AENAON

Privacy Policy

Stay updated with the latest policies from the AENAON project.

Privacy Policy

1. Who We Are and What This Policy Covers 

This Privacy & Cookies Policy explains how the AENAON Consortium, with Asfalys SRL acting as data controller on behalf of the consortium, collects and processes personal data through the AENAON project website at https://aenaon-project.eu (the “Website”).  AENAON (Ex-Ante cybersecurity Federated Digital twin-based Cyber Range and managed security services for offshore wind farms) is funded under the Digital Europe Programme, Grant Agreement No. 101249723.  This Policy does not cover the AENAON Open Call portal. A separate Open Call Privacy Notice applies to applicants, evaluators, and sub-grantees, available at https://aenaon-project.eu/open-calls/.   
Data Controller  ASFALYS SRL, Esplanade 1, Brussels, 1020, Belgium 
Data Protection Officer Contact   Dpo@aenaon-project.eu  
Open Call processing  Governed by a separate Open Call Privacy Notice 
Lead Supervisory Authority   Belgian Data Protection Authority — Autorité de protection des données / Gegevensbeschermingsautoriteit (APD/GBA), Rue de la Presse 35, 1000 Brussels, Belgium, www.dataprotectionauthority.be  
Legal framework  Regulation (EU) 2016/679 (GDPR); Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data; Belgian Act of 13 June 2005 on electronic communications; Article 15 of Grant Agreement No. 101249723.   
The internal allocation of responsibilities between consortium partners is set out in the AENAON Consortium Agreement (Section 11) and in a separate Privacy and Data Protection Agreement, where required. Where consortium partners or service providers process personal data on behalf of ASFALYS SRL for website-related operations, this is governed by appropriate data protection arrangements, including Article 28 GDPR processor terms where applicable.  

2. Personal Data We Collect and Why 

We collect personal data only for specific, explicit and legitimate purposes and only to the extent necessary.  Where legitimate interest is used as a legal basis, it has been balanced against the rights and reasonable expectations of data subjects. 
Activity Data Categories Purpose Legal Basis (GDPR Art. 6) Retention
Newsletter subscription Email address, name and organisation optional; subscription status; consent records; unsubscribe history Sending AENAON project updates, news, events and result highlights to subscribers Art. 6(1)(a) GDPR — consent opt-in; withdrawable via unsubscribe link in every email Until unsubscription, withdrawal of consent, or discontinuation of the newsletter service
General contact form Name, email, organisation where provided, content of message Responding to general enquiries about the AENAON project non-Open-Call enquiries Art. 6(1)(f) — legitimate interest in responding to enquiries about a publicly funded project 2 years from receipt, unless follow-up correspondence is ongoing
General event and webinar registration Name, organisation, email; dietary or accessibility requirements where voluntarily provided Organising AENAON dissemination events, webinars, training and showcase activities Art. 6(1)(b) — pre-event steps at the data subject’s request; Art. 6(1)(f) — legitimate interest in project dissemination 12 months after the event; dietary/accessibility data deleted immediately after the event
Website technical operation and security logs IP address, browser/user-agent, timestamps, requested resources, error/security logs Ensuring the proper functioning, integrity and security of the Website; detecting errors, abuse, unauthorised access or security incidents. Art. 6(1)(f) — legitimate interest in network and information security Up to 90 days, unless extended for security-incident investigation
Cookie consent management Consent ID, consent status per category, timestamp, browser/device technical identifiers Recording and managing user cookie preferences; demonstrating compliance with consent requirements Art. 6(1)(c) — legal obligation under Article 7(1) GDPR proof of consent Up to 12 months from last consent action CookieYes default
Publication of project content Names of authors of publications, deliverables or news items where applicable Project visibility and dissemination under Article 17 of the Grant Agreement Art. 6(1)(c) — visibility obligation under the GA; Art. 6(1)(f) — legitimate interest in reporting on a publicly funded project Duration of the Website plus at least 5 years after final payment under the GA
Where records are relevant to audit, review, investigation or legal proceedings, they may be retained until the relevant procedure is fully closed, even if the standard retention period has expired. 

3. Cookies and Similar Technologies 

The Website uses the following categories of cookies: 
Category  Description  Consent required? 
Strictly necessary  cookieyes-consent (CookieYes — stores user’s cookie preferences, expiry ~1 year, SameSite=Strict)  WordPress session cookies (set only for logged-in administrators, not for public visitors)   No (Article 5(3) ePrivacy Directive exception for strictly necessary  
Users can manage or withdraw consent at any time via “Cookie Preferences” in the footer. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. 

4. Who We Share Data With

ASFALYS SRL, as data controller for Website processing, shares personal data only where necessary for the operation of the Website, project communications, event management, compliance with the Grant Agreement, or the handling of requests from data subjects.

Recipient Data shared and purpose
ZELUS IKE,
Athens, Greece
Provides website content management and WordPress administration support. May access WordPress user accounts, contact form submissions, newsletter records, event registration data, technical logs or other Website data where necessary for website maintenance, content publication or technical support. Acts as processor for ASFALYS SRL under an Article 28 GDPR Data Processing Agreement. Zelus IKE engages Papaki/Enartia S.A. as sub-processor for hosting and infrastructure services, as a pre-approved sub-processor under the applicable Data Processing Agreement.
Papaki / Enartia S.A.
Athens, Greece
Provides hosting and related technical infrastructure services for the AENAON Website through the hosting arrangements managed by ZELUS IKE. Papaki / Enartia S.A. may process website-hosting data, server logs, IP addresses, browser/user-agent data, timestamps, requested resources, error/security logs, WordPress database records and newsletter delivery metadata in accordance with the applicable hosting, service and data protection terms.
The Newsletter Plugin
WordPress plugin local
The newsletter is operated through a WordPress plugin installed on the Website. Subscriber data is stored in the WordPress database on the Papaki server in Athens, Greece. No third-party newsletter platform processes subscriber data.
CookieYes Limited
United Kingdom
Provides cookie consent management. Processes cookie preferences, consent status, consent ID, timestamp and technical identifiers. Acts as processor under its applicable Data Processing Agreement. Transfers to the United Kingdom are covered by the EU adequacy decision under Article 45 GDPR.
Microsoft Ireland Operations Ltd, Ireland May process registration, attendance and participation data where Microsoft Teams, Microsoft Teams Events or related Microsoft services are used for AENAON online events or webinars. Acts under the applicable Microsoft data protection terms. Event-specific information will be provided where relevant.
AENAON consortium partners Personal data may be shared with consortium partners only where necessary for their role in project implementation, for example to respond to a request, manage participation in a project activity, organise an event, or carry out dissemination obligations. Access is limited to what is necessary and subject to the confidentiality and data protection obligations applicable within the consortium.
ECCC, European Commission, OLAF, EPPO, European Court of Auditors Personal data may be shared where required for reporting, monitoring, checks, reviews, audits or investigations under the Grant Agreement and applicable EU rules. Legal basis: Article 6(1)(c) GDPR.
Belgian Data Protection Authority Personal data may be shared where required by law, in the context of a complaint, investigation, breach notification or regulatory enquiry. For Website processing controlled by ASFALYS SRL, the Belgian Data Protection Authority is the relevant lead supervisory authority, without prejudice to the data subject’s right to complain to another competent supervisory authority under Article 77 GDPR.
Courts, legal advisers and public authorities Personal data may be disclosed where required by law or where necessary to establish, exercise or defend legal claims.
  We do not sell, rent or commercially exploit personal data. We do not share personal data with third parties for their own marketing purposes.  If analytics cookies or a third-party analytics tool are introduced in the future, this Policy and the cookie banner will be updated before activation.   

