1. Data collection on our website
Who is responsible for the data collection on this website?
The data collected on this website are processed by the website operator. The operator’s contact details can be found in the website’s required legal notice.
How do we collect your data?
Some data are collected when you provide it to us. This could, for example, be data you enter on a contact form.
Other data are collected automatically by our IT systems when you visit the website. These data are primarily technical data such as the browser and operating system you are using or when you accessed the page. These data are collected automatically as soon as you enter our website.
What do we use your data for?
Part of the data is collected to ensure the proper functioning of the website. Other data can be used to analyse how visitors use the site.
What rights do you have regarding your data?
You always have the right to request information about your stored data, its origin, its recipients, and the purpose of its collection at no charge. You also have the right to request that it be corrected, blocked, or deleted. You can contact us at any time using the address given in the legal notice if you have further questions about the issue of privacy and data protection. You may also, of course, file a complaint with the competent regulatory authorities.
Analytics and third-party tools
You can object to this analysis. We will inform you below about how to exercise your options in this regard.
2. General information and mandatory information
Please note that data transmitted via the internet (e.g. via email communication) may be subject to security breaches. Complete protection of your data from third-party access is not possible.
Notice concerning the party responsible for this website
The party responsible for processing data on this website is:
Premotec GmbH – Switzerland
Represented by: Karl Presser
The responsible party is the natural or legal person who alone or jointly with others decides on the purposes and means of processing personal data (names, email addresses, etc.).
Revocation of your consent to the processing of your data
Many data processing operations are only possible with your express consent. You may revoke your consent at any time with future effect. An informal email making this request is sufficient. The data processed before we receive your request may still be legally processed.
Right to data portability
You have the right to have data which we process based on your consent or in fulfilment of a contract automatically delivered to yourself or to a third party in a standard, machine-readable format. If you require the direct transfer of data to another responsible party, this will only be done to the extent technically feasible.
Information, blocking, deletion
As permitted by law, you have the right to be provided at any time with information free of charge about any of your personal data that is stored as well as its origin, the recipient and the purpose for which it has been processed. You also have the right to have this data corrected, blocked or deleted. You can contact us at any time using the address given in our legal notice if you have further questions on the topic of personal data.
Opposition to promotional emails
We hereby expressly prohibit the use of contact data published in the context of website legal notice requirements with regard to sending promotional and informational materials not expressly requested. The website operator reserves the right to take specific legal action if unsolicited advertising material, such as email spam, is received.
3. Data collection on our website
Most of the cookies we use are so-called “session cookies.” They are automatically deleted after your visit. Other cookies remain in your device’s memory until you delete them (long-term cookies). These cookies make it possible to recognize your browser when you next visit the site.
Server log files
The website provider automatically collects and stores information that your browser automatically transmits to us in “server log files”. These are:
• Browser type and browser version
• Operating system used
• Referrer URL
• Host name of the accessing computer
• Time of the server request
• IP address
These data will not be combined with data from other sources.
The basis for data processing is Art. 6 (1) (b) GDPR, which allows the processing of data to fulfil a contract or for measures preliminary to a contract.
Should you send us questions via the contact form, we will collect the data entered on the form, including the contact details you provide, to answer your question and any follow-up questions. We do not share this information without your permission.
We will, therefore, process any data you enter onto the contact form only with your consent per Art. 6 (1)(a) GDPR. You may revoke your consent at any time. An informal email making this request is sufficient. The data processed before we receive your request may still be legally processed.
We will retain the data you provide on the contact form until you request its deletion, revoke your consent for its storage, or the purpose for its storage no longer pertains (e.g. after fulfilling your request). Any mandatory statutory provisions, especially those regarding mandatory data retention periods, remain unaffected by this provision.
Processing of data (customer and contract data)
We collect, process, and use personal data only insofar as it is necessary to establish, or modify legal relationships with us (master data). We collect, process and use your personal data when accessing our website (usage data) only to the extent required to enable you to access our service or to bill you for the same.
Collected customer data shall be deleted after completion of the order or termination of the business relationship. Legal retention periods remain unaffected.
Data transferred when signing up for services and digital content
We transmit personally identifiable data to third parties only to the extent required to fulfil the terms of your contract with us.
Your data will not be transmitted for any other purpose unless you have given your express permission to do so. Your data will not be disclosed to third parties for advertising purposes without your express consent.
If you would like to receive our newsletter, we require a valid email address as well as information that allows us to verify that you are the owner of the specified email address and that you agree to receive this newsletter. No additional data is collected or is only collected on a voluntary basis.
