List of active policies

Name Type User consent
Terms & Conditions Site policy All users
Privacy Policy Privacy policy All users


This policy constitutes the Institute’s position on its contractual obligations with customers.

Full policy

The following terms and conditions apply to the sale of goods and services provided by the Institute and its representatives to its clients.



"Provider" refers to IEIS, its subsidiary bodies, agents, staff and associates.

"Event" refers to any event, course or other activity organised by the provider on behalf of its clients.

"Applicant" refers to any individual or group who has applied for an event either for themselves or for others.

"Attendee" refers to any individual or group in attendance at an event or intending to attend.


Applicants must request attendance via the website or by e-mail, providing evidence that minimum requirements for the event as set out in the eligibility criteria have been met. All attendees will be assessed against the eligibility criteria. Applications are not considered complete until all evidence has been received by the provider.

Rejection & Appeal

Applicants that are not accepted will receive a rejection e-mail citing the reason why the application was rejected and be given the right to appeal the decision to an executive authority.

Conditional Offers

If insufficient information was provided, the application will be considered on its existing merits. A request for further information may be issued together with an offer of attendance at the event. Such an offer will be made by e-mail and will be on condition that all remaining evidence is received by the provider no less than 28 days prior to the event start date.

Unconditional Offers

Applications that are accepted will result in the applicant receiving an unconditional offer of attendance at an event by e-mail.

Confirmed Offers

If the applicant and the attendee are the same person the offer is confirmed on issuance of remaining evidence and full settlement of fees. Otherwise, the attendee is required to confirm their acceptance of the offer. In cases of competitive entry, attendees with a confirmed offer are always admitted in place of those without.


In the event of any cancellation, the provider will first make every effort to negotiate a concession suitable to both the provider and the attendee (e.g. deferral, varying delivery methods, etc). In the event that no concession can be reached, the offer has not been confirmed and the applicant has provided more than 28 days notice from the start date, a full refund or transfer to an alternate event will be provided. Unavoidable expenses resulting from a cancellation and any administrative charges incurred in processing the application will always be deducted from the refund. Confirmed attendees and applicants providing less than 28 days notice of cancellation remain liable for the balance of all payments and fees.

Event Changes

The provider reserves the right to change the details of an event at any time and refuse anyone access to an event without notice. The provider may cancel or reschedule any event with 28 days notice to the applicant. If the provider cancels or reschedules an event with less than 28 days notice, the applicant is entitled to a full refund or transfer to an alternate event. Refunds pertain exclusively to fees. The provider is not liable for any other costs and expenses incurred by the applicant or attendee.

Unless otherwise stated, attendees will be automatically unenroled from an event 365 days after initial enrolment. Enrolment may be extended with the permission of the course director and the decision appealed to the head of training and directing staff.


Full payment of fees is required 28 days prior to the event start date. Fees must be paid in Euros (EUR) and settled by electronic transfer (e.g. credit card, bank transfer, paypal, etc.) unless otherwise agreed with the provider. Receipts, invoices and estimates will be provided upon request.

Late Booking Policy

The normal 28 day notice period for applications and payment may be reduced to 7 days if sufficient information is presented in the application to make a confirmed offer and a 20% late booking fee is accepted by the applicant. Automated processes via online booking may enable applications to be processed faster and without penalty, subject to agreement with the provider.


Due to the administrative burden involved, as a matter of policy, providers do not operate in jurisdictions where they would be required to register for VAT.

Events are run as independent legal entities and/or under the authority of the provider. Listed fees do not generally include tax unless otherwise stipulated, as tax obligations vary depending upon the provider's status and where the event is delivered. The provider typically operates below the threshold for VAT registration due to the Institute’s unincorporated cellular structure, and consequentially nominal turnover per cell. The provider may also carry non-profit status and other privileges which grant special exemptions from other forms of local taxation. Typically attendance events are liable for taxation at local rates at the point of service delivery in accordance with the appropriate tax laws for that country. The most common exemptions for this are if events are digital, excursions or otherwise exempt locally. Excursions are optional, ancillary, non-profit, educational events delivered overseas as a part of a significantly larger digital or local event liable for taxation at local rates. The delivery of digital products and services is completed locally, as a "hands-on" EU cross-border digital service, or is exempt from taxation outside of the EU and therefore only liable for taxation at local rates.

