Data Privacy Statement

This privacy statement solely concerns the data processing within the EU Migra Tool (EMT) as part of the ITFLOWS project. For the remainder of the project, the EMT is subject to further development and changes that will be reflected in this privavy statement. It should be noted that for the time being, the underlying data processing is conducted for research purposes only. After the project, the EMT is expected to become available for operational use. As a consequence, the underlying legal conditions and responsible parties are likely to change. The changes will be reflected in this privacy statement and registered users will be informed individually.

In general, the EMT is only accessible for registered users. To this end, registration details related to you (data subject) are necessarily stored and processed by the responsible entity (the controller, herewithin “we”, “us” or “controller”) as far as possible to provide this service. In line with the GDPR we generally aim to keep the personal data to a minimum. The relevant details can be found below. There are two versions of this Privacy Statement. The binding version on the left side contains all the important legal and technical details but may be more difficult to read. To ease readability we have added a non-binding version on the right side. This version is shortened, excludes legal terms where possible and is generally written in a simpler way.

Important

The EMT is intended to provide helpful and guiding predictions of possible migration flows. To provide such predicitions the EMT relies on the analysis of multiple publilcy available data sources. The majority of analysed information is derived from aggregated data but some analyses require the use of non-aggregated and sometimes personal data. The processing of such data is not subject of this privacy statement but subject to the responsible parties as described in the Privacy Statement. The EMT/ITLFOWS will at no point publish any personal information that may be embedded in the underlying processing and the EMT only provides aggregated information and no personal data.

Despite this, the information and insights provided by this tool can potentially be related to individual persons in other contexts. Please note that the information is only intended to provide valuable insights for general migration flows and not for indiviual persons migration. Statistical significant indicators might be true for a certain situation but do not necessarily hold true for individual journeys. The use of the EMT is hence restricted as described in the Terms of use . In any case, you are not allowed to connect any of the information to individual persons under any circumstances.

Data Privacy Statement (Version: November 2021)

The EMT is an outcome of the ITFLOWS project (hereinafter ‘ITFLOWS’) aims to provide novel data-driven techniques and solutions to support NGOs and municipalities with important information on migration flows. The information generated in this context will help to adapt necessary organizational measures to handle migration flows and is hence particularly aimed at NGO and municipalities. The available information can be used to in- or decrease aid at a certain location, where migrants are expected to arrive (e.g. after a drought or another catastrophic event). The results of the analysis are made accessible to registered stakeholders/users through the EU Migra Tool (EMT) which is available under https://emt.iflows.eu. In this context, we process personal data as far as necessary to provide this platform in a legal, secure and ethically considerate way. The use of the platform without processing of any personal data is not possible. Beyond that, the technical providers (see below) may access anonymized usage statistics for the website.

Data Privacy Statement (Version: November 2021) – Easy Language

The EMT is a tool that provides information about possible future migration flows. To offer this service, registration with personal details (e.g. email address) is necessary for legal and ethical reasons. The use of the platform without this data is not possible.

1. Contact Details

The EMT is currently run as part of ITFLOWS. There are hence multiple parties involved, that you can find below:

Project Coordinator (Controller)

Dr. Cristina Blasi Casagran
Mail: cristina.blasi@uab.es
Universidad Autónoma de Barcelona
Calle Campus Universitario Sn Cerdanyola V,
08290 Cerdanyola Del Valles, Spain

External Data Protection Advisor (DPA)

Dr. Jonathan Andrew
Mail: dpo@ITFLOWS-project.eu
Geneva Academy
Villa Moynier, Rue de Lausanne 120B
CP 1063
1211 Geneva 1, Switzerland

Technical Provider of the EMT

The Centre for Research & Technology, Hellas – CERTH
Mail: certh@certh.gr
6th km Charilaou-Thermi Rd.
P.O. Box 60361
GR 57001 Thermi, Thessaloniki
Greece
Tel: +30 2310 498100
Fax: +30 2310 498180

Personal data received through these channels will be processed as far as necessary to effectively handle your requests. This data will not be shared with others and deleted when it is no longer required to handle your requests. The rights described in section 5 also apply to this personal data.

