CREST Data Protection Notice for the processing of personal data not obtained from the data subject (art. 14(5)(b) GDPR)

The purpose of this data protection notice is to inform data subjects from whom consent cannot be obtained about the processing of their personal data. In accordance with art. 14(5)(b) GDPR this information is provided via the project’s website.

This notice refers to one module of the CREST platform which is responsible for collection of data from online sources. Data will be collected from Twitter and include the following categories of information: Twitter posts (i.e., tweets), Twitter account information, and Twitter user interactions. Considering the technical nature of the module and limitations imposed by the research design (i.e. scale) it is considered that informing those data subjects directly would involve a disproportionate effort.

  1. The Project

CREST’s (EC Horizon 2020 Project CREST, GA Nr. 833464) overall objective is to improve the effectiveness and efficiency of law enforcement intelligence, operation, and investigation capabilities. These services are built upon the concept of multidimensional integration and correlation of heterogeneous multimodal data streams and delivery of pertinent information to different stakeholders in an interactive manner tailored to their needs.

The CREST solution encompasses the entire lifecycle of law enforcement operations including intelligence gathering and operation planning, as well as mission execution, and investigation. CREST will enhance the operational and (near) real-time situational awareness by developing an innovative prediction, prevention, operation, and investigation platform equipped with tools for the automated detection, identification, assessment, fusion, and correlation of evidence acquired from heterogeneous multimodal data streams. Such data streams include Surface/Deep/Dark Web and social media sources and interactions, IoT-enabled devices, surveillance cameras (fixed, wearable, or mounted on Unmanned Aerial and Ground Vehicles (UxVs)), as well as seized devices and hard disks. CREST will also facilitate the information sharing and exchange of evidence among LEAs from different jurisdictions with the goal to support path-to-court.

CREST will be validated in field test and demonstrations in three Pilot Use Cases (PUCs):

  • PUC1: Protection of public figures in motorcades and public spaces;
  • PUC2: Counter terrorism security in crowded areas;
  • PUC3: Cross-border fight against organised crime.

In these three PUCs data will be collected by simulating real-world events. This data will then be used to assist the development and validation of the CREST platform. To demonstrate the applicability, validity and usability of the CREST platform, each PUC will be tested in three pilot demonstrations. The 1st pilot demonstration is currently scheduled to take place on June/July, 2021 whereas the 2nd and the 3rd pilot demonstrations are planned to run in April/May 2022 and January 2023, respectively.

2. Key Contacts

The following table provides a detailed list of the primary contacts for the CREST PUCs:

Ovidiu DumitracheSPPdumitrache.ovidiu@spp.roProject Coordinator
Dragoș OprianSPPoprian.dragos@spp.roCREST Data Protection Officer Pilot Use Case 1 Data Protection Officer
Eugen BadeaSPPeugen.badea@spp.roPilot Use Case 1 Lead
Max Use Case 2 Lead
Jürgen Use Case 2 Data Protection Officer
Christian Use Case 3 Lead
Holger Use Case 3 Data Protection Officer
Sylvie DiasPJsylvie.dias@pj.ptPilot Use Case 3 Demonstration Lead
Armando MachadoPJepd-dpo@pj.ptPilot Use Case 3 Demonstration Data Protection Officer

3. Data Processing

The purpose of data collection in this project is to help improve law enforcement operation and investigation through research in the development of the CREST platform. The legal basis under which the data shall be processed is article 6(1)(f) GDPR. The legitimate interest of the controllers lies with the pursuit of scientific research purposes confirmed by the European Commission. Such data will be collected by the social media crawling methods that will be tested in the context of the CREST pilots.

Within this Data Protection Notice you have been given the contact details of the relevant project representatives and of CREST DPO (see Section 2) should you have any questions regarding the processing of your personal data.

What personal data is being processed?

The following categories of personal data publicly available on social media will be collected and processed:

  • Twitter posts (i.e., tweets), including the language, textual content, hashtags, images and videos, as well as the number of retweets;
  • Twitter account information, including the usernames(1) , descriptions, locations, as well as the number of friends, followers and favourites;
  • Twitter account interactions, including user mentions.

No special categories of personal data (art. 9(1) GDPR, art. 10 GDPR) will be collected. All data will be collected in accordance with the licenses and terms & conditions of the data providers. All data will be gathered only from public accounts, with the permission defined by the social media platforms/Web forum communities and in compliance with the respective terms of use, thus in accordance with user expectation of privacy. All collected data will be pseudonymised. Data minimization will also be applied, i.e., only data that are necessary for the purposes of the project will be processed. Further, details are provided in the “What is the purpose of the processing” section.