Intellectual Property Rights

All non-educational materials delivered at the event remain the intellectual property of the provider. All rights not expressly granted shall be reserved by the provider. Modification or incorporation of materials shall not constitute a joint work. If the attendee wishes to make additional use of materials not covered in these terms and conditions the attendee shall obtain permission from the provider and pay an additional fee to be agreed upon. If permission is granted for the attendee to make additional use of materials, a credit in the name of the provider shall accompany the materials whenever practical and the attendee shall supply the provider with a copy of any publication the material appears in. 

Due to the potential for material covered at events to be abused, attendees have a legal duty to protect the public from any harm caused by reckless or negligent disclosure. Specifically, attendees may not disclose materials covered at events without taking due diligence precautions the public would expect relating to such material (e.g. security vetting, clearances, contracts, etc).


Some events place special requirements upon the attendee prior to attendance (e.g. security vetting) and whilst at the event (e.g. venue security requirements). Attendees must adhere to those requirements and be willing to undertake all necessary action in order to comply with them. The applicant is liable for any costs the provider incurs in meeting these requirements. For further information on Institute vetting policy, including the Baseline Security Check (BSC), Enhanced Security Check (ESC) for access to sensitive materials consult the relevant policy pages on this site. If these checks are required the normal 28 day notice period for applications and payment may be extended to 6 months in order to complete sufficient security investigations.

Amongst other commitments attendees may also be required to limit personal movements in venues, limit communication with others on or before events, share data with European authorities and sign non-disclosure agreements. These requirements will be communicated to the applicant prior to an offer of a place at the event. With the exception of forfeiture of a place at the event the applicant or attendee will not suffer any further disadvantage for non-cooperation with special requirements.

In lieu of a current EU or NATO security clearance of any level, written authority at UN ASG, NATO OF-6 or EU DDG level, enhanced security investigations with necessary and justifiable "need-to-know/attend" will be accepted. Photographic proof of identity will be requested at course registration.


By agreeing to these terms and conditions an attendee agrees to the following declaration:

"In applying for this event I hereby declare that I have no unlawful or unethical intent nor do I intend to use skills or knowledge gained therein to commit unlawful or unethical actions in the future. Furthermore, I recognise and attest to my on-going legal obligation not to pass on course material to others and not to misuse that material to commit or conspire in unlawful or unethical actions that undermine the rule of law.”

Policy reference: IEIS/0202/150706/1
Policy owner: Chair of the Institute
Authorised date: 06 July 2015
Operational date: 22 July 2015
Review schedule: Annual


This policy constitutes the Institute’s position on the use of personal information in fulfilling its obligations to the public.

Full policy

This policy constitutes the Institute's position on the use of personal information in fulfilling its obligations to the public.


This website is hosted by the Institute for European Intelligence and Security. Representatives of the Institute may be reached via the contact page.

The Institute needs to gather and use certain information about individuals in order to function. This can include contact details, security, medical, financial and other personal information. This policy describes the Institutes position on how this information must be collected, handled and stored.

This policy ensures that the Institute:

  • Complies with data protection law and follows good practice.
  • Protects the rights of individuals.
  • Stores and processes data in a transparent way.
  • Protects itself from the risks of data breach.

This policy applies to:

  • All staff and directors.
  • All volunteers and registrants.
  • All customers and other recipients of Institute services.
  • All contractors, suppliers and others working on behalf of the Institute.

The policy applies to all data that the Institute holds relating to identifiable individuals. This can include any information relating to individuals including but not limited to:

  • Sensitive information: Information which may be harmful to the data subject if inappropriately disclosed such as medical conditions, political or religions opinions, criminal convictions (inc. alleged offences), lifestyle profiles, financial stability, opinions/analysis etc.
  • Personal information: Information that is privately held or permanently linked to an individual such as full names, education, training, home postal addresses, personal e-mail addresses, home telephone numbers, etc.
  • Non-personal information: Information that is publicly available or not permanently linked to an individual such as work addresses, office telephone numbers/extensions, professional e-mail addresses, etc.

This policy helps to protect the Institute from data security risks, including:

  • Breaches of confidentiality.
  • Legal damages.
  • Reputational damage.

