Privacy policy

The Digital Innovation Zone website (the “Website”) and the related Platforms are operated by Asociația Digital Innovation Zone – Zona de Inovare Digitală (“we”, “us” or “our”), as personal data controller, in accordance with data protection legislation, including Regulation (EU) 2016/679 (“GDPR”). The purpose of this notice is to inform users of the Website and of the Platform, as well as persons registering for eDIH-DIZ 2.0 events and activities, about the personal data processing activities carried out by Asociația Digital Innovation Zone – Zona de Inovare Digitală and by its partners within the Digital Innovation Zone consortium.

If you visit the Website without creating an account or completing forms, your data are processed mainly through cookies, in accordance with the Cookie Policy published on the Website, which we kindly ask you to consult. As a user with an account on the Platform or as a person registered for an event, your data will be processed according to the information below and according to the framework described in the eDIH-DIZ 2.0 Data Management Plan.

Joint controllers

The eDIH-DIZ 2.0 project is implemented by a consortium of partners (Beneficiaries) acting as joint controllers for the processing of your personal data in the context of registration and participation in the project’s events and activities.

Digital Innovation Zone activities are organized by Asociația Digital Innovation Zone – Zona de Inovare Digitală (and the DIZ partners in the Digital Innovation Zone consortium: North-East Regional Development Agency, Atelierul de Idei, Grapefruit, Imago-Mol Cluster, Strongbytes, “Gheorghe Asachi” Technical University of Iași (TUIASI), “Grigore T. Popa” University of Medicine and Pharmacy, Iași University of Life Sciences 1842, RoDIH, “George Enescu” National University of Arts Iași, Alexandru Ioan Cuza University of Iași, and the Employers’ Association of the Software and Services Industry), a European Digital Innovation Hub supporting digital transformation and digital innovation among SMEs and public institutions in the health and manufacturing sectors.

The updated list of partners and their roles in data processing is available on the project website, in the “Data Protection” section.

Data processed

Through this online form, the following data are collected and processed, as applicable:

  • identification data: surname, first name, position, organization, region/county, country;
  • contact data: email address, phone number, position within the organization;
  • data regarding participation in the event: event/activity type, selected sessions, logistical preferences, feedback, completion of satisfaction questionnaires and digital skills assessment questionnaires;
  • optionally, consent for further communications (newsletter, invitations to other events) and for the use of photos and video materials taken during events.
 

In order to provide the functionalities of the Website and of the Platform, as well as to manage registration and participation in events (conferences, working groups, webinars, etc.), we use the data you provide in registration forms or when you apply for opportunities published on the Website. Usually, these data include: surname, first name, position, organization, number of employees (for companies), email address, phone number, city/locality, as well as information regarding your interest in certain services, the type of event and logistical preferences.

Some functionalities of the Website/Platform are intended to assess your company’s level of digital maturity; Digital Maturity Assessment tools analyse dimensions such as digital strategy, digital readiness, human-centric orientation, data management, automation and sustainable digitalization. The results of these assessments are used to propose an appropriate pathway for you within the eDIH-DIZ 2.0 services and for reporting within the project, on the basis of contract performance and reporting obligations.

We may use contact data (email, phone) to contact you for market studies, opinion surveys or satisfaction questionnaires, based on our legitimate interest in monitoring the impact of our services and improving them. If you do not wish to be contacted for these purposes, you may inform us of your choice, and we will respect it.

Purpose and legal basis of processing

Your data are processed for the following purposes:

  • managing registration and participation in events, training activities and other services offered within eDIH-DIZ 2.0 (logistical organization, participant lists, participation certificates) – processing necessary for the performance of a contract / provision of the requested services, within the meaning of Art. 6(1)(b) GDPR;
  • reporting to the funding authority and fulfilling the reporting and monitoring obligations related to funding and state aid (participation indicators, aggregated statistics) – processing necessary for compliance with a legal obligation, Art. 6(1)(c) GDPR;
  • monitoring and improving the quality of services (analysis of feedback, aggregated statistics regarding participation and satisfaction) – processing based on the consortium’s legitimate interest in ensuring the quality and efficiency of services, Art. 6(1)(f) GDPR, with the balancing test carried out and documented in the DMP;
  • sending newsletters, information about future events and activities, as well as using photos and video materials for promotion and reporting purposes – processing based on your explicit consent, Art. 6(1)(a) GDPR, which you may withdraw at any time.
 

