Version 1, last updated: 06-12-2023
USE OF YOUR PERSONAL DATA
For us, data protection is a very important issue, so we would like to inform you how we will use your personal data and what rights you can exercise under the applicable data protection legislation, EU Regulation 2016/679 (here also: “GDPR”) and Dutch privacy laws.
Any capitalized word which is not defined in this document is used in the meaning stated in GDPR. Please refer to the official text, which you can read in the following website: EUR-Lex – 32016R0679 – EN – EUR-Lex (europa.eu) If you don’t understand the text of the relevant legislation and you want to understand more about this topic, please contact us at {email}.
Personal Data is every unique information about your person, regardless of the fact that your name or contact details are present. Personal Data is also, for example, an IP address, information about how you feel, the GPS coordinates of your location, information about your house, your personality evaluation, your performance assessment, your brain scan, and such.
Who controls your personal Data?
The person who controls your data and decides how your data will be used (Data Controller) is:
| The Data Controller University of Turin Department of Law Contacts: Chiara Gallese chiara.gallese AT unito.it | The Data Protection Officer (DPO) rpd AT unito.it |
Whose Data do we collect?
We collect data from participants to the questionnaire/interview/focus group.
What data we collect depends on the methods of this particular research, and on how you choose to interact with us.
What personal data do we collect?
Depending on all the above, we collect:
| Contacts | We collect your name in the privacy form and we will collect your email address if you contact us to exercise your rights or to ask for information. |
| Health data | We do not collect your health data but we need to know if you are a patient. |
| Ethnicity data | We collect information about your ethnic background. |
| Sexual orientation data | We will ask you if you are part of a LGBT+ group. |
| Opinions | We will ask for your opinion regarding the use of health data and the EU data policy. |
| Age | We collect information about your age group. |
| Socio-economic status | We collect information about your profession, education, and income. |
How do we process your data?
Below you can find a table describing how we use your data.
The use of your data is called ‘processing’ and it includes, for example: reading, storing, analyzing, sharing, and modifying your data.
For each category of information regarding you, below it is specified why we use (process) your data (the purpose), why we are authorized to do so (the legal basis), and for how long we will keep your data (retention period).
| We process these data: | with the purpose to: | with the legal basis of: | storing them for: |
| Contact information | communicate with you, helping you | your consent | as long as the research project is over and for additional 10 years |
| Contact information | allowing you to exercise your rights | law | as long as it is required by laws and regulations |
| Ethnicity, and sexual orientation | storing, analyzing, and pseudonimyzing data to answer our research questions and to perform similar research in the future | your consent | as long as the research project is over and for additional 10 years |
| Status as a patient | Understand if you can be included as a participant in the research; perform audit for research integrity purposes | your consent | 10 years |
| Opinions | storing, analyzing, and pseudonimyzing data to answer our research questions and to perform similar research in the future, perform audit for research integrity purposes | consent | 10 years |
| Socio-economic status | storing, analyzing, and pseudonimyzing data to answer our research questions and to perform similar research in the future, perform audit for research integrity purposes | consent | 10 years |
| All your information | anonymize your data, creating a public dataset, allowing other researchers to perform additional research in the same field | consent | the data set will be published in a research repository |
| All your information | be compliant with laws and regulations, making our legal and privacy expert review the way we use your data | legitimate interest | as long as the research project is ongoing |
Profiling and automatic processing
We do not use profiling or automated processing of your data.
However, the results of this research will be made public and therefore in the future they could be used by policy-makers and private entities (such as banks or insurances) to create guidelines, procedures and regulations that could have an impact on the general population, including you and your family. Please let us know if you are concerned about this possibility, then we will find a way to restrict the access of the data set only to universities.
For how long is my data stored? Can I change or delete my data?
We store personal data as long as needed for the purpose described in this document, as explained in the table above.
You can at any time modify, update or delete your data when you ask us to do so by email to chiara.gallese AT unito.it. We will comply with your request promptly and at the latest within 30 days.
If you are voluntarily provide us with your email address to receive a report, your individual survey results or our research findings, your email address will be deleted after 6 months (unless you ask us to keep it for a longer time).
When we don’t need your data anymore, we will delete them; if, due to a particular method of storage, their deletion is impossible or it would require a disproportionate effort, we won’t use your data and we will keep them in a safe place where no one can find them.
However, please note that, after the research is performed, we might be unable to change or delete your data if this requires a disproportionate effort or if this would impair our research.
Further use, sharing or disclosing
Communication. If you have asked to be notified of changes to our policy, to receive your individual report or to be informed about our research, we will use your email address to communicate with you.
Publication of research. Our research results will be published and disseminated through journals, conferences, workshops, seminars, and teaching activities.
Publication of data set/anonymized or aggregate data set. We may disclose or use aggregated or de-identified data to enable other research group to perform further research on the same topics or in the same field.
Change of research team members. If students or researchers leave our team, for example because they change job, we may need to replace them. In that case, some or all your personal data may be shared or transferred to the new team members, provided that we will arrange all the appropriate security and confidentiality measures. We will ensure that the leaving persons don’t have access to your data anymore.
