The COPKIT consortium, that is referred to in these Terms of Use as “we”, “us”, or “our” is committed to protect and respect the right to data privacy and carries out the project research in full compliance with the data protection principles as outlined in the General Data Protection Regulation (GDPR) 2016/679 and the Data Protection Directive 2016/680, also known as the Law Enforcement Directive.
Transparency is fundamental to trust and this Data Privacy Policy aims at providing the concerned by the project research individuals with all the necessary information regarding the data processing activities in accordance with the transparency requirement under Article 12 GDPR.
Where data is obtained directly from the data subjects, the project consortium provides them at the time when data is obtained, with the necessary information under Article 13 GDPR and obtains their consent via appropriate means (informed consent form & information sheet). In cases where data is not directly obtained from the data subjects, the project consortium makes the necessary information on the data processing publicly available in accordance with Article 14 (5) (b) GDPR via this Data Privacy Policy. However, the provision of such information can be limited where the provision proves impossible or would involve a disproportionate effort.
Further, as COPKIT research is dedicated to the development of methods, tools and techniques for LEAs, the information provided is limited in order to avoid impairment of the project’s pursued purposes, that are outlined in the relevant section below. Within these limitations we have tried to provide you with clear and concise information on the processing.
Please keep in mind that this Data Privacy Policy might be regularly updated to reflect changes in the data processing activities within the COPKIT research that have not yet been defined and/or carried out.
Who we are
COPKIT is an EU-funded project. The COPKIT consortium consists of seventeen partners including technical, academic (criminology) and LEAs from thirteen different European countries. During the COPKIT research, each of these partners will act as the data controller and therefore will be responsible for the implementation of data protection rules in relation with the processing operations it will perform.
However, regarding the entire system under construction, the partners determine jointly the purposes and means of the data processing operations that will be performed by the COPKIT system, or at least of the essential elements of these purposes and means, and therefore they should be considered as joint-controllers.
Purposes of processing
Personal data is processed within the research goal of the COPKIT project, which is adopting and developing an Early Warning/Early Action methodology, which will be implementable by Law Enforcement Agencies (LEAs) in order to support them in the prevention, investigation and mitigation in the context of the fight against Organised Crime and Terrorism (OCT).
COPKIT focuses on providing enabling methods, tools and techniques to support a closed-loop interaction at the local level of LEAs, while at the same time new insights are disseminated across LEAs in different European Member States that provide the latest intelligence on criminal activities from multiple sources. To create this intelligence and knowledge ecosystem, COPKIT needs to process data that might be of personal nature.
Sources and categories of data
Data are collected from open sources – predominantly from social network sites that include location information. Apart from live data, COPKIT also makes use of sources for historical data, such as statistical historical data and historical data from dark-net market places. Examples include:
– Sample of sanitised historical cases from partner LEAs
– Data originating from dark-net forums and marketplaces
– Virtual currency transactions
– Data from Surface web such as news, statistical datasets, government open data etc
– Data from Social media such as Twitter
– Internal statistical LEA data about crime
– Internal LEA data (crime reports and investigation) such as anonymized finished cases and complaints
Please note that only data relevant in the context of the chosen use cases will be collected and analysed. The aim of the research is absolutely not to monitor an identified individual or to take decision against him/her, but to conduct research in order to find out if the cross-referencing of information that is publicly available online might contribute to the strategic and operational combat against OCