The iFLEX project (which includes its pilots) is in compliance with the General Data Protection Regulation (GDPR) which governs the way that organisations use personal data. Personal data is information relating to an identifiable living individual.
The project partners in iFLEX are Joint Data Controllers and have therefore entered into a Joint Controller Agreement. Contact details are provided below. If you are a participant in one of the project’s pilots, your pilot host is your main point of contact.
We may collect your personal data if you participate in one of our public surveys and/or if you participate in a specific pilot. You can find more details on public surveys below in the section “Public Surveys”.
Transparency is a key element of the GDPR and this Privacy Notice is designed to inform you:
- how and why the iFLEX project uses your personal data for research,
- what your rights are under GDPR, and,
- how to contact us if you have questions or concerns about the use of your personal data.
Some surveys will also offer respondents to participate in a prize draw. In this case, you must provide your email address to enter the prize draw. Generally, email addresses will be kept for one month after the prize draw ends; the exact duration will be stated in the terms and conditions of the prize draw.
Why are we processing your personal data?
The project undertakes research, which includes co-creation and validation activities, as contracted by its Description of Action and Grant Agreement with the EC. Data Protection laws allow us to use personal data for research within the scope of the project with appropriate safeguards in place.
We will always tell you about the information we wish to collect from you and how we will use it. We will seek your consent for the collection and use of your data in the specific pilot and for specific project activities, e.g. surveys and focus groups as part of our co-creation and validation activities. The project has implemented a consent procedure to ensure participant rights are protected. Full details will be given to all participants in an information sheet as part of the informed consent procedure.
The project’s involvement of human participants in its pilots, co-creation and validation activities is governed by ethical principles, policies, and procedures. An Ethics Advisory Board consisting of the representatives for the pilots’ Data Protection Officer and two external experts has been established to support and monitor that the project complies with ethical and legal requirements. The project will undergo ethical scrutiny to ensure that it is conducted in such a way as to protect your interests and is of a high standard. The results will be documented in annual monitoring compliance reports which will be reviewed by the EC.
Collecting and Using Personal Data
The project will only collect the personal data that is essential for the purpose of the project’s objectives. Personal data is normally pseudonymised as quickly as possible after data collection to reduce the risk of identifying you. Pseudonymisation is a technique that replaces or removes information in a data set that identifies an individual. Pseudonymisation may involve replacing names or other identifiers which are easily attributed to individuals with, for example, a reference number. It would therefore require the use of additional information in order to identify you.
Who do we share your data with?
To communicate the project research and results to the public, relevant industry, and the academic community anonymised data is likely to form part of a research publication or conference presentation or public talk. Where researchers wish to use any information that would identify you, specific consent will be sought.
Your privacy is paramount and personal data will not be disclosed unless there is a justified purpose for doing so. The project NEVER sells personal data to third parties.
Your data may be shared with:
The project partners’ team members who are authorised to work on the project and access the data. As part of the project team, they (the project partner they represent) act as joint data controllers. The project partners involved in collecting and/or processing your personal data will be clearly identified in your information sheet if you choose to participate in a project activity.
In the case of complaints related to data protection and privacy rights or any issue of an ethical matter, project partners’ internal and/or national Ethics Committees may require access to the data.
Storage and Security
The project takes a robust approach to protecting the data it holds with dedicated storage areas for research data with controlled access.
Alongside these technical measures there are comprehensive and effective policies and processes in place to ensure that users and administrators of project information are aware of their obligations and responsibilities for the data they have access to. People are only granted access to the information they require to perform their duties.
In case of a data breach, the project consortium will follow the guidelines set forth in Article 33 and 34 of the GDPR. This means that the relevant supervisory authority will be notified no later than 72 hours after the project consortium has become aware of the personal data breach. The details of the relevant supervisory authority will be listed on the information sheet you receive in connection with your participation in an iFLEX pilot. If the personal data breach is likely to result in a high risk to your rights and freedoms, you will also be informed immediately. The project’s Ethics Advisory Board will also be notified of any data breach.
Your information will not be kept for longer than necessary and is usually kept in a pseudonymised format. We will retain your personal data according to the following:
- for the duration of your participation in the iFLEX project
- as required under our project contract with the EC, or with regard to our statutory obligations
- only for as long as necessary for the purpose for which it was collected, is processed, or longer if required under any contract, or by applicable law.
If you are a participant in one of the iFLEX pilots, please refer to your Information Sheet for detailed information.
Your Data Protection Rights
Under data protection law, you have rights including:
- The right to be informed – You have the right to be informed that we are processing your personal data.
- The right of access – You have the right to ask us for copies of your personal information.
- The right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- The right to erase – You have the right to ask us to erase your personal information in certain circumstances.
- The right to restrict processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
- The right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.
- The right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
- Rights in relation to automated decision making and profiling – You have the right not to be subject of a decision based solely on automated processing and profiling.
You are not required to pay any charge for exercising your rights. Request can be made by contacting our Ethical Manager at firstname.lastname@example.org. Alternatively, you can simply fill in our Subject Access Request form available for download below. When you make a request, we will respond to you within one month from the date we receive your request
The project partners in iFLEX are Joint Data Controllers:
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to our Ethical Manager, Trine F. Sørensen, at email@example.com
You may also contact our Project Co-Ordinator, Markus Taumberger at Markus.Taumberger@vtt.fi
Each pilot site has representative on the iFLEX Ethics Advisory Board whom you may also contact:
For Finland, please contact: Anne Immonen at Anne.Immonen@vtt.fi
For Greece, please contact: Marion Paraschi at firstname.lastname@example.org
For Slovenia, please contact: Andraž Javernik at email@example.com
You can also complain to your local data protection authority if you are unhappy with how we have used your data.