The Ideathon is a joined initiative between EU and India, implemented by Global Service Facility, later referred as the Organiser aiming to bring together individuals from diverse backgrounds to develop creative and practical solutions for addressing marine plastic pollution effectively.
PROTECTION OF PERSONAL DATA
Personal data will be collected and processed throughout Ideathon. The Organiser responsible for the Ideathon initiative will ensure the protection of individuals with regard to the processing of personal data – informed consent, data protection, privacy, confidentiality, security of data storage and processing – complying with all applicable EU (incl. GDPR 2018; Directive 2001/20/EC; Directive 99/5/EC; Directive 2002/58/EC and Directive 2009/136/EC), Charter of Fundamental Rights, and national-level legislation for data protection and personal rights at all times and in all respects.
Safeguard, security and storage
Safeguard of the data will be ensured through pseudonymisation, ensuring integrity, confidentiality, availability and resilience of processing systems, regular testing, assessing and evaluating security measures. All data systems used will comply with safety by design principles. Security measures to prevent unauthorized access to personal data will be developed.
Data transfer
When personal data are transferred from the EU to a non-EU country, it will be confirmed that such transfers are in accordance with Chapter V of the General Data Protection Regulation 2016/679. When personal data are transferred from a non-EU country to the EU (or another third state), it will be confirmed that such transfers comply with the laws of the country in which the data was collected.
Purpose of data processing
Data will be processed and used only to fulfil the objectives of the Ideathon initiative. The project will generate a large amount of data and no personal information will be disclosed when processing data related to the implementation of the Ideathon initiative.
All the individuals that will be requested to disclose their personal data will be made aware of the specific policies and will need to sign a declaration that states they understand and agree with how the personal data will be processed and used within the Ideathon Initiative.
Access to personal data
The ideathon organiser will have access to the personal data stored within the Ideathon archives. Access to personal data collected, generated, processed, and stored during the implementation of the Ideathon will be managed by the Organiser. Also, the Ideathon Organiser will ensure that the right of access for the data subject to its own personal data is respected, as mentioned in Article 15 of the GDPR.
Storage period of personal data
The personal data that has been collected, generated, and processed during the Ideathon implementation will be stored in the project’s archive until the end of the implementation period (June 2024). The Organiser will be responsible for storing the data and for making sure that the data will not be damaged or estranged over time.
In compliance with Article 17 of the GDPR, upon request from the data subjects, the Organiser will respect the “Right to erasure” of data subjects and erase all personal data that is no longer relevant for fulfilling the initiative’s objectives. Personal data, research data, and other type of data stored during the project implementation phase, upon legitimate request or with no more relevance for the project, will be erased from all the storing spaces and physical documents that no longer have relevance will be shredded and recycled.
Collection and processing of personal data
Personal data will be collected during the Ideathon implementation phase after informing the data subjects about how their data will be used, receiving the data subjects’ consent, taking the form of a written declaration, so the Organiser shall be able to demonstrate the legitimacy of the action.
GDPR states that personal data processing is governed by the following principles: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation integrity and confidentiality.
In compliance with Article 5 of GDPR, the Ideathon organisers will be responsible for following the recommended principles in the give provisions when processing personal data:
• personal data will be process lawfully, fairly and in a transparent manner in relation to the data subject
• personal data will be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
• personal data that will be processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purpose
• personal data processed will be adequate, relevant, and limited to what is necessary in relation to the purpose for which they are processed
• personal data processed will be accurate and kept up to date
• personal data processed will be kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the personal data are processed
• personal data processed that will be stored for longer periods of time will be processed solely for archiving purposes in the public interest, scientific or historical purposes
• personal data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised on unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
Organiser shall assist the Participant to comply with GDPR or other applicable national data protections obligations, including, but not limited to:
obligation of the Participant to report Personal data breach to the Supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the Personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Art. 33 GDPR),
obligation of the Participant to communicate Personal data breach to the Data subject without undue delay, when Personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (Art. 34 GDPR).
Organiser shall immediately, but no later than 12 (twelve) hours after becoming aware of, notify the Participant by e-mail and in writing about any incident and (or) Personal data breach that has occurred or is likely to occur, related to the Personal data processed by Processor under this DPA, including, but not limited to the following: (i) unauthorized access to Personal data by third parties, including if caused by negligence of Organiser or sub-processor, (ii) loss of documents, containing Personal data, (iii) cyber-attack or suspicious software, threatening the security and confidentiality of Personal data.
The notification of an accident or Personal data breach, shall include the description of an incident, its nature, categories of affected Data subjects, significance, likely consequences, and measures taken or intended to be taken by the Organiser and (or) the Participant to reduce or prevent the negative consequences of the incident. The relevant notification shall be accomplished by all necessary documents and information necessary to enable the Organiser to comply with its obligations described above, if applicable.
Data subject´s rights and how can data subject exercise them?
You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access your personal data and to rectify them in case your personal data are inaccurate or incomplete. Under certain conditions, you have the right to erase your personal data, to restrict the processing of your personal data, to object to the processing and the right to data portability.
You have the right to object to the processing of your personal data, which is lawfully carried out pursuant to Article 5(1)(a), on grounds relating to your particular situation.
You can exercise your rights by contacting the Data Controller, or in case of conflict the Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.
Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under Heading 10 below) in your request.
In accordance with Article 14(3) of Regulation (EU) 2018/1725, your request as a data subject will be handled within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. In such case, you will be informed of the extension of the time limit, together with the reasons for the delay.
Intellectual property
The ownership of any intellectual property developed by Ideators during and within the scope of the Ideathon will remain with the individual Ideators. Within the Ideator Team, the Ideators should agree among themselves on the distribution of the intellectual property rights. Ideators can choose, at their own discretion, to open source the intellectual property and license it, e.g. under one of the licenses referenced in https://choosealicense.com. The Action, and their original website content (excluding Content provided by Ideators), features and functionality are and will remain the exclusive property of the Organisers. The Action and the Platforms are protected by copyright, trademark, and other laws of Lithuania. Our trademark and trade dress may not be used in connection with any product or service without the prior written consent of the Organiser. Nothing in these Terms constitutes a transfer of any Intellectual Property rights from us to you. You are permitted to use the Action and the potential associated Platforms only as authorised by us. Our Intellectual Property must not be used in connection with a product or service that is not affiliated with us or in any way brings us in disrepute.