We do not use the data collected through this form for automated decisions producing legal effects or similarly significant effects on you; any recommendations or “beneficiary journey” profiling are subject to human intervention and validation.

You have the right to withdraw your consent regarding the use of photos and video materials at any time; in this case, requests for deletion or anonymization of images may be addressed to the Consortium Coordinator – “Gheorghe Asachi” Technical University of Iași or to the Data Protection Officer (cpdcp@groups.tuiasi.ro), for the events and activities organized by them, or to the data protection officers appointed by each partner, insofar as deletion is possible and does not conflict with the project’s retention or archiving obligations.

Data recipients and transfers

The data are accessible only to authorized persons within the eDIH-DIZ 2.0 consortium involved in organizing and reporting events (project coordinator, work package managers, administrative staff, trainers and experts involved in the activities), based on the “need-to-know” principle.

The data may be communicated to funding authorities and other control bodies only to the extent necessary to fulfil the project’s legal and contractual obligations, under confidentiality conditions.

Data processing takes place within the EU/EEA; no transfers of data to third countries outside the EU/EEA are anticipated.

Where CRM services or cloud platforms are used, for example for managing registrations and communications, they are operated based on Data Processing Agreements (DPAs), with data centres in the EU and with appropriate security measures, including encryption and access controls.

Storage period

Data related to registration and participation in events are stored for the duration of the project and subsequently for the period necessary to fulfil the audit, reporting and archiving obligations provided in the funding contract and applicable legislation.

Data used for newsletter communications are stored until consent is withdrawn or the right to object is exercised, after which they are deleted or anonymized, in accordance with the retention policy in the Data Management Plan.

Your rights

In relation to the processing of your data, you benefit from the following rights, within the limits established by the GDPR:

  • the right of access to personal data and to information regarding their processing (Art. 15 GDPR);
  • the right to rectification of inaccurate or incomplete data (Art. 16 GDPR);
  • the right to erasure of data (“right to be forgotten”), insofar as there are no legal retention obligations (Art. 17 GDPR);
  • the right to restriction of processing, under certain conditions (Art. 18 GDPR);
  • the right to data portability for the data provided by you, in a structured, commonly used and machine-readable format (Art. 20 GDPR);
  • the right to object to processing carried out on the basis of legitimate interest or for direct marketing purposes (Art. 21 GDPR);
  • the right to withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal (Art. 7 GDPR).
 

You may exercise your rights by submitting a written request to the Data Protection Officer (DPO) of the organizing partner, using the contact details mentioned on the project website; requests are usually resolved within no more than 30 days.

Data security

The eDIH-DIZ 2.0 consortium applies “privacy by design and by default” principles and implements appropriate technical and organizational measures to protect data:

  • encryption of data in transit and at rest, strict access control (RBAC), multi-factor authentication for administrative roles;
  • internal data protection policies, periodic staff training, incident response procedures and security breach registers;
  • periodic review of forms and data fields to ensure minimization of collected data and limitation of processing purposes.
 

In the event of a security incident affecting the confidentiality, integrity or availability of your data, the consortium will act in accordance with the notification procedures provided by the GDPR, including, where applicable, informing the supervisory authority and the data subjects.

Supervisory authority

You have the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP) or with another competent supervisory authority, if you consider that the processing of your data in the context of the eDIH-DIZ 2.0 project violates the provisions of the GDPR.

Data protection

Within the eDIH-DIZ 2.0 project, the protection of personal data is treated as an operational and compliance obligation applicable to all promotion, registration, assessment, service delivery, monitoring and reporting activities. Data processing is carried out in accordance with Regulation (EU) 2016/679 (GDPR), the requirements of the Digital Europe Programme, the provisions of the Consortium Agreement and the internal rules defined in the project’s Data Management Plan.

