Stakeholder Participation Page
Index of contents
- Your Involvement in the HOLiFOOD Project
- Processing Your Personal Data
- Your Consent
1. Your Involvement in the HOLiFOOD Project
Thank you for your willingness to participate in EU funded project, HOLiFOOD. This document provides information about your participation. Only after you give your consent will we involve you in the project and process your personal data.
Additionally, we ask you not to share or further process any of the personal data or business sensitive information disclosed to you with any third parties (i.e., with any individual or entity that is not a participant in the project related call or activity).
In order to align with stakeholder priorities, preferences and user requirements, the HOLiFOOD innovations will be designed and tested through a multi actor approach involving stakeholders. Several online and offline workshops, interviews and consultations will be organised, where external stakeholders like you will be invited.
1.1 Your Participation
Your involvement is voluntary and you can discontinue your involvement at any time.
The next lines describe the mechanisms for collecting personal data from HOLiFOOD stakeholders, such as names, email addresses, affiliations, gender, age, and video/audio recordings for workshops, interviews, and consultations. Your involvement advances food safety research, complies with GDPR consent rules, and ensures data security through Microsoft and Intuit Inc. (Mailchimp). Your GDPR rights include access, rectification, erasure, and data processing limitation.
By clicking the button down below you provide your consent for the following:
- Ethical Consent: I consent to participate in the EU funded research project HOLiFOOD (Project number: 101059813).
- Data Protection Law Consent: I consent to the processing of my personal data as outlined in the form.
- Non-Disclosure Declaration. I declare that I will not record, process or the personal data or business sensitive information disclosed to me with any third parties (i.e., with any individual or entity that is not a participant to the call or the project activity).
1.2 Your Main Contact point
Stichting Wageningen Research (WR) – HOLiFOOD Project Coordinator
| Ine van der Fels-Klerx | ine.vanderfels@wur.nl |
| Nathan Meijer | nathan.meijer@wur.nl |
2. Processing Your Personal Data
2.1 Contact Details of the Joint Controllers
Several partners of the HOLiFOOD project concluded a Joint Controllership Arrangement pursuant to Article 26 GDPR outlining the rights and obligations of the Joint Controllers. The essence of the arrangement is made available to you via this document. If you have any specific questions, please feel free to contact any of the Joint Controllers:
| Acronym | Institution | Country | Contact Point | Contact Details |
| WR | STICHTING WAGENINGEN RESEARCH | NL |
Ine van der Fels-Klerx Nathan Meijer |
|
| AGROKNOW | AGROKNOW IKE | EL | Charalampos Thanopoulos | cthanopoulos@agroknow.com |
| APRE | AGENZIA PER LA PROMOZIONE DELLA RICERCA EUROPEA |
IT | Alessia Careccia | careccia@apre.it |
| CREME | CREME SOFTWARE LTD | IE | William O’Sullivan | holifood@cremeglobal.com |
| DIA | DIALOGIK GEMEINNUTZIGE GESELLSCHAFT FUR KOMMUNIKATIONS UND KOOPERATIONSFORSCHUNG MBH |
DE | Ludger Benighaus |
lbenighaus@dialogik-expert.de |
| EUFIC | EUROPEAN FOOD INFORMATION COUNCIL | BE | Debora Serra | debora.serra@eufic.org |
| UVMB | ALLATORVOSTUDOMANYI EGYETEM | HU | Ákos Józwiak | jozwiak.akos@univet.hu |
| INRAE | INSTITUT NATIONAL DE RECHERCHE POUR L’AGRICULTURE, L’ALIMENTATION ET L’ENVIRONNEMENT |
FR | Jeanne-Marie Membré |
jeanne-marie.membre@inrae.fr |
| CNR | CONSIGLIO NAZIONALE DELLE RICERCHE | IT | Vincenzina Fusco | vincenzina.fusco@ispa.cnr.it |
| UNEW | UNIVERSITY OF NEWCASTLE UPON TYNE | UK |
Lynn Frewer Tom Zunder |
2.2 Category of Personal Data and Purpose of the Processing
| Personal Data | Purpose(s) of Processing |
|
– Communication and execution of the workshops, interviews and consultations (including follow-ups after the workshop). – Analysing stakeholders’ preferences and perspectives – Review of the HOLiFOOD project by the Commission |
The overarching purpose of the processing your personal data is scientific research in the field of food safety risk analysis, in particular for the HOLiFOOD project.
Information gathered from your involvement will be also anonymised and used in project activities, such as publications, conferences, disseminations on the project website and social media channels. In case we would like to name you in a deliverable or scientific publication, you will be contacted separately for this purpose.
2.3 Legal Basis
The legal basis for processing your personal data is informed consent in accordance with Article 6(1)(a) GDPR.
2.4 Recipients of the Personal Data
As depicted in the table below, the following entities act as Data Processors and are governed by the following data processing agreements (DPA).
|
Data Processors |
Data Processing Agreements |
|
Microsoft |
|
|
Intuit Inc. and the Intuit group companies (Mailchimp) |
2.5 How we share your personal information
When you consent to participating in the HOLiFOOD project, we may share or otherwise process your personal information in the following circumstances:
For data storage and management: We may share your personal information with our data processors to store and manage stakeholder’s data in connection with the research purposes of the project.
For communication and participation: We may share your personal information with our data processors to ensure that we can communicate with you about your involvement in the project.
For research: The Mailchimp platform may be used to facilitate stakeholder participation and to conduct research through sign ups, surveys, consent management and other project related activities.
2.6 Transfer of Data to Third Countries
Microsoft, as one of the processors, is based in the UK. Your data will therefore be transferred there. The transfer is based on the adequacy decision issued for the United Kingdom by the European Commission in accordance with Art. 45 of the GDPR.
With respect to the use of Microsoft Teams all transfer of personal data out of the EU is governed by the 2021 Standard Contractual Clauses implemented by Microsoft and by Article 46 of the GDPR. Microsoft will abide by the requirements of European Economic Area and United Kingdom, data protection law regarding the collection, use, transfer, retention, and other processing of Personal Data. All transfers of Personal Data will be subject to appropriate safeguards as described in Article 46 of the GDPR and the 2021 Standard Contractual Clauses (SCCs).
Intuit Inc. (Mailchimp’s) headquarters, and their servers, are located in the United States. This means data processed may be transferred to, stored, or processed in the United States. In addition, they leverage third-party vendors who process personal data on their behalf, to provide services to Mailchimp, and their servers may be located outside of Europe. Intuit Inc. (Mailchimp) does not sell, rent, or trade user data. Intuit Inc. (Mailchimp) has incorporated SCCs together with a Data Processing Addendum specifying their commitment to security, confidentiality of processing, limitations on international transfers of personal data, cooperation with data subject rights, notice of security incidents and more. For further information read here.
2.7 Period of Data Storage
Once you are enrolled as a participant in the project, your data will be stored within the EU on the Stichting Wageningen Research Repository (project coordinator) using Microsoft Teams. Stichting Wageningen Research (WR), the project coordinator, will keep the joint repository (Microsoft Teams) updated and control data access.
When you sign up or participate in a survey via the Mailchimp platform, your data will be stored by Intuit Inc. Upon termination or expiration of the Data Processing Agreement, Mailchimp shall delete or return all Customer Data (including copies) in its possession or control, except where data retention is required by law.
Personal data will be retained until the end of the HOLiFOOD project including the period of the review of the project by the Commission. Thereafter, Data Processing Agreements will be terminated and the personal data of stakeholders will be deleted by the Joint Controllers. Where Data Processors are responsible for data storage, deletion will be requested. Joint Controllers will process and store your personal data only for the purposes outlined above.
Personal data will be stored until the end of the HOLiFOOD project including the period of the review of the project by the Commission. Joint Controllers will process and store your personal data only for the purposes outlined above.
2.8 Data Security
Microsoft secures all personal data through technical and organisational measures to ensure that it is protected from unauthorised access, alteration, or loss.
Core elements are:
- Azure Active Directory (Azure AD), which provides a single trusted back-end repository for user accounts. User profile information is stored in Azure AD through the actions of Microsoft Graph.
- There may be multiple tokens issued which you may see if tracing your network traffic, including Skype tokens you might see in traces while looking at chat and audio traffic.
