date, IP)

If Account Owners give feedback, the previous section applies accordingly. Note that updating subscribers and giving feedback (including profile mentions) requires disclosure of personal data to the platforms of the recipients. Depending on their platform location, the disclosure can possibly involve international data transfers.

The Account Owner’s account and display name, profile picture and header, description, subscriptions, the own and promoted content, the content of their subscriptions, as well as their given feedback is published on their Account page.

This processing is based on Article 5(1)(a) of the  Regulation (EU) 2018/1725 (‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body’). The Account data is retained until the account is deleted.

Exercise your rights

You have the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning you or, where applicable, the right to object to processing or the right to data portability.

Where applicable, you also the right to withdraw your consent at any time. Please note that withdrawing your consent does not affect the lawfulness of processing based on consent before its withdrawal.

Please find more information on your rights at https://edps.europa.eu/about-edps/data-protection-edps_en.

If you have any remarks or complaints regarding the way the EDPS processes your personal data, you can contact the controller via the contact form or send us an email to tech-privacy@edps.europa.eu. You can also contact at any time the EDPS Data Protection Officer at DPO@edps.europa.eu.

You can also find contact information on the EDPS website: https://edps.europa.eu/about-edps/contact_en.

You have, in any case, the right to lodge a complaint with the EDPS as a supervisory authority. Please follow the instructions at https://edps.europa.eu/data-protection/our-role-supervisor/complaints_en.

API and Accounts Terms of Use

EU Voice is the official ActivityPub microblogging platform of the EU institutions, bodies and agencies (EUIs). Together with EU Video, it is part of an alternative social media pilot program proposed, and provided by the European Data Protection Supervisor (EDPS). The EDPS cannot guarantee the availability of EU Voice after the conclusion of the pilot program.

Account owners are responsible for the use of their accounts and compliance with the Regulation (EU) 2018/1725 as separate controllers. All accounts must have a data protection notice linked on their account page and shall indicate which moderation policies apply.

Third-party ActivityPub platforms must ensure to collect valid user consent before they transmit in accordance with the ActivityPub protocol personal data to the platform EU Voice.

EU Voice

EU Voice is the official ActivityPub microblogging platform of the EU institutions, bodies and agencies (EUIs). Together with EU Video, it is part of an alternative social media pilot program proposed, and provided by the European Data Protection Supervisor (EDPS).