The project operates as an ecosystem of digital and innovation services for SMEs and public sector organizations, and data are processed only to the extent necessary for managing the relationship with beneficiaries, providing services and complying with audit, reporting and quality obligations. The official online intake form represents the standardized entry point into the onboarding process, and the data collected through it are used for the initial eligibility assessment, lead registration and allocation of the beneficiary pathway within the hub.

Controllers and roles

eDIH-DIZ 2.0 is implemented by a consortium of partners and, depending on the specific processing activity, they may act as joint controllers, independent controllers or processors, according to the relationship between the purposes and means of processing. D5.3 Data Management Plan within the project explicitly provides for the use of controller-to-controller agreements, controller-to-processor agreements and joint controller arrangements, including for jointly managed datasets such as the HubSpot CRM, administered mainly by Asociația Digital Innovation Zone (DIZ NGO) and “Gheorghe Asachi” Technical University of Iași (TUIASI).

The data governance structure includes a Data Management Coordinator at TUIASI, data protection officers within each beneficiary, a CRM Data Manager at DIZ NGO and data protection officers for each partner organization. In the operational architecture of the project, TUIASI has a central role in coordination, WP2 Test Before Invest and WP5 Coordination & Sustainability, DIZ NGO mainly manages the CRM, WP3 Skills/AI Helpdesk activities and WP4 Access to Finance, while the North-East Regional Development Agency (ADRNE) has a relevant role in ecosystem activities, outreach and data associated with WP1.

Partners and roles in data processing

The list below is informative and updated periodically as operational responsibilities or contact persons change.

Partner / entity
Main role in the project
Possible role in data processing
Data/operation examples
Data Protection Officer contact details
TUIASI – “Gheorghe Asachi” Technical University of Iași
General coordination, WP2, WP5
Operator or associated operator for coordination, assessments, PoC, reporting
Project management data, DMA assessment data, TBI technical data, financial and reporting data
dpo@tuiasi.ro
DIZ ONG
CRM management, WP3, WP4, single point of entry for leads
Associate operator / operator for CRM, training, helpdesk, communication with beneficiaries
Contact details, training data, AI Helpdesk interactions, event registrations, newsletters
NERDA – North-East Regional Development Agency
WP1 Ecosystem & Outreach
Operator or associated operator for ecosystem activities and events
Stakeholder databases, event registrations and participation, feedback, communication data
Other consortium partners and affiliated entities
Providing specialized services and operational support
Operators / authorized persons, as appropriate and according to the contractual relationship
Data strictly necessary for the delivery of the assigned service, based on the need-to-know principle

D5.3 provides that each beneficiary and affiliated entity has its own GDPR compliance responsibilities, and that data subject requests are handled through the DPO of the party carrying out the processing or through the common mechanism established at consortium level.

What data we process

Within the project, 14 distinct categories of data are managed, including data about beneficiary organizations, contact persons, digital maturity assessments, roadmaps, PoC data, training data, AI Helpdesk interactions, access logs, financial data, expert data, event and communication data, feedback, and project management data. For interactions through the website and online forms, the most frequent categories are data relating to the beneficiary organization, contact person data, event participation and communication data, as well as feedback provided after activities.

Typically, the following types of data may be collected: first name and surname, organization, position, email, phone number, location, sector of activity, interest in services, information regarding participation in events or courses, questionnaire responses and feedback. In some operational flows, the project may also process data that are more sensitive from a commercial confidentiality perspective, such as data from assessments, prototypes, technical analyses or funding readiness activities; however, access to such data is restricted and contractually governed.

Purposes and legal bases

The data are processed for managing registrations and the relationship with beneficiaries, delivering contracted services, carrying out training and event activities, monitoring quality, reporting to the funder and fulfilling the legal and contractual obligations related to the project. D5.3 establishes that the main legal bases used in the project are performance of a contract, legal obligation, consent and legitimate interest, depending on the specific processing activity.

For the services provided to beneficiaries, the legal basis is mainly the performance of a contract, pursuant to Art. 6(1)(b) GDPR. For reporting to the funding authority, compliance with state aid rules and audit obligations, the legal basis is legal obligation, pursuant to Art. 6(1)(c) GDPR. For monitoring satisfaction and improving the quality of services, D5.3 indicates legitimate interest, with the balancing test documented. For photographs, video recordings at events, newsletters and other marketing communications, the legal basis is the data subject’s consent, pursuant to Art. 6(1)(a) GDPR.

Sharing and access

Access to data is granted based on the “minimum necessary access” principle and through role-based control mechanisms, so that each partner or team member can access only the information necessary for their tasks. D5.3 describes four main access levels in the CRM: full access for administration and coordination, WP-level access for work package leaders, service-level access for delivery teams and read-only reporting for aggregated statistics and indicators.

When services are co-delivered by several partners, data transfers between them take place only after the appropriate data processing agreements have been concluded, in accordance with Consortium Agreement 4.5 and the DPA framework described in D5.3. Data may be made available to managing authorities, audit bodies, the European Commission, OLAF, EPPO or other legally competent entities, strictly to the extent necessary and, whenever possible, in aggregated or anonymized form.

The project follows the principle “As Open as Possible, As Closed as Necessary”, which means that aggregated methodological materials, event presentations and certain non-personal results may be published openly, while individual beneficiary data, expert data, financial information and confidential technical details are not made public.

Storage, retention and security

According to the Data Management Plan, most categories of data relevant to the relationship with beneficiaries and to service delivery are retained for 5 years after the final grant payment, while certain categories, such as financial data, may have a longer retention period of 10 years, based on tax and audit obligations. For data in the event communication category, the retention period is governed both by the minimum project obligations and by the terms of consent, especially for photo-video materials or further communications.

Data security is ensured through encryption at rest and in transit, role-based access control, multi-factor authentication for administrative access, audit logging, internal data protection policies, staff training and incident response procedures. For technical activities within WP2, testing and development are carried out in isolated sandbox environments, with strict segregation of beneficiary data and audited access.

In the event of a security incident, the project applies a formal breach response procedure, with rapid internal notification, impact assessment, notification of the competent authority within the legal timeframe and, where applicable, informing the data subjects without undue delay.

Rights of data subjects

Persons whose data are processed within the project benefit from the rights provided by the GDPR, including the right of access, rectification, erasure, restriction, portability, objection and withdrawal of consent, where processing is based on consent. D5.3 provides that requests are usually resolved within one month, and where deletion is not possible due to retention obligations, the data may be restricted instead of deleted.

Requests regarding the exercise of rights may be submitted to the data protection officer of the relevant partner or through the contact channel published in this section of the website. The project maintains registers for data subject requests, data access and deletion operations, so that responses and measures adopted can be tracked and demonstrated.

Use of GenAI tools

D5.3 introduces a separate governance framework for the use of generative artificial intelligence tools in the project, with a focus on data sovereignty, documentation of use, risk assessment and mandatory human oversight. Any significant use of such tools must be justified by a clear purpose, documented and validated by a responsible person before the output is used in services, materials or deliverables.

The use of personal GenAI accounts for project activities is prohibited, and the input of beneficiaries’ personal data, confidential information or sensitive project data into external GenAI tools is prohibited without a legal basis, risk assessment, contractual agreements and appropriate technical safeguards. Where the use of GenAI is permitted, the project applies the data minimization principle and favours the use of anonymized, aggregated or synthetic data.

Contact

For questions regarding data protection, the exercise of GDPR rights or clarifications regarding the roles of partners, this page must include a single point of contact and, where applicable, the contact details of the DPO or responsible person within each relevant partner. In addition, data subjects have the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing if they consider that the processing of their data does not comply with applicable legislation.

For questions regarding the processing of personal data within eDIH-DIZ 2.0, for the exercise of GDPR rights or for clarifications regarding the partners involved in processing, please use the contact details published in this section. If you consider that your rights have been violated, you may lodge a complaint with ANSPDCP, under the conditions provided by law.