Policy Statement

Information provided to the Institute shall be treated in full accordance with the EU regulations and standards.

Personal data will:

  • Be processed fairly and lawfully.
  • Be obtained only for a specific and lawful purpose.
  • Be adequate, relevant and not excessive.
  • Be accurate and kept up to date.
  • Not be held longer than is necessary.
  • Processed in accordance with the rights of data subjects.
  • Protected proportionately.
  • Not be transferred outside of the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection.

Everyone who works for or with the Institute has some responsibility for ensuring data is collected, stored and handled in line with this policy and data protection principles. However, these roles have key areas of responsibility:

  • The central committee is ultimately responsible for ensuring that the Institute meets its legal obligations.
  • The data controller is responsible for:
    • Keeping the central committee updated about data protection responsibilities, risks and issues.
    • Conducting an annual review of all data protection procedures and related policies.
    • Arranging data protection training and advice for those covered by this policy.
    • Handling data protection questions from those covered by this policy.
    • Dealing with requests to view, correct or delete data the Institute holds about them.
    • Checking and approving any contracts or agreements with third parties that may handle the Institute's data.
    • Ensuring all systems, services and equipment used for storing data meets acceptable security standards.
    • Performing regular checks and scans to ensure security hardware and software is functioning properly.
    • Evaluating third-party services the Institute is considering using to store or process data.
    • Approving any data protection statements attached to communications.
    • Addressing data protection queries from journalists or media outlets.
    • Working with others to ensure any marketing activities abide by data protection principles.

All those covered by this policy are required to follow general protection guidelines for personal data:

  • Only those with a need to know should be able to access personal data.
  • Personal information should be formally requested and access authorised.
  • Access will not be granted to personal data until data protection training has been received.
  • Personal data must be kept secure.
  • Computers should be locked when unattended.
  • Strong passwords must be used, regularly changed and never shared.
  • Anyone possessing personal data is obligated to protect against unauthorised disclosure.
  • Personal data should be regularly reviewed and updated. If it is out of date or no longer required it should be safely disposed of in a manner that would prevent recovery.
  • Whenever possible personal data should be stored using pseudonymisation or anonymisation.
  • If unsure about any aspect of data protection request assistance from the data controller.

These guidelines describe how and where personal data should be safely stored. Further questions about storing data can be directed to the data controller:

  • All data should be stored securely in a compartmentalised fashion so as to prevent inadvertent unauthorised disclosure.
  • Physical files should not be left unattended but locked in a drawer or filing cabinet when not in use.
  • Physical files should be shredded when no longer required.
  • Electronic files should be protected from unauthorised access, accidental deletion and malicious hacking attempts.
  • If electronic files are stored on removable media, these should be locked away securely when not in use.
  • Electronic files should only be stored on designated drives and servers and not uploaded to cloud services.
  • Servers containing personal data should not be co-located in general office space.
  • Electronic data should be backed up incrementally and backups should be tested annually.
  • Electronic data should never be saved directly to mobile devices.
  • All servers and computers containing personal data should be protected by approved security software.

Personal data is at the greatest risk of loss, corruption or theft at the point of access. Therefore, personal data should:

  • Be securely communicated.
  • Be encrypted before being transferred electronically.
  • Never be saved to private computers.
  • Always be accessed centrally.

The law requires that the Institute take reasonable and proportional steps to ensure data is accurate and up to date:

  • Data must only be held in as many places as is necessary. Unnecessary duplicates must not be created.
  • Every opportunity should be taken to verify and validate data.
  • The Institute must, where possible, enable others to update their own information.
  • Data should be updated as inaccuracies are discovered.

All individuals who are the subject of personal data held by the Institute are entitled to:

  • Ask what information the Institute holds about them and why.
  • Ash how to gain access to it.
  • Be informed how to keep it up to date.
  • Be informed how the Institute is meeting its data protection obligations.

Requests for subject information should be made by e-mail, addressed to the data controller at the link below. The data controller can supply standard request forms but individuals do not have to use these.

Once a request for personal data is made by a data subject the data controller must provide the relevant data within 1 month.

Prior to releasing subject information individuals may be required to pay an administrative fee not exceeding €50 and proportional to the expenses incurred in processing the request. The identity of an individual making a request must always be verified prior to the release of any personal information.

