All processing activities will be carried out in compliance with the applicable data protection legislation, with particular regard to the Regulation (EU) 2016/679 (‘GDPR’).
1. DATA CONTROLLER
The Controller is the EDITH Consortium, as made up by all partners listed here (‘Consortium’ or ‘Controller’). Users can at any time send requests to one or more partners, using the individual contacts which are published for each Consortium member.
2. THE WEBSITE
This Website aims to provide information and updates regarding Ecosystem for DIgital Twins in Healthcare (‘EDITH’), a project funded by the European Commission’ Digital Europe Programme.
It is designed to minimize the collection and processing of Users’ personal data.
A cookie is a small file, typically made up of letters and numbers, downloaded on to a device when the User accesses a website. Cookies are then sent back to the originating website on each subsequent visit by the User. Cookies are useful, therefore, because they allow a website to recognize a User’s device and the choices and settings associated to it.
Some cookies are strictly necessary for the correct functioning of Internet and the Website and do not require User’s consent, such as those ensuring web security. Other types of cookies are still important, but not necessary and so can be installed only insofar the Users provided their consent.
This Website installs cookies only to allow the Users to flawlessly navigate through its pages and sections and to smoothly enjoy its contents, as well as to generate fully anonymous statistics regarding the volume of visits. These cookies can be used without User’s consent.
4. CATEGORIES OF PERSONAL DATA COLLECTED
Computer systems and software procedures used to operate the Website acquire, during their normal operation, some personal data needed for the use of Internet communication protocols (e.g. IP addresses, Browser type, Operating System, the time of access and period of User’s staying on a single page). These technical / IT data are collected through cookies and used only in an aggregated and not immediately identifiable manner and can be used to ascertain responsibilities in case of crimes, or upon public authorities’ request.
Personal data provided by the User
There are few sections of the Website (e.g. ‘Contact us’) where Users can freely provide some personal data (e.g. name, surname, email address, working information) for the purposes set out below.
Users are required to register, by providing only first and last name and a valid e-mail, in order to get access to the EDITH-CSA knowledge base (link) Application (‘APP’).
5. PURPOSE AND LEGAL BASES OF THE PROCESSING
The User’s personal data will be processed solely for the following purposes:
a) allowing the User to navigate the Website easily and seamlessly. This processing is necessary to run the Website and to allow the User to access its contents, according to Art. 6.1, b) of the GDPR;
b) receiving, evaluating and, in case, including new use-cases proposed by the User through the descriptive form available on the Website (link). This processing is needed to follow-up the requests submitted by the User, according to Art. 6.1, b) of the GDPR;
c) fulfill any request made by the User through the contact form available on the Website (link), including providing them with the password needed to access the virtual repository of current scientific papers, according to Art. 6.1, b) of the GDPR;
d) permitting the User’s registration needed to access the EDITH-CSA knowledge base APP;
e) complying with decisions and orders issued by competent authorities, as well as with the obligations set forth by applicable laws and regulations, pursuant to Art. 6.1, c) of the GDPR;
f) pursuing the Consortium’s or any of its Partners’ legitimate interest to establish or defend legal claims, as per Art. 6.1, f) of the GDPR.
6. EDITH-CSA KNOWLEDGE BASE APP
By finalizing the registration to access the APP, the User warrants and declare that he/she shall:
a. not use, or permit to use, the APP for: a. any commercial or professional services or purposes;
b. any purpose which is not compliant with its intended scientific nature, or in any manner obscene, inappropriate, defamatory, indecent, offensive, threatening, abusive or discriminatory;
c. purposes that may cause or result in a violation of the applicable law, regulations, or applicable provisions or decisions of competent Authorities;
b. not make unauthorized copies, or modify, reverse engineer, decompile, extract information from, or create derivative works of the APP;
c. not distribute, license (or sub-license), transfer, market, rent, lease or sell all or part of the APP or its components;
d. not interfere or attempt to interfere with the correct functioning of the APP, or cause its interruption of use;
e. bypass any measures adopted by the Consortium to control and limit access to the APP;
f. incorporate the APP, or any part thereof, into any other program or product, unless expressly authorized by the Consortium in writing.
The User declares to be aware that the APP was built based on Large Language Model named GPT which was developed and the sole property of OpenAI. The Consortium shall hold no right over GPT model.
