Information Notice on the processing of personal data by SISSA Medialab S.r.l.

Purpose and Legal Basis of the Processing

Purpose: Participation in activities related to the scientific community such as, for example:

  • Submission of articles for peer review;
  • Publication of articles and associated personal data (name, institution, country, ORCID id and e-mail address);
  • Participation in the peer review process;
  • Participation both in-person and online in webinars, training and in-depth courses, conferences, focus groups, interviews, etc. as well as related activities.

Legal Basis:
  • Contract with the data subject (or pre-contractual measures taken at the data subject’s request), or
  • Statutory obligation, or
  • Legitimate interest of the Controller depending on the contexts in which the Data Subject’s personal data are processed, or
  • Consent where necessary.

Purpose: Process payment in favour of the Data Subject and perform the ensuing tax activities.
Legal Basis:
  • Contract with the data subject (or pre-contractual measures taken at the data subject’s request), or
  • Statutory obligation.

Purpose: Publication of personal data and/or images of the data subject.
Legal Basis: Consent with retention until the exercise of a legitimate right of the data subject which revokes the legal basis; alternatively, in relation to the legitimate interest of the Controller balanced between the needs to pursue the stated purposes and the fundamental rights of the data subject.

Purpose: Use of contact and identification data (such as name, surname and e-mail address, etc.) for project-related activities involving the data subject.
Legal Basis:
  • Contract with the data subject (or pre-contractual measures taken at the data subject’s request), or
  • Legitimate interest of the Controller.

Purpose: Establishment and execution of a contractual relationship.
Legal Basis:
  • Contract with the data subject (or pre-contractual measures taken at his or her request), or
  • Statutory obligation.

Purpose: Fulfilment of obligations under applicable regulations and legislation.
Legal Basis:
  • Contract with the data subject (or pre-contractual measures taken at the data subject’s request), or
  • Statutory obligation.

Purpose: Administrative-accounting obligations.
Legal Basis:
  • Contract with the data subject (or pre-contractual measures taken at the data subject’s request), or
  • Statutory obligation.

Purpose: If necessary, to ascertain, exercise or defend the Controller’s rights in judicial or extrajudicial proceedings.
Legal Basis: Legitimate Interest of the Controller.

Purpose: Efficient management of the contractual relationship and handling of data subjects’ requests.
Legal Basis: Depending on the contexts in which the data subject’s personal data are processed:
  • Contract with the data subject (or pre-contractual measures taken at the data subject’s request), or
  • Statutory obligation, or
  • Legitimate interest of the Controller.

Purpose: Commercial Communications.
Legal Basis: Consent of the data subject required where and if necessary.

Purpose: Cooperation with law enforcement agencies.
Legal Basis: Statutory obligation.

Legitimate interests pursued by the Controller

The controller may use its legitimate interest as the legal basis for a given purpose by balancing its rights with those of the data subject, taking into account his or her “reasonable expectations” in view also of the existing relationship with the controller. When the processing is based on the legitimate interest of the controller, it is not necessary to request the data subject’s consent to pursue that specific purpose. The processing must not adversely affect the rights and freedoms of the data subject. Some examples of legitimate interest:

  • Organisational efficiency of corporate data governance;
  • e-mail communications concerning the functionality of a service and the Controller’s plans for future developments.

Data recipients (by categories)

  • Persons authorised to perform the processing duly instructed and bound to confidentiality;
  • Processors: service providers to whom the data may be transmitted and who process the data on behalf of the Controller on the basis of a legally binding agreement guaranteeing the protection of personal data. The Controller works closely with several third-party providers, who complete processing and provide services (SPRINGER NATURE, IOPP, Abstracting and indexing services, Crossref);
  • Autonomous Controllers with sufficient guarantees to process data subjects’ data and with a valid legal basis for doing so (e.g. authorities and control and supervisory bodies, public or private entities entitled to request data, such as partners or suppliers);
  • Users browsing the website: among the obligations provided for by national legislation is the obligation to publish on the company website identification data and data on the remuneration paid by the company to Independent Contractors, Consultants and/or other persons provided for by the legislation "on transparency and dissemination of information by public administrations" (Legislative Decree No. 33/2013).

