Privacy Policy
KreativEU Seed Funding Platform (Moodle‑based)
(GDPR & KVKK Compliant)
Last updated: Feb 2026
This Privacy Policy explains how the 11 universities of the KreativEU Consortium (“we”, “our”, “the Consortium”) collect, process, store, and protect personal data when users access the KreativEU Seed Funding Platform, a Moodle‑based system dedicated to submitting project proposals, participating in funding calls, conducting peer review or expert evaluation, and managing consortium‑wide project workflows.
The Platform is jointly operated by the consortium members and integrates Microsoft Entra ID for authentication.
Our processing complies with the EU General Data Protection Regulation (Regulation (EU) 2016/679 – GDPR) and, where applicable, the Turkish Personal Data Protection Law No. 6698 (KVKK).
1. Data Controller Structure
Because the Seed Funding Platform is shared across 11 partner universities, the parties act as Joint Controllers under GDPR Art. 26.
Each university:
- Determines how its users’ personal and institutional project information is created, uploaded, and retained.
- Maintains responsibility for proposal applicants affiliated with its institution.
Under KVKK, each participating Turkish institution is considered an individual Data Controller for its users.
A Joint Controller Agreement (JCA) defines responsibilities regarding:
- Security controls
- Access governance
- Incident response
- Handling of data subject requests
- Data retention and accountability
2. Categories of Personal Data Processed
2.1 Data stored in the Seed Funding Platform (Moodle core + custom modules)
The Platform stores information related to:
- User profile data (name, email, institution, role—applicant, evaluator, administrator)
- Project proposal data, including uploaded documents, budgets, partner details, and narrative forms
- Evaluation and review data, including reviewer comments, scoring sheets, and decision records
- Activity logs, such as submission timestamps, revision history, evaluator assignments, internal commenting
- System metadata, including IP addresses and authentication logs
(Derived from standard Moodle logging mechanisms)
All proposal and LMS‑generated data are treated as personal data wherever a natural person (e.g., applicant, evaluator) is identifiable.
2.2 Data processed via Microsoft Entra ID
Authentication uses delegated Microsoft Graph permissions:
- Baseline permissions: openid, profile, email, offline_access
- Additional delegated permissions used by integrated Moodle plugins:
  - User.Read – read basic profile attributes
  - Calendar.ReadWrite – scheduling evaluation meetings or internal deadlines
  - Files.ReadWrite, Sites.ReadWrite.All – enabling proposal file synchronization with institutional OneDrive/SharePoint repositories
These permissions act only on behalf of the signed‑in user, mirroring their existing rights in their institutional Microsoft 365 tenancy.
3. Purpose of Processing
3.1 Proposal submission and funding‑call administration
We process data to:
- Authenticate users
- Allow researchers to submit project proposals
- Enable evaluators to review proposals
- Manage multi‑stage funding workflows
- Notify users about deadlines, evaluation results, or required corrections
GDPR lawful basis: contract performance, public interest, legitimate interest.
3.2 Collaboration within the consortium
Optional Microsoft 365 integrations may:
- Synchronize deadlines/events with user calendars
- Allow exchange of supporting documents via OneDrive/SharePoint
These are enabled only when justified for project‑call management.
3.3 Legal, financial, and institutional compliance
We process logs and proposal data to:
- Support financial auditing
- Meet EU funding obligations (e.g., documentation trails)
- Ensure integrity of evaluation processes
- Respond to lawful institutional or regulatory requests
4. Legal Bases (GDPR & KVKK)
Under GDPR
We rely on:
- Art. 6(1)(b) – performance of a contract (operating the seed funding service)
- Art. 6(1)(e) – public interest tasks carried out by universities
- Art. 6(1)(f) – legitimate interests (platform security; fair evaluation workflows)
- Art. 6(1)(a) – explicit consent (analytics, cookies, optional add‑on tools)
Under KVKK
Processing may require explicit consent unless:
- Required by law
- Necessary to establish/exercise rights (e.g., proposal evaluation)
- Necessary for protection of vital interests
5. Data Minimization & Retention
We retain only the data strictly needed for:
- Proposal submission
- Evaluation processes
- Compliance with funding‑call documentation rules
- Archival obligations defined by EU or national funding bodies
Retention periods vary by institution according to:
- Research regulations
- Legal audit rules
- Archiving requirements of public universities
Logs and proposal artifacts are removed or anonymized once no longer necessary.
6. Data Subject Rights
Under GDPR
Users may request:
- Data access
- Rectification
- Erasure (“right to be forgotten”)
- Restriction or objection to processing
- Data portability
The Platform supports these mechanisms via Moodle’s Data Privacy subsystems.
Under KVKK
Users may:
- Learn whether data is processed
- Request information about processing
- Request correction or deletion
- Object to automated decisions affecting them
All requests are coordinated by the Consortium Data Protection Office and forwarded to the responsible Joint Controller(s).
7. International Transfers
Since the Consortium includes institutions in the EU and Turkey, transfers may occur across jurisdictions.
Cross‑border transfers follow:
- GDPR Chapter V, including Standard Contractual Clauses (SCCs)
- Supplementary security measures
- Lawful basis and accountability documentation
- KVKK requirements (including VERBIS registration and cross‑border consent when applicable)
8. Security Measures
The Platform implements:
- Security‑by‑design Moodle architecture
- Compliance with OWASP, CWE, and secure coding standards
- Multi‑factor authentication (available via Entra ID)
- Encrypted communications and secure tokens
- SOC2‑aligned development practices
Universities must implement institutional controls:
- Access‑control policies for evaluators and administrators
- Secure upload/storage environments for project documents
- Periodic security audits and vulnerability scanning
- Network security and encrypted storage
9. Use of Entra ID Delegated Permissions
Delegated permissions operate in the context of the user signing in.
Risk occurs only if:
- A high‑privilege institutional user signs in
- The institution grants excessive permissions unintentionally
The Consortium enforces:
- Least‑privilege access
- Consent restrictions
- Permission classifications using Entra ID governance tools
- No tenant‑wide or unscoped administrative access
10. Sharing of Data
User and proposal data may be shared only with:
- Partner universities (as Joint Controllers)
- Internal/external evaluators assigned to a proposal
- Microsoft 365 cloud processors (under DPA‑compliant agreements)
- Legitimate funding or accreditation bodies requiring documentation
All third‑party processors must follow GDPR/KVKK compliant contracts.
11. Cookies and Tracking
Cookies are used for:
- Session management
- Authentication
- User preference storage
Analytics or optional tracking cookies require explicit consent where required by GDPR jurisdictions.
12. Data Protection Officers
Each university appoints:
- A local GDPR/KVKK contact person, and
- A Consortium‑level Data Protection Officer (DPO) responsible for cross‑institutional governance and coordination of rights requests.
13. Incident Response
All security incidents:
- Are logged and analyzed
- Trigger internal investigation
- Are reported within 72 hours under GDPR where required
- Follow KVKK breach‑notification rules when applicable
14. Changes to This Policy
Updates will be published:
- On the Seed Funding Platform login page
- Inside Moodle’s Site Policy versioning module