DATA PROTECTION NOTICE 

 

1. Introduction 

The GANNDALF website and the GANNDALF newsletter are key communication and dissemination tools of the GANNDALF project, funded by the European Union’s Horizon Europe Research & Innovation Programme under Grant N° 101167951. 

The primary purpose of the GANNDALF website is to raise awareness of the project’s objectives, progress, and results among a wide range of stakeholders, including researchers, policymakers, industry actors, civil society organisations, and the general public. The GANNDALF newsletter, distributed periodically to subscribers, complements the website by providing curated updates and highlighting the project’s key milestones, outcomes and events. Subscription is entirely voluntary and based on consent, and users can unsubscribe at any time. 

This data protection notice outlines the collection, processing, and safeguarding of personal data in relation to the GANNDALF website and newsletter. It further outlines the purposes of data processing and the measures taken to ensure compliance with applicable regulations. All data collected through the website or newsletter subscription form is processed in compliance with the General Data Protection Regulation 2016/679 (hereafter ‘the GDPR’), and solely for the purpose of managing communication and dissemination activities, as described in this data protection notice. 

For personal data: 

  • Processed through the website or as a result of emailing us, ITML will act as the data controller.  
  • Processed when subscribing to our newsletter PLC will act as the data controller. 

 

2. Types of personal data collected

Personal data of users may be collected and processed in connection with their interactions with the GANNDALF website or newsletter, including when sending a message through the website’s contact form or via direct email, subscribing to the project newsletter, or simply visiting and browsing the website. 

Depending on the nature of the interaction with the website or the newsletter, the following categories of personal data may be collected and processed: 

  1. Visitor information (e.g., country of residence, IP address) that is collected to understand visitor trends and what content they engage with, as well as to help us comply with legal and regulatory obligations. We will not use this information to identify visitors to the GANNDALF website. 
  2. Content of messages or enquiries sent via contact forms or direct email. 
  3. Technical data related to communications. This primarily includes the browser and operating system used, as well as the time the website was accessed. 
  4. Website usage, including cookie identifiers (as detailed in our Cookies Declaration). 
  5. Subscription data, specifically the email address provided when registering for the GANNDALF newsletter. 

 

3. Purposes of personal data processing

In the context of this project’s website and newsletter, we collect and process personal data for specific, legitimate purposes. Below, we outline the purposes for which your data may be processed: 

  1. Stakeholder and community engagement. Contact is maintained with interested individuals and organisations to share project updates, results, collaboration opportunities, and relevant developments. This includes announcements of forthcoming project activities and events. 
  2. Newsletter subscription and distribution. For newsletter subscribers, contact details (specifically email addresses) are collected and stored to enable the distribution of project information. This ensures proper functioning of mailing systems and delivery of relevant content. Emails are only sent to recipients who have expressed interest or provided explicit consent. Subscription management, including unsubscribing, can be performed via the link included in each newsletter. 
  3. Website analytics and usage statistics. Website performance and user interactions are analysed to improve content accessibility, functionality, and overall user experience. This processing involves anonymised or aggregated data about site visits, navigation patterns, and engagement metrics. 
  4. Contact and enquiries. Personal data provided through contact forms or email (such as name, email address, and message content) is processed exclusively for the purpose of responding to requests and providing appropriate assistance. 
  5. Compliance with legal and funding requirements. As a project funded under Horizon Europe, GANNDALF is required to meet specific obligations related to communication, dissemination, and reporting. Personal data may be processed as necessary to meet these regulatory and contractual requirements. 

 

4. Use of cookies

Cookies are small text files stored on a visitor’s device when accessing websites. These files retain preferences (such as language selection or login credentials) and enable efficient navigation between sessions. Additionally, cookies may collect anonymised usage data to analyse website performance and visitor interactions. For comprehensive information on cookie types, purposes, and management options, please refer to our Cookie Declaration. 

 

5. Legal bases of data processing

We use the following legal bases for processing personal data received through the website or newsletter subscription: 

  • Consent. Processing occurs when individuals provide explicit consent, such as when subscribing to the project newsletter. Processing ceases upon withdrawal of consent, which can be exercised at any time. 
  • Legitimateinterests. We process personal data when it is necessary for us to achieve the following legitimate interests (if they are not overridden by the data subject’s interests): 
  • Enhancing our research delivery by providing information about the GANNDALF project to the individuals we consider likely to be interested in our project or the general public.  
  • Legal obligations. We may process personal data to meet legal obligations, such as reporting to the European Commission.