1. Contact Details

The EMT is currently run as part of ITFLOWS. There are hence multiple parties involved, that you can find below:

Project Coordinator (Controller – Project)

Dr. Cristina Blasi Casagran
Mail: cristina.blasi@uab.es
Universidad Autónoma de Barcelona
Calle Campus Universitario Sn Cerdanyola V,
08290 Cerdanyola Del Valles, Spain

External Data Protection Advisor (DPA)

Dr. Jonathan Andrew
Mail: dpo@ITFLOWS-project.eu
Geneva Academy
Villa Moynier, Rue de Lausanne 120B
CP 1063
1211 Geneva 1, Switzerland

Technical Provider of the EMT (Controller – EMT)

The Centre for Research & Technology, Hellas – CERTH
Mail: certh@certh.gr
6th km Charilaou-Thermi Rd.
P.O. Box 60361
GR 57001 Thermi, Thessaloniki
Greece
Tel: +30 2310 498100
Fax: +30 2310 498180

When you reach out to us, we will store your request and the necessary information to provide an answer (e.g. your email address).

2. Controllers

The main controller of project data is the Universidad Autónoma de Barcelona. However, the ITFLOWS project connects 14 partners from various fields who jointly determine the purposes and means of processing within the project (joint-controllers). Each partner fulfills specific tasks in the project. The specific tasks and goals are defined in an agreement between the European Union and the partners (‘Grant Agreement’). The EMT is an output of that agreement and all partners are contributing to it in one way or another. The participating institutions and their respective background are listed below. Questions and requests are handled through our central points of contact (see 1. Contact Details).

The responsible controller for handling your personal data in the context of the EMT is The Centre for Research and Technology (CERTH). Contact details can be found under No.1 “Contact Details”. Beyond that,the following research organisations participate in the project. Except the technical provider, no institution will have access to your personal data related to the EMT. Anonymized usage statistics may be shared between the partners to further improve and develop functionalities of the EMT. Below you find a list of the participating organisations in the project.

2.1. Research organisations

Research organizations in ITFLOWS cover a broad spectrum of activities in the project. Most partners research technological possibilities to meet the requirements of NGOs and municipalities in their respective field of expertise. Others research the legal and ethical implications of the developed tools. All fields (tech, legal, ethics) are put into consideration when determining purposes and means of the processing.

Universidad Autónoma de Barcelona, ES
European University Institute, IT
The Centre for Research and Technology, GR
(Controller regarding the EMT)
Centre for Europena Policy Studies, BE
Kiel Institute for the World Economy, GER
Instituto Affari Internazionali, IT
FIZ Karlsruhe – Leibniz Institut für Informationsinfrastruktur GmbH, GER
Cork Institute of Technology, IE
Brunel University London, UK

2.2. Non-governmental Organisations (NGO)

NGOs are an important part of the project and will provide concrete insights on reasons for migration based on interviews that will be conducted at multiple locations in Spain, Greece and Italy. The following NGOs participate in the project:

OXFAM Italia, IT
Associazione Della Croce Rossa Italiana, IT
Center for the Study of Democracy, BG
Open Cultural Center, ES

2.3. Small & Medium Enterprises (SME)

SMEs in ITFLOWS bring in practical knowledge as well as previously developed tools. The knowledge brought in by this partner will be used to develop the so called “EUMigraTool” which will provide a gateway for end-users (NGOs & municipalities) to access the technology developed in the project. The following SMEs participate in the project:

Terracom Informatics Ltd., GR

2. Joint controllers

The responsible organisation for the processing of personal data in relation to the EMT is The Centre for Research and Technology (CERTH) .
Although ITFLOWS comprises 14 partners from various fields who jointly determine the purposes and means of processing within the project (joint-controllers), only CERTH has access to any personal data provided in the context of the EMT. No personal data will be shared.

3. Purposes of processing

The main purpose of the EMT is to provide predictions of migration flows and support NGOs and municipalities in their decision-making. To do so, the EMT comprises multiple functionalities that are jointly or individually developed by the project partners. The EMT provides a centralized platform to easily access the outcomes of these developments. Beyond the provision of such predicitions, the EMT is also a gatekeeper to ensure functionalities are not misused in any way and to avoid any unwanted legal, ethical or societal impacts of the predictions. The processing of personal data (e.g. name, email) is necessary to enable access and enforce access restrictions.

