CYBER 4.0 - PRIVACY POLICY PROJECT SECURE

CYBER 4.0 – PRIVACY POLICY SECURE PROJECT

Data Controller

Associazione Cyber 4.0
Via Ardito Desio 60 – 00131 Rome
e-mail of Data Controller: privacy@cyber40.it

Contact Details of the Data Protection Officer (DPO – Data Protection Officer)

Pursuant to Article 37 of Regulation (EU) 2016/679, Cyber 4.0 Association has appointed Avv. Tiziana Pica as the Data Protection Officer, who can be contacted at the following e-mail addresses:

E-mail: dpo@cyber40.it

Certified Electronic Mail (PEC): tizianapica@ordineavvocatiroma.org

Categories of Data Collected

Within the framework of the “SECURE Cyber Resilience for SMEs” Call (hereinafter also the “SECURE Project”), Cyber 4.0 acts as the Data Controller for the purposes described in this Privacy Notice.

The Data Controller collects and processes the following categories of personal data: (i) common identification personal data (including first name, last name, place and date of birth, tax code, telephone number, email address, and residential address) of the legal representative of the company registering, as well as of any collaborators and/or employees of the same entity who are active in the registered team; (ii) any special categories of data (possibly concerning racial or ethnic origin); (iii) any judicial data of the legal representative of the registered company.

The Data Subject assumes responsibility for the personal data of third parties obtained published or shared through the channels available on this platform.

Processing Methods and Location of Collected Data

The Data Controller adopts appropriate security measures to prevent unauthorized access, disclosure, alteration, or destruction of Personal Data.

The processing is carried out using IT and/or telematic tools, following organizational methods and logic strictly related to the purposes indicated. In addition to the Data Controller, in certain cases, other parties involved in the organization or management of the Data Controller’s activities (such as administrative staff, legal advisors, system administrators) and/or external parties (such as third-party technical service providers, hosting providers, IT companies, communication agencies) may have access to the Data. These external parties are appointed, where applicable, pursuant to Article 28 of the GDPR, as Data Processors on behalf of the Data Controller. The updated list of Data Processors can always be requested from the Data Controller.

Location

The Data are processed at the operational offices of the Data Controller and at any other location where the parties involved in the processing are located. For further information, please contact the Data Controller.

The Data Subject’s Personal Data may be transferred to a country other than the one in which the Data Subject is located.. For more information on the location of processing, the Data Subject may refer to the section on Details of Personal Data Processing.

Data Retention Period

Personal Data are processed and stored for the period strictly necessary, or for the duration required to carry out verification, accounting, and administrative activities related to the SECURE Project for which they were collected, and may be retained for a longer period where required by applicable legal obligations.

At the end of the retention period, the Personal Data will be deleted. Accordingly, once such period has expired, the rights of access, erasure, rectification, and data portability may no longer be exercised by the individual Data Subject.

Purposes and Legal Basis of the Processing

The Data Controller processes the Personal Data described above in order to carry out the management activities and ensure the proper execution of each company’s participation in the SECURE Project Call.

The Data Controller processes the Data Subject’s Personal Data only where at least one of the following legal bases applies:

the processing is necessary for the performance of the registration relationship of the individual company with the SECURE Project application and for the management of all related funding and reporting activities;
the processing is necessary for compliance with a legal obligation to which the Data Controller is subject;
the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
the processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by third parties.

Disclosure of Your Data to Third Parties

In the context of the proper and full performance of the agreement in force between the entities promoting the SECURE Project, the Data Controller may disclose certain of your Personal Data to third parties, such as: the organizations forming part of the SECURE Consortium ( Italy: ACN – National Cybersecurity Agency, Cyber 4.0, IdeaRE; Austria: EDIH-Austria; Belgium: Centre Pour La Cybersécurité; Luxemburg: Luxembourg House Of Cybersecurity; Poland: Naukowa i Akademicka Siec Komputerowa -Panstwowy Instytut Badawczy; Romania: National Coordination Centre; Spain: Instituto Nacional De Ciberseguridad De Espana) as well as organizations or natural persons supporting the Data Controller in the management of the administrative activities related to the procedure, etc.

Data Subject’s Rights under the General Data Protection Regulation (GDPR)

Data Subjects may exercise certain rights in relation to the Personal Data processed by the Data Controller, and in particular the right to:

withdraw consent at any time (Article 7(3) GDPR);
object to the processing of their Personal Data. The Data Subject may object to the processing of their Personal Data when such processing is based on a legal ground other than consent (Article 21 GDPR);
access their Personal Data. The Data Subject has the right to obtain information on the Personal Data processed by the Data Controller, on certain aspects of the processing, and to receive a copy of the Personal Data undergoing processing (Article 15 GDPR);
verify and request rectification. The Data Subject may verify the accuracy of their Personal Data and request that it be updated or corrected (Article 16 GDPR);
obtain restriction of processing. The Data Subject may request the restriction of the processing of their Personal Data. In such cases, the Data Controller shall not process the Personal Data for any purpose other than storage (Article 18 GDPR);
obtain erasure or removal of their Personal Data. The Data Subject may request the erasure of their Personal Data by the Data Controller (Article 17 GDPR);
receive their Personal Data or have it transferred to another controller. The Data Subject has the right to receive their Personal Data in a structured, commonly used and machine-readable format and, where technically feasible, to have such data transmitted without hindrance to another data controller (Article 20 GDPR);
lodge a complaint. The Data Subject may lodge a complaint with the competent personal data protection supervisory authority or seek judicial remedy.

How to Exercise Your Rights

Any requests to exercise the Data Subject’s rights may be submitted to the Data Controller using the e-mail contacts provided in this document. Requests are free of charge, and the Data Controller will respond as soon as possible, in any case within one month, providing the Data Subject with all information required by law. Any rectifications, erasures, or restrictions of processing will be communicated by the Data Controller to each recipient, if any, to whom the Personal Data have been disclosed, unless this proves impossible or involves a disproportionate effort. The Data Controller will inform the Data Subject of such recipients upon request.

Information Not Included in This Policy

Further information regarding the processing of Personal Data may be requested at any time from the Data Controller using the contact details provided.

Changes to This Privacy Policy

The Data Controller reserves the right to make changes to this Privacy Policy at any time, notifying Data Subjects through the “News & Events” section of this website and, where technically and legally feasible, by sending a notification to Users via one of the contact details held by the Data Controller. Therefore, please consult this page regularly, referring to the “last updated” date indicated at the bottom.

If the changes concern processing activities based on consent, the Data Controller will obtain the Data Subject’s consent where necessary.

Last updated: January, 27th 2026