Privacy Policy

Definitions

• Personal Data
  Any information that directly, indirectly, or in connection with other information — including a personal identification number — allows for the identification or identifiability of a natural person.
• Usage Data
  Information collected automatically through this Website (or third-party services employed in this Website), which can include: the IP addresses or domain names of the computers utilized by the Users who use this Website, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server's answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by the User, the various time details per visit (e.g., the time spent on each page within the website) and the details about the path followed within the website with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User's IT environment.
• User
  The individual using this Website and the other digital tools provide by the Research Infrastructure, who, unless otherwise specified, coincides with the Data Subject.
• Data Subject
  The natural person to whom the Personal Data refers.
• Data Controller
  The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including the security measures concerning the operation and use of this Website.
• Data Processor
  The natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, as described in this privacy policy.
• Cookie
  Cookies are Trackers consisting of small sets of data stored in the User's browser by visited websites.
• Tracker
  Tracker indicates any technology - e.g Cookies, unique identifiers, web beacons, embedded scripts, e-tags and fingerprinting - that enables the tracking of Users, for example by accessing or storing information on the User’s device
• Processing
  Processing is any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• Restriction of processing
  Restriction of processing is the marking of stored Personal Data with the aim of limiting their processing in the future.
• Profiling
  Profiling means any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
• Proposal
  A proposal is an application for access to research infrastructures offered by NFFA-DI through the online proposal system implemented on this Website.
• Consent
  Consent of the Data Subject is any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.

Data Controllers

The Data Controllers are the project partners, here listed with the related points of contact for the management of Personal Data within NFFA-DI:

• Consiglio Nazionale delle Ricerche, Piazzale Aldo Moro 7, Rome 00185, Italy [dpo@cnr.it]
• AREA Science Park, Padriciano 99, Trieste 34149, Italy [TBD]
• Politecnico di Milano, Piazza Leonardo da Vinci 32, Milan 20133, Italy [TBD]
• Università degli Studi di Milano, Via Festa del Perdono 7, Milan 20122, Italy [dpo@unimi.it; supportodpo@unimi.it]

Each of the parties is a joint Data Controller in relation to the Personal Data being processed for providing access to the infrastructure or managing data services. CNR-IOM Director acts as a single point of contact on behalf of the whole group of parties (protocollo.iom@pec.cnr.it).

Types of Personal Data collected

The only Personal Data automatically collected when using this website, by itself or through third parties, are strictly necessary cookies that allow core website functionality such as User login and account management. The website cannot be used properly without strictly necessary cookies. 

Personal Data provided by the User by registering or authenticating are: Last name; Email address; Gender; Nationality; Affiliation; Affiliation address; Affiliation legal status; Job; Research role; ORCID; Password.

The User registers by filling out the registration form and providing the Personal Data directly to this Website.

Mode and place of processing the Personal Data

Methods of processing

NFFA-DI takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Personal Data.
The Personal Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. Within our organization, your information is stored on password-protected servers that are accessible only to a limited group of people. All Data Controllers undertake to instruct and educate individuals who will have access to the data. In some cases, the Personal Data may be accessible to external parties appointed as Data Processors by the Data Controllers. The updated list of these parties may be requested by the User at any time.

Legal basis of processing

The legal basis for the processing of Personal Data is the consent of the User, if he/she has registered on the portal but has never submitted a proposal to the infrastructure. On the other hand, once the User submits a proposal using the online form on the NFFA-DI portal, the lawfulness of the processing is related to the need to provide Personal Data for:

• the  execution of a contract with the User and/or for any pre-contractual obligations of the same;
• the fulfillment of a legal obligation to which the Data Controllers are subject;
• the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controllers;
• the purposes of the legitimate interests pursued by the Data Controllers.

Place

The Personal Data is processed at the Data Controllers' operating offices and in any other places where the involved Data Processors are located (Italy).

Retention time

Personal Data shall be processed and stored for a period of 10 years after the end of NFFA-DI project. However, where the processing solely based on the Data Subject consent, processing should not be pursued where the Users’ consent to processing is withdrawn before this date.
After this date all personal information will in principle be deleted from the servers. However, Personal Data may be continuing to be processed, including stored, for longer periods, solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with applicable legislation. This includes processing for statistical purposes by the NFFA-DI infrastructure.
The right of access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.

The purposes of processing

The Personal Data concerning the User is collected to allow the Data Controllers to provide its Service, comply with its legal obligations, respond to enforcement requests, protect its rights and interests (or those of its Users or third parties), detect any malicious or fraudulent activity, as well as for analytics purposes.
In any case, the processing operations will be carried out in such a way as to guarantee the security, confidentiality and availability of the data, according to principles of correctness, lawfulness and transparency, aimed at protecting the fundamental rights and freedoms of natural persons.

Specifically, Personal Data is collected for the following purposes and using the following services:

Registration and authentication

The Personal Data provided by registering or authenticating are required for the management and monitor of your activity as a User at the NFFA-DI facilities and the submission of communications which may be interesting to Users, concerning NFFA-DI and/or Calls for Proposals.

Authentication to NFFA-DI services and data and metadata management tools

Users’ credentials provided by registering or authenticating to this Website also guarantee the access to different types of services and data and metadata management tools. The Personal Data is stored for registration or identification purposes only. The Personal Data collected are only those necessary for the provision of the services. The updated list of these services may be requested by the User at any time.

Proposal review process

Submitted Proposals are first checked for technical feasibility by technical experts internal to the project (TLNet), then evaluated and ranked according to scientific merit by an external panel of reviewers (ARP).

Data Processors: Access Review Panel members

Internal statistics and periodic reporting purposes

The Personal Data collected are required for compliance of NFFA-DI project with any legal, contractual and regulatory obligation in relation to the European Commission, auditors and corporate statutory and auditing bodies, project coordinators and/or partners. Personal Data are also used for internal project statistics.

User database management

The database allows the Data Controllers to build user profiles by using the information that the User provides to this Website and to manage authorizations. Some of the services also enable the sending of timed messages to the User, such as emails based on specific actions performed on this Website and on related platforms.

Data Processors: Promoscience Srl, eXact Lab Srl

Hosting and backend infrastructure

This type of service has the purpose of hosting the password-protected servers that enable this Website and NFFA-DI Datashare platform to run and be distributed as well as to provide a ready-made infrastructure to run specific features or parts of this Website. It also allows to save and manage backups of this Website on external servers managed by the service provider itself. The backups may include the source code and content as well as the data that the User provides to this Website. The partner offering these services is Università degli Studi di Milano.

The rights of Users

Users may exercise the following rights regarding their Personal Data processed by the Data Controllers:

• Withdraw their consent at any time: Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.
• Object to processing of their Personal Data: Users have the right to object to the processing of their Personal Data if the processing is carried out on a legal basis other than consent.
• Access their Personal Data: Users have the right to learn if Personal Data is being processed by the Data Controllers, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Personal Data undergoing processing.
• Verify and seek rectification: Users have the right to verify the accuracy of their Personal Data and ask for it to be updated or corrected.
• Restrict the processing of their Personal Data: Users have the right, under certain circumstances, to restrict the processing of their Personal Data. In this case, the Data Controllers will not process their Personal Data for any purpose other than storing it.
• Have their Personal Data deleted or otherwise removed: Users have the right, as long as their Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed or other compatible purposes, to obtain their erasure from the Data Controllers.
• Receive their Personal Data and have it transferred to another Controller: Users have the right to receive their Personal Data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to another Controller without any hindrance. This provision is applicable provided that the Personal Data is processed by automated means and that the processing is based on the User's consent, on a contract which the User is part of or on pre-contractual obligations thereof.
• Lodge a complaint: Users have the right to bring a claim before their competent data protection authority.

Any requests to exercise User rights can be directed to the Data Controllers through the contact details provided in this document.

Additional information

Legal action

The User's Personal Data may be used for legal purposes by the Data Controllers in Court or in the stages leading to possible legal action arising from improper use of this Website or the related Services.
The User declares to be aware that the Data Controllers may be required to reveal personal data upon request of public authorities.

Changes to this privacy policy

The Data Controllers reserve the right to make changes to this privacy policy at any time by notifying its Users on this page. It is strongly recommended to check this page often, referring to the date of the last modification listed at the bottom.
Should the changes affect processing activities performed on the basis of the User’s consent, the Data Controllers shall collect new consent from the User, where required.