M-ERA.NET Data Privacy Policy
Name and Address of the Data Controller
The data controller under the data protection laws for the processing on this website is the
Austrian Research Promotion Agency (Österreichische Forschungsförderungsgesellschaft mbH)
1090 Vienna, Sensengasse 1
FN 252263a HG Wien
Tel: +43 (0)5 7755 - 0
Fax: +43 (0)5 7755 - 97900
datenschutz@ffg.at
The Austrian Research Promotion Agency acts as the M-ERA.NET consortium coordinator.
A list of the current consortium members is available at https://m-era.net/about/m-consortium.
Please keep in mind that in some cases a joint responsibility pursuant to Article 26 GDPR between the FFG and the other consortium members might exist.
General information on data processing
The M-ERA.NET data privacy policy describes how we process your personal data when you use our services or visit our website.
For further information and details on the processing of personal data by the different funding agencies, please refer to the specific privacy policy statements of the respective agency.
Your personal data will be deleted or made unavailable by us once the purpose for storing and processing such data no longer applies, provided that longer retention cannot be justified by statutory obligations or that no legal claims exist which may still be asserted against us and require retention.
Within the scope of electronic data processing, we use IT service providers (data processors) who might obtain access to your personal data in the course of their work where they require the data to render the respective service. We have obliged these service providers to take appropriate technical and organisational measures to ensure the security of your data. These service providers are not permitted to pass on your data (except in cases stipulated by law).
Specific processing operations
1. General data processing on the website
1.1 Purpose of data processing
- Data is collected and exchanged during each visit to a website to enable you to access and use the website.
- Some data is used for statistical data analysis in order to measure the demand for web offerings on the M-ERA.NET website.
- Some data is processed to prevent attacks on our infrastructure.
1.2 Scope of the processing of personal data
The M-ERA.NET website automatically collects and stores data transmitted from your browser to our server. This data includes:
- type and version of your internet browser
- operating system used
- the page visited
- the page visited before our website (referrer URL)
- time of the server inquiry
- client IP address
It is not possible for us to trace this data back to a specific individual. This data is not merged with other data sources.
1.3 Legal basis for processing personal data
The legal basis for the aforementioned data processing is the legitimate interest pursuant to Article 6(1)(f) GDPR.
The legitimate interest is our interest to protect our website from attacks and misuse and to safeguard the security and stability of our systems, to enable you or services via the website and to use data analysis in order to measure the demand for web offerings on the M-ERA.NET website.
1.4 Data retention period
IP addresses are stored for 14 days to detect and prevent attacks on the infrastructure. After that time the IP addresses are deleted.
In all other cases data will be stored in compliance with the statutory retention periods or as long as they are necessary for the relevant processing. Your data will be erased before such period expires if you exercise your right to object.
1.5 Data recipients
Data collected from visits to the M-ERA.NET consortium offers on the internet is transmitted to third parties only when required by law or court order or in cases when attacks on the infrastructure of the M-ERA.NET consortium make it necessary to forward such data for the purposes of legal action or criminal prosecution.
Data will not be transferred for any other reason.
2. Newsletter
To receive the newsletter offered on our website, you can register via our form. We use a double opt-in procedure. This means that a confirmation email is sent to the email address you entered, which in turn requests your confirmation. Your registration becomes effective only after you click on the activation link in the confirmation email. If you do not click on the activation link, your data will be erased after four weeks. We use the data provided by you for the exclusive purpose of delivering the newsletter, which may include information or services.
We deliver our newsletter by rapidmail. Your data is therefore disclosed to rapidmail GmbH, which is prohibited from using your data for purposes other than delivery of our newsletter. rapidmail GmbH is not allowed to disclose or sell your data. rapidmail is a certified German newsletter software provider which was selected carefully in accordance with the requirements of the GDPR and the BDSG.
The data provided will be processed on the basis of your consent in accordance with Article 6 (1) (a) of the General Data Protection Regulation (GDPR). You can withdraw your consent to the storage of your data and its use for newsletter delivery at any time, e.g. using the unsubscribe link in the newsletter. The lawfulness of processing your personal data on the basis of the consent provided by you remains valid until your withdrawal of consent has been received.
3. E-Mails to the M-ERA.NET consortium
3.1 Purpose of data processing
When you send us an e-mail, this e-mail and your e-mail address will be used solely for correspondence purposes.
3.2 Scope of the processing of personal data
- E-mail address
- If you enter any personal data in your text message (e.g. name or phone number), these will also be included in the processing.
3.3 Legal basis for processing personal data
The legal basis for this processing is the controller's legitimate interest according to Article 6 (1)(f) GDPR to provide interested parties with a simple and effective way of contacting us directly via e-mail and giving you the optimal support.
Article 6(1)(b) GDPR might also be the legal basis in cases where the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.
3.4 Data retention period
Your personal data will be stored in compliance with the statutory retention periods or as long as they are necessary for the relevant processing. Your data will be erased before such period expires if you exercise your right to object.
3.5 Data recipients
Your message and your data will only be disclosed to the consortium members involved. The data will not be shared with other third parties without your consent or without a legal obligation.
4. M-ERA.NET database
4.1 Purpose of data processing
The M-ERA.NET database consists of project data.
Contact data of people involved in proposals/projects are stored to an extent which is necessary for managing the submitted proposals and funded projects.
These contact data are not available to the public and are only used for updating the database or for research purposes (e.g. impact assessments, surveys).
4.2 Scope of the processing of personal data
- First and last name
- Affiliation
- Telephone number
- E-mail address
- CV
- List of publications
- other project data
4.3 Legal basis for processing personal data
In certain cases, we process personal data on the basis of the consent of the data subject within the meaning of Article 6 (1) (a) of the GDPR.
Where processing of personal data is required for the conclusion of contracts, this takes place on the basis of the fulfilment of the contract or the performance of pre-contractual measures within the meaning of Article 6 (1) (b) of the GDPR.
Where we are under legal obligation to process personal data, such as statutory documentation and retention obligations, this is done on the basis of the fulfilment of a legal provision within the meaning of Article 6 (1) (c) of the GDPR.
4.4 Data retention period
Your personal data will be stored in compliance with the statutory retention periods or as long as they are necessary for the relevant processing. Your data will be erased before such period expires if you exercise your right to object.
4.5 Data recipients
Your data will be disclosed to the consortium members involved.
In all other cases your data will only be transmitted to third parties when required by law or court order or in cases when it is necessary to forward such data for the purposes of a legal action or criminal prosecution.
5. Expert Applications
5.1 Purpose of data processing
Management and execution of the application procedure for experts to assist with the evaluation of proposals submitted to the M-ERA.NET Joint Calls and for experts to assist with defining the thematic scope of these calls.
5.2 Scope of the processing of personal data
- Gender
- Name
- E-Mail address
- Country
- Expert keywords
- Organisation
- Type of organisation
- CV
- Bank account data
5.3 Legal basis for processing personal data
If prior informed consent is obtained, processing shall be based on such consent pursuant to Article 6(1)(a) GDPR.
Article 6(1)(b) GDPR might also form the legal basis in cases where the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.
The legal basis for this processing can be the controller's legitimate interest according to Article 6 (1) (f) GDPR to enable a quick and effective way to fill in applications for experts.
5.4 Data retention period
Your personal data will be stored in compliance with the statutory retention periods or as long as they are necessary for the relevant processing.
5.5 Data recipients
Your data will only be disclosed to the consortium members involved and the call secretariat.
The data will not be shared with other third parties without your consent or without a legal obligation.
6. Intranet
6.1 Purpose of data processing
Sharing of information necessary for the M-ERA.NET 3 implementation.
6.2 Scope of the processing of personal data
Users of the Database:
- Login-Data (Name, E-Mail, Organisation, Password)
6.3 Legal basis for processing personal data
In certain cases, we process personal data on the basis of the consent of the data subject within the meaning of Article 6 (1) (a) of the GDPR.
