It basically says that the Smart CSOs Lab, including our website, requests information from you that, under the General Data Protection Regulation (GDPR) that went into effect on May 25, 2018, would be considered personal data, and describes why we request said data and how it’s treated in accordance with the GDPR as well as any local regulations that apply (the Smart CSOs Lab is registered in Spain, under the name Associació Activistas en Transición).
a) Personal data
Personal data refers to any information about an identified or identifiable natural person. An identifiable natural person can be identified, directly or indirectly, by an identifier, such as a name, an identification number, location data, an online identifier or any other characteristic specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data subject
A data subject is any identified or identifiable natural person whose personal data is processed by a controller that is responsible for the processing. That is, if you have provided us with your personal data to process, then you are the data subject, and we are the controller.
Processing includes any operation performed on personal data, such as: collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating, sharing, withholding, or deleting/destroying.
d) Restricting of processing
Restricting the processing of stored personal data is labelling said data so that restrictions are placed on any future processing.
Profiling is any form of automated processing of personal data where that data is used to evaluate certain personal aspects about a natural person, especially to analyse or predict aspects about that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
f) Controller, or controller responsible for the processing
A controller, or controller responsible for the processing, is the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines why and how personal data is processed. If the why and how are determined by E.U. or member-state law, the controller or the criteria for its nomination may be indicated by that E.U. or member-state law.
A processor is a natural or legal person, public authority, agency or other body that processes personal data on the behalf of the controller.
A recipient is a natural or legal person, public authority, agency or other body to which personal data is disclosed and may or not be a third party. However, public authorities that might receive personal data in the framework of a particular inquiry in accordance with E.U. or member-state law are not considered recipients; the processing of that data by those public authorities will be in compliance with the applicable data protection rules according to the purposes of the processing.
i) Third party
A third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who are directly authorised to process personal data by the controller or processor.
Consent is a freely given, specific, informed, and unambiguous indication that the data subject agrees, in a statement or other clear affirmative action, to have their personal data processed.
2. Name and address of the controller
The controller, for the purposes of the GDPR, other data protection laws in the E.U., and other provisions related to data protection, is:
Associació Activistas en Transición (Smart CSOs Lab)
Address: Calle del Francolí 12, 08006 Barcelona, Spain
3. Cookies and the collection of general data and information
Our website provider automatically collects and stores information that your browser automatically transmits to us using server log files. This information includes:
- Browser name and version number
- Operating system
- Referrer URL (what website you were on when you clicked and arrived at our website)
- Hostname of the computer you’re using
- Time of server request
- IP address
This data will not be combined with data from other sources. The lawful basis for this processing is Article 6(1) (b) of the GDPR, in which the data processing serves to fulfil a contract or pre-contract measures.
Some cookies, like session cookies, are deleted after you close a website and re-generated the next time you visit. Other kinds of cookies stay in your browser and are used for any future visits to a website.
You can prevent any website from setting cookies using your browser’s settings. You can also delete any cookies that have already been set. These settings are available in any popular Internet browser (e.g. Chrome, Firefox, Safari, Internet Explorer). However, disabling cookies altogether may limit the functionality of our website.
Cookies set by Matomo will remain on your device until you delete them (which you can do in your browser’s settings).
The lawful basis for storing the cookies set by Matomo is Article 6(1) (f) of the GDPR. As the website operator, the Smart CSOs Lab has a legitimate interest in analysing user behaviour in order to optimize our website.
The information on how you use this website will not be disclosed to third parties, and you can prevent these cookies from being stored to begin with (again, by using your browser’s settings). However, we’d like to inform you that our website may not be fully functional for you if you do so.
In the event that you do want to prevent your data from being stored and used, an opt-out cookie will be stored in your browser, which tells Matomo not to store data on how you use our website. Of course, if you delete your cookies (using your browser’s settings), the opt-out cookie will also be deleted. When you return to our site, you will need to reactivate the opt-out cookie if you do not want information on how you use our website to be stored.
5. Subscription to our newsletter
You can subscribe to the Smart CSOs Lab newsletter through a page on our website, using a form operated by MailChimp. That form details what personal data needs to be collected and for what purpose.
Our newsletter, sent about 4–6 times a year, provides you with information and updates on the Smart CSOs Lab, information about and invitations to upcoming events, and musings about what we are reading and thinking about, including links to various articles, videos, and the like.
When you sign up, a confirmation e-mail will be sent to the e-mail address you registered, for legal reasons, as a double opt-in procedure. This confirmation e-mail will function as proof that as the owner of the e-mail address, you authorize us to send you our newsletter.
Additionally, after the newsletter is emailed via MailChimp, it is also published separately in the newsletter archive on our website soon after.
Any personal data collected through this form will be used exclusively to send you our newsletter and event information. This data will not be transferred to any third parties. You may terminate this subscription or revoke your consent to the storage of your personal data by clicking the corresponding link included at the bottom of every newsletter the Smart CSOs Lab sends. You may also directly contact the Smart CSOs Lab regarding this matter at any time.
