Privacy Policy of EMPATIA main site (V1.0)

The following privacy policy outlines our practices for the types of personal information gathered through the use of EMPATIA’s application service (“Service”) on the website empatia-project.org (“Site”).
The Service and the Site are developed and managed under the framework of the EMPATIA project (“Project”), that has received funding from the European Union’s Horizon 2020 Research and Innovation programme under grant agreement No 687920. The Service is managed by the Center for Social Studies (CES) of Coimbra on behalf of the EMPATIA Consortium (“EMPATIA”), led by CES and composed by the following partners: OneSource (Portugal); D21 (Czech Republic); Brunel University London; (United Kingdom); Università degli Studi di Milano (Italy) Zebralog; (Germany); Associação In Loco (Portugal).
This privacy policy explains how EMPATIA uses personal information collected via this Service, with whom this information is shared, how it is used, d managed, archived, and protected.
For a full understanding of the ethical policy of EMPATIA, please check also the Terms of Service.

  1. Roles of the organizations involved
    The data management for this Site is shared between the following organizations:

    • Data Controller and responsible for the enforcement of the Privacy Policy: Center for Social Studies of Coimbra (Portugal);
    • Data Processor(s), in charge of managing data for the purposes specified in the Privacy Policy: Center for Social Studies of Coimbra (Portugal);
    • Responsible for Data Archiving and Preservation: OneSource (Portugal).
  2. Purposes of Data Collection
    The personal data are collected and managed under this policy for the following purposes:

    • To ensure the unique authentication of users, necessary to take part to the Democratic Innovations managed through this Service;
    • To research, monitor and allow independent monitoring of the delivery and outcomes of the Democratic Innovations managed through this platform;
    • To study and research how users and visitors use the Service;
    • To communicate with users regarding eventual updates to the Service and to its policies;
    • To provide periodical information regarding the content of the Site, in accordance with the notification preferences configured by each user;
    • To comply with the law of the European Union and Portugal.

    In any case the Data Controller will not:

    • sell or rent any personal data collected on this Site for any reason.
    • use any personal data collected on this Site for marketing of commercial purpose.
  3. Data collected
    Personal Data:
    The following personal data are collected on this Site to register new users:

    • Name
    • Email address
    • Age
    • Address
    • Gender
    • Profession

    Surveys:
    EMPATIA could propose polls, questionnaires and surveys to the users of this Service including:

    • likes, preferences and votes regarding the content of the Democratic Innovations managed through the Service (eg vote on proposals for Participatory Budgeting)
      users experience with the Service
    • users experience with the Service
    • other topics related to the Democratic Innovations managed through the Service

    Surveys and questionnaires are intended to be for voluntary use and users are free to refuse to answer. The data collected through surveys and questionnaires would be managed as additional personal data, adopting the same security and privacy measures described in this policy.
    Non-personally identifiable information
    The Service also collects non-personally-identifying information of the sort that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request.
    Potentially personally-identifiable information
    The Service collects potentially personally-identifying information like Internet Protocol (IP) addresses. EMPATIA does not use such information to identify its visitors, however, and does not disclose such information, adopting the same security and privacy measures described in this policy for personal data.
    User Generated Content and Personally Identifiable Information
    The Service can host discussions, comments, proposals and other contents generated by users during the use of the platform. This User Generated Content can make the user personally identifiable also to third parties and in some case to the general public. Users shall not make personally identifiable information available through the content published on this Site. Each user can configure the privacy setting related to its content published and to its visibility on the web and use a pseudonym and anonymous email address. For additional information regarding the user generated content please consult the Terms of Service.

