In accordance with EU Regulation No. 2016/679 (hereinafter “GDPR”) as well as national legislation (hereinafter collectively “Applicable Law”), this policy statement provides information with regard to the processing of personal data of users and visitors (hereinafter “User”) of Eurac Research’s websites under the subdomain access.chrisportal.eurac.edu (hereinafter “Website”). For information regarding the processing of personal data of users and visitors of other websites of Eurac Research, please refer to the general Eurac Research privacy policy.
Before providing any personal data or completing an electronic online form on the Website, Eurac Research invites the User to carefully read this privacy policy.
1. Data Controller and Data Protection Officer
Data controller is Eurac Research, with headquarters at Viale Druso 1, 39100 Bolzano, Italy, in the person of its legal representative pro tempore. You can contact the Data Protection Officer of Eurac Research under privacy@eurac.edu.
2. Types of personal data subject to processing, purpose and legal basis of the processing
The following personal data relating to the User may be processed by Eurac Research, or on behalf of Eurac Research, when the User interacts with the Website:
2.1. Data provided when creating CHRIS Portal user account or submitting a CHRIS Sample or Data Access Request
The request for registration through the online form under https://access.chrisportal.eurac.edu/users/register/ requires the User to provide his personal data such as first name, last name, date of birth, email address, phone number, organization (represented by the User or to which the User is affiliated), as well as personal data contained in the curriculum vitae uploaded by the User.
Purpose of the processing of such personal data is enabling Eurac Research to evaluate the Users’ eligibility to submitting research proposals through the Website.
The provision of this personal data is obligatory for submitting a request for registration. The submission and subsequent approval of such request (at the discretion of Eurac Research) is a necessary condition for being able to submit research proposals through the Website.
Any other personal data relating to the User that are provided by the User on a voluntary basis within electronic forms, uploaded documents or following email enquiries with Eurac Research representatives, will be processed by Eurac Research for the purpose of evaluating and documenting research proposals submitted by the User. Whenever the User voluntarily provides personal data relating to third parties, the User assumes full responsibility for the fact of being authorized by the concerned data subjects to submit their personal data for being processed by Eurac Research.
Legal basis of the processing is the User’s consent, collected when submitting a request for registration. The User’s consent can be withdrawn at any time by deleting the account in the account settings section or by writing to access.chrisportal@eurac.edu. Once the User has submitted a research proposal, further legal basis for the processing of the User’s personal data becomes the request of the data subject prior to entering into a contract.
The User’s personal data will be deleted if the User remains inactive, not logging into his account, for a period of five years.
However, if a research proposal submitted by the User gets approved by Eurac Research, the User’s personal data will be retained by Eurac Research for a period necessary or permitted to comply with Eurac Research’s accountability obligations and the Applicable Law (e.g. statute of limitation provisions according to art. 2946 and following of the Italian Civil Code); when such period has been reached, the User’s personal data will be deleted or made anonymous.
2.2. Browsing data
The computer systems and software used to run the Website during normal operations acquire certain personal data whose transmission is implicit in the use of Internet communication protocols. Due to their inherent nature, such information could enable an identification of the User via processing and associations with data held by third parties. This category of data includes, for example, the IP addresses or domain names of the Users’ computers connecting to the Website. While browsing the Website, the following information about the User will be collected and stored in the log files of the server (hosting) of the Website: Internet protocol address (IP); type of browser; parameters of the device used to connect to the Website; date and time of the visit; web page of origin of the visitor (referral) and exit; possibly the number of clicks.
The data is used both to obtain and analyze statistical information concerning the Website's use and to monitor the Website's proper operation. Legal basis of such processing is Eurac Research’s legitimate security interest and the need to make the Website available unhindered.
Browsing data may be further used to ascertain liability in a suspected computer crime directed against the Website. Purpose of such processing is the collection of evidence for the establishment, exercise or defense of legal claims and legal basis of such processing is Eurac Research’s legitimate interest to defend its rights.
Browsing data will not be held beyond the time required to meet the above purposes as necessary or permitted under the Applicable Law. Personal browsing data will not be disclosed to third parties; if requested, however, such data must be made available to the Italian Postal and Communication Police Service, legal authorities, and criminal investigation police.
2.3. Data collected through cookies and similar technologies
Cookies and similar technologies are information stored on websites and apps on the Users’ devices during their first visit to the Website. Cookies and related technologies allow websites and apps to remember User actions and preferences (such as login data, the default language, display settings, etc.) so that they will be available in the User’s subsequent visits. These technologies are used to perform IT authentications, session monitoring and to store information about the activities of Users who access a service.
In line with Applicable Law, prior consent for the use of cookies is not always required. In particular, such consent is not required for "technical cookies", e.g. those used solely for the purpose of carrying out the transmission of a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the contracting party or user to provide that service. In other words, cookies that are strictly necessary for the Website’s operation.
The Website only uses “persistent technical cookies” (small text files that the website temporarily saves directly on the computer) that allow the Website to remember, for example, the User’s preferred language or to show other possible versions of the Website.
The User may authorize, block or eliminate (in whole or in part) the use of cookies by selecting the relevant settings on the User’s browser. Please note, however, that this may impede the operation of the Website’s features.
3. Recipients of the User’s personal data
The User’s personal data collected via the Website is processed by employees of Eurac Research or other persons authorized and instructed to carry out data processing activities under the authority of Eurac Research. Further, the User’s personal data may be processed by persons who carry out occasional maintenance work on the Website and who have been appointed for this purpose and are bound to confidentiality.
The User’s personal data collected via the Website may be processed on behalf of Eurac Research by external companies, consultants, associations, software suppliers and service providers under a data processing agreement. Eurac Research guarantees that the processing of the User’s personal data by such processors shall be carried out in accordance with the Applicable Law and appropriate safeguards for the User’s rights under the GDPR.
To provide certain internal IT services, Eurac Research and the Free University of Bolzano (with legal seat in 39100 Bolzano, Italy, Piazza Università 1; DPO contact: privacy@unibz.it) jointly manage the scientific platform “Scientific Network South Tyrol”, connecting their data centers. Eurac Research and the Free University of Bolzano are Joint Controllers of the personal data processed in this context and, accordingly, have entered into an agreement pursuant to art. 26 of the GDPR. The joint controllers have agreed that user’s complaints and requests to exercise their rights under the GDPR will be handled within the framework of the processing purposes set out in the joint agreement. Data subjects may exercise their rights in respect of and against each of the controllers according to art. 26 par. 3 of the GDPR.
When required by law or requested by competent public authorities, the User’s personal data will be forwarded to public administrative bodies and agencies.
4. The User’s rights as data subject
At any time, the User as data subject has the right to request access to its personal data, to correct or delete that data, or to limit its processing. In addition, the User has the right to data portability, as well as the right to lodge a complaint with a supervisory authority. The User may also exercise all other rights pursuant to current data protection regulations (art. 15 et seq. GDPR) by writing to the email: privacy@eurac.edu.
5. Amendments
The content of this privacy policy may be amended or updated to conform to legal and regulatory obligations with respect to data protection, to allow for technological advances on the Website that could impact the modalities of processing or to reflect organizational modifications.
Last updated: 18/04/2023