Bridge for Researchers in Danger Going to Europe
This data protection plan states the reasons and procedures of processing, the way the Controllers collect, handle and ensure protection of all Personal Data provided, how that data is used, which obligations Controllers have and what rights the refugee researchers may exercise in relation to their data (right to access rectify, block, etc.). The Controllers are the beneficiaries to the Grant Agreement no 788339 of the BRiDGE project. Personal data is any information, private or professional, which relates to an identified or identifiable natural person (for the full definitions (Personal Data, Controller et al.) see Article 2 of EU Directive 95/46/EC).
The Controllers are committed to protect and respect the privacy of the individuals. As the Controllers, in course of serving the mission of the project, collect and further process data which may be considered "personally identifiable", "personal", or "sensitive", national and the EU General Data Protection Regulation No 2016/679 on the protection of individuals with regard to the processing of Personal Data and on free movement of such data, is applicable regarding such data. This data includes information via websites, forms, e-mails, correspondence, or personal communication.
Ethics and data protection issues are to be respected, taking into special account the vulnerability of the participating refugee researchers. The necessary processing of personal data by the Controllers of BRiDGE project have to protect participants' best interests and ensure their involvement will not lead to the jeopardising of their safety or increase their vulnerability.
The Controllers may receive and process Personal Data, including names and personal data provided to them with the explicit consent of the individual for the purposes of providing information or services to them, as project participants, vulnerable individuals seeking assistance, participants in BRiDGE events and activities, trainings, advisory sessions, mentoring meetings.
The process of Personal Data is related to
so of any data, private or professional, which relates to an identified or identifiable natural person (for the full definition, see Article 2(a) of EU Directive 95/46/EC). 'Processing of personal data' means any operation (or set of operations) performed on Personal Data, either manually or by automatic means, as outlined above.
The Controllers must receive prior explicit written consent to process Personal Data of individuals. The Controllers may grant their personnel access only to data that is strictly necessary for implementing, managing and monitoring the project, as outlined in the Grant Agreement. The Controllers must process Personal Data under in compliance with applicable EU law on data protection (including authorisations, ethical clearance or notification requirements which have to be in place before starting any process of Personal Data).
The Controllers take all reasonable efforts to maintain privacy and security of such data.
No secondary use of Personal Data is performed in BRiDGE.
The Controllers respect the rights of individuals to manage their data settings and preferences, including the ability to request modification, correction, removal, or deletion of personal data, subject to legitimate public interests and contractual or legal obligations (for example, obligations to retain limited transaction data for legally required audits).
Access to Personal Data is provided to a limited number of authorized staff of the Controllers. The Controllers are the beneficiaries to the Grant Agreement. The authorized staff is limited to the following departments of the Controllers according to the "need to know" principle. Such staff abide by statutory, and when required, additional confidentiality agreements and contractual provisions:
All permitted and authorized communication about the individuals is pseudonymized. The authorized personnel uses therefore a hash to codify the identity of individuals, for example in e-mails. The Controllers keep completely codified any data that participants wish not to be disclosed for reasons of personal safety or privacy, for example in participants' lists or testimonies.
Transfer of Personal Data to other Controllers to process the individual cases is forbidden.
The Controllers collect and use Personal Data for the case-to-case work with the individuals, their training and mentoring, the developing of a video handbook including their testimonies and dissemination activities and materials, for the survey etc. The work includes creating a mailing list or a list of participants, managing a database, project planning, process of accounting records on personnel costs, time-sheets, grant certificates, legal documents.
Transfer of Personal Data to external parties, as authorities, lawyers etc. is forbidden, unless the respective individual gives prior explicit consent of the individual to each transfer transaction, in order to support the case of the individual.
The collected data will not be given to any third party, except to the extent and for the purpose it may be required by law.
The processing of the data is lawful because:
The personal information required (mandatory) to be supported by BRiDGE is limited to the data necessary to identify a person, which is:
In addition, refugee researchers may provide further and optional information, such as
Individuals are entitled to access their Personal Data and rectify or block it in case the data is inaccurate or incomplete. They can exercise their rights by contacting the responsible data Controller, or in case of conflict the coordinator of BRiDGE or the data protection officer of the Controller or of the coordinator of BRiDGE, if necessary the European data protection supervisor.
The Controllers put in place appropriate organizational, technical and physical safeguards to help prevent unauthorized access, maintain data security and correctly use the data shared with the authorized staff of the Controllers. Personal Data shared with the Controllers, is only accessible by designated employees trained in the proper handling of such data, and used only for the purposes for which the data was shared.
Personal Data is retained up to one year after the end of the project BRiDGE, to ensure that the case has been properly closed. The latest one year after the end of the project all data will be destroyed. Individuals can nevertheless request to have their data deleted anytime.
All data in electronic format (personal information, e-mails, documents etc.) is stored either on the servers of the controllers or of their contractors, if applicable, and are password-protected. If applicable, the Controllers ensure that also their contractors comply with this data protection policy and the underlying and EU General Data Protection Regulation No 2016/679.