This privacy policy governs the processing of your personal data on the basis of the European Regulation (EU) N°2018/1725 (“EU-DPR”) by Key Digital Technologies Joint Undertaking (“KDT JU”), set up by Council Regulation (EU) 2021/2085 of 19 November 2021. Specifically, it concerns the evaluation of proposals, management of grants and follow-up.
In this respect:
- for each e-service, the purposes and means of the processing of personal data are specified in their corresponding privacy statement;
- within KDT JU, the Data Protection Officer (DPO, dpo@kdt-ju.europa.eu) ensures that the provisions of the EU-DPR are applied and advises controllers on fulfilling their obligations;
- as for all the institutions, the European Data Protection Supervisor (EDPS) will act as an independent supervisory authority.
This policy is based on the EU-DPR. It may be modified by KDT JU from time to time, on its own initiative or on the advice of the EDPS.
KDT JU's websites may provide links to third-party sites. Since we do not control them, we encourage you to review their privacy policies.
Which personal data do we process?
When you submit a proposal or sign a grant agreement, we process:
- Identity information you provide us with, such as your first name, last name and job title; For more information about the identification data collected via the Funding & Tenders Portal, please consult this page.
- Contact details you provide us with, such as your e-mail address, postal address, country and (mobile) telephone number;
- Professional details, such as information about your career and experience;
- Financial information, such as bank details. However, as a general rule, private addresses or bank account numbers are not processed.
- Any other personal data you provide us with;
- For more detailed information about the data collected for successful proposals, please consult this page.
We receive most of your personal data directly from you (Funding & Tenders Portal). If we receive personal data about you from a third party, we will inform you about this or ask the third party to inform you about this.
In principle, special categories of personal data are not processed, unless these data appear spontaneously in the CV. If you nevertheless provide us with such information on your own initiative, we will derive your explicit, freely given, specific, informed and unambiguous consent to the processing of this data. We might also request you to remove such sensitive data from the pertaining documents.
Why do we process your personal data and what is the legal basis for this?
The purposes and legal bases justifying the processing operations carried out by KDT JU vary. Our processing operations may be based on:
- Your consent (If we are planning to perform one of the processing operations mentioned in this document, we will obtain your consent prior to performing such processing operation);
- A contract or grant agreement with you, in order to perform that contract or in order to take steps prior to concluding a bilateral agreement with you;
- A legal obligation we must comply with;
- The public interest.
We may process your personal data to send you newsletters via e-mail if you subscribe to our newsletter via our website or by attending one of our events and explicitly expressing your wish to receive our newsletter. For this purpose, we rely on your consent.
We process your personal data to evaluate proposals and/or organisations, to award funding if a proposal is successful, to manage grant agreements, and provide follow-up in this regard, as well as to provide you with our services or the information you request via our website, e-mail, telephone, fax or social media channels. We also keep a database of submitted proposals which may contain personal data. For this purpose, we rely on a contract with you and the performance of a task carried out in the public interest, in particular Council Regulation (EU) 2021/2085 of 19 November 2021 establishing the Joint Undertakings under Horizon Europe and Articles 135-142 (exclusion criteria) of the Financial Regulation and Article 167(2) and point 20 of Annex 1 of the Financial Regulation (selection criteria).
We may process your personal data to perform statistical analyses and to evaluate our dissemination activities. If you do not want us to use your personal data in this way, please indicate this when we collect your data. For this purpose, we rely on our task carried out in the public interest, in particular Article 5 (a), (d), (h) of Council Regulation 2021/2085 setting up the Joint Undertakings.
We may process your personal data to comply with legal obligations that we have to comply with. For this purpose, we rely on a legal obligation that we have to comply with. Certain of our legal obligations come from the following legislative documents:
- Council Regulation (EU) 2021/2085 establishing the Joint Undertakings under Horizon Europe;
- Regulation (EU, Euratom) 2018/1046 of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013;
- Early Detection and Exclusion System (EDES).
We may process your personal data to comply with any reasonable request from competent law enforcement agents or representatives, judicial authorities, governmental agencies or bodies, including the EDPS, or to transfer your personal data to the police or the judicial authorities upon our own initiative as evidence or if we have justified suspicions of an unlawful act or crime committed by you through your use of our website, our social media channels or other communication channels. For these purposes, we rely on a legal obligation that we have to comply with.
Whom do we share your personal data with?
We may share your personal data with third parties, such as the European Commission. Third parties are allowed to process your personal data on our behalf on our explicit written instruction, only. We ensure that third parties are committed to observing the safety and integrity of your personal data. Also, please note that, in some cases, a limited subset of your personal data might be published on CORDIS portal or other dedicated websites. For more information, please consult this page.
We may be legally obliged to share your personal data with competent law enforcement agents or representatives, judicial authorities, governmental agencies or bodies.
We do not send your personal data in an identifiable manner to any other third party than the ones mentioned in this section without your explicit consent to do so. However, we may send anonymised data to other organisations that may use those data for improving our activities or services.
Where do we process your personal data?
In principle, we process your personal data within the European Economic Area (EEA). In order to process your personal data for the purposes outlined above, we may also transfer your personal data to third parties who process on our behalf outside the EEA. Each third party outside the EEA that processes your personal data will be bound to observe adequate safeguards with regard to the processing of your personal data.
What quality assurances can be expected?
We do our utmost to process only those personal data which are necessary to achieve the purposes listed above.
Your personal data are only processed for as long as needed to achieve the purposes listed above or until such time you withdraw your consent for processing them. Personal data related to beneficiaries receiving JU funding are kept for 10 years after the closing of the action. If unsuccessful, the personal data is kept up to 5 years after closure of the procedure to allow for all possible appeals. We will delete your personal data when they are no longer necessary for the purposes outlined above, unless there is:
- An overriding interest of the Joint Undertaking, or any other third party, in keeping your personal data identifiable, or;
- A legal or regulatory obligation or a judicial or administrative order that prevents us from deleting them.
We will take appropriate technical and organisational measures to keep your personal data safe from unauthorised access or theft as well as accidental loss, tampering or destruction. Access by our personnel or third parties’ personnel will only be on a need-to-know basis and be subject to strict confidentiality obligations.
What are your rights?
- The right to request access to all your personal data processed by us.
- The right to rectification, i.e. to ask that any of your personal data that are inaccurate, are corrected.
- You have the right to withdraw your earlier given consent for processing of your personal data.
- You have the right to erasure, i.e. to request that your personal data is deleted if these data are no longer required in the light of the purposes outlined above or if you withdraw your consent for processing them.
- You have the right to restriction instead of deletion, i.e. to request that we limit the processing of your personal data.
- You have the right to object to the processing of personal data unless we demonstrate compelling legitimate grounds which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
- You have the right to data portability, i.e. to receive from us in a structured, commonly-used and machine-readable format all personal data you have provided to us if the processing is based on your consent or a contract with you and the processing is carried out by automated means.
Considering Article 25(1) of the EU-DPR, KDT may restrict some of the above rights, such as the right to object to the processing of personal data or the right to erasure, after the closing date of the application for tenders. The restriction shall continue to apply as long as the reasons justifying it remain applicable.
If you wish to submit a request to exercise one or more of the rights listed above, you can contact us by sending an e-mail to dpo@kdt-ju.europa.eu. An e-mail requesting to exercise a right will not be construed as consent with the processing of your personal data beyond what is required for handling your request.
More information on Data Protection at the JU can be obtained in the record of processing activities and in the privacy notices published on the JU’s website.