1. Who We Are and What This Policy Covers
This Privacy & Cookies Policy explains how the AENAON Consortium, with Asfalys SRL acting as data controller on behalf of the consortium, collects and processes personal data through the AENAON project website at https://aenaon-project.eu (the “Website”). AENAON (Ex-Ante cybersecurity Federated Digital twin-based Cyber Range and managed security services for offshore wind farms) is funded under the Digital Europe Programme, Grant Agreement No. 101249723. This Policy does not cover the AENAON Open Call portal. A separate Open Call Privacy Notice applies to applicants, evaluators, and sub-grantees, available at https://aenaon-project.eu/open-calls/.| Data Controller | ASFALYS SRL, Esplanade 1, Brussels, 1020, Belgium |
| Data Protection Officer Contact | Dpo@aenaon-project.eu |
| Open Call processing | Governed by a separate Open Call Privacy Notice |
| Lead Supervisory Authority | Belgian Data Protection Authority — Autorité de protection des données / Gegevensbeschermingsautoriteit (APD/GBA), Rue de la Presse 35, 1000 Brussels, Belgium, www.dataprotectionauthority.be |
| Legal framework | Regulation (EU) 2016/679 (GDPR); Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data; Belgian Act of 13 June 2005 on electronic communications; Article 15 of Grant Agreement No. 101249723. |
2. Personal Data We Collect and Why
We collect personal data only for specific, explicit and legitimate purposes and only to the extent necessary. Where legitimate interest is used as a legal basis, it has been balanced against the rights and reasonable expectations of data subjects.| Activity | Data Categories | Purpose | Legal Basis (GDPR Art. 6) | Retention |
|---|---|---|---|---|
| Newsletter subscription | Email address, name and organisation optional; subscription status; consent records; unsubscribe history | Sending AENAON project updates, news, events and result highlights to subscribers | Art. 6(1)(a) GDPR — consent opt-in; withdrawable via unsubscribe link in every email | Until unsubscription, withdrawal of consent, or discontinuation of the newsletter service |
| General contact form | Name, email, organisation where provided, content of message | Responding to general enquiries about the AENAON project non-Open-Call enquiries | Art. 6(1)(f) — legitimate interest in responding to enquiries about a publicly funded project | 2 years from receipt, unless follow-up correspondence is ongoing |
| General event and webinar registration | Name, organisation, email; dietary or accessibility requirements where voluntarily provided | Organising AENAON dissemination events, webinars, training and showcase activities | Art. 6(1)(b) — pre-event steps at the data subject’s request; Art. 6(1)(f) — legitimate interest in project dissemination | 12 months after the event; dietary/accessibility data deleted immediately after the event |
| Website technical operation and security logs | IP address, browser/user-agent, timestamps, requested resources, error/security logs | Ensuring the proper functioning, integrity and security of the Website; detecting errors, abuse, unauthorised access or security incidents. | Art. 6(1)(f) — legitimate interest in network and information security | Up to 90 days, unless extended for security-incident investigation |
| Cookie consent management | Consent ID, consent status per category, timestamp, browser/device technical identifiers | Recording and managing user cookie preferences; demonstrating compliance with consent requirements | Art. 6(1)(c) — legal obligation under Article 7(1) GDPR proof of consent | Up to 12 months from last consent action CookieYes default |
| Publication of project content | Names of authors of publications, deliverables or news items where applicable | Project visibility and dissemination under Article 17 of the Grant Agreement | Art. 6(1)(c) — visibility obligation under the GA; Art. 6(1)(f) — legitimate interest in reporting on a publicly funded project | Duration of the Website plus at least 5 years after final payment under the GA |
3. Cookies and Similar Technologies
The Website uses the following categories of cookies:| Category | Description | Consent required? |
| Strictly necessary | cookieyes-consent (CookieYes — stores user’s cookie preferences, expiry ~1 year, SameSite=Strict) WordPress session cookies (set only for logged-in administrators, not for public visitors) | No (Article 5(3) ePrivacy Directive exception for strictly necessary |
ASFALYS SRL, as data controller for Website processing, shares personal data only where necessary for the operation of the Website, project communications, event management, compliance with the Grant Agreement, or the handling of requests from data subjects.