Performing research activities. We may need to store your data in third-parties storage services, cloud solutions, or software, in order to perform our research. We will make sure that those parties arrange all appropriate security measures to protect your data.
To protect our rights. We have the right to disclose your data to enforce, protect and defend rights, property or safety of our group or third parties, including to enforce contracts. Please contact your attorney if you are not sure of how your national legal system allows the exercise of rights.
To comply with laws. We may disclose your data with our research data stewards, privacy team members, ITC support staff, and other professionals providing consultancy on research data compliance. If we receive a request for information or an inspection, we may disclose the data, if this is required by mandatory applicable laws, regulations, rules, or it is ordered by any public authority. Please check on your government website if you are not sure in what cases it is allowed by law to disclose personal data.
With your consent. We may share personal data and other data with third parties, such as companies involved in the research project when you gave your consent to do so.
Third-Parties
We collaborate with some companies/Institutions to perform our research. Their role is to provide cloud services, data analytics, transcriptions, and translations.
Those third parties will use your data on our behalf and under our supervision (they are called processors). These third parties may, for example, provide and help us with analysis, storage services, archiving documents. When we hire new processors we will sign an agreement (written contract) according to which the processor may access and use your data only following our precise instructions, and can’t use your data for any other purpose. We also make sure that they have the same level of security and confidentiality that we provide.
Where is my data transferred and stored?
Personal data may be transferred to countries outside the European Union as the Data Controller uses Google’s Educational services. Google uses IT infrastructure, equipment necessary to interconnect networks and users, and logging centers located in non-EU states. Google has adhered to the Data Privacy Framework on EU-US data transfer on the basis of the adequacy decision adopted on July 10, 2023 by the EU Commission pursuant to Article 45(3) of the GDPR. As part of its contractual relationship with the University, in addition. Google complies with European data transfer regulations as outlined in the Amendment on the data processing, signed by the University, in which the model contractual clauses are contained (see https://cloud.google.com/terms/sccs/eu-c2p). By Implementing Decision (EU) 2021/914 of June 4. 2021, the European Commission issued the model contractual clauses for the transfer of data personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and the Council.
What are your rights?
Right to be informed. You have the right to be informed about how we use your information. We do this through this document, through our website, by answering questions sent to us, and by providing reports about our research on request.
Website : https://www.datacomproject.eu
Right to access your data. You may request a copy of your data by email to chiara.gallese AT unito.it if you would like to know what personal data we have about you. This copy of your personal data can also be given to you in a common (machine-readable) format.
Right to rectification. You have the right to correct inaccurate or incomplete information about yourself which you can do by email to chiara.gallese@unito.it Please note that, after the research is completed, we might be unable to change your data if this requires a disproportionate effort or if this would impair our research results.
Right to erasure. You have the right to request deletion of your personal data, for example when it is no longer necessary for us to process the data for the purpose it was collected, or when you have withdrawn your consent, which you request by email to chiara.gallese@unito.it Please note that, after the research is completed, we might be unable to delete your data if this requires a disproportionate effort or if this would impair our research results.
Right to restrict processing of your data. If you believe your information is incorrect or you believe we use your data unlawfully, you have the right to ask us to stop or limit the processing, which you request by email to chiara.gallese AT unito.it. Please note that, after the research is completed, we might be unable to restrict the use of your data if this requires a disproportionate effort or if this would impair our research results.
Right to lodge a complaint. You have the right to file a complaint with your national data protection authority, or the Dutch Data Protection Authority. Complaints to the Authority can be made at https://www.garanteprivacy.it/ or by sending written communication to the Authority for the Protection of Personal Data:
Garante per la protezione dei dati personali
Piazza Venezia 11
00187 – Roma
Further information about your rights can be found on our website at: https://www.unito.it/privacy
These rights can be exercised in accordance with GDPR by sending an e-mail to rpd AT unito.it
Age limit
The research is addressed to individuals who are at least sixteen years of age.
Research Code of Conduct
We process your data in accordance with the Netherlands Code of Conduct for Research Integrity. More information can be found at https://www.unito.it/sites/default/files/allegati/01-08-2014/cod_etico_comunita_universitaria.pdf .
Changes to this document
If we need to make changes to the way we use your data, we will immediately contact you. If additional consent from you is required, we will ask you to sign the new document.
CONSENT FORM
PURSUANT TO ART. 7 OF THE EU REGULATION 2016/679
I agree to the collecting, storing, and analyzing of my personal data as explained above:
Yes ☐ No ☐
I give my explicit consent to the collecting, storing, and analyzing of particular categories of data, such as data that reveal ethnicity, sexual orientation, status as a patient, and data about the membership to vulnerable groups:
Yes ☐ No☐
I agree that my anonymized data are used for further research:
Yes ☐ No☐
I agree that my anonymized data will become of public domain:
Yes ☐ No☐
________________ ________________________
(Place and date) (Signature of the person concerned)