3. Purposes of processing

The EMT provides the outcomes of the ITFLOWS project to NGOs and municipalities. To do so, the EMT needs to limit access to certain organisations and persons to avoid misuse. To verify accounts they need to be linked to personss and organisations (i.e. personal data).

4. Limitations to the provision of information and updates to this statement

Pursuant to Article 14 GDPR, where personal data have not been obtained from the data subject, the controller is generally obliged to provide the data subject with information such as the identity and the contact details of the controller and the data protection officer (DPO), and various details on the processing. The ITFLOWS consortium provides this information within this statement.

Nonetheless, pursuant to Article 14 (5) (b) GDPR the extent to which information has to be provided can be limited where the provision proves impossible or would involve a disproportionate effort, in particular for processing for scientific purposes. Where ITFLOWS does not obtain data from the data subject and carries out scientific research, it falls under the scope of this article.
We limit processing of personal data to the absolute minimum to make the EMT work in a legal and ethical way. You can request your personal data as described below. You will be informed individually if your input is intended to used for any researc purposes (e.g. individual feedback on functions) – In these cases, data may fall under the aforementioned exemptions. We take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including the publication of information on the processing within this statement.

Over the course of the project, this statement will be updated, in order to cover further data processing procedures not yet defined and carried out. Limitations under the research clauses

4. Limitations to the provision of information and updates to this statement

We do not expect any legal limitations to the provision of your information (e.g. registration data) at this point. ITFLOWS pursues a full transparency approach and publishes all relevant information in this text or on your request.

5. Data subjects’ rights and limitations

ITFLOWS processes pseudonymous data from the sources stated below. Some sources may contain data, which makes the identification of individuals potentially possible (e.g. where user names match real names in Tweets). ITFLOWS uses technical approaches (e.g. named entity recognition) to erase this information prior to any further processing. Where such technical approaches result in false negatives, the project consortium is not in a position to detect these bits of information without additional data. Data subjects generally have the right to request access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability. These rights may be restricted under the conditions described below. However, any requests to the abovementioned points of contact will be carefully assessed on a case-by-case basis and replied to.
Pursuant to Article 11 (1) GDPR the project consortium is not obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with the GDPR. However, pursuant to Article 11 (2) GDPR where data subjects provide additional information in order to exercise their rights under Articles 15–22 GPDR, the ITFLOWS consortium will handle the request compliant with technical and legal requirements. In this regard, the identity of the data subject, as well as the relation to the data referred to in the request has to be sufficiently verified.
The exertion of some of the data subjects’ rights (4.1 – 4.4) may be further restricted pursuant to Article 89 (2) in conjunction with the respective national legislation. The following rights are generally available to the data subjects.

5.1. Right to access (Article 15 GDPR)

The data subject has the right to obtain confirmation as to whether or not processing of personal data concerning them takes place in the ITFLOWS project. If this is the case the data subject can request access to his/her data. Granting the right to access only occurs where the identification of the data subject is possible.

5.2. Right to rectification (Article 16 GDPR)

The data subject has the right to obtain the rectification of inaccurate personal data concerning them. The exercise of this right is only possible where the data subject can be identified and the inaccuracy of data is verified.

5.3. Restriction of processing (Article 18 GDPR)

The data subject has the right to obtain the restriction of processing, where

the accuracy of the personal data is contested;
the processing is unlawful, the data subject opposes the erasure of personal data and requests the restriction of processing instead;
the controller no longer needs the personal data, but they are required by the data subject for the establishment, exercise or defense of legal claims;
the data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject. (see 4.4.)

The exertion of this right may require provision of further information to allow identification of the data subject as described in section 4.

5.4. Right to object (Article 21 GDPR)

The legal basis for the processing of personal data in the ITFLOWS project is Article 6 (1) (f). The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning them unless the ITFLOWS consortium demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
The exertion of this right may requires provision of further information to allow identification of the data subject as described in section 4.