Following subscription to the newsletter, your e-mail address is used for our own information purposes until you cancel the newsletter again. You can revoke consent to the storage of your data and email address as well as their use for sending the newsletter at any time, e.g. through the “unsubscribe” link in the newsletter. The data processed before we receive your request may still be legally processed.
The data provided when registering for the newsletter will be used to distribute the newsletter until you cancel your subscription when said data will be deleted. Data we have stored for other purposes (e.g. email addresses for the members area) remain unaffected.
1. DATA CONTROLLER
The Data Controller is the National Research Council of Italy (CNR) – Piazzale Aldo Moro n. 7 – 00185 Roma. The Data Controller point of contact is the legal representative of the Institute of Sciences of Food Production of the CNR (CNR-ISPA), Dr Antonio Moretti at Via Amendola 122/O, 70126 Bari, Italy (email: email@example.com ; Tel. +39 08085929326).
2. DATA PROTECTION OFFICER
Pursuant to Art.37 of the EU Regulation 2016/679, Dr. Raffaele Conte is the Data Protection Officer (DPO) of CNR (CNR Provision 103/2020 of 15/10/2020). The e-mail of the Data Protection Officer (DPO) is firstname.lastname@example.org; PEC: email@example.com at CNR – Piazzale Aldo Moro n. 7 – 00185 Roma.
All beneficiaries in charge for the activity of the project have a Data Protection Officer in their own institution. Beneficiaries not required to appoint a DPO under the General Data Protection Regulation (GDPR 2016/679) have provided a data protection policy. The protection of the privacy of participants is a responsibility of all persons involved in the research with human participants.
3. LEGAL BASIS OF THE PROCESSING
The legal basis of the processing of personal data is represented by the EU Regulation 2016/679 of the European Parliament and Council of 27 April 2016 (from now on “GDPR 2016/679”) in accordance with the provisions of Article 6 paragraph 1) letter a) of the General Data Protection Regulation. In compliance with the Article 13 of the GDPR 2016/679, the Project has defined and formalized an Organizational Model of privacy related liability aimed at the correct processing of personal data.
Data provided to the project are treated in compliance with the individual’s fundamental rights and dignity, with particular reference to privacy, personal identity and the right to personal data protection according to the Italian Personal data protection code (D.lgs 196/2003 “Privacy Law”), and the Legislative Decree no. 101 of the 10th August 2018.
The research activity is performed in compliance with the CNR guidelines for research integrity (CNR Research Ethics and Integrity Committee – www.cnr.it/en/ethics Guidelines for Research Integrity, updated 2019, CNR Prot. n. 0081440/2019); and all data are acquired as detailed in the “Informed Consent in Scientific Research: Ethical Toolkit” of the CNR (https://www.cnr.it/en/doc-ethics).
4. INTRODUCTION AND PURPOSE OF THE STUDY
FoodSafety4EU is a collaborative action to support the European Commission (EC) in shaping the Food Safety System of the future. During its 3 years, the project delivers solutions to support the EC in its endeavour in aligning research, policy and innovation with the societal needs and perspectives and improving food safety across Europe. FoodSafety4EU mission is to enhance quality, reliability, and confidence in food in Europe and make available and share data, information, and digital tools, in order to enhance scientific excellence in the field of food quality and safety and strengthen scientific knowledge, also promoting scientific cooperation and integration. The general objective is to enhance scientific cooperation and encourage interaction between the various stakeholders, particularly engaging and informing the general public and food producers, as well as to create a common and shared base of data, information, and knowledge.
In order to deliver on its mission, FoodSafety4EU collects, generates processes and publishes datasets related to food safety (aggregated and open access results), but also collects contact information (name, surname, email address and affiliation) and feedbacks (opinions) from different stakeholders of the new food safety platform in order to inform them on further actions and improve the user engagement, tools and services provided.
As detailed in the Data Management Plan of the project (Deliverable 8.5), data are acquired by surveys, questionnaires, interviews (audio or video), participation in FSOLabs workshops, registration at FoodSafety4EU conferences, seminars, workshops or training courses. Personal data are used during the implementation of project’s actions for internal and external communication (website, newsletter, publications, video, pictures, etc.) and for statistic information.