6. Participation in our events
The Smart CSOs Lab organises events (workshops, conferences, etc.) from time to time and provides information about them on our website and via email, including using MailChimp. Any personal data that is necessary for your registration for the event, such as your name, contact information, various preferences, and payment details, are collected using third-party tools (such as Google Forms, Paperform, and Stripe).
If you would like to become a supporter of the Smart CSOs Lab by making a financial donation, we will need to ask you for your name, your email address, and any information relevant to drawing up an invoice or a donation request for you, for tax purposes. The lawful basis for processing this data is Article 6 (1) (c) of the GDPR, where the controller needs to process personal data in order to comply with a legal obligation.
8. Routine erasure and blocking of personal data
As a controller, the Smart CSOs Lab will process and store your personal data only for the period necessary to achieve the purpose of storage or for as long as the GDPR or other local regulations allow for.
When the purposes of storing data no longer apply or when a storage period dictated by said regulations expires, the personal data will be blocked or erased in accordance with legal requirements.
9. Your rights as a data subject
a) Right to confirmation
As a data subject, you have the right to obtain confirmation from the Smart CSOs Lab regarding whether or not your personal data is being processed. If you want to exercise this right of confirmation, you may contact any member of the Smart CSOs Lab at any time.
b) Right to access
As a data subject, you have the right to obtain information from the Smart CSOs Lab, free of charge, about your stored personal data at any time, as well as a copy of this information. E.U. directives and regulations also grant you access to the following information:
- the purposes of the processing;
- the types of personal data concerned;
- the recipients to whom the personal data has been or will be disclosed, especially recipients in third countries or international organisations;
- where possible, the time period that the personal data is expected to be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request that the Smart CSOs Lab rectify, erase, or restrict processing of the personal data and the right to object to such processing;
- the existence of the right to file a complaint with the applicable supervisory authority;
- any available information on how the Smart CSOs Lab obtained your data if you were not the one that provided it;
- the existence of automated decision-making, including profiling, (see Article 22(1) and (4) of the GDPR) and, at least in those cases, meaningful information about the logic involved, as well as the expected consequences you may experience due to such processing.
Furthermore, you have the right to obtain information about whether your personal data is being transmitted to a third country or to an international organisation. Where this is the case, you have the right to be informed of the appropriate safeguards surrounding this transmission.
If you want to exercise this right to access, you may contact any member of the Smart CSOs Lab at any time.
c) Right to rectification
As a data subject, you have the right to obtain from the Smart CSOs Lab, without undue delay, the rectification of any inaccuracies in your personal data. Where the purposes of the processing have been taken into account, you have the right to have any incomplete personal data completed, including by providing a supplementary statement.
If you want to exercise this right to rectification, you may contact any member of the Smart CSOs Lab at any time.
d) Right to erasure (‘right to be forgotten’)
As a data subject, you have the right to request that the Smart CSOs Lab erase your personal data, and as controllers, we are obligated to comply without undue delay, in any of the following situations and as long as the processing is not necessary:
- The personal data is no longer necessary for the purposes for which they were collected or otherwise processed.
- The data subject withdraws consent on which the processing is based, according to Article 6(1) (a) or Article 9(2) (a) of the GDPR, and where there is no other legal ground for the processing.
- The data subject objects to the processing pursuant to Article 21(1) of the GDPR, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR.
- The personal data has been unlawfully processed.
- The personal data must be erased for compliance with a legal obligation in E.U. or member state law to which the controller is subject.
- The personal data has been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
If one of the aforementioned situations applies, and you want your personal data that we are storing to be erased, you may contact any member of the Smart CSOs Lab at any time. One of us will promptly ensure that the erasure request is complied with immediately.
Where the Smart CSOs Lab has made personal data public and is obliged pursuant to Article 17(1) to erase the personal data, we will take reasonable steps, taking into account available technology and cost of implementation, to inform other controllers that are processing any of your personal data that you have requested that those controllers erase any links to, or copy or replication of, that personal data, as long as processing is not necessary. One of us will arrange the measures that need to be taken on a case-by-case basis.
e) Right to restriction of processing
As a data subject, you have the right to request that the Smart CSOs Lab restriction the processing of your personal data in any of the following situations:
- You contest the accuracy of your personal data, for a period enabling us to verify the accuracy of your personal data.
- The processing is unlawful and you oppose the erasure of your personal data and request a restriction of use instead.
- We no longer need the personal data for the purposes of processing, but you require your personal data for the establishment, exercise or defence of legal claims.
- You object to processing, pursuant to Article 21(1) of the GDPR, pending the verification whether our legitimate grounds as a controller override yours as a data subject.