  4. Data Security and Integrity
    EMPATIA takes all necessary steps to protect personal data and content of users from loss, misuse and unauthorized access, disclosure, alteration and destruction.
    Physical Data Security
    The datacenter where the data is archived and preserved has strict security policies regarding the physical access. The access to the datacenter is restricted to the CTO and CISO and the its access is managed through two-level of security: physical key and alarm. All the access is logged in the alarm system and documented in the internal procedures of OneSource.
    The infrastructure for data archiving is supported by redundant servers and professional storage systems with active mechanisms of redundancy and protection at the physical level for power supply (UPS systems). Storage uses fiber channel SAN with RAID and multiple servers. The backup system includes automated procedures, to assure data protection at two levels: In-datacenter backups and external-datacenter backups. The in-datacenter backups include daily copies automated and keeping a historic record of two years. The external-datacenter backups are performed on a weekly basis and will keep a history of up to two years. All the levels of backup employ encryption technologies and all access to the backups is controlled in the SIEM of OneSource. Indeed, alerts of level 1 (i.e. marked with high severity) in the SIEM are scaled to the CISO for analysis regarding the possible security threats.
    Logical Data Security
    The platform implements security mechanisms to protect the data and to manage the access to the data. As the platform is composed by several and independent components, these are distributed in different servers. All the data, especially personal data, is protected through specific components, that only allow access to the data and to other components with valid JWT tokens (generated through valid authentication mechanisms). All the tokens have strict policies for expiration (i.e. 10 minutes), requiring new logins to provide valid tokens.
    As stated, all the transactions that require access to data require valid tokens. As such, no access to data can be performed without a valid login and access permissions, which are set according to the role of the user (e.g. if manager of an entity, or simply as a user participating in the PB process).
    All the accesses are analyzed in the SIEM of OneSource, where level 1 events (i.e. marked with high severity) are scaled to the CISO, while level 2 (i.e. marked with medium severity) and level 3 (i.e. marked with low severity) are managed by the network administrator and systems operators of OneSource.
  5. Preservation of personal data
    Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose and in any case no longer than one year after the last access to the Service by the user.
  6. Procedures for accessing personal data
    Each user is entitled to access all its personal data and information collected through this Service and to know how that information is processed. If you would like to know what personal information and data are collected, please write to the Ombudsperson in charge for this Service, according to the procedure identified in the Terms of Service.
  7. Procedures to withdraw
    Each user is entitled to withdraw from the Service and obtain the removal of all its personal data and information collected through this Service. If you would like to withdraw from the service please write to the Ombudsperson in charge for this Service, according to the procedure identified in the Terms of Service.
  8. Open Access
    EMPATIA follows the Open Access principles as defined by the European Union’s Horizon 2020 Research and Innovation programme: the knowledge collected and generated though EMPATIA shall be publicly released in open format for any non-commercial purpose, including especially research and independent monitoring and evaluation. In particular data collected and generated through the use of EMPATIA’s platform shall be released in a public data repository and will be taken measures to make it possible for third parties to access, mine, reproduce and disseminate for any non-commercial purpose, free of charge for any user. In any case EMPATIA will release only non-personally-identifying information, clustering and aggregating information in a manner that will not be possible to identify personal data.
  9. Third parties with access to personal data
    To provide some of EMPATIA’s functionality and a high level of service, EMPATIA may share user data with third parties.
    Google Analytics
    Google Analytics provides insights into EMPATIA’s website traffic and marketing effectiveness.
    Description: https://www.google.com/intl/en/policies/privacy/
    Privacy Policy: https://www.google.com/intl/en/policies/privacy/
    More details about Third Parties Services in the Terms of Service.
  10. Entity responsible for policy approval/review
    This policy has been developed by the Centre for Social Studies of Coimbra, Ethics coordinator of EMPATIA, and approved by the Consortium.
    The Consortium may amend this policy in the future, within the framework of the ethical principles reported in our Terms of Service. Any amended policy is effective upon posting to this Site, and the Consortium will make every possible effort to communicate to you about these changes via email or through the site.
  11. Version and Policy operational date
    The current version of the privacy policy is V1.0.
    It is valid since 01/01/2017 until a new version of the policy is released.
  12. Legal framework of the policy
    The regulatory framework for data protection and management is shaped by the following norms and regulations of the European Union and laws of Portugal, where the Service is actually established:

    • Regulamento (UE) N.º 611/2013 – relativo às medidas aplicáveis à notificação da violação de dados pessoais em conformidade com a Diretiva 2002/58/CE do Parlamento Europeu e do Conselho relativa à privacidade e às comunicações eletrónicas.
    • “Artigo 35º da Constituição da República Portuguesa – utilização da informática
    • Lei 67/ 98 – Lei da proteção de Dados Pessoais
    • Lei 41/2004 – Regula a proteção de dados pessoais no sector das Comunicações Eletrónicas (alterada e republicada)
    • Lei 32/2008 – transpõe a Diretiva da Retenção de Dados, relativa à conservação de dados das comunicações eletrónicas “.

    The body in charge of Data Protection in Portugal is the CNPD (https://www.cnpd.pt/). Process Number: 18275/ 2016

  13. Contact
    Thanks for taking the time to learn about EMPATIA´s privacy policy. EMPATIA strongly believe it’s increasingly important for our users to know exactly how their personal data is treated. If you have any questions or concerns not answered in this policy, please contact the Data Controller in charge for this Service, at the following address:
    EMPATIA project
    Center for Social Studies
    Praça Dom Dinis, 3020 Coimbra (Portugal)
    empatia@empatia.org