5.5. Right to erasure (’Right to be forgotten’) (Article 17 GDPR)

The data subject has the right to obtain erasure of personal data concerning them, if

the data subject objects to the processing pursuant to Article 21 (1) and there are no overriding legitimate grounds (see 4.4);
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

Pursuant to Article 17 (3) (d) GDPR the right to erasure may be restricted to the extent that the processing is necessary for scientific purposes and would render impossible or seriously impair the achievement of objectives of the processing. The ITFLOWS consortium will assess the possibilities to erase personal data under the conditions stated in section 4.

5.6. Right to lodge a complaint with a supervisory authority (Article 77 GDPR)

The data subject has the right to lodge a complaint with a data protection supervisory authority in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.
A list of national supervisory authorities can be found here.

5. Your rights

Although there are some exceptions, you can generally exercise specific rights related to your personal data if you disagree with the processing of it. If you are concerned about your rights or how we process your data you can contact our Data Protection Officer (DPO@itflows.eu), so we can find a solution. Please keep in mind, that due to the specific research purposes and setup of the project, some rights may be restricted. However, any requests to the abovementioned points of contact will be carefully assessed on a case-by-case basis and replied to.

5.1. Right to access (Article 15 GDPR)

You can ask us to provide you information if we process personal data related to you. If that is the case you have a right to access the data. As all data are in ITFLOWS are pseudonymous, though, we may ask for further information from your side to demonstrate you are affected and to verify your identity.

5.2. Right to rectification (Article 16 GDPR)

You have the right to request rectification of any errors in your personal data to ensure its accuracy. As all data are in ITFLOWS are pseudonymous, though, we may ask for further information from your side to demonstrate you are affected and to verify your identity.

5.3. Restriction of processing (Article 18 GDPR)

You also have the right to restrict the processing of your personal data, in particular, if personal data is inaccurate, or the lawfulness of the processing is in question. As all data are in ITFLOWS are pseudonymous, though, we may ask for further information from your side to demonstrate you are affected and to verify your identity.

5.4. Right to object (Article 21 GDPR)

ITFLOWS processes data for research purposes in the public interest. Therefore, you have the right to object on grounds relating to your particular situation. We will assess if it is possible to avoid processing your data. If this is the case, your data will be excluded from the processing. As all data are in ITFLOWS are pseudonymous, though, we may ask for further information from your side to demonstrate you are affected and to verify your identity.

5.5. Right to erasure (’Right to be forgotten’) (Article 17)

If you successfully objected, the processing was unlawful or there is another legal obligation, you have the right to obtain erasure of your personal data. This right may be restricted if your data is necessary for the purposes of the processing. We will carefully assess if this is the case and delete any data related to you as far as possible.

5.6. Right to lodge a complaint with a supervisory authority

You can also at any time lodge a complaint with the data protection supervisory authority of the country you live or work in or where the alleged infringements of your rights took place (i.e. the respective countries of the project partners). A list of national supervisory authorities can be found here.

6. Legal basis of the processing

The processing of personal data in relation to the EMT is based either on consent (Article 6 (1)(a) GDPR) or on our legitimate interest (Article 6 (1) (f) GDPR).

Article 6 (1) (f) GDPR allows processing where it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The common legitimate interest of all partners in ITFLOWS goes along with the project goals that are articulated in the contract between the project partners and the Research Executive Agency (REA) under the powers delegated by the European Commission. The partners aim to effectively participate in the project, development and research of novel data driven techniques to predict and analyse migration flows to create an end-user tool (EUMigraTool) to support NGOs and municipalities. CERTH is providing EMT to end users (controller) and is responsible for the processing of personal data in the EMT context. In some processing scenarios the partners jointly determine and specify the specific purposes and conditions of the processing in the EMT.(see Article 26 GDPR ‘Joint controllers’) within the contractually agreed borders of the Grant Agreement. While most members of the ITFLOWS consortium solely focus on scientific research, others additionally pursue economic interests similar to the private companies mentioned above. Business interests are protected by Article 15 and Article 16 of the Charter of Fundamental Rights of the European Union. Scientific research is protected under Article 13 of Charter of Fundamental Rights of the European Union. Although some of the interests of the partners differ, in the EMT conext the pursue a common goal to develop, research and provide novel data driven techniques to predict migrations flows and make the outcome available to NGOs and municipalities.

