ASTRI & Miniarray Archive System - AMAS
Privacy Policy and Data Collection
[ article 13 of E.U. regulation nr. 679/2016 - GDPR]
Dear User and Visitor,
in accordance with article 13 of the E.U. regulation nr. 679/2016 (GDPR) of the European Parliament and Council of April 27, 2016, on the protection of individuals with regard to data processing, as well as to the free movement of such data – from here on, GDPR), we provide you with the following information on the handling of your personal data.
Contact details of the data controller:
Data
controller:
The
holder of the data processing,
i.e. the body deciding how and why your personal data is processed,
is the Istituto Nazionale di Astrofisica (INAF – National Institute
for Astrophysics), based in Viale del Parco Mellini n. 84, IT-00136,
Rome (PEC: inafsedecentrale@pcert.,
switchboard +39 06.355339), which is the National Institute of
reference in the field of astronomical and astrophysical research.
INAF was established by the legislative decree of July 23, 1999, nr.
296, and subsequently reorganized with the legislative decree of June
4, 2003, nr, 138; INAF is supervised by the Ministry for University
and Research.
Contact
Person for data handling:
With
reference to the handling of your personal data, in accordance with
this notice, INAF-Osservatorio Astronomico di Roma, based in Via
Frascati nr. 33, C.A.P. 00078, Monte Porzio Catone (RM)
(PEC: inafoaroma@pcert.postecert.it)
is to be considered in all respects the Data
Controller inasmuch
as the data storage servers are located in the CED/SID of the
Observatory of Rome, with the CED/SID staff responsible for
processing the data.
Data
Protection Officer:
The
Data
Protection Officer is
at the Istituto Nazionale di Astrofisica: you can contact him for all
matters relating to the processing of your personal data and to
exercise the rights arising from the GDPR. The INAF Data
Protection Officer can be contacted by the following means:
Istituto Nazionale di Astrofisica, Viale del Parco Mellini n. 84 - 00136 Roma
Email: rpd@inaf.it
PEC: rpd-inaf@legalmail.it.
Purposes and related legal bases of the processing of your personal data:
Your personal data will be handled in a legal, fair and transparent way towards you with the following aims:
Access to services, including web services and access gateway portals, for the ASTRI-Miniarray, ASTRI-Horne prototype and all the satellite projects with the personal data stored in the LDAP server located and managed by the CED/SID of INAF-Osservatorio Astronomico di Roma, “authorized to processing”, according to the GDPR 2016/679 by letter of appointment, for the pursuit of legitimate interest of the owner of the data treatment and the regular use of services.
Categories of your personal data processed:
Your personal data, stored in the LDAP server and handled by INAF – Osservatorio Astronomico di Roma will be adequate, relevant and limited to the need with respect to the purposes listed above, hence they will only concern the following elements:
your name and surname;
your username and password;
Institution and address;
contact (if expressly provided by the user);
the institutional partner and/or the project with which you collaborate;
the development team and user levels to enable the A&A mechanism;
As a general rule, we will store and process only the personal data strictly necessary to manage the A&A service of the project, the website, the authentication portal, including the access gateway to telescope data, and the proposal handling system.
Other Information automatically collected by the Site.
As with all websites, this one also makes use of log files, for storing the data collected during access by the users. The computer systems and the software procedures responsible for the operation of the Site, indeed, automatically acquire data during use. The transmission of such data is implicit in the use of Internet communication protocols.
The collected information regards the following:
Internet Protocol address (IP), or the name and domain of the device you are using;
browser type and parameters of the device used to connect to the Site;
the addresses in notation URI (Uniform Resource Identifier) of requested resources, or the method used when placing a request to the server;
date and time of visit;
possibly, number of clicks/downloads on a particular proposed action;
numerical code indicating the status of the response given by the server (success, error, etc.);
further parameters related to the operating system and to the IT environment of your device.
Such information will be processed in automated form and collected exclusively in aggregate form, to ensure the website functions correctly, and for computer security exclusively.
In this regard, we declare that this site DOES NOT use Cookies in any way.
Categories of recipients of your personal data being processed:
Recipient means the physical or legal person, the public authority, the service, or another body receiving communication of personal data, except public authorities receiving personal data during a check, according to art. 4, n. 9 of GDPR).
