Privacy Policy
LAST UPDATED 19/07/23
Thank you for visiting the DIDYMOS-XR website.
- Who we are.
DIDYMOS-XR (hereinafter referred to as “DIDYMOS-XR”, “we”, or “our”) is a three-year project that began in January 2023. The project is funded by the European Union (“EU”) under grant number 101092875, with UK-based consortium partner Trilateral Research Limited, UK (“TRI UK”) funded by UK Research and Innovation (“UKRI”) under the UK government’s Horizon Europe funding guarantee (grant number: 10069394).
For further information, we can be contacted at didymos-xr-office@joanneum.at.
- Scope of this Privacy Policy
This privacy policy concerns the processing of personal data due to the operation of the DIDYMOS-XR project website. It aims to inform website visitors, our partners, and other stakeholders about how we process personal data, and covers both the personal data that you provide us with through the website, and the personal data that you see on our website. We are committed to processing personal data responsibly, securely, and proportionally throughout our activities in compliance with the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter “GDPR”).
- How we collect your personal data
We collect personal data both directly and indirectly from individuals.
Directly:
- We obtain personal data directly from individuals when you subscribe to our newsletter.
Indirectly.
- We obtain personal data indirectly about individuals to, inter alia, identify recurring visitors to the project website. This data is then collected and analysed through a Matomo Analytics plug-in, which provides aggregated statistical information.
- The types of personal data we collect.
We collect and process the following types of personal data about individuals, including:
- Contact details (e.g., name, affiliation, job title, e-mail address).
- Online identifiers (e.g., web visitor profile, IP address, geolocation, etc.) which are collected for research purposes to better understand the types of visitors accessing the DIDYMOS-XR website and what content they are engaging with.
- The lawful bases for processing your personal data.
For the personal data processed through the DIDYMOS-XR website, the GDPR will be applicable. We process personal data on the following bases:
Consent (Art.6(1)(a) GDPR)
- When you provide us with your personal data directly, for example when you subscribe to our newsletter.
- When we have received consent to publish personal data, for example a blog post from one of our researchers.
Legal obligations (Art.6(1)(c) GDPR)
- We may process personal data in order to meet any legal obligation requiring us to do so, e.g., reporting to the European Commission and disseminating project results to multiple audiences, including the media and general public.
Legitimate interests (Art.6(1)(f) GDPR)
- We process personal data when it is necessary for us to achieve the following legitimate interests:
- Enhancing our research delivery; and
- Undertaking dissemination activities.
- What we do with your personal data
We process your personal data for the following purposes:
- Promoting our research to different types of stakeholder;
- Administering, maintaining and ensuring the security of our information systems, applications and website;
- Processing online requests or queries, including responding to communications from individuals;
- Complying with legal and regulatory obligations.
- How we secure your personal data when we process it
We have put appropriate technical and organisational security policies and procedures in place to protect personal data (including sensitive personal data) from loss, misuse, alteration or destruction. Where possible, we aim to ensure that access to your personal data is password-protected. We encrypt all data stored at our central location and data are restricted only to those who need to access it. Those individuals who have access to the data are required to maintain the confidentiality of such information. We install and regularly update all security and anti-virus software in use on all of our systems. Nevertheless, please be aware that the transmission of data via the internet is not completely secure. This means that whilst we do our best to protect your personal data, we cannot completely guarantee the security or privacy of your personal data transmitted to our site.
- Do we share personal data with third parties?
The DIDYMOS-XR consortium will generally not share personal information with anyone except the European Commission if it so requests. All partners will treat information received from other partners as confidential and will not disclose it to third parties, unless it is obvious that the information is already publicly available or there is a legal obligation to do so. The partners will impose the same obligations on their employees and suppliers.
We may occasionally share personal data with trusted third parties, such as those listed below, to help us deliver efficient and quality services. When we do so, we ensure that recipients are contractually bound to safeguard the data we entrust to them before we actually share the data. We may engage with several or all of the following categories of recipients:
- Parties that support us as we provide our services (e.g., cloud-based software services such as NextCloud, Microsoft Sharepoint, Matomo Analytics).
- Our professional advisers, including lawyers, auditors and insurers.
- Payment services providers
- Marketing services providers (e.g., Zoho, Hootsuite)
- Law enforcement or other government and regulatory agencies (e.g., tax authorities such as the HMRC) or to other third parties as required by, and in accordance with, applicable law or regulation.
- The European Commission (EC) when we are required by them to do so in relation to our work with them on EC-funded Horizon Europe projects.