The ITFLOWS consortium conducts a continuous data protection impact assessment and is aware of the risks to fundamental rights and freedoms of the data subjects (i.e. the EMT users). These risks may result in interests overriding the interests of the ITFLOWS consortium. Those interests go along with the protection of personal data and the right to privacy protected under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. The ITFLOWS carefully weighs these different interests to ensure full protection of the fundamental right and freedoms of EU citizens. In general, we only use personal data where it is absolutely necessary to provide the EMT service in a lawful and ethical manner (e.g. to enforce access restrictions.)

6. Legal basis of the processing

The data processing in relation to the EMT is either based on your consten (Article 6 (1) (a) GDPR) or on our legitimate interest (Article 6 (1) (f) GDPR). In line with the purposes described above, these interests cover the provision of the EMT under the necessary legal and ethical safeguards (e.g. access restrictions). ITFLOWS is a scientific research project. The main interest of the project is to develop models to analyse and predict migration flows that are usable within the EMT. To this end, the technical provider (CERTH) may gather aggregated information regarding your use of the platform (e.g. errors when opening visualisations). The research interest is further complemented by business and scientific interests of some ITFLOWS partners, all of which are legitimate interests under the GDPR. We carefully put into consideration contrary interests of the people concerned by our data processing (data subjects), in particular their rights to data protection and privacy. We implemented high safeguards to protect your interests and rights (e.g. technical measures to restrict access to potentially risky data, incidental findings policies, continuous data protection impact assessment, continuous legal and ethical guidance).

7. Categories of personal data

ITFLOWS needs to process the following categories of personal data in order to validate your registration. No special categories of data a processed.

Name
Surname
Organisation
Email
Phone
Address of the organisation

The information will only be processed to validate the registration and provide the EMT. All information will be stored with secure state-of-the-art security measures in place. We may process personal data to collect aggregated information on the usage of certain functionalities. The aggregated information is not linkable to individual users.

7. Categories of personal data

ITFLOWS processes the following data for the provision of the EMT:

Name
Surname
Organisation
Email
Phone
Address of the organisation

The data is only processed to validate the registration, provide the EMT to you and to generate general statistics (e.g. how often do users click a link).

8. Processing details

The EMT stores the aforementioned information on premise of the technical provider (CERTH). User accounts will be categorised based on three roles (ITFLOWS, NGO, Municipalities). Accounts will only be activated after review by an administrator. The EMT is based on a WordPress-Website that is hosted on premise, the same holds true for the realisation of the visualisation (Kibana). Data is hence not shared with third parties. The website may use fonts from external providers such as Google. In this case, the fonts are downloaded from external servers, meaning that Google may have access to the IP-Address of the downloading party. The EMT further uses cookies for aggregated statistical purposes. No individual usage statistics are processed/stored.

8. Processing details

The EMT processes you data (e.g. name, surname) as far as necessary to provide the service to you. The website and the underlying technology is hosted local servers of the ITFLOWS partner “CERTH”. The EMT does not share any data with external parties. However, in some case external content (e.g. Fonts) are loaded from third parties such a Google. This can allow the third party to access your IP-address.

9. Recipients or categories of recipients of the personal data

The necessary personal data for the provision of the EMT is not shared with any third party. As stated above, the access of the website may triggers downloads of fonts from Google. Information will only be shared with authorities if there is a specific legal obligation to do so (e.g. law enforcement requests).

9. Recipients or categories of recipients of the personal data

10. Storage and retention

Personal data are not intended to be stored longer than necessary for providing the EMT pursued by the ITFLOWS project. By default, data of users are stored for three (3) years after the termination of access. If the EMT provision ends prior to this period, the data will be erased with the end of the operational use of the EMT. You can request erasure of your data at any time by reaching out to the technical provider (CERTH)

10. Storage and retention

Personal data is stored during your valid use of the tool. Data is stored three years after the termination of access. You can request erasure of your data at any time.

Cookie	Duration	Description
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".