5. International Transfers 

Personal data processed through the Website is primarily stored and processed within the European Economic Area (EEA). Specifically: 
  • Website hosting, newsletter database and email delivery are operated on infrastructure located in Athens, Greece (EEA), provided by Papaki/Enartia S.A. as sub-processor engaged by Zelus IKE. 
  • Cookie consent management is provided by CookieYes Limited, based in the United Kingdom. Transfers to the UK are covered by the EU–UK adequacy decision adopted by the European Commission under Article 45 GDPR,  for as long as that decision remains in force. 
Should any processor be added in the future whose processing involves transfers outside the EEA without an adequacy decision, those transfers will be governed by appropriate safeguards under Article 46 GDPR (Standard Contractual Clauses), accompanied by a Transfer Impact Assessment where required, or by a derogation under Article 49 GDPR where strictly applicable. This Policy will be updated accordingly. 

6. Your Rights Under GDPR 

You have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21), withdrawal of consent (Art. 7(3)) and lodging a complaint with a supervisory authority (Art. 77).  The right to erasure does not apply where processing is necessary to comply with audit obligations under the Grant Agreement or for the establishment, exercise or defence of legal claims.  To exercise any right, contact aenaonDPO@privact.eu. Response within one month, extendable by two months for complex requests under Article 12(3) GDPR.  Complaints: Belgian Data Protection Authority (APD/GBA) -Autorité de protection des données / Gegevensbeschermingsautoriteit, Rue de la Presse 35 / Drukpersstraat 35, 1000 Brussels, Belgium, contact@apd-gba.be, +32 (0)2 274 48 00 – www.dataprotectionauthority.be. You may also complain to the supervisory authority of your country of residence or place of work. 

7. How We Protect Your Data 

We apply appropriate technical and organisational measures under Article 32 GDPR, including: 
  • TLS/HTTPS encryption for all web traffic; 
  • Access controls on a need-to-know basis for the WordPress administration interface; 
  • DKIM email authentication for outgoing newsletter messages; 
  • Regular security reviews of the Website and underlying hosting environment; 
  • Documented procedures for detecting, reporting and managing personal data breaches. 
The AENAON Consortium Agreement (Section 10) imposes a five-year confidentiality obligation on partners after final payment under the Grant Agreement.  Personal data breaches likely to result in a risk to data subjects’ rights and freedoms are notified to the Belgian Data Protection Authority  within 72 hours under Article 33 GDPR, and to affected individuals where the breach is likely to result in a high risk (Article 34 GDPR). 

8. Links to Other Websites 

The Website contains links to external sites (ECCC, EU Funding & Tenders Portal, consortium partners’ websites, social media pages). This Policy does not apply to those sites. The EU Funding & Tenders Portal operates under its own Portal Privacy Statement: https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/support/legalnotice . ECCC processing is governed by Regulation (EU) 2018/1725. 

9. Changes to This Policy 

We may update this Policy. The current version date is shown at the top. Material changes will be notified to active newsletter subscribers and shown prominently on the Website. Previous versions are available on request. 

10. Contact 

Coordinator   info@aenaon-project.eu 
Data Protection Officer contact  Dpo@aenaon-project.eu  
Open Call enquiries  Open-call@aenaon-project.eu  
Supervisory Authority  Complaint details are provided in Section 6 above. You may also lodge a complaint online at: https://www.dataprotectionauthority.be/citizen/actions/lodge-a-complaint  

11. Legal References 

  • Regulation (EU) 2016/679 (GDPR);  
  • Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data;  
  • Belgian Act of 13 June 2005 on electronic communications; 
  • Regulation (EU) 2018/1725 (applicable to ECCC and EU institutions) 
  • Grant Agreement No. 101249723, Article 15; 
  • AENAON Consortium Agreement, Section 11; 
  • EU–UK adequacy decision under Article 45 GDPR.  

Open Call 1 (OC1) – Info Day 14/7/2026

Focuses on the initial validation, integration and testing of AENAON technologies and services in realistic environments, with emphasis on strengthening the technical foundations of the platform and related cybersecurity capabilities.