Privacy Statement concerning Personal Data Processing within the Project “Supporting internationalisation of HE through professionalising services for mobile academic staff”

Erasmus+ Project No. 2020-1-SK01-KA203-078369

 

Contents

 

Introduction

1. Controllers/Joint Controllers and Processors
2. Data Protection Officers
3. Purpose of Personal Data Processing
4. Lawfulness of Personal Data Processing
5. Data Processed and Data Subjects
6. Data Recipients
7. Transfer of Personal Data to the Recipient in the Third Countries
8. Period for which the Personal Data will be Stored
9. Rights of Data Subjects
10. Mandatory Provision of Data Relating to Provision of Service
11. Automated Individual Decision-Making and Profiling

 

 

Introduction

The organisations detailed below in the section concerning Controllers created a consortium to jointly prepare and implement the project entitled “Supporting internationalisation of HE through professionalising services for mobile academic staff” (further referred to as ‘the Project’) within the framework of the Erasmus+ programme, Key action 2: Strategic partnerships. For implementing this Project, the Project coordinator SAIA, n. o. has been awarded a grant from the Slovak Academic Association for International Cooperation – SAAIC, which is the Erasmus+ National Agency for Education and Training (further referred to as ‘NA’) and therefore the coordinator has concluded the Grant agreement No. 2020-1-SK01-KA203-078369 with the NA (further referred to as “Grant agreement”) on behalf of the consortium.  The consortium and its members are also responsible for effective, economical and purposeful management of the funds, having responsibility towards the granting institution. The activities within the Project are also related to the processing of personal data that the organisations shall process in compliance with the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016, on Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data, repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “GDPR”) and with other applicable national legislation of countries where the organisations of the consortium are based in (hereinafter referred to as the “national data processing legislation”).

 

 

1. Controllers/Joint Controllers and Processors

Following organisations build the consortium for the implementation of the Project described in the Introduction and therefore act as Controllers when data processing is concerned in relation to the Project:

1. SAIA, n. o.

Sasinkova 10

812 20 Bratislava

Slovakia

website: www.saia.sk

(hereafter referred to as SAIA)

 

2. Academic Cooperation Association

15 Rue d’Egmontstraat

B-1000 Brussels

Belgium

website:  https://aca-secretariat.be

(hereafter referred to as ACA)

 

3. Narodowa Agencja Wymiany Akademickiej

Polna 40

00-635 Warszawa

Poland

website: https://nawa.gov.pl/

(hereafter referred to as NAWA)

 

4. University of Niš

Univerzitetski trg 2

18000 Niš

Serbia

website: www.ni.ac.rs

(hereafter referred to as University of Nis)

 

5. Sofia University "St. Kl. Ohridski"

15, Tzar Osvoboditel

BG-1000 Sofia

Bulgaria 

website: www.uni-sofia.bg

(hereafter referred to as Sofia University)

 

6. Comenius University in Bratislava

Šafárikovo nám. 6

P.O.Box 440

814 99 Bratislava

website: www.uniba.sk

(hereafter referred to as Comenius University in Bratislava)

 

To be able to securely process the data in relation to the Project also jointly where necessary, the organisations of the Project consortium have concluded “Agreement on joint processing of personal data according to Art. 26 of the European General Data Protection Regulation 2016/679”. Moreover, taking into account that one of the Project consortium organisations is located outside the European Union and thus this organisation is not governed directly by the GDPR, all Project consortium organisations have committed themselves to sign bilaterally the “Standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers)” as set by the European Commission between each Party based on the territory of the European Union on one side and a Party based outside the territory of the European Union on the other side in order to ensure the lawful transfer of data for the purposes of the Project.

All persons coming into contact with personal data within organisations of the Project consortium (in particular, employees involved in the implementation of the Project) have been properly informed about the applicable privacy policy in the personal data obtaining and processing, and are bound by confidentiality obligation regarding the data obtained in any case, unless it is in compliance with the purpose for which they have been obtained.

The organisations of the Project consortium agreed as controllers to jointly determine the range of data collected and processed for the needs of Project implementation.

An organisation of the Project consortium that primarily collects and processes the data in its role as controller may decide to involve a processor to process data on its behalf, however the organisations of the Project consortium agreed jointly that such processor shall oblige with the rules and regulations set in the GDPR and inform other organisations of the Project consortium about such situation. The information about processors contracted and used by individual organisations of Project consortium in general can be found on the websites of the respective organisations within their privacy statements.

 

2. Data Protection Officers

Data protection officers are established at each of the organisations of the Project consortium:

• in case of SAIA, data subjects can contact the contact point at saia@saia.sk;
• in case of ACA, data subjects can contact the contact point at secretariat@aca-secretariat.be;
• in case of NAWA, data subjects can contact the contact point at odo@nawa.gov.pl;
• in case of University of Nis, data subjects can contact the contact point at milan.zdravkovic@gmail.com;
• in case of Sofia University, data subjects can contact the contact point at eliza@fmi.uni-sofia.bg;
• in case of Comenius University in Bratislava, data subjects can contact the contact point at omv@rec.uniba.sk

 

3. Purpose of Personal Data Processing

Organisations of the Project consortium, to be able to fulfil the obligations arising from the Grant agreement may collect and process data in order to:

• successfully implement the Project,
• create required relevant outcomes in line with the Grant agreement,
• provide proof of eligible costs in line with the Grant agreement,
• make the Project and its outcomes visible to a broad public,
• maintain transparency in spending of public resources,
• comply with the respective national laws and regulations, incl. laws on employment, social security, book-keeping/accounting
• promote the achievements and work of Parties in general.

 

4. Lawfulness of Personal Data Processing

Organisations of the Project consortium may process the data to fulfil the obligations arising from the Grant agreement of the Project. As a minimum requirement, the lawfulness of data processing done by the Parties shall follow the rules set by GDPR (especially in the Article 6 of the GDPR).

 

5. Data Processed and Data Subjects

The Parties as controllers jointly determine the range of data collected and processed for the needs of Project implementation.

To successfully implement the Project, the following data may be processed jointly by the organisations of Project consortium as controllers:

• details of the persons responsible for the implementation of the Project (or its activities) and of participants of Project activities, including mostly (but not exclusively) their names, gender and birth dates, institution, they are affiliated to, job position, place of origin/residence;
• contact data of the persons responsible for the implementation of the Project (or its activities) and of participants of Project activities, including mostly (but not exclusively) their postal addresses, e-mail addresses, telephone numbers, as well as other contact details, which allow for electronic communication;
• other data related to the implementation of the Project, especially those necessary for preparation of Project outcomes and those needed as evidence of the successful implementation of Project and its activities, including mostly (but not exclusively) activity specific data about participants of Project activities, such as data on the mobility pathways and funding schemes (grants), and audio-visual recordings and photographs from Project events and activities.

Subject to the processing described above may be (data subjects):

• persons responsible for the implementation of the Project (or its activities), including mostly (but not exclusively) the employees of the organisations of the Consortium;
• participants of Project activities, including mostly (but not exclusively) academic and non-academic staff of universities and other actors with relevance to the Project;
• experts, i.e. academics and/or other experts, whose expertise is necessary for a successful implementation of the Project;
• representatives and employees of the universities and other actors with relevance to the Project who may benefit from the Project activities and results.

The respective organisations of the Project consortium in their role as controllers are in charge of:

• data collection and processing necessary for the implementation of Project activities that are their responsibility in accordance with the Project as well as
• transfer of collected and/or processed data related to the implementation of the Project to other organisations of the Project consortium to the extent necessary for the performance of their tasks or for the fulfilment of their duties within the Project.

 

6. Data Recipients

The organisations of the Project consortium shall not disclose any personal data to third parties (recipients) without the provision of personal data being in compliance with the purpose for which the data have been collected, or in the demonstrable interest of the data subject. The organisations of the Project consortium shall not trade with personal data (i.e., in particular, they do not buy or sell contacts or other data to other recipients, e.g. for marketing purposes) since it is not in line with the Project.

 

7. Transfer of Personal Data to the Recipient in the Third Countries

Pursuant to the GDPR, third countries are all the countries that are not member states of the European Union or the European Economic Area, and, thus, the GDPR does not apply to them.

The organisations of the Project consortium abstain from any data transfer to any subject outside the European Union unless it is in line with the GDPR.

Since one of the Project consortium organisations is located outside the European Union and thus this organisation is not governed directly by the GDPR, all Project consortium organisations have committed themselves to sign bilaterally the “Standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers)” as set by the European Commission between each Party based on the territory of the European Union on one side and a Party based outside the territory of the European Union on the other side in order to ensure the lawful transfer of data for the purposes of the Project.

 

8. Period for which the Personal Data will be Stored

The period for which the personal data will be stored depends on the respective applicable national legislation of the country where the respective organisation of the Project consortium is based. However, based on the Grant agreement and obligations arising from it for the organisations of the Project consortium the data shall be stored as minimum for the duration of the Project extended for five years starting from the date of payment of the balance in order to carry out eventual checks, audits or  evaluations of Project outcomes and documentation by the Project financing agency and/or other authorised subjects. Based on this requirement the data are usually stored for 10 years if the applicable national legislation does not require otherwise.

 

9. Rights of Data Subjects

In compliance with the GDPR, the data subject has the following rights:

• right to information and access to personal data (Art. 13 – 15 of the GDPR),
• right to rectification (Art. 16 of the GDPR, considering Art. 5, para. 1, letter d of the GDPR),
• right to erasure (Art. 17 of the GDPR, considering Art. 5, para. 1, letter d of the GDPR),
• right to restriction of processing (Art. 18 of the GDPR),
• right to data portability (Art. 20 of the GDPR),
• right to object (Art. 21 of the GDPR).

You can exercise your rights under the GDPR by sending an email to contact points stated under “2. Data Protection Officers”. It is recommended to send such an email to the organisation of the Project consortium that primarily collected the data from you as data subject for the purpose of Project implementation. The Project consortium will carefully deal with such a complaint and inform you about the result of our actions in the respective case. Please note that the transfer of data via the Internet (e.g. via e-mail) may have security deficiencies and that full protection against the access of third parties to the data sent this way cannot be guaranteed. Thus, we assume no liability for damages caused by such security risks. Our websites are protected by the SSL secure connections.

You, as a data subject, are also entitled to file a complaint for the violation of your rights at the supervisory authority in the Slovak Republic, as the organisations of the Project consortium have agreed that their joint agreement on joint processing of personal data is governed by the laws of the Slovak Republic:

• Office for Personal Data Protection of the Slovak Republic (Úrad na ochranu osobných údajov Slovenskej republiky), Hraničná 12, 820 07 Bratislava 27, Slovakia.

10. Mandatory Provision of Data Relating to Provision of Service

In the following case, the provision of personal data by the data subject is a prerequisite for the provision of service:

1. provision of data is connected with the organisation of a specific event for which the person applies with binding effect, and thus creating a contractual relationship for the provision of service.

The aforementioned services cannot be provided, or the contractual relationship cannot be concluded without providing the data.

 

11. Automated Individual Decision-Making and Profiling

The organisations of the Project consortium do not use any means for automated decision-making or processing in its operations in relation to the Project.

 

Version: 2 Feb 2021