Accordingly, the User is aware and accepts, on the one hand, that the proper functioning of the APP is totally dependent on GPT and totally out of the reasonable control of the Consortium, and on the other hand, to hold the exclusive control over any contents generated through the APP.
7. METHODS OF THE PROCESSING AND DATA SECURITY
The personal data are collected and processed lawfully and fairly, solely for the purposes described above and in accordance with the fundamental principles established by the applicable legislation.
Personal data may be processed either manually, through information technology tools or electronically, in any case under technical and organizational measures that enable ensuring their security and confidentiality, especially for the purposes of preventing any risk arising from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data.
Processing activities will be carried out, under the Consortium’s control, only by personnel duly authorized to access and process the Users’ personal data in accordance with specific data protection and security instructions provided by each Partner, with a particular view to safeguarding the rights of the Users under the GDPR.
Under no circumstances personal data may undergo automated decision-making processes, including profiling.
8. COMMUNICATIONS TO THIRD PARTIES
The personal data collected by the Consortium will not be shared or communicated to third parties, unless upon specific consent of the data subject, or as otherwise required by applicable laws.
Should the communication to third-party vendors or partners of the Consortiums (e.g. service providers, hosting providers, IT companies, communication agencies) be necessary for organizational, administrative or support needs, it will be the Controller’s responsibility to appoint such parties as data processors by virtue of their capacity, experience and reliability, as per Art. 28 of the GDPR.
It is understood that the Users’ personal data can be made available to third parties, such as public or judicial authorities, whenever this is required by applicable law or by an order issued by them.
9. DATA RETENTION
a. Internet data will be kept for no longer than 7 days;
b. personal data provided by the Users in relation to the application for new use-cases will be retained until the end of the EDITH project, in case of inclusion, or for a maximum of 6 months, in case of refusal;
c. personal data provided through the contact form will be retained for no longer than 2 months after fulfilling the relevant request;
d. registration data will be kept until the User requests the cancellation of his/her registration.
Subject to the above, Users’ data will be kept for those further periods which are required or expressly permitted by applicable laws and regulations, with particular reference to the fulfilment of orders issued by competent authorities and the enforcement and/or protection of the Controller’s rights (consistent with the retention periods and statutes of limitations provided for by the law), where necessary. When no longer necessary, the data will be immediately cancelled or made anonymous.
10. TRANSFER OF DATA ABROAD
The User’s personal data will not be transferred outside the European Economic Area (hereinafter, the ‘EEA’).
In any case, should the need to transfer Users’ data to third countries arise in the future for any reason, the relevant transmission will be subject to specific data protection guarantees by the Consortium, as required by the law, e.g. through the adoption of Standard Contractual Clauses as approved by the European Commission, or other equivalent safeguards.
11. REDIRECT TO OTHER WEB SITES
The Website may incorporate links which allow the User to connect to other websites run by third parties. The Controller is not responsible for the data processing carried out through and/or in connection with such third parties’ websites.
Therefore, each User who accesses other web pages through the Website must carefully read their privacy policies to better understand how their personal data will be processed by the third parties which, as autonomous controllers, will provide and manage such websites.
12. DATA SUBJECTS’ RIGHTS
The Users can exercise their rights at any time, including:
a) accessing their personal data, obtaining evidence – among others – of the purposes pursued by the Consortium, the categories of data involved, the recipients to whom they may be disclosed, the applicable storage period, the existence of automated decision-making processes;
b) having incorrect personal data referred to them rectified without delay;
c) having their data erased in the cases provided for by the law;
d) obtaining restrictions to processing, where possible;
e) requesting portability of the data provided to the Consortium, i.e. receiving them in a structured, commonly used and machine-readable format, also for transmitting such data to another controller, without any hindrance by the Controller, in all situations where it is required by the law in force;
f) easily withdrawing any consent they have previously given, without this affecting in any manner the lawfulness of the processing operations carried out before;
g) lodging a complaint to the competent Supervisory Authorities (here is an updated list of DPAs in Europe).
To exercise these rights, or for any further information and/or clarifications, please write to the Consortium, by sending an email to email@example.com.
13. POLICY UPDATING
This Policy may be updated periodically at the Consortium’s sole discretion. Therefore, Users are recommended to read it every time they access the Website.
Below is highlighted the date when the last version of this Policy has been uploaded.
Last Update: 27/10/2023