How the EIC Accelerator collects, shares and safeguards personal data: responsibilities, partners and practical risks

Brussels, June 1st 2023

Summary

›The EIC Accelerator application, selection and contract management are run by EISMEA with the EIC Fund as joint controller under EU data rules.
›Personal data flow to multiple partners including the EIB, Alter Domus and Dealflow for investment due diligence and investor matching.
›Processing is based on a mix of public interest and explicit consent so applicants must expect both mandatory and optional data sharing.
›Data retention can be long, up to 10 years for beneficiaries and in some limited cases up to 25 years for research and statistical archiving.
›Technical logging, cookies and analytics are used and third party online tools may be involved for helpdesk and video interviews.
›AI may assist internal processing but decisions remain with human evaluators and jury panels.

What applicants need to know about EIC Accelerator data handling

If you apply to the European Innovation Council Accelerator you are entering a multi-stage process that collects and shares personal data across EU agencies, investment partners and contractors. The system mixes mandatory administrative checks with optional consent-based exchanges intended to help applicants find additional finance or coaching. Below is a structured explanation of who controls and processes your data, what is collected, who may see it, how long it is kept and where the practical risks lie.

Who runs the process and on what legal basis

The European Innovation Council and SMEs Executive Agency or EISMEA administers the EIC Accelerator programme. The EIC Fund is a separate entity responsible for the investment component. For data protection the two act as joint data controllers under Regulation (EU) 2018/1725. Processing is carried out to implement Horizon Europe programme tasks and therefore relies primarily on a public interest legal basis. Certain nonmandatory personal data exchanges and third party matches are handled on the basis of the applicant's explicit prior consent.

Joint controllers:EISMEA (the managing executive agency for the EIC) and the EIC Fund jointly control processing related to submission, evaluation, contracting and the EIC Fund investment flows.

Primary legal basis:Regulation (EU) 2018/1725 governing EU institutions and bodies, applied alongside Horizon Europe legal acts. Processing combines necessity for a public task and explicit consent for optional data sharing.

What personal data are collected

The programme collects standard identification and professional data about applicants and team members plus application material. Mandatory items include name, contact details, CV and project documentation. For jury interviews and practical access to meetings additional identity checks may be required such as date of birth, passport or ID number, employment contracts or salary slips when these are needed to verify legal representation of a company. Optional items include profile photos and links to social profiles which are processed only with explicit consent.

EU Login and PIC:Applicants must use EU Login credentials and obtain a Participant Identification Code. EU Login is the Commission authentication service and has its own privacy statement. The EIC platforms store EU Login identifiers and related basic account data to link users to applications.

How personal data are used in the application and selection flow

The EIC Accelerator follows a stepwise process. Each step requires particular data and may involve different recipients or contractors. Personal data is used for assessment, to match applicants with coaches or investors and to prepare grant or investment agreements. Where applicants opt in, selected information may be shared with national or regional actors to secure alternative funding and to support follow-up services.

Step 1 short proposal:Applicants submit a short proposal online including a video and pitch deck. These materials are evaluated remotely by EIC evaluators. Applicants need a PIC and EU Login to submit. With consent, proposal material or a limited set of data may be shared with National Contact Points, Enterprise Europe Network members and other relevant public bodies for additional support.

Step 2 full proposal and coaching:Successful Step 1 applicants prepare a full proposal in the Funding and Tenders portal. They may request an EIC business coach from a prequalified list. Coaches are contracted by EISMEA and will see application material necessary to provide coaching.

Interviews and jury selection:Step 2 successful candidates are invited to a face to face or online interview with an EIC jury. Jury members are drawn from Horizon Europe expert pools. For physical meetings identity documentation can be required to enable access to Commission or Agency premises.

Seal of Excellence and external funding:If applicants receive a Seal of Excellence they must agree to share proposal or selected data with national or regional funding authorities to facilitate alternative support. That sharing depends on the applicant's consent.

Third party partners, contractors and recipients

Several external partners are explicitly named in the EIC data notice for operational reasons. These entities perform investment advisory, due diligence, accounting and investor matching roles. In addition there are standard recipients such as internal auditors and oversight bodies who can access data where legally required.

European Investment Bank (EIB):The EIB acts as investment adviser to the EIC Fund. EIB staff and authorised contractors may receive data to conduct due diligence on candidates for the EU funded equity component.

Alter Domus Luxembourg S.à r.l.:Alter Domus supports 'Know your Company' checks for potential beneficiaries, participates in valuation, provides detailed data to the EIC Board for investment decisions and acts as accountant and paymaster for the EIC Fund.

