How we collect your personal data
We collect personal data both directly and indirectly:
Directly. We obtain personal data directly from individuals in a variety of ways, including but not limited to the following cases:
- an individual registers to attend in meetings and events we host and during attendance at such events;
- an individual participates in an interview or survey organised by us;
- an individual subscribes to our project newsletter;
- we establish cooperative relationships with an individual;
- we provide professional services pursuant to our contract with the European Commission.
Indirectly. We obtain personal data indirectly about individuals from a variety of sources, including:
- our research partners;
- our networks and contacts;
- public and open data sources such as public registers, news articles and internet searches;
- social and professional networking sites (e.g., LinkedIn).
Types of data we collect
We only collect the data that are necessary for the smooth implementation of our project. These data fall into the following categories:
- contact details (name/surname, e-mail address, phone number);
- professional information (job title, organisation, field of expertise);
- demographics (e.g., age, gender, nationality);
- information about what a person knows or believes;
- videos and photos (from people that attend our events).
Technical means of data collection
Your personal data may be collected on publicly available websites, through partners’ databases, via surveying software (e.g., Google Forms, EU Survey, SurveyMonkey) and via direct enquiry to you during project activities. Should we collect your personal data in any other way than through direct enquiry with you, we will make sure to inform you about this and about the source of the data.
Bases of lawful processing
We process personal data on the following legal bases:
- Legal obligations – for processing activities required for compliance both with applicable national and European legislation as well as with the specific legal and regulatory framework of the Horizon 2020 Framework Programme for Research and Innovation of the European Union.
- Consent – for processing activities such as organization of surveys and interviews, completing of questionnaires and dissemination of project’s results.
- Contractual obligations – for processing activities such as reporting to the European Commission and complying with project’s publicity obligations.
What we do with your personal data
We process your personal data with the purpose of:
- Conducting research (e.g., interviews, workshops, surveys);
- Disseminating our project results to different types of stakeholders;
- Sending invitations and providing access to guests attending our events and webinars;
- Administering, maintaining, and ensuring the security of our information systems, applications, and websites;
- Processing online requests or queries, including responding to communications from individuals;
- Complying with contractual, legal, and regulatory obligations.
How we secure your personal data when we process it
We manage your data using software compliant with the GDPR principles, namely the Microsoft 365 package, and security measures were outlined to guide our personnel when processing your data. Furthermore, REGILIENCE appointed a Data Protection Officer, Jen Heemann (IEECP), who can be contacted at firstname.lastname@example.org.
Sharing personal data with third parties
We may occasionally share personal data with trusted third parties to help us deliver efficient and quality services. When we do so, we ensure that recipients are contractually bound to safeguard the data we entrust to them before we share the data. We may engage with several or all the following categories of recipients:
- Parties that support us as we provide our services (e.g., cloud-based software services such as Microsoft Sharepoint);
- Our professional advisers, including lawyers, auditors, and insurers;
- Dissemination services providers (e.g., MailChimp);
- We share visitors’ Personal Information with third parties to help us use their Personal Information. We will use a statistics tracker to help us understand how our audience uses the REGILIENCE website. More about how Google uses visitors’ Personal Information. One can also opt-out of Google Analytics;
- Law enforcement or other government and regulatory agencies or other third parties as required by, and in accordance with applicable law or regulation;
- The European Commission according to our relevant contractual obligations.
Transferring personal data outside the European Economic Area
We do not own file servers located outside the European Economic Area (EEA). However, some partners may use cloud and/or marketing services from reputable providers such as Google Drive, SharePoint, DropBox, MailChimp, etc., situated both inside and outside the EEA. We always check that such providers comply with the relevant GDPR requirements before start using their services.
You have the following rights regarding our processing of your personal data:
- Right to withdraw consent – You can withdraw consent that you have previously given to one or more specified purposes to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent.
- Right of access – You can ask us to verify whether we are processing personal data about you and, if so, to have access to a copy of such data.
- Right to rectification and erasure – You can ask us to correct our records if you believe they contain incorrect or incomplete information about you or ask us to erase your personal data after you withdraw your consent to processing or when we no longer need it for the purpose it was originally collected.
- Right to restriction of processing – You can ask us to temporarily restrict our processing of your personal data if you contest the accuracy of your personal data, prefer to restrict its use rather than having us erase it, or need us to preserve it for you to establish, exercise or defend a legal claim. A temporary restriction may apply while verifying whether we have overriding legitimate grounds to process it. You can ask us to inform you before we lift that temporary processing restriction.
- Right to data portability – In some circumstances, where you have provided personal data to us, you can ask us to transmit that personal data (in a structured, commonly used, and machine-readable format) directly to another entity.
- Right to object – You can object to our use of your personal data for direct marketing purposes, including profiling or where processing has taken the form of automated decision-making. However, we may need to keep some minimal information (e.g., e-mail address) to comply with your request to cease marketing to you.
- Right to make a complaint to your local Data Protection Authority (DPA) regarding any concerns you may have about our data handling practices (see: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm).
We will promptly examine your request against the relevant requirements of the laws and regulations governing privacy and personal data protection and we will answer the latest within 30 days after receiving your request. We will ask from you some kind of identification (e.g., photocopy of your identity card or passport) to avoid non-authorized reveal of your personal data. If, for reasons of complexity of the request or a multitude of requests, we are unable to respond promptly, we will notify you within 30 days of any delay, which in no case may exceed two months from the expiration of the 30-day deadline.
How long we retain personal data
We retain personal data to provide our services, stay in contact with you and to comply with applicable laws, regulations, and contractual obligations to which we are subject. Please note that we have an obligation to retain data concerning projects funded by the Horizon 2020 Framework Programme for Research and Innovation of the European Union for up to five years after the end of the project (unless further retention is requested by auditors). After the expiry of the retention period, and unless further legitimate grounds for retention arise, we will dispose of personal data in a secure manner.
Disclaimer of liability for third party websites
We may also provide social media features that allow you to share information on your social networks and interact with our project on various social media sites. The use of these social media features may result in the collection or sharing of information about you. We recommend that you check the privacy policies and regulations of the social networking sites you interact with, so that you can be sure that you understand what information may be collected, used, and disclosed by these sites.