What is the purpose of the processing?

All PUC pilots will include the validation of proof-of-concept tools that aim to crawl the Twitter platform to simulate the gathering of online material relevant to an investigation. In particular, online social media keyword-based searches will take place in the context of the CREST pilots, where content posted by real users will be collected. The scope of keyword-based searches cannot be technically limited to the point where it would exclude real users; therefore for testing this functionality it is necessary to involve participants who have not signed a consent form.

The data collected from identified social media will be pseudonymised. The username will be hashed during collection (implementing the privacy by design principle) based on a one-way cryptographic hash function (e.g., SHA 256), ensuring that from the derived hash value it is infeasible to obtain the original username, while the content of the social media posts will remain as is. In accordance with the data minimisation principle, only the parts of the social media posts that are deemed necessary for the project’s objectives will be processed subject to a privacy-by-design technique, while the majority will be deleted immediately. These data will be required for the duration of the project: (i) for scientific research purposes, (ii) to facilitate the functionality of other modules of the project, and (iii) for demonstration purposes. After the end of that period (February, 2023), secure deletion tools will be applied by the members of the CREST Joint Controllership agreement (see section “Will the collected data be shared?” for more details), that will make the data irretrievable.

All data will be collected in accordance with the licenses and terms & conditions of the data providers. All data will be gathered only from public accounts, with the permission defined by the social media platforms and in compliance with the respective terms of use, thus in accordance with user expectation of privacy.

Will the collected data be shared?

The information collected will be jointly shared with members of the CREST Consortium, with the exception of the University of Vienna (UNIVIE), Victim Support Europe AISBL (VSE), National University of Ireland Maynooth (NUIM)  and Serviciul de Protecţie şi Pază de Stat (SPPS). All other members of the Consortium (as listed in the following table) are part of a Joint Data Controllership Agreement. This is in accordance with Article 26 of the GDPR and any interested party may contact the Project Coordinator Mihai Simionescu ( for further information. The collection and sharing of this data is necessary for the evaluation process and assessing the validity of the results, and using the results will help develop the CREST platform. Collected data will be shared with joint controllers based outside the EU, i.e. in Israel (MSIL) and the UK (SHU). The transfers will be based on either an adequacy decision (MSIL) or Standard Contractual Clauses (SHU). A copy of Standard Contractual Clauses can be obtained via the CREST DPO.

Participant no.Participant organisation nameParticipant short nameCountry
9COPTING GMBHCoptingGermany

Who will be responsible for all of the data when this study is over?

All CREST partners acting as Joint Controllers of the collected personal data (see above).

Will it be stored? How long for?

The information will be kept for the lifetime of the CREST project which is expected to end in February 2023.

Will the collected personal data be used for other purposes?

No. Social media users’ information gathered in CREST will not be used for any other purposes outside of those specified in this document.

Will the collected data be processed by automated tools supporting decision-making?

Your data will be used for developing a proof-of-concept platform which involves automated tools processing the content gathered with the goal to support the platform operators in decision-making. Data collected from you will only be used to test the capabilities of the CREST platform and you will not suffer any consequences of such automated processing supporting decision-making. After hashing of your account information the researchers will not be able to trace back your data back to you.

4. Your Rights

You have the right to:

  • Request information about whether we hold personal information about you, and, if so, what that information is and why we are holding it. This information shall be provided within a reasonable period after obtaining the personal data, but at the latest within one month.
  • Request access to your personal information. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request rectification of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you.
  • Request transfer of your personal information in an electronic and structured form to you or to another party (right to “data portability”). This enables you to take your data from us in an electronically useable format and to be able to transfer your data to another party in an electronically useable format.
  • Lodge a complaint with the Romanian Data Protection Authority (
  • For the exercise of your rights and for any other data-related information you may contact CREST/SPP Data Protection Officer, Mr. Dragos Oprian:

(1) All usernames collected are pseudonymised before stored in the CREST platform. See section “What is the purpose of the processing?” for more details.

(2) MPD will replace Police Service Northern Ireland (PSNI) which has withdrawn its participation from CREST consortium in January 2021. At the time of this writing, an Amendment addressing this issue is under review by the European Commission.