- Transport Layer Security (TLS) encrypts the channel in motion. Authentication takes place using either mutual TLS (MTLS), based on certificates, or using Service-to-Service authentication based on Azure AD.
- Point-to-point audio, video, and application sharing streams are encrypted and integrity checked using Secure Real-Time Transport Protocol (SRTP).
- You will see OAuth traffic in your trace, particularly around token exchanges and negotiating permissions while switching between tabs in Teams, for example to move from Posts to Files. For an example of the OAuth flow for tabs, see this document.
- Teams uses industry-standard protocols for user authentication, wherever possible.
More information may be found in the security guide: https://learn.microsoft.com/en-gb/microsoftteams/teams-security-guide.
Intuit Inc. (Mailchimp) secures all personal data through technical and organisational measures to ensure that it is protected from unauthorised access, alteration, or loss. The core elements are:
Data Center Security
- Mailchimp uses multiple MTAs, placed in different world-class data centres around the United States.
- Mailchimp data centres manage physical security 24/7 with biometric scanners and other security measures.
- Mailchimp has DDOS mitigation in place at all of their data centres.
- Mailchimp has a documented “in case of nuclear attack on a data centre” infrastructure continuity plan.
Protection from Data Loss, Corruption
- User accounts are segregated from each other through multiple layers of logic which prevent corruption and overlap.
- Mailchimp’s technology infrastructure includes network devices such as firewalls, and IDS/IPS tools which are strategically placed to control and monitor network traffic for data loss and corruption.
- Account data is mirrored and regularly backed up off site.
Application Level Security
- Mailchimp account passwords are hashed. The staff can’t even view them. If you lose your password, it can’t be retrieved—it must be reset.
- All login pages (from our website and mobile website) pass data via TLS 1.2 or higher.
- The entire Mailchimp application is encrypted with TLS 1.2 or higher.
- Login pages and logins via the Mailchimp API have brute force protection.
- Mailchimp provides the ability to enable email or SMS notifications about key activity.
- Mailchimp provides the ability to enable two-factor (2FA) authentication to your Mailchimp account.
- Mailchimp performes regular external and internal security penetration tests throughout the year using different vendors. The tests involve high-level server penetration tests, in-depth testing for vulnerabilities inside the application, and social engineering drills.
- The findings of pen-testing results are kept strictly confidential. They confirm that any findings are addressed and repaired.
More information may be found in the security page.
Each Data Controller may also store the personal data on local repositories. Each Data Controller ensures that technical and organisational measures are in place to ensure unauthorised access, alteration, or loss.
2.9 Your Rights under GDPR
The General Data Protection Regulation (GDPR) grants you the following rights:
| The right to be informed | This means we must inform you of how we are going to use your personal data. We do this through this form and by informing you of how your data will be used each time we collect it (Article 13). |
| The right of access | You have the right to access your personal data that we store. To request access to your data, please email the Data Controllers identified above. We will respond to your request within one month (Article 15). |
| The right to rectification | If you think the data we store about you is incorrect, please let us know so we can correct it. You can do this by emailing the Data Controllers identified above (Article 16). |
| The right to erasure | You have the right to request that we delete your data and we will do so. You can do this by emailing the Data Controllers identified above (Article 17). |
| The right to restrict processing | Article 18 of the GDPR gives you the right to obtain from any Data Controller restriction of processing in certain contexts (Article 18). |
| The right to data portability | You have the right to receive the personal data concerning you, which you have provided to the Data Controller(s) in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided pursuant to Article 20 of the GDPR. |
| The right not to be subject to a decision based solely on automated processing | There will be no automated decision-making and profiling (Article 22). |
| The right to withdraw consent at any time | If you withdraw your consent, Joint Controllers will no further process your data. However, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal (Article 7). |
| The right to lodge a complaint with a supervisory authority | If you are a data subject in the EU, please find the supervisory authority of your country here. |
If you want to exercise your data subject rights or have questions regarding your involvement in the project, please contact the project coordinator (your main contact)
| Ine van der Fels-Klerx | ine.vanderfels@wur.nl |
| Nathan Meijer | nathan.meijer@wur.nl |