5. SUBJECT PARTICIPATION
We estimate that about two thousands of participants (stakeholders) are enrolled by the FoodSafety4EU project. The stakeholders can be classified based on their level:
- macro – governmental organisations, such as food (safety) authorities and policy makers
- meso – supporting organisations, providing services both to the macro- and micro-level actors
- micro – individual food producers, consumers, the general public, media
Scientific network; Research institution; Foundation; University; Government body/committee; Association; Non-profit association; NGO network; Food Safety Authority; Food Safety private lab; Food Safety public lab; Consumer (individuals)- civil society; Consumer organisation; Civil society organisation; Industry/SME federation, network or associaton; Producer organisation; Network industry; Company for food innovation; Industry association; Communication network; Company or Innovation services for food sector.
Their participation in the surveys, questionnaires, interviews or other involve one visit, approximately from 15 to 60 min in length. Participation in FSOLab or focus group workshop (either physical or virtual) involve 1 to 2 days.
6. POTENTIAL RISKS AND DISCOMFORTS
No known risk is foreseen.
7. POTENTIAL BENEFITS
Participants do not receive any personal benefit for their participation in the project study/activity besides possibly learning more about innovative and integrated strategies, policies and initiatives that support stakeholders in the EU Food Safety System of the future and its FoodSafety4EU platform.
8. WHAT DATA DO WE COLLECT
During the FoodSafety4EU project, different types of data. including personal data and metadata, are collected (both in hard copy or in digital form) by the key actors of the project and through several channels as listed below:
- Personal identification information (i.e. name, surname, entity name, email address, gender)
- Registration and attendance records: details of events organized by or on behalf of the project
- Data relating to the web tools of the project, including the internal collaborative platform and the website: device type; operating system; browser type; browser settings; IP address; language settings; dates and times of connecting to a tool; username; password; security login details; usage data; aggregate statistical information;
- Views and opinions: any views, opinions, posts, likes, comments that any FoodSafety4EU project actor and user choose to send to the project, or publicly post about the project on social media platforms;
- Photograph and audio-visual material: pictures or video footage taken during events organized by, or on behalf of the project and that FoodSafety4EU project actors and users may attend;
- Data regarding studies, publications, FoodSafety4EU presentations, and datasets connected to food safety: collected by surveys/questionnaires and harmonised by dedicated metadata models as described below and according to the Data Management Plan of the project (Deliverable 8.5).
In compliance with the Article. 9 of GDPR 2016/679, personal data collected by the project do not include special categories of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, data concerning health or data concerning a natural person’s sex life or sexual orientation, biometric data, with the exception of photographs and audio-visual materials which are gathered during the events organized by, or on behalf of the project (FSO labs, conferences, etc.), and processed with the aim to promote and disseminate information about the activities of the project as detailed below. Personal data are not collected from ‘vulnerable individuals’ in the sense of the young or elderly, or impaired individuals.
9. HOW DO WE COLLECT AND PROCESS YOUR DATA
INFORMED CONSENT FORM
Personal data are collected by the FoodSafety4EU internal collaborative Platform; the website of the project; forms delivered during FSOLabs meetings; registration at conferences, seminars, workshops, training courses, etc.; newsletter or contribution to promotional material for social media; surveys and questionnaires related to the activities of the project; digital audio recording, digital video caption, etc.
Collection of personal data from potential stakeholders and participants are based on a voluntary basis. Data are collected only from participants who give the informed consent [Article 6 paragraph 1) letter a) of the GDPR 2016/679]. The FoodSafety4EU project only handles “minimal data” about users. The data collected are adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed. Specifically, information systems and computer programs are configured by minimizing the use of personal data, so as to exclude their processing when the purposes pursued in individual cases can be achieved through anonymous data or other appropriate ways to identify the data subject only in case of necessity (‘necessity principle’). All systems do not store cookies on the users’ computers to prevent any unauthorized tracking of the users’ activities on the Internet.
FoodSafety4EU project collects also personal data by interviews, records, photographs, video. Audio recordings are coded and transcribed. Audio recordings and any electronic or printed transcripts are stored in encrypted files or in a locked, secure location for five years after the publication of the research, after which, all files are destroyed.
Photographs and video are also taken and used or reproduced in different formats. The images are used for the purposes of display, publicity and in promotional materials by the CNR-ISPA as Coordinator of FoodSafety4EU project and APRE as project Communication and Dissemination Leader. Any intellectual property, including copyright and image rights, which arises in the visual images(s) belongs to the CNR-ISPA.
Datasets (and metadata) related to food safety
In addition, during the FoodSafety4EU project, surveys, interviews, etc. are conducted to collect data about studies, publications and datasets connected to food safety (as detailed in the Data Management Plan and Annex 4). These data are harmonised and dedicated metadata models are defined for each type of resource, taking into account existing models and standards while following the FAIR principles (findable, accessible, interoperable, and re-useable) as well as possible.
10. HOW DO WE STORE YOUR DATA AND DATA SECURITY
FoodSafety4EU establishes how to store the data according to the principle of data protection by design. Due to the nature of the investigation activities performed within the project, and evaluating the impact of the personal data processing operation and the relevant threat occurrence probability (also by the means of the ENISA tool), ethically relevant issues are not expected and the evaluation of the level of risk is considered low.
To this end, personal background-related data are stored separately from project activities relevant data. If necessary data are encrypted and when it is possible, they are pseudonymized (Article. 4.5 of GDPR 2016/679). The pseudo-anonymization of data ensures that nowhere within the data a direct connection to the individual can be drawn: each subject is assigned a code to identify his/her respective data. Each code and the subject’s name have to be linked to enable participants to withdraw their data at any state of the project. The beneficiary in charge of the collection has a full list with names and codes to allow subjects to withdraw the data at any point in time during the project. These lists are in hard copy, and stored in a locked filing cabinet. No names or other identifying information are used when discussing or reporting data. The key-file containing identity information is kept separate from the rest of the data. The data containing information about the subjects’ identity is stored in a secure file to which only the ad hoc-Data Protection Officers of the participating institutions have the keys. Encryption of personal data is used in all cases when “in transit” and when available to data “at rest”.
Datasets (and metadata) related to food safety, collected (already existing, arising from external sources) or generated (data record directly emerged from or produced) by the project are organized in catalogues to make the datasets FAIR-er (findable, accessible, interoperable and reusable). Catalogue tools are developed, where the resource owners are able to update the data and metadata they would like to share with the FoodSafety4EU community. The submitted resources are validated prior to publication in the catalogues. Each resource in the catalogue has a unique identifier and even the possibility of use of Global Unique Identifiers (GUID). The catalogues are searchable by external users, based on the metadata provided by the resource owners, hence making the resources findable with all the metadata openly available.
Proper solutions for secure and efficient access and exchange of data are essential for building the electronic platform of the project. As there won’t be a single central repository and all the datasets are stored either in the owners’ facilities or data repositories chosen by the data providers, the data providers have the control over their data access. Several security steps are taken for the data providing systems:
- Access to restricted data or modification of data is only allowed to authenticated and authorised users.
- The communication over the internet use HTTPS (SSL) and secured interfaces such as OAuth to get to the level of Internet banking.
- Physical servers are in access restricted and access-controlled server rooms and use mirrored hard drive setups.
- For each database, a backup is done every night and keep monthly backups for a longer time. The preferred solution is to have daily backups for the last 30 days, monthly backups for the last 12 months and yearly backup for the last 5 years. The server where the backup files are stored follows the same security steps.
- Software server such as database or web servers also need authentication and authorisation for users and are access restricted to administrators.
- All software used like DBMS also have authentication and authorisation for users and are access restricted to administrators.
- User password should not be stored plaintext in the database but encrypted by MD5, SHA family or other asymmetric or one-way encryption.
- Firewalls are used to protect ports of the servers.
- Intrusion detection or intrusion prevention system is used.
- Systems should use a logging mechanism to register what, how and when data was modified.
11. DATA RETENTION PERIOD AND ERASURE
The project ensures that data are only stored for the period required for the purpose of their processing. Personal data are kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the data are collected or for which they are further processed. Personal data that are not necessary any more are erased or truly anonymized. Any time after subscription, Supporting Partners and participants reserve the right to terminate their communication with the FoodSafety4EU consortium and unsubscribe from the network upon request as well as to access and modify their data.
In terms of data retention and destruction, all data are deleted after 5 years from the end of the project.
12. DATA RECIPIENTS, ROLES AND RESPONSIBILITIES
According to the Data Management Plan (DMP) of the project (Deliverable 8.5), the processing of data is carried out by persons in charge of the relevant proceedings, or data processor duly authorized and instructed to process (Article 29 of GDPR 2016/679) also using computerized procedures, in the manner and within the limits necessary to pursue those aims, also in the event of communication to third parties.
In order to properly maintain, execute, monitor and update the DMP, the following roles have been identified:
Data Manager (DM) – The DM is in charge of ensuring the proper data management throughout the project’s life, in strict cooperation with the Project Coordinator and Data Management Committee, by handling transparently the DMP. In particular, the DM will facilitate sharing of data within the consortium, guarantee that any data will be handled transparently and suggest the appropriate way of dissemination and exploitation of any novel data generated by FOODSAFETY4EU in the spirit of Open Science, together with the relevant Beneficiaries and Supporting Partners. DM has been appointed and, according to the GA, is Dr. Giuseppina Avantaggiato (CNR).