The Controller will not sell or pass on personal data of data subjects to third parties to be used for marketing purposes.

Transfers to third countries pursuant to Articles 46, 47, 49 GDPR

Transfers to third countries will take place in accordance with current legislation:

  • in countries recognised as safe by the EU Commission;
  • in countries with which Europe has international data protection agreements;
  • with entities with which the Controller has entered into legally binding agreements providing adequate guarantees for the protection of the Data Subjects as required by law;
  • if there are exemptions provided for:
    • consent of the data subject;
    • by necessity and not continuously for types and amounts of data that permit it.

Further details on the location, appropriate safeguards and copy of the data can be requested from the Controller and/or will be provided in special reference notices.

Data intended for publication on Internet sites will be accessible to any user visiting the site that published them. Such processing will have an appropriate legal basis and will be carried out on data for which the data subject has been informed of the specific purpose.

Criteria for determining the data retention period

The Controller applies the principle of data minimisation for all processing.

For some processing, the retention period can be determined more precisely than for others, for example:

  • 10 years after termination of the contract for administrative and accounting data in compliance with the statutory obligation to retain them;
  • In the event of litigation, for the duration of the litigation and the time limits for appeals;
  • For newsletter subscribers until the data subject unsubscribes or the information channel is no longer maintained.

For other processing operations, the criteria for determining the retention period are assessed on a case-by-case basis, sometimes in view of regulatory indications (e.g. Covid), at other times on the basis of balancing the legitimate interests of the Controller, contractual obligations, and the rights of the data subjects. Where possible, the retention period set or at least the criteria used will be indicated in a separate notice.

Rights of Data Subjects

  • Obtaining confirmation of whether or not processing is taking place and, if so, obtaining access to the data concerning the data subject;
  • Knowing the origin of the data processed by the Controller;
  • Verifying the accuracy of the data concerning the data subject;
  • Opposing, for legitimate reasons, the processing;
  • Requesting the integration, erasure, updating, rectification, blocking of personal data processed in violation of the law, portability.
Requests can be addressed to the Controller via the contact details in the page footer, via email at privacy@medialab.sissa.it, or to the Data Protection Officer at:
LawOneTax Legal Associates | Viale Bianca Maria, 45 - 20122 Milano – Italy | dpo@medialab.sissa.it
Communications with the data protection officer are confidential.

Data subjects also have the right to:

  • Be informed of breaches that may result in a high risk for the data subjects;
  • Complain to the competent supervisory authority in the Member State where they habitually reside or work or in the State where the alleged breach occurred.

Consent

Where required, consent is free, optional and revocable on the part of the data subject. It is collected for processing that requires it in a specific location for specific types of data or purposes.

Compulsory conferment

The disclosure of certain personal data is a statutory or contractual obligation or a necessary requirement for the conclusion of a contract. Where the data subject is under an obligation to provide personal data and does not do so, it will be impossible to pursue the purposes for which the data are requested, including, by way of example:

  • the possibility of using the Controller’s services;
  • processing of payments;
  • signing of Contracts, etc.

Categories of personal data concerned

For some of the Controller’s activities, the personal information collected relates to common data (this could include name, address, email address, IP address, affiliation, payment information, place and date of birth, ORCID ID), and sometimes to data belonging to special categories under Article 9 of the GDPR (only where there is an appropriate legal basis, for example where the Controller needs to exercise employment and social security law rights or the data subject has given consent). In connection with site navigation, information is collected on which pages are visited and when.

Source of origin of personal data

Personal data are generally collected from the data subject but, in some cases, may come from third parties who provide them to the Controller having a legitimate legal basis (e.g., University, institution or company to which the data subject belongs, employer or colleagues of the data subject). If the data subject also provides data from third parties [e.g., family members, employees or colleagues], he/she will do so on the basis of a legal basis that enables the Controller to process those data.

Further purposes

If the Controller intends to further process personal data for a purpose other than that for which they were collected, the Controller shall, prior to such further processing, provide the data subject with information about that other purpose and any further information relevant to the new purpose. Such communications may take place by updating the Information Notice and/or by contacting the data subject.

Version and date

Last modified April 2023 (v04-2023-en)