2006-BCK-WP3-1-D-GRPD-AX-VF GRPD compliance report

Introduction

The Blackcycle consortium will ensure partners will ensure GRPD compliance. Two aspects of the project will require collecting and managing personal data. Firstly, Axelera will collect personal data for dissemination, communication and networking beyond the consortium. Secondly, Michelin, as project coordinator, will be responsible for maintaining the partner contact database for overall project management. This next section summarises the type of data that will be collected in both cases. The relevant GRPD policies are provided in the annexes of this deliverable.

 Types of data collected in BlackCycle, why it is collected and an overview of the GRPD policy

Axelera – Personal Data for Communication, Dissemination and Networking

In order to build the contact database for BlackCycle (for WP3), Axelera will collect personal contact data. Axelera confirms that all of the data we intend to process is relevant and limited to the purposes of the research project (in accordance with the ‘data minimization principle’ of the GRPD regulation). The purpose is to ensure the dissemination and broad uptake of the results of the BlackCycle project. The personal data will be limited to:

  • Name (mandatory)
  • Organisation (mandatory)
  • Title (mandatory)
  • Email address (mandatory)
  • Telephone number (optional)

Axelera confirms that it has appointed a Data Protection Officer (DPO), Cédric Reignat of Axelera. The DPO’s email address (rgdp@axelera.org) will be provided on the BlackCycle website and in all newsletters and invitations to events so that all data subjects involved in BlackCycle can request that their data be erased. 

For further processing of previously collected personal data, Axelera has lawful basis for the data processing and the appropriate technical and organizational measures are in place to safeguard the rights of the data subjects. Detailed information on the informed consent procedures in regard to data processing are kept on file by Axelera. 

A description of the technical and organisational measures that will be implemented to safeguard the rights and freedoms of the data subjects can be found below and in the GRPD policy in Annex 1 below.

Regarding informed consent, the following cases apply.

  • A data subject can sign-up to be added to the BlackCycle contact list via the BlackCycle website. 
  • A data subject’s contact details may be provided to Axelera by a project partner or third party who considers that the data subject might be interested in joining the Blackcycle contact database. In this case, the link to the informed consent form will be sent by email to the data subject. If no consent is received from the contact, then no newsletters will be sent to the contact by Axelera.  

BlackCycle’s Informed consent form will include the following information:

If you would like to join the BlackCycle Community, please provide your:

  • Name (mandatory)
  • Organisation (mandatory)
  • Title (mandatory)
  • Email address (mandatory)
  • Telephone number (optional)

Please specify for which purpose you consent to be contacted:

  • To receive the BlackCycle 3-monthly newsletters, to be invited to BlackCycle annual workshops, to be contacted by a BlackCycle partner in order to discuss project results and possible collaborations individually

Anyone who has communicated personal data to AXELERA has the following rights over it:

  • The right of access, modification or rectification,
  • The right to erase the data (right to be forgotten), a right to limit processing and a right to object to processing in the cases provided for by the regulations in force,
  • The right to define directives relating to the fate of his personal data after his death,
  • The right to the portability of the raw data transmitted to the cluster,
  • The right to file a complaint with the competent authority (for example, the CNIL in France),
  • The right to object to the receipt of newsletters, emails or invitations.

These rights must be exercised under the conditions provided for by the regulations in force. In particular, proof of identity may be requested. These rights can be exercised by sending an e-mail request to Cédric REIGNAT: rgdp@axelera.org or via post to the following address : 

AXELERA

Rond-point de l’échangeur

Les levées

69360 Solaize

Unless you request that your data be erased, then collected data will be stored for a period of three years following the last correspondence between Axelera (leader of BlackCycle dissemination and networking) and you.

Regarding the storage, correction, use and erasing of personal data in the scope of BlackCycle:

  • Personal data handled by Axelera within the scope of BlackCycle will be collected, stored and processed only within Axelera’s Customer Relationship Management (CRM) Tool, EUDONET, which is a GDPR-compliant and secure tool. Password protected access is limited to Axelera staff, the CRM service provider, Axelera’s website developer and the BlackCycle website developer.  
  • If a data subject requests that their data be corrected, Axelera’s WP3 leader will correct the data in the CRM.
  • If a data subject requests that their data be erased, Axelera’s DPO will erase the data subject in the CRM.
  • The voluntary forms on BlackCycle’s website will feed personal contact data and the purpose for which Axelera has the right to use the contact data to Axelera’s CRM. 
  • The Newsletters and invitations to BlackCycle events will be sent only to those contacts having given consent for each type of emailing.
  • Each emailing will offer the possibility to cancel the subscription to that type of emailing or to request corrections / erasure by sending an email to rgdp@axelera.org. 