| Recipient | Data shared and purpose |
|---|---|
|
ZELUS IKE, Athens, Greece |
Provides website content management and WordPress administration support. May access WordPress user accounts, contact form submissions, newsletter records, event registration data, technical logs or other Website data where necessary for website maintenance, content publication or technical support. Acts as processor for ASFALYS SRL under an Article 28 GDPR Data Processing Agreement. Zelus IKE engages Papaki/Enartia S.A. as sub-processor for hosting and infrastructure services, as a pre-approved sub-processor under the applicable Data Processing Agreement. |
|
Papaki / Enartia S.A. Athens, Greece |
Provides hosting and related technical infrastructure services for the AENAON Website through the hosting arrangements managed by ZELUS IKE. Papaki / Enartia S.A. may process website-hosting data, server logs, IP addresses, browser/user-agent data, timestamps, requested resources, error/security logs, WordPress database records and newsletter delivery metadata in accordance with the applicable hosting, service and data protection terms. |
|
The Newsletter Plugin WordPress plugin local |
The newsletter is operated through a WordPress plugin installed on the Website. Subscriber data is stored in the WordPress database on the Papaki server in Athens, Greece. No third-party newsletter platform processes subscriber data. |
|
CookieYes Limited United Kingdom |
Provides cookie consent management. Processes cookie preferences, consent status, consent ID, timestamp and technical identifiers. Acts as processor under its applicable Data Processing Agreement. Transfers to the United Kingdom are covered by the EU adequacy decision under Article 45 GDPR. |
| Microsoft Ireland Operations Ltd, Ireland | May process registration, attendance and participation data where Microsoft Teams, Microsoft Teams Events or related Microsoft services are used for AENAON online events or webinars. Acts under the applicable Microsoft data protection terms. Event-specific information will be provided where relevant. |
| AENAON consortium partners | Personal data may be shared with consortium partners only where necessary for their role in project implementation, for example to respond to a request, manage participation in a project activity, organise an event, or carry out dissemination obligations. Access is limited to what is necessary and subject to the confidentiality and data protection obligations applicable within the consortium. |
| ECCC, European Commission, OLAF, EPPO, European Court of Auditors | Personal data may be shared where required for reporting, monitoring, checks, reviews, audits or investigations under the Grant Agreement and applicable EU rules. Legal basis: Article 6(1)(c) GDPR. |
| Belgian Data Protection Authority | Personal data may be shared where required by law, in the context of a complaint, investigation, breach notification or regulatory enquiry. For Website processing controlled by ASFALYS SRL, the Belgian Data Protection Authority is the relevant lead supervisory authority, without prejudice to the data subject’s right to complain to another competent supervisory authority under Article 77 GDPR. |
| Courts, legal advisers and public authorities | Personal data may be disclosed where required by law or where necessary to establish, exercise or defend legal claims. |
5. International Transfers
Personal data processed through the Website is primarily stored and processed within the European Economic Area (EEA). Specifically:6. Your Rights Under GDPR
You have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21), withdrawal of consent (Art. 7(3)) and lodging a complaint with a supervisory authority (Art. 77). The right to erasure does not apply where processing is necessary to comply with audit obligations under the Grant Agreement or for the establishment, exercise or defence of legal claims. To exercise any right, contact aenaonDPO@privact.eu. Response within one month, extendable by two months for complex requests under Article 12(3) GDPR. Complaints: Belgian Data Protection Authority (APD/GBA) -Autorité de protection des données / Gegevensbeschermingsautoriteit, Rue de la Presse 35 / Drukpersstraat 35, 1000 Brussels, Belgium, contact@apd-gba.be, +32 (0)2 274 48 00 – www.dataprotectionauthority.be. You may also complain to the supervisory authority of your country of residence or place of work.7. How We Protect Your Data
We apply appropriate technical and organisational measures under Article 32 GDPR, including:8. Links to Other Websites
The Website contains links to external sites (ECCC, EU Funding & Tenders Portal, consortium partners’ websites, social media pages). This Policy does not apply to those sites. The EU Funding & Tenders Portal operates under its own Portal Privacy Statement: https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/support/legalnotice . ECCC processing is governed by Regulation (EU) 2018/1725.9. Changes to This Policy
We may update this Policy. The current version date is shown at the top. Material changes will be notified to active newsletter subscribers and shown prominently on the Website. Previous versions are available on request.10. Contact
| Coordinator | info@aenaon-project.eu |
| Data Protection Officer contact | Dpo@aenaon-project.eu |
| Open Call enquiries | Open-call@aenaon-project.eu |
| Supervisory Authority | Complaint details are provided in Section 6 above. You may also lodge a complaint online at: https://www.dataprotectionauthority.be/citizen/actions/lodge-a-complaint |
11. Legal References
Focuses on the initial validation, integration and testing of AENAON technologies and services in realistic environments, with emphasis on strengthening the technical foundations of the platform and related cybersecurity capabilities.