In limited circumstances, a subject may make a request to prevent processing if it causes damage or distress. To do so a request must be made by e-mail stating what the objection is, how processing is unwarranted and reasons why handling is causing damage or distress.

Privacy Policy

The Institute aims to ensure that individuals are aware that their data is being processed and that they understand:

  • How the data is being used.
  • How to exercise their rights under the law.

For the reasons described in this policy outline how personal data is used by the Institute.

The Chair of the Institute is a designated data controller for the purposes of this policy and relating legislation. The Institute takes takes great care to ensure that personal information is handled appropriately and confidence in their security and discretion is maintained.

The Institute may obtain personal information from a variety of open and closed sources, including government agencies, private individuals and organisations.

Personal information is typically processed by the Institute to facilitate, protect and promote the:

  • Interests of international security.
  • Prevention of public disorder, international crime and terrorism.
  • Maintenance of judicial authority and the rule of law.
  • Protection of the fundamental rights and freedoms others.

Personal and non-personal information may be processed in the legitimate interests of the Institute when those interests are not overridden by the interests of the fundamental rights and freedoms of the data subject. However, it is strictly prohibited for sensitive information to be processed for ancillary support purposes (e.g. routine administration, public relations, advertising and other marketing activities).

Our website automatically gathers some impersonal information from your computer such as your general location, when and what you viewed. This is collected to provide some insight into our visitors (e.g what pages to people like to visit most, from what countries and when?) so we can improve our site and services. None of the data our site gathers is specific enough to identify an individual.

Cookie policy: Cookies are very small text files that are stored on your computer when you visit some websites. We use cookies to help identify your computer so we can tailor your user experience and track changes you have made to parts of our site (e.g. e-learning entries, messages and other interactive elements). Our website statistics program also uses cookies so we can tell what pages you find most interesting so we can improve the performance of our site. You can prevent your browser storing cookies on your computer, but this may stop our website from functioning properly. Our cookies are designed to provide you with the best user experience. Functional cookies help programs on our website work and targetting cookies allow you to share our data with other websites.

The Institute will never make decisions that may affect an individual based solely upon the automated analysis of personal data.

By voluntarily submitting personal data to the Institute the data subject explicitly grants the Institute permission to process it for the purpose for which it was originally supplied and to retain it for as long as may be required to fulfil that purpose and satisfy any legal obligations relating to it.

The Institute ensures that personal information is handled lawfully and justifiably. Personal information must be as accurate and current as possible, adequate and not excessive to the task, in respect of individual's rights.

The Institute complies with the relevant parts of European data protection regulation, common security policies and ISO27001 information security standards.

Any data breach likely to result in risks to the rights and freedoms of individuals will be reported to the relevant authority within 72 hours of the data controller becoming aware of it.

Oversight: The Inspectorate is the independent regulator responsible for overseeing data protection compliance. In limited circumstances complaints may also be lodged with the relevant national data protection or supervisory authorities. To find out where your relevant authority is located please contact the data controller who will aim to address your query within 14 days.

Sensitive Data Policy

For legal and security reasons the Institute is required hold some sensitive data on data subjects (e.g. in order to satisfy legal obligations to conduct security checks on delegates). Sensitive information is subject to rigorous security standards and may only be used in the interests of public safety and security. The use of such information for ancillary support (e.g. routine administration, public relations, advertising and other marketing activities) is strictly prohibited.

When processing sensitive data, the Institute and its personnel are typically subject to national security, law-enforcement, research/analysis or third-party exemptions.

Related Policy

Risk assessment and mitigation is required whenever specific risks to the rights and freedoms of data subjects are identified. Recurring high risk functions have been identified in legal disclosure, security vetting and unsolicited communication. All risks have been mitigated or reduced through the application of security procedures. Further details are available upon request.

Additional security regulations outlined in 2013/488/EU surround the use of sensitive, privileged and classified material and form the basis of the Institutes standard operating procedure for the protection of that material.

Additional policies regarding the terms and conditions of sale and use of services provided by the Institute are provided in the Institutes general terms and conditions.

Policy reference: IEIS/0202/180524/1
Policy owner: Data Controller
Authorised date: 14 May 2018
Operational date: 25 May 2018
Review schedule: Annual