Data Controllers – Who are the controllers of the personal data that you supply hereunder?

Bright Pixel

Company name: Bright Development Studio, S.A.

VAT: PT513885013

Email contact: hello@brpx.com

Postal address: Lugar do Espido, Via Norte, Edifício 1D, 4470-177 Maia, Portugal

CIVITTA

Company name: UAB CIVITTA

VAT: LT100005180610

Email contact: info@civitta.com

Postal address: Gedimino Avenue 27, Vilnius 01104, Lithuania

F6S

Company name: F6S Network Limited

VAT: GB166239787

Email contact: support@f6s.com

Postal address: Kemp House City Road 152-160, London EC1V 2NX, United Kingdom

Together, these companies constitute the BlockStart Consortium (hence, the “Controllers” for the purpose of this Policy).

Purpose – Why do we process your personal data?

The Controllers process the personal data you supply to manage the BlockStart project. Under this Horizon 2020 project, the Controllers will exclusively share the collected personal data within the members of the BlockStart consortium, all of them based in Europe. Only when BlockStart participants sign a contract with the consortium and receive funding from the project could their personal data be supplied to European Commission, since it is the funding body of the BlockStart project. The processing regarding personal data that may occur under the Project will be strictly related to its use for the purposes of: sending communications by email to the professional contacts of the potential interested entities related to the relevant calls and events; involving the participating entities in the developed activities under this Project; executing the due fund transfers for the involved entities under the Project terms and conditions; complying with any reporting obligations in relation to the European Commission under the Project; compliance with reporting and/or other legal obligations resulting from the Horizon 2020 legal framework.

Personal Data Categories

For clarity purposes, the types of personal data that may be subject to processing by the Controllers for the purposes above defined are the following: – full name; – professional email; – professional telephone contact; – country of establishment; – short CV and/or LinkedIn profile; – bank accounts of beneficiaries (DLT developers, SMEs, DLT experts), in order to enable the due fund transfers to the aforementioned sub-grantees; – attendance sheets (with names and signatures of people present at events); – photo and video recording of events (e.g.: ideation kick-offs, workshops, demo days, webinars). Such recordings (e.g.: general perspective of an auditorium, video of a beneficiary pitch, testimonials by the participants), to the extent applicable in accordance with the applicable personal data protection laws, will only capture people that had expressed consent for the use of their image (limited to the promotion of BlockStart’s open call and results).

Legal ground – What is the legal basis to process your data?

The Controllers may process your collected personal data for the purposes stated above. The legal basis for the said processing may be (i) necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (e.g., in order to enter a sub-grant agreement); (ii) necessary for compliance with a legal obligation to which the Controllers are subject to (e.g. reporting and/or other legal obligations resulting from the Horizon 2020 legal framework); (iii) necessary for the purposes of the legitimate interests pursued by the Controllers or by a third party (e.g. professional contacts for divulging calls that may be of interest of the recipient entity); and/or consent, if applicable in accordance with the applicable laws (previous consent, if applicable, may be requested in case of video, audio or image collection of participants in an event).

Data Processors – Who will be able to process your data?

Processing your personal data does not imply that we can share data with third parties. This will not be the case unless there is legal framework to do so. Besides, we will not make international transfers (that is, personal data transfers outside the EEE – EU) of the collected personal data. The Controllers will not transfer your personal data to third parties, except where needed for the execution of Project activities and/or for compliance with legal obligations that are applicable to the Controllers. Such transfer to third parties will be, in any case, made in accordance with the applicable data protection laws, and within the defined purposes and legal basis. The Controllers may, namely, share the personal data, to the extent strictly necessary, with the following entities: – public entities, within the necessary compliance of legal obligations applicable to the Controllers within the Project; – participating entities within the BlockStart Project; – service providers of the Controllers on a need to know basis and strictly regarding the purposes defined hereunder within the BlockStart Project. In these circumstances and where necessary, the Controllers will only use subcontracted entities which present sufficient guarantees to carry out appropriate technical and organizational measures in a way that the processing meets the requirements of the applicable standards in accordance with the level of security appropriate to the risk and sensibility of the personal data in question, and such guarantees will be established by contract signed between the corresponding Controller and each of these third parties.

Storage – How long will we keep your data?

The gathered personal data will be kept until the end of the project (February 2022). Data needed to answer to potential audits by the European Commission Services (e.g.: data that enables the assessment of BlockStart activities’ impact), may be kept for up to 5 years after the end of the project (prospectively until May 2027). However, any personal data may always be deleted earlier, if you request its deletion and the applicable requirements to the exercise and execution of the right to erasure are fulfilled. In order to follow the principle of data minimization, personal data will be deleted/destructed the earliest possible, in accordance with the applicable criteria and requirements resulting from the applicable personal data protection laws, namely, the General Data Protection Regulation (“GDPR”).

Rights – Which are your rights when you supply your data?

Under the, and in accordance with, the applicable personal data protection laws, as data subject and in relation to the personal data processed by the Controllers, you have the right to request from the Controllers access to, rectification or erasure of your personal data or restriction of processing concerning you or to object to processing, as well as the right to data portability. We will use reasonable efforts, within our legal duty, to supply, correct or delete personal data about you on our files. For the said purposes, please contact us through the following e-mail contact: hello@brpx.com To the extent applicable, where the processing is based on your consent for the relevant processing and purpose, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. Without prejudice of all the means of contact between you and the Controllers, you have, in any case, the right to lodge a complaint with a supervisory authority.

Security – How is the data collected protected?

Your personal data will be treated in a confidential manner and subject to suitable technical and organization measures to avoid their loss or unauthorized access and processing. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks, of probability and variable severity, for your personal data, the Controllers will apply the appropriate technical and organizational measures to ensure a level of safety appropriate to the relevant risk. The Controllers use a variety of security technologies and procedures to help protect your personal data from unauthorized access, use, or disclosure. In case of need to subcontract services to third parties that may have access to your personal data, each Controllers subcontractors will adopt the security and organizational measures, as well as the necessary technical measures, necessary to the protection of the confidentiality and security of your personal data, in order to prevent, namely, unauthorized access, loss or destruction of your personal data.