Where processing of personal data is required for the conclusion of contracts, this takes place on the basis of the fulfilment of the contract or the performance of pre-contractual measures within the meaning of Article 6 (1) (b) of the GDPR.
The legal basis for this processing can be the controller's legitimate interest according to Article 6 (1) (f) GDPR to grant the data subject involved the controlled access to the necessary information in a quick and effective way.
6.4 Data retention period
Your personal data will be stored in compliance with the statutory retention periods or as long as they are necessary for the relevant processing.
6.5 Data recipients
Your data will only be disclosed to the consortium members involved.
The data will not be shared with other third parties without your consent or without a legal obligation.
Regarding the data transfers to other consortium members
Some consortium members are not from an EU or EEA member state.
We will transfer personal data to third countries if the requirements of the GDPR are met and sufficient safeguards are in place.
These requirements can be, for example:
- An adequacy decision of the European Commission pursuant to Art. 45 GDPR;
- Standard contractual clauses for the transfer of personal data to third countries pursuant to Article 46 GDPR.
Data transfers might occur in the following cases as well:
- You have explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- The transfer is necessary for the performance of a contract between you and us or the implementation of pre-contractual measures taken at your request.
- The transfer is necessary for the conclusion or performance of a contract concluded in your interest between the controller and another natural or legal person.
- The transfer is necessary for the establishment, exercise or defence of legal claims.
Rights of the data subject
- Right to access
You have the right, vis-à-vis us, to request access to all data concerning you processed by us.
- Right to rectification and right to restriction of processing
You may request the rectification of inaccurate data or have incomplete data completed.
- Right to data portability
You may demand that we transmit to you - or if technically feasible to a third party indicated by you - a copy of your data in a structured, commonly used and machine-readable format. In addition, you have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where
- the processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR, and
- the processing is carried out by automated means.
In exercising this right, you also have the right to have the relevant personal data transmitted directly from one controller to another, where technically feasible. Rights and freedoms of others shall not be adversely affected by the above.
- Right to erasure
Under certain circumstances, you have the right to obtain erasure of your data, e.g. if your data is not processed in accordance with data protection requirements.
If you have asserted your right to rectification, erasure or restriction of processing vis-à-vis us, we are obligated to communicate such rectification or erasure of data or restriction of processing to each recipient to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.
- Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions.
In that case, the controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
- Right to withdraw consent
You have the right to withdraw your declaration of consent at any time.
The withdrawal of consent shall not affect the lawfulness of any consent-based processing performed until the withdrawal.
- Supervisory authority
You have the right to lodge a complaint with the national supervisory authority in your place of residence if it is assumed that the processing of personal data is carried out unlawfully.
Each national supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.
Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6 (1), the supervisory authority of the Member State concerned shall be competent.
If you have a complaint, please contact the competent supervisory authority.
The list of the national data protection authorities is available on the website: https://edpb.europa.eu/about-edpb/board/members_en
Contact
In connection with any of the above matters, in particular, with regard to exercising your rights as data subject, as well as in case you have any further questions, please contact the following e-mail address:
Cookies
Please note that the providers Twitter, YouTube and Google are based in a so-called third country, here the USA, within the meaning of the GDPR. In its decision of July 16, 2020, Case C-311/18 ("Schrems II"), the Court of Justice of the European Union (CJEU) invalidated the European Commission's decision on EU-US data protection obligations (Privacy Shield Decision 2016/1250). A data protection level that is essentially comparable to the European data protection standards does not exist for the USA.
As a result, there is no valid adequacy decision by the European Commission with regard to the transfer of personal data to the USA within the meaning of Art. 45 Para. 1, 3 GDPR. Furthermore, there are no so-called suitable guarantees within the meaning of Art. 46 Paragraph 2, 3 GDPR, which enable a corresponding level of protection without further measures. It cannot be ruled out that a company based in the USA may grant government agencies access to the processed personal data. Personal data could therefore be passed on to third parties. It may not be possible to enforce the rights of those affected.
Therefore, the transmission of the data (IP address) in the context of the use of Twitter, YouTube or Google is only possible with your express consent in accordance with Article 49 Paragraph 1 lit.