With regard to the processing of your personal data carried out by INAF-Osservatorio Astronomico di Roma for the purposes listed above, the recipients of your personal data (individuals duly trained in data protection measures) can be:
members of ASTRI-Miniarray and ASTRI-Horne Prototype Collaboration;
third parties to the project, such as - for example - all partners and associate consortia of institutions (CTA, LST, MST, SST, MAGIC, HESS etc…) collaborating in any capacity in the main project;
system managers and developers of the services provided.
Storage Period of personal data processed:
INAF-Osservatorio astronomico di Roma will retain your personal data in a form allowing your identification until the main project is completed, and/or a decision to cease participation in the project, and/or an explicit request for the (reasoned) deletion of your personal data from the LDAP server.
Yor rights:
As a data subject, you can exercise the following rights by e-mailing rpd-inaf@legalmail.it:
get access to your personal data (according to art. 15 of GDPR) in order to verify the processing of personal data, and, if this is the case:
obtain information on the purposes of this processing;
obtain information on the categories of personal data processed;
obtain information on any categories of recipients of your personal data;
obtain information on the period of retention of personal data;
obtain information on the existence of your right to rectify or delete your personal data, or on your right to limit their processing;
obtain information of your right to lodge a complaint with the data protection authority;
obtain information on the possible use of an automated decision-making processing of your personal data, including the logic used, and the consequences for you because of such processing;
rectify your personal data, according to art. 16 (GDPR), if the accuracy of the data is disputed;
integrate your personal data, according to art. 16 (GDPR), in the event of a dispute of their completeness;
delete your personal data, according to art. 17 (GDPR), unless it is necessary to fulfill a legal obligation to the contrary, or ascertain, exercise or defend a right in court, in the following cases:
no need to process such personal data for the declared purposes;
exercise of your right to object to the processing of data, that excludes the prevalence of the legitimate interest of the data controller over your interests, or fundamental rights and freedom;
supervening unlawful treatment of your personal data;
legal obligation to delete such personal data;
limit the processing of your personal data, according to art. 18 (GDPR), in the following situations:
dispute of the accuracy of such personal data, even if limited to the time necessary for the subsequent verification by the data controller;
supervening unlawful treatment of your personal data, supplemented by the subsequent opposition to their cancellation;
no need to process such personal data for the declared purposes, supplemented by the contemporary need to treat them in order to ascertain, exercise or defend a right in court;
exercise of your right to object to data processing, even if limited to the time necessary for the subsequent verification by the data controller;
receive in structured format – of common use and machine-readable - your personal data, automatically treated by the data controller. Possibly, you can have the data transmitted to another data controller, according to art. 20 (GDPR);
object to the processing of your personal data, according to art. 21 (GDPR), in the event of a dispute of the primacy of the legitimate interest of the data controller over your interests, or fundamental rights and freedom.
INAF-Osservatorio Astronomico di Roma is required to comply with any exercise of the rights listed above, without undue delay.
Your right to lodge a complaint:
As a data subject, you can exercise the right to lodge a complaint with the data protection Authority, in the event of a GDPR compliance dispute on the processing of your personal data carried out by INAF-Osservatorio Astronomico di Roma, according to art. 77 (GDPR), by sending the appropriate form to the certified e-mail address: rpd-inaf@legalmail.it .
Nature of the communication of your personal data:
The communication of your personal data (and/or an update) to INAF-Osservatorio Astronomico di Roma is neither contractually nor legally mandatory, as it is expressly aimed at carrying out the activities within the ASTRI-Miniarray and the ASTRI-Horn prototype projects; however, we remind you that, if you object to the processing of your data, you will not be able to participate and/or use the services provided by the project itself, and therefore leading to the impossibility of fulfilling the afore-mentioned purposes.
------
Regulatory and Legal References:
[1] GDPR: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9745318
According to the provisions of the Data Protection Authority [1], public bodies, when fulfilling “legal obligations” they are subject to, or “tasks of public interest, or connected to the exercise of public authority” they are entitled to, “…are not required to ask for any consent (or authorization) to the interested parties in order to carry out the processing of their personal data. Moreover, as established by the aforementioned European regulation, «when the data controller is a public authority», consent cannot be «a valid prerequisite for data processing», considering that there is a «clear imbalance between the data subject and the data controller». Therefore, it is unlikely that the consent was freely given» and thus validly given (see art. 43 of GDPR) ...” In any case, data processing carried out by public bodies in the light of the conditions of legitimcy referred to in art. 6, par. 1, c) and e), of GDPR, should be conducted in compliance with the principles of art. 5 of GDPR, providing prior and appropriate information to interested parties (artt. 12-13, GDPR).