Michelin – Personal Data for overall project management

Michelin, as project coordinator, will be responsible for creating an online, shared project space for collaborative work and for maintaining the partner contact database for overall project management. To this end, they rely on the services of D&Consultants will collect email address, phone numbers, names, positions and names of employers for both the shared online space and contact lists for partners. D&Consultants will also add the contact information into their Customer Relationship Management tool. Their Data Policy is found in Annex 2 below.

Annex 1 : Axelera’s GRPD Policy

AXELERA is a French cluster operating at the crossroads of the chemical, environmental and energy sectors. Axelera’s ambition is to create value by bringing our members together to create innovative and competitive solutions for industry and to reach out internationally from a strong regional base in the Auvergne-Rhône-Alpes region.

To this end, Axelera collects and processes certain personal data concerning its members, partners and other contacts for professional purposes. AXELERA attaches the utmost importance to respecting and  protecting the privacy and personal data of its contacts as well as to respecting the regulations in force. The data processing by Axelera is carried out according to the methods described below.

  1. Aim and Nature of the collected data
    1. AXELERA’s members

AXELERA collects personal data concerning its members via the membership form, the member’s area of ​​Axelera’s website, registration for events and subscription to newsletters. This information is collected as part of the management of the cluster and the fulfillment of its missions, namely: promoting the economic development of innovators in the chemical and environmental sectors in the Auvergne-Rhône-Alpes region.

The data collected are: 

  • Last name, 
  • First name, 
  • Professional telephone numbers 
  • Professional email address,
  • Employer entity,
  • Job title.

These personal data are used to :

  • Manage the association and its general functionning (memberships, etc.),
  • Manage event registrations,
  • Manage subscriptions to newsletters,
  • Carry out satisfaction surveys and polls,
  • Manage the contacts file in the CRM,
  • Connect members with potential partners,
  • Send confidential access codes to the AXELERA site extranet.

This data processing is based on the execution of a membership contract, the respect by the pole of its legal obligations as well as its legitimate interests for the purposes of the exercise of its activity and the achievement of its objectives as a competitiveness cluster. In case of refusal to provide the necessary information, the structure will not be able to join the cluster.

    1. Non members

The cluster may collect personal data concerning its contacts, suppliers, partners and institutions, in particular the following data: 

  • Last name, 
  • First name, 
  • Professional telephone numbers 
  • Professional email address,
  • Employer entity,
  • Job title.

This information can be collected in the different cases listed below:

  • Voluntary registration for the cluster’s newsletter or for other newsletters prepared by the cluster.
  • Complete entry of contact details in a form on Axelera’s website or any other website administered by Axelera (contact, registration, etc.),
  • Exchanges between the cluster and the person concerned by telephone or e-mail,
  • Sending a request for consents by e-mail.

The purposes of the processing of the personal data are as follows:

  • To restore the information requested by the data subject if necessary,
  • To manage the file of contacts, prospects and partners in the Customer Relationship Management Tool,
  • To send invitations to events, webinars, activities and events,
  • To send communications and information concerning the cluster’s activities.

The processing is based on the execution of a contract for services provided to companies and the organization of events, demonstrations, the respect by the pole of its legal obligations as well as its legitimate interests for the purposes of the exercise of its activity and achieving its goals. In case of refusal to provide the necessary information, the structure will not be able to benefit from the organized activities and information sent by the pole.

  1. Use of data by AXELERA

Personal data is subject to processing by the cluster for the purposes explained above. The cluster undertakes not to use personal data for any other purpose, or to transmit it to third parties, except in the cases provided for in this data management policy. The cluster may be required to communicate personal data processed to third parties, at the request of a judicial, administrative or public authority, in the context of compliance with a legal obligation or further to a judicial or administrative decision. Personal data may be communicated by the cluster to its administrators, staff, suppliers and partners. The AXELERA division takes all necessary measures to require these recipients and subcontractors to comply with applicable regulations.

Personal data is kept for the purposes explained above for the time necessary to achieve these purposes.

  • Personal data collected for the execution of a contract or legal obligations are archived for the duration envisaged by the said legal obligation and for the duration necessary for the observation, the exercise or the defense of a legal claim, equivalent to the limitation period applicable to the obligations between the division and the person concerned.
  • The personal data used for the purposes of managing the contact file are kept for a period of three years from the last contact between the pole and the person concerned.

The cluster makes every effort to store and archive this personal data under appropriate security conditions in compliance with the applicable provisions, according to current technical means. 

  1. What rights do subjects have to the personal data communicated?

Anyone who has communicated personal data to AXELERA has the following rights over it:

  • The right of access, modification or rectification,
  • The right to erase the data (right to be forgotten), a right to limit processing and a right to object to processing in the cases provided for by the regulations in force,
  • The right to define directives relating to the fate of his personal data after his death,
  • The right to the portability of the raw data transmitted to the cluster,
  • The right to file a complaint with the competent authority (for example, the CNIL in France),
  • The right to object to the receipt of newsletters, emails or invitations.

