Content of the second layer of the information obligation – common information clause
1. Joint Controllers
The Joint Controllers are:
− PRISM – IMPRESA SOCIALE SRL based in ENNA EN, address: Via Falautano (Palazzo Grimaldi), Italy
− BULGARIAN CENTER FOR PROFIT LAW BCNL, Sofia, address: 3 HRISTO BELCHEV STREET, Bulgaria,
− ATHENS LIFELONG LEARNING INSTITUTE, based in Marousi, address: Kifisias Avenue 62, Greece
− UNIVERSITY OF ŁÓDZKI with its seat at 68 Narutowicza Street, 90-136 Łódź,
2. Data Protection Officer
The Joint Controllers have appointed Data Protection Officers who can be contacted by email at:
− PRISM – IMPRESA SOCIALE SRL – e-mail address: firstname.lastname@example.org
− BULGARIAN CENTER FOR PROFIT LAW BCNL – e-mail address: email@example.com
− ATHENS LIFELONG LEARNING INSTITUTE – e-mail address: firstname.lastname@example.org
− UNIVERSITY OF LODZ – via e-mail: email@example.com.
3. Purpose and legal basis of the processing
The personal data will be processed in order to carry out the tasks assigned to the Joint Controllers
within the Erasmus+ project entitled “Co-creating Hubs for Social Enterprises” with number 621421-EPP-1-2020-1-IT-EPPKA3-IPI-SOC-IN as defined in the Main Agreement.
The legal basis for processing is:
− Article 6(1)(e) of the GDPR in connection with Article 2 and Article 11(1)(3) of the Act of 20 July 2018. Law on higher education and science (i.e. Dz. U. of 2020, item 85) (as it is necessary for the performance of a task carried out in the public interest or in the exercise of public authority entrusted to the Joint Controller in connection with the implementation by the Universities of one of their basic tasks, which is to conduct scientific activities, provide research services and transfer knowledge and technology to the economy serving the mission assigned to the Universities) and Regulation (EU) No 1288/2013 of the European Parliament and of the Council of 11 December 2013. establishing “Erasmus+”: the Union Programme for Education, Training, Youth and Sport and repealing Decisions No 1719/2006/EC, 1720/2006/EC and 1298/2008/EC (as it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Joint Controller in connection with the implementation of the ERASMUS+ Action 3 project);
− Article 6(1)(c) of the GDPR in relation to the requirements of the legislation and internal acts in force at the Joint Controllers; Article 6(1)(a) of the GDPR on the basis of the consent for the processing of personal data (concerns the consent given by the research participant for the processing of his/her personal data in relation to participation in the research carried out within the framework of the Erasmus+ project entitled “Co-creating Hubs for Social Enterprises” with number 621421-EPP-1-2020-1-IT-EPPKA3-IPI-SOC-IN);
4. Voluntariness of data provision
Provision of data is voluntary but necessary to participate in the research carried out within the framework of the Erasmus+ project entitled “Co-creating Hubs for Social Enterprises” with the number 621421-EPP-1-2020-1-IT-EPPKA3-IPI-SOC-IN.
5. Recipients of the data
Your personal data will not be made available to other entities, with the exception of entities authorized under the law and entities with which the Joint Controllers have concluded agreements on the entrustment of personal data processing obliging recipients to ensure an adequate level of data security.
6. Data source
In the case of participation in a study (e.g. interview), your data comes from the information provided to the interviewer, in the case of an invitation sent electronically, your personal data (name, contact details) comes from publicly available sources. In the case of registration for an event via a form, your data comes from the content of the completed form.
7. Information on non-automated decisions
Your personal data will not be subject to profiling and no automated decisions will be made on the basis of this data.
8. Term of processing
Your personal data will be processed for the duration of the project and after its completion, but no longer than 5 years from the date of receipt by the project coordinator of the tranche necessary to settle the project. After the purpose of processing ceases, data will be deleted.
Personal data will be stored by the University of Lodz in a form which permits the identification of data subjects for no longer than is necessary to achieve the purposes for which the data are processed, i.e. for a period of 5 years counting from the date of the last payment of a tranche by the Education, Audiovisual and Culture Executive Agency of the European Commission (EACEA) to the Joint Lead Joint Controller acting as project coordinator. Once the purpose of storage has ceased, the personal data will be deleted by the processor.
9. Rights in relation to processing
You have the right of access, rectification, objection to processing and restriction of processing. In the case of personal data processed on the basis of consent, you have the right to withdraw your consent at any time.
10. The right to lodge a complaint
You have the right to lodge a complaint with:
in Italy: Garante per la Protezione dei Dati Personali Piazza Venezia 11 00187 – Roma, Italy
in Bulgaria: Commission for Personal Data Protection, Boulevard “Professor Tsvetan Lazarov”
in Greece: the Hellenic Data Protection Authority, Kifissias 1-3, PC 115 23, Athens, Greece.
in Poland: to the President of the Office for Personal Data Protection, ul. Stawki 2, 00-193 Warsaw
Where you consider that the processing of your personal data violates the GDPR.
MAIN CONTENTS OF THE JOINT CONSENT (extract from the personal data co-management agreement)
In accordance with Article 26 of the GDPR, we inform you that the Joint Controllers, with the identities set out below, have made the following arrangements:
1. The Joint Controllers of your personal data are:
− PRISM – IMPRESA SOCIALE SRL with registered office in ENNA EN, address: Via Falautano (Palazzo Grimaldi), Italy (Joint Lead Joint Controller),
− BULGARIAN CENTER FOR PROFIT LAW BCNL with registered office in Sofia, address: 3 HRISTO BELCHEV STREET, Bulgaria (Joint Controller 2),
− ATHENS LIFELONG LEARNING INSTITUTE based in Marousi, address: Kifisias Avenue 62, Greece (Joint Controller 3),
− UNIVERSITY OF ŁÓDZKI with registered office at 68 Narutowicza Street, 90-136 Łódź (Joint Controller 4),
2. The Joint Controllers jointly process your personal data in connection with the implementation of the tasks assigned to them under the Erasmus+ project entitled “Co-creating Hubs for Social Enterprises” with number 621421-EPP-1-2020-1-IT-EPPKA3-IPI-SOC-IN in accordance with the principles for processing personal data set out in Article 5 of the GDPR.
3. The provision of this information constitutes access to the main content of the joint arrangements of the Joint Controllers, whose identities are indicated in the first point above, for the joint management of the processing of personal data of research participants carried out under the Erasmus+ project “Co-creating Hubs for Social Enterprises” with the number 621421-EPP-1-2020-1-IT-EPPKA3-IPI-SOC-IN and based on the legal basis indicated in the information obligation addressed to the research participants.
4. As jointly agreed by the Joint Controllers, we inform you that:
1) Each of the Joint Controllers is responsible in its own right for:
a) in case of application for participation in an event organised within the framework of the Erasmus+ project entitled “Co-creating Hubs for Social Enterprises” with the number 621421-EPP-1-2020-1-IT-EPPKA3-IPI-SOC-IN – the use of a joint information clause on the principles for processing personal data by the Joint Controllers, including the main content of their arrangements for complying with their obligations concerning personal data protection;
b) processing of personal data in accordance with the principles set out in Article 5 of the GDPR;
c) the proper safeguarding of personal data from the moment the personal data file is received;
d) the exercise of the rights of natural persons referred to in Articles 15 to 22 of the GDPR, taking into account possible limitations under the law;
e) to ensure accountability in carrying out the duties assigned to each of the Joint Controllers;
f) keeping documentation describing how personal data is processed, including a register of data processing activities (a requirement of Article 30 GDPR);
g) securing personal data in accordance with Article 32 of the GDPR, in particular against unauthorised access;
h) report, in agreement with the other Joint Controllers, to the supervisory authority the breach referred to in Article 33 of the GDPR occurring within its own structures;
i) to notify a data breach to a person if it is likely to result in a high risk of harm to the rights or freedoms of natural persons.
1) The Lead Joint Controller, acting as the project coordinator, is also responsible for:
a) coordinating the exercise of the rights of individuals referred to in Articles 15 to 22 of the GDPR where their requests relate to processing by more than one Joint Controller;
b) Coordinating the notification to the supervisory authority of a breach referred to in Article 33 of the GDPR if the breach has occurred within the structures of more than one Joint Controller;
5. When co-managing personal data, at each stage of the processing, each of the Joint Controllers shall ensure that the data subjects exercise their rights under the GDPR, namely:
− The right to access and obtain a copy of your data in accordance with Article 15 of the GDPR,
− The right to rectification and completion of data in accordance with Article 16 of the GDPR,
− the right to erasure in accordance with Article 17 of the GDPR,
− the right to restrict processing in accordance with Article 18 of the GDPR,
− the right to object to the processing of your data in accordance with Article 21 of the GDPR,
− the right to lodge a complaint with a supervisory authority pursuant to Article 77 of the GDPR.
6. Where a data subject makes a request for the exercise of a right directly to one of the Joint Controllers, each of these Joint Controllers shall be responsible for promptly forwarding the data subject’s request to the relevant Joint Controller.
The Joint Controllers have established contact points for data subjects – they can be contacted by writing to the following email addresses: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com,
7. Please be advised that notwithstanding the arrangements set out in paragraph 3-4 above, data subjects may exercise their rights under the GDPR against each of the Joint Controllers, which means that a request to exercise rights addressed to each of the Joint Controllers is a request made in accordance with the GDPR.