Dealflow.eu BV:Dealflow.eu helps present selected companies to potential co-investors, analyses documentation, supports pitch decks, organises e-pitching and undertakes additional due diligence.

Other recipients:Authorised staff in EU institutions, auditors such as the European Court of Auditors, the European Anti-Fraud Office OLAF, the European Public Prosecutor's Office and national law enforcement bodies may access data where legally required. Data may also be shared with National Contact Points and Enterprise Europe Network members only when applicants consent to such sharing.

Automated processing, AI and human oversight

The EIC notice indicates that Artificial Intelligence tools may assist data processing and structuring. However the selection and funding decisions are taken by human evaluators and jury panels. The EIC states explicitly that no fully automated decision making is used for grant or investment decisions. Applicants should nonetheless be aware that AI may influence internal sorting, triage or search activities prior to human review.

No automated decisions:While AI may assist processing and data management, final decisions about awards and investments remain with natural persons.

Storage, security, logging and cookies

Application data are stored on European Commission or Agency servers and on authorised contractors systems. Processing follows Commission security rules and contracts include confidentiality obligations. Activity logging captures IP addresses, browser information and session events for trend analysis and security. An analytics tool such as Matomo is used for aggregated statistics. Session cookies are required for platform functionality and some optional cookies improve usability.

Site logging and analytics:Firewalls, web server logs and analytics record behaviour to improve services and detect misuse. Personally identifiable information may be kept for auditing and security investigations.

Record type	Retention period stated in notice	Purpose
Selected EIC experts and coaches' personal data	7 years after the end of the programme	Future expert lists and accountability
Applicants invited to jury interviews specific ID documents	6 months from the last day of the interview week	Verification of company representation and access control for physical meetings
Personal data of funded EIC Accelerator beneficiaries	10 years after the end of the year following programme closure	Contract compliance and audits
Unsuccessful or withdrawn applications	Up to 5 years after evaluation closure	Record keeping and dispute handling
Limited categories retained for scientific or statistical research	Up to 25 years unless objection is exercised	Long term research and historical archiving

Data subject rights and contacts

Applicants have the standard rights under Regulation (EU) 2018/1725. That includes access, rectification, erasure, restriction, portability where applicable and the right to withdraw consent for optional processing. Some rights can be limited by law for specific reasons. Requests are handled within one month and applicants can contact the EISMEA helpdesk, the agency Data Protection Officer or the European Data Protection Supervisor.

How to contact and exercise your rights:Use the EISMEA helpdesk at EISMEA - SME - HELPDESK@ec.europa.eu for operational queries. For data protection concerns contact EISMEA-DPO@ec.europa.eu. Recourse to the European Data Protection Supervisor is available if you believe your rights are breached.

Vulnerabilities and reporting channels

The Commission maintains a Vulnerability Disclosure Policy. Security researchers acting in good faith and following the policy will not face legal action for responsible reporting. Reports should be emailed to the Commission vulnerability address and encrypted where possible. For suspected fraud and misuse of EU funds the European Anti-Fraud Office OLAF operates a Fraud Notification System to receive allegations anonymously.

Vulnerability reporting email:EC-VULNERABILITY-DISCLOSURE@ec.europa.eu is the designated channel. The Commission requests use of its PGP key to secure sensitive information in reports.

Report fraud to OLAF:Use OLAF's Fraud Notification System for allegations of fraud affecting EU funds. Anonymous reporting is possible and OLAF will acknowledge receipt when a contact address is provided.

Practical implications and risks for applicants

The EIC processes significant and sometimes sensitive company data as part of grant and investment evaluation. Applicants should weigh the benefits of optional consent-based sharing against the wider distribution of material to investors, coaches and national bodies. Data transfers to third party contractors and long retention periods increase exposure. While contractual and technical measures are in place, vendor risk, cross-border transfers and the use of third party conferencing tools are realistic privacy and security points to consider before uploading sensitive personal or proprietary information.

Practical recommendations

Minimise disclosure of unnecessary PII in proposal materials. Use redaction for highly sensitive documents unless explicitly requested. Review coach and investor confidentiality arrangements before consenting to broad sharing. Keep copies of consents you provide and track where proposal material is sent. If you have legal or compliance concerns seek tailored advice before entering the investment due diligence phase.

Where to find the rules and governance documents

Key sources include Regulation (EU) 2018/1725 on data processing by EU institutions, Horizon Europe legal acts and the EIC work programme and EIC Fund investment guidelines. The EISMEA and European Commission websites host the data protection notice, terms of use for EU Login and guidance on National Contact Points and the Funding and Tenders portal.