These rights must be exercised under the conditions provided for by the regulations in force. In particular, proof of identity may be requested. These rights can be exercised by sending e-mail request to Cédric REIGNAT: rgdp@axelera.org or via post to the following address : 

AXELERA

Rond-point de l’échangeur

Les levées

69360 Solaize

  1. HYPERTEXT LINKS AND COOKIES

Le website www.axelera.org, as well as any website prepared by Axelera, contains a number of hypertext links to other sites. However, AXELERA does not have the possibility to check the content of the sites thus visited, and therefore will not assume any responsibility. The user should inquire about the privacy and practices of these sites before sending any personal information to them.

The www.axelera.org  website, as well as any website that Axelera prepares, uses cookies, but it may also use third-party technologies to present a better display and certain services, in particular to track audiences. The user is informed that, during his visits to the website, a cookie can be automatically installed on his browser software. The cookie is a block of data which does not identify the user but is used to record information relating to the browsing of the latter on the website. These are mainly used to study and optimize the user experience on the website.

When visiting, the www.axelera.org  website, as well as any website that Axelera prepares, the user will be informed upon connection to the website that the website uses cookies. Before gaining access to the page, the user will be given the choice between accepting cookies and learning more. If the user requests to learn more, he or she will gain access to a summary of the GRPD policy of Axelera and will be given the choice between:

  • Essential and strictly necessary cookies – These are cookies essential for the proper functioning of the site and strictly necessary for the provision of a service that the user has expressly requested. These essential cookies make it possible to memorize from one page to another the information that a user communicates to the website during his/her navigation, for example the language of use.
  • Site audience analysis cookies – They allow Axelera to establish anonymous statistics of visits to the pages of its site in order to improve its ergonomics and content. 

Annex 2 D & Consultants GRPD Policy for the online project shared space

D & Consultants is hereby designated as the controller within the scope of these Terms and Conditions. D & Consultants undertakes to comply with the regulations in force concerning the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “RGPD”) applicable to from May 25, 2018. The personal data of the Client, his legal representative and / or the Customer’s agents are collected by D & Consultants for the sole purpose of providing the Services, invoicing and proof of the provision of the Services. The personal data of the Customer, his legal representative and / or the agents and / or interlocutors of the Customer on the place of performance of the Service are the surname, first name, mobile phone (or fixed) and address (es) professional and / or personal e-mail.

This data is hosted on the D & Consultants server for the necessary period of retention, in accordance with the recommendations of the CNIL. The Customer undertakes to provide accurate information and does not prejudice the interests or rights of third parties. The recipients of the personal data collected are D & Consultants and, where applicable, its IT service providers. 

The Client and / or the legal representative and / or the Customer’s agents and / or interlocutors at the place of performance of the Service have the right to request access to their personal data, rectification or erasure of these, a limitation of treatment that concerns him, the right to oppose such treatment and the right to portability of its data. They may exercise their rights above by mail and / or e-mail to the addresses previously communicated to them by D & Consultants. In the event of a request by the Customer for the erasure of the personal data collected or the limitation of the processing addressed to D & Consultants, the latter shall refrain from having access to them on the common hosting servers in accordance with this request. The Client is informed that the exercise of these rights could have the effect of preventing or slowing down the performance of the Services. The Client and / or the legal representative and / or the Customer’s agents and / or interlocutors at the place of performance of the Service have (s) the right to lodge a complaint with the Data Protection Supervisory Authority personal.

D & Consultants is committed to:

  • process the data only for the purpose mentioned above,
  • guarantee the confidentiality of the personal data processed within the framework of these General Conditions,
  • ensure that the recipients of the personal data undertake to respect the confidentiality,
  • take into account the principles of data protection from conception and protection of data by default.

D & Consultants is authorized to use one or more specified third-party companies after having obtained the Customer’s written, prior and specific authorization to conduct defined processing activities. The subsequent subcontractor is subject to the same obligations as D & Consultants, which must ensure that the subsequent subcontractor provides sufficient guarantees as to the security measures. Customer acknowledges and agrees that D & Consultants may use the services of an IT provider to fulfill its obligations.

D & Consultants undertakes to implement the appropriate technical and organizational security measures, as referred to in Article 32 of the GDPR, to ensure the security and integrity of the personal data they process. When deleting the Customer’s account for any reason whatsoever, and upon Customer’s request, D& Consultants undertakes to:

  • destroy all personal data, or
  • return all personal data to the Customer, or
  • return the personal data to the third party designated by the Customer.

In this case, D & Consultants undertakes to destroy all existing copies of its information systems and will certify in writing the destruction to the Customer. D & Consultants communicates to the Client the name and contact details of his Data Protection Officer in accordance with Article 37 of the GDPR. D & Consultants declares to keep in writing a register of all categories of processing activities performed. 

The data will be made accessible to the Customer only via secure connections (SSL).