Last updated 28 September 2022

This privacy policy for popAI, A European Positive Sum Approach towards AI tools in support of Law Enforcement and safeguarding privacy and fundamental rights, describes our policies and procedures on the collection, use and disclosure of your information in terms of Student Photo and Caption Competition about AI and policing in popAI platform.

Any personal information relating to the participants will be used by CERTH in accordance with the GDPR (EU 2016/679) and applicable data protection legislation.

The data controller of popAI Student Photo Competition application, is CERTH/ITI, Thermi Thessaloniki – Central Directorate
6th km Charilaou-Thermi Rd
P.O. Box 60361
GR 57001 Thermi, Thessaloniki
Greece

In terms of the original purpose of the popAI photo competition the user needs to provide the following personal data:

• His/her email.
• His/her full name.
• The organisation that he/she represents (if the user is registering as part of an organization).
• The education field, selecting one of the two main categories:

1. STEAM technologies.
2. Social sciences and humanities studies.

In alignment with the research objective of popAI, the main purpose of the data processing is to ensure the legitimate and ethically aligned registration and participation procedure of the photo competition, as well as proper communication with the participant.

We only rely on your explicit consent as a legal basis for processing your data. You have the right to withdraw consent at any time and we will cease to process data after consent is withdrawn. In that case, please note that the withdrawal of your consent shall not affect the lawfulness of processing based on your consent before its withdrawal.

We do not retain your data for longer than necessary for the purposes set out in this Policy. The longest we will normally hold any personal data is until the end of the popAI project, unless a longer retention period is required by law or for the establishment, exercise or defense of legal claims.

The collected personal data may be disclosed to third parties, if this is required for the fulfillment of our legal obligations or is necessary for the fulfillment of the above data processing purposes, in compliance with the applicable legal framework. Such disclosure could be made to public authorities and judicial authorities if provided by law or by a court’s judgment/order and CERTH’s consortium partners.

We will never pass on, sell, rent, or swap your data to other organizations for marketing purposes.

We comply with the principles and the legal requirements laid down in the applicable legislation (GDPR and eventually national provisions), and we implement technical and organisational measures to ensure appropriate security of the personal data processed. Our security measures include encryption of data, regular cyber security assessments of all service providers who may handle your personal data, security controls that protect our entire IT infrastructure from external attack and unauthorised access, and internal policies setting out our data security approach and training for employees.

You are entitled to all the rights as described under Articles 15-21 of GDPR. More in particular:

• Right to information: you may request information about whether we hold personal information about you, and, if so, what that information is and why we are holding it.
• Right to access: you may access your data and ask for copies of your data whenever you wish to.
• Right to rectification: you may ask us to rectify the information you have provided us in case you consider that something is missing or incorrect.
• Right to restriction of processing: if you consider that your data is inaccurate, that the processing is unlawful, that we no longer need your data, or that you have objections to automated processing, you have the right to request the restriction of the processing.
• Right to erasure: you may ask us to erase your data at any given moment without a specific reason.
• Right to object: you may request to stop processing your data and withdraw from the research at any desired moment.
• Right to data portability: you have the right to request the transfer of your data to another party or directly to you.
• Right not to be subject to automated individual decision-making, including profiling: you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
• Right to withdraw your consent: You have the right to withdraw your consent at any time. We will stop processing your data after its withdrawal. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
• Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of your personal data infringes the data protection framework.

Please note that the aforementioned rights may be restricted in the light of the GDPR or other applicable data protection legislation.

From time to time, we may update Our Privacy Policy, indicating the updated version by an updated ‘revised’ date. Please make sure to review this Privacy Policy periodically for any changes.

If you have any questions about how we use your personal data that are not answered here, or if you want to exercise your rights regarding your personal data, please e-mail us at popai@iti.gr.