- Do we transfer your personal data outside the European Economic Area?
We store all personal data on servers located within the European Economic Area (“EEA”). However, we may also transfer personal data to recipients that may be situated outside the EU. Concerning the processing of personal data by TRI UK, in 2021 the European Commission adopted an adequacy decision to enable the free flow of personal data from the EU to the UK, where it benefits from an essentially equivalent level of protection to that guaranteed under EU law.
- Do we use cookies?
Cookies are small text files that are placed on your computer in order to improve function on websites and to provide information to the owners of the website about its use by visitors. Where cookies are used on our website, a statement will be sent to your browser explaining the use of cookies. Visitors have the option to remove cookies from our website. If you disable the use of cookies, this may result in the loss of website functionalities. To learn more, please refer to our cookie policy.
- Your data protection rights.
By emailing us at didymos-xr-office@joanneum.at, you can exercise your rights as a data subject in relation to your personal data that we process, including:
- Right to Withdraw Consent (Art.7(3) GDPR) – You can withdraw your consent that you have previously given to one or more specified purposes to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. It may mean we are not able to provide certain products or services to you and we will advise you if this is the case.
- Right of access (Art.15 GDPR) – You can ask us to verify whether we are processing personal data about you, and if so, to have access to a copy of such data.
- Right to rectification (Art.16 GDPR) and erasure (Art.17 GDPR) – You can ask us to correct our records if you believe they contain incorrect or incomplete information about you or ask us to erase your personal data after you withdraw your consent to processing or when we no longer need it for the purpose it was originally collected.
- Right to restriction of processing (Art.18 GDPR) – You can ask us to temporarily restrict our processing of your personal data if you contest the accuracy of your personal data, prefer to restrict its use rather than having us erase it, or need us to preserve it for you to establish, exercise, or defend a legal claim. A temporary restriction may apply while verifying whether we have overriding legitimate grounds to process it. You can ask us to inform you before we lift that temporary processing restriction.
- Right to data portability (Art.20 GDPR) – In some circumstances, where you have provided personal data to us, you can ask us to transmit that personal data (in a structured, commonly used, and machine-readable format) directly to another company.
- Right to object (Art.21 GDPR)– You can object to our use of your personal data for direct marketing purposes, including profiling or where processing has taken the form of automated decision making. However, we may need to keep some minimal information (e.g., email address) to comply with your request to cease marketing to you.
- Right to make a complaint (Art.77 GDPR) – You can lodge a complaint with the data protection supervisory authority in the Member State in which you reside, work, or where the alleged infringement took place.
- A list of national supervisory authorities can be found here: https://edpb.europa.eu/about-edpb/about-edpb/members_en. Please note that by following the link you will be re-directed to a third-party website.
- For UK-based complaints and/or complainants, please contact the UK Information Commissioner’s Office (“ICO”) regarding any concerns you may have about our data handling practices. Please note the following link will re-direct you to a third-party website: https://ico.org.uk/make-a-complaint/.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it. No fee is required to make an initial request unless your request is clearly unfounded or excessive. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.
- How long do we retain personal data?
We retain personal data to provide our services, stay in contact with you and to comply with applicable laws, regulations and professional obligations that we are subject to. Unless a different time frame applies as a result of business needs or specific legal, regulatory, or contractual requirements, we retain personal data for a period of 12 months after the research project ends. However, please note that we have an obligation to retain data concerning European Union research projects (e.g., Horizon Europe) for up to 5 years after the end of the project (unless further retention is requested by auditors).
As the records and documentation containing personal data have been collected within the delivery of an EC project, we expect that the EC will process it in compliance with Regulation No 2018/1725 on the protection of natural persons with regard to the processing of personal data by Union institutions, bodies, offices and agencies. After the expiry of the retention period, and unless further legitimate grounds for retention arise, we will dispose of personal data in a secure manner.
- Do we link to other websites?
Our websites may contain links to other sites, including the sites of the consortium partners, which are not governed by this privacy policy. Please review the destination websites’ privacy policies before submitting personal data on those sites. Whilst we try to link only to sites that share our high standards and respect for privacy, we are not responsible for the content, security, or privacy practices employed by other sites.
- Do we change this Privacy Notice?
We regularly review this privacy policy and will post any updates to it on this webpage. This privacy policy was last updated 19/07/23.
- Contact us.
If you have any concerns as to how your data is processed, you can contact us via email at didymos-xr-office@joanneum.at.
We will respond to your queries within 30 days from when we receive them.