Data Management Committee (DMC) – The DMC will audit activities around data management and propose solutions for data management issues to the GA, elaborating the details, licensing included, in agreement with data owners and bringing proposals to the consortium where final decision is taken. In particular, it needs to be checked if data owners have a procedure for data management that must be followed. The committee is a group of persons with knowledge in food data, management and ICT and has no formal decision authority, it can also be considered as a working group. The following persons are proposed as the members of the committee: Claudia Zoani (ENEA), Agnes Matuszczak (PMT), Pasquale Del Vecchio (CNR).
Data Providers/WP Leaders – WP Leaders are responsible for ensuring the proper implementation of the DMP in their respective WPs and in informing the DM and DMC when new data have been generated or collected during project activities. Furthermore, they are in charge to interact with the DM, informing them when new open data/papers for publication are available and providing an appropriate description of related data or publication.
13. TRANSFER OF PERSONAL DATA TO / FROM NON-EU COUNTRIES
By default, data are not automatically shared and no contact data are shared without consent. Personal contact data are kept internally within the FoodSafety4EU consortium and are not published, accessible and shared with external organizations or individuals. Data sharing and diffusion applies just to data for which consent has been given, and in accordance with the diffusion terms expressed by the consent.
The project assures that data collected in EU are never transferred to entities in non-EU countries.
In case personal data are collected by Beneficiaries in non-EU countries (namely, Albania and Tunisia) and transferred to the EU countries (or another third state), Beneficiaries confirm that the transfer complies with the laws of the country in which the data are collected.
Furthermore, the consortium guarantees that all personal data collected during the project in non-EU countries are kept secure and unreachable by unauthorized persons. The data are handled with appropriate confidentiality and technical security, as required by EU laws and recommendations (see § 10).
Data transfer among EU Beneficiaries, and from non-EU countries to EU countries, is performed by data transfer models for identified dataset types, using existing standards and methodologies. In case of absence of these methodologies new data transfer models are proposed with the focus on machine-readability of the (meta)data. In general, the possible use of APIs (Application Programming Interfaces), especially using standards like REST and JSON, are implemented where applicable. As JSON is a general-purpose file format, it can be particularly useful for third party tools, which therefore are able to access data from FoodSafety4EU in a unified way.
14. RIGHTS OF DATA SUBJECTS
The EU Regulation 2016/679 grants to data subjects the following rights:
right of access (art. 15 of GDPR 2016/679): participants have the right to request FoodSafety4EU for copies of their personal data;
right of rectification (art. 16 of GDPR 2016/679): participants have the right to request that FoodSafety4EU corrects any information they believe is inaccurate. They have also the right to request FoodSafety4EU to complete the incomplete information;
right to deletion (art. 17 of GDPR 2016/679): participants have the right to request that FoodSafety4EU erases their personal data, under certain conditions;
right to restriction of processing (art. 18 of GDPR 2016/679): participants have the right to request that FoodSafety4EU restricts processing of personal data, under certain conditions;
right to data a (art. 20 of GDPR 2016/679): participants have the right to request that FoodSafety4EU transfers the data collected to another organization, or directly to them, under certain conditions;
right to object (art. 21 of GDPR 2016/679): participants have the right to object to FoodSafety4EU processing of personal data under certain conditions;
right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the individual or that significantly affects the individual (art. 22 of GDPR 2016/679).
In relation to data processing, the data subjects may contact Dr. Antonio F. Logrieco, Data Controller point of contact, to exercise their rights
15. HOW TO CONTACT US
Veronica Lattanzio (FoodSafety4EU Project Coordinator): firstname.lastname@example.org, Phone: +39 080 5927364
Giuseppina Avantaggiato (FoodSafety4EU Project Ethics Manager): email@example.com, Phone: +39 080 5929348.
16. Right to Complain
If participants, in the event that they consider that the processing of personal data relating to them is carried out in breach of the provisions of GDPR 2016/679, or feel that FoodSafety4EU project has not addressed their concern in a satisfactory manner, have the right to lodge a complaint with the Guarantor, as provided for in Article 77 of GDPR 2016/679, or to bring the issue before the competent courts pursuant to article 79 of GDPR 2016/679. They may also contact the Italian Data Protection Authority.