If one of these conditions is met, and you want us to restrict processing of your personal that we are storing, you may contact any member of the Smart CSOs Lab at any time, and we will arrange the restriction of processing.
f) Right to data portability
As a data subject, you have the right to request a copy of the personal data that you provided to the Smart CSOs Lab in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the Smart CSOs Lab, as long as the processing is:
- based on consent pursuant to Article 6(1) (a) or Article 9(2) (a) of the GDPR or on a contract pursuant to Article 6(1) (b) of the GDPR
- carried out by automated means
This right does not apply to any processing that is necessary to perform a task carried out in the public interest or in the exercise of official authority vested in the controller.
Furthermore, in exercising this right to data portability as a data subject, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.
To exercise this right to data portability, you may contact any member of the Smart CSOs Lab at any time.
g) Right to object
As a data subject, you have the right to object to the processing of your personal data at any time, on grounds relating to your particular situation, based on Article 6(1) (e) or (f) of the GDPR. This also applies to profiling based on these provisions.
The Smart CSOs Lab will not process personal data in the event of an objection, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms as a data subject or for the establishment, exercise or defence of legal claims.
You have the right to object to the processing of your personal data by the Smart CSOs Lab for marketing purposes at any time. This applies to profiling to the extent that it is related to such direct marketing. If you object to having your personal data processed for direct marketing purposes, the Smart CSOs Lab will not process your personal data for these purposes.
You also have the right to object to the processing of your personal data by the Smart CSOs Lab for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) of the GDPR, at any time, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
To exercise your right to object, you may contact any member of the Smart CSOs Lab. In addition, in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you are free to exercise this right via automated means using technical specifications.
h) Automated individual decision-making, including profiling
As a data subject, you have the right to not be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
- is necessary for entering into, or the performance of, a contract between the data subject and a data controller
- is authorised by E.U. or member state law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests
- is based on the data subject's explicit consent.
If points (1) and (3) apply, then the Smart CSOs Lab will take the appropriate measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain the controller’s human intervention, to express their point of view and contest the decision.
To exercise this right to regarding automated individual decision-making, you may contact any member of the Smart CSOs Lab at any time.
i) Right to withdraw data protection consent
As a data subject, you have the right to withdraw your consent to processing of your personal data at any time.
To exercise this right to withdraw your consent, you may contact any member of the Smart CSOs Lab at any time.
10. Data protection provisions about the application and use of YouTube and Vimeo
The Smart CSOs Lab sometimes embeds YouTube and Vimeo videos on our website. YouTube are Internet video portals that enable people to publish, view, review and comment on videos free of charge.
Further information about YouTube is available at youtube.com/yt/about. Further information about Vimeo is available at vimeo.com/about.
Whenever you navigate to one of our website pages that contains an embedded YouTube or Vimeo video, the browser you’re using is automatically prompted to download a display of the corresponding video. This technical procedure informs YouTube and Google or Vimeo, respectively, about what specific page from our website you visited.
If you are logged into a YouTube or Vimeo account, then whenever you navigate to one of our website pages that contains an embedded video from one of these sites, and YouTube or Vimeo identifies what page on our website you visited, YouTube and Google or Vimeo, respectively, associate that information with the particular account you are using at that time. This occurs regardless of whether you click on the video or not. If you do not want YouTube and Google or Vimeo to associate your navigation on our website pages with your account, you can log out of your account before exploring the Smart CSOs Lab website.
11. Lawful basis for the processing
Article 6(1) (a) of the GDPR serves as the lawful basis for processing operations for which the Smart CSOs Lab obtains consent for a specific processing purpose.
If the processing of personal data is necessary for the performance of a contract to which you are subject, then the processing is based on Article 6(1) (b) of the GDPR. The same applies to such processing operations which are necessary for carrying out pre-contractual measures (for example, if you want to come to an event we’re organising and you ask us preliminary questions about it).
Processing your personal data may be necessary when the Smart CSOs Lab needs to comply with any legal obligations we might be subject to, according to Article 6(1) (c) of the GDPR.
In rare cases, the processing of your personal data may be necessary to protect your own vital interests or those of another natural person. This would be the case, for example, if you were injured while attending one of our events and your name, age, health insurance data or other vital information needed to be passed on to a doctor, hospital or other third party. That processing would then be based on Article 6(1) (d) of the GDPR.
Article 6(1) (f) of the GDPR also provides the lawful basis for processing operations that are not covered by any of the aforementioned legal grounds when that processing is necessary for the purposes of the legitimate interests pursued by the Smart CSOs Lab or a third party. The exception is where such interests are overridden by your interests or fundamental rights and freedoms as a data subject, requiring protection of your personal data.
12. The legitimate interests pursued by the controller or by a third party
Where the processing of personal data is based on Article 6(1) (f) of the GDPR, our legitimate interest is to act in favour of the well-being of our Lab members.
13. Period for which the personal data will be stored
The criteria we use to determine how long personal data will be stored is the respective statutory retention period. After that expires, the corresponding data is routinely deleted if it is no longer necessary for fulfilling or initiating a contract.