We process the personal data we communicate through the website and newsletter according to the following lawful bases: 

  • Consent. When we have received consent to publish personal data, e.g., a blog post from one of our researchers. 
  • Legitimate interests. We process personal data when it is necessary for us to achieve the following legitimate interests (if they are not overridden by the data subject’s interests): 
  • Undertaking dissemination activities. 
  • Legal obligations. We may process personal data in order to meet a legal obligation, e.g., promoting project results to multiple audiences, including the media and the public. 

 

6. Data retention period

We retain personal data only for as long as necessary to fulfil the purposes outlined above. In accordance with our obligations under the Horizon Europe programme, we are required to retain data related to EU-funded research projects for up to five years following the European Commission’s (EC) final payment to the project consortium. This period may be extended if requested by EU auditors.

As the personal data has been collected in the context of an EU-funded project, we anticipate that the European Commission will process such data in accordance with Regulation (EU) 2018/1725, which governs the protection of personal data by EU institutions, bodies, offices, and agencies. Once the retention period has expired—and in the absence of any legal or regulatory grounds for continued storage—we will securely dispose of all personal data. 

 

7. Third-party data sharing and legal obligations

We may disclose personal data to trusted third-party service providers when necessary for the effective delivery of our services. All such recipients are contractually obligated to implement appropriate data protection measures prior to any data transfer. We do not engage in the sale or commercialisation of personal data.

Disclosure may occur in the following circumstances: 

  • When legally required to assist law enforcement or regulatory authorities in preventing or investigating suspected unlawful activities; 
  • When mandated by applicable legislation; 
  • When necessary for compliance with European Commission reporting requirements related to Horizon Europe projects. 

 

8. Data Security

Appropriate technical and organisational measures are implemented to safeguard personal data against unauthorised access, disclosure, alteration, or destruction. Individuals granted access to such data are bound by confidentiality obligations. To further mitigate risks, security and anti-virus software are maintained and regularly updated across all relevant systems. 

 

9. Data subjects rights

Under the GDPR, individuals have the following rights regarding their personal information:

  1. Right of access (Art. 15 GDPR): The data subject has the right to obtain confirmation as to whether personal data concerning them is being processed in the context of the GANNDALF project. If this is the case, the data subject can request access to their data. 
  2. Right of rectification (Art. 16 GDPR): The data subject has the right to obtain the rectification of inaccurate personal data concerning them.  
  3. Right to erasure (Art. 17 GDPR). The data subject has the right to obtain erasure of personal data concerning them, if:
    • The data subject objects to the processing under Art. 21(1) GDPR and there are no overriding legitimate grounds; 
    • The personal data have been unlawfully processed; 
    • The personal data have to be erased to comply with a legal obligation in Union or Member State law to which the controller is subject. 
  4. Right to restriction of processing (Art. 18 GDPR). The data subject has the right to obtain the restriction of processing where: 
    • The accuracy of the personal data is contested; 
    • The processing is unlawful, the data subject opposes the erasure of personal data and requests the restriction of processing instead; 
    • The controller no longer needs the personal data, but they are required by the data subject for the establishment, exercise, or defence of legal claims; 
    • The data subject has objected to processing under Art. 21(1) GDPR pending the verification of whether the legitimate grounds of the controller override those of the data subject. 
  5. Right to data portability (Art. 20 GDPR): In certain circumstances, data subjects may request the transmission of their data, which they have provided to the controller, to another data controller in a structured, commonly used, and machine-readable format. 
  6. Right to object (Art. 21 GDPR): A legal basis for the processing of personal data in the GANNDALF project is Art. 6(1)(f) GDPR. The data subject has the right to object on grounds relating to their situation at any time to the processing of personal data concerning them, unless the data controller demonstrates compelling legitimate grounds for the processing that overrides the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defence of legal claims. 
  7. Right to lodge complaints (Art. 77 GDPR): The data subject has the right to lodge a complaint with a data protection supervisory authority in the Member State of their habitual residence, place of work, or place of the alleged infringement if the data subject considers that the processing of personal data relating to them infringes the GDPR.

To exercise these rights, requests can be submitted via email to info@lists.ganndalf-project.eu. All requests will be handled with due care to ensure the rights are effectively upheld. Verification of identity may be required to guarantee that personal data is disclosed only to the relevant data subject. 

 

10. External links and third-party websites

The website may include links to external sites, including those of GANNDALF consortium partners, which are not covered by this data protection notice. Visitors are encouraged to review the privacy policies of any external sites before submitting personal data. Although efforts are made to link only to reputable sources, no responsibility is assumed for the content, security measures, or privacy practices of third-party websites. 

 

11. Inquiries and contact

For any inquiries regarding this data protection notice, privacy-related matters, or to exercise data subject rights, please contact us at:info@lists.ganndalf-project.eu.

The GANNDALF Website and Newsletter Data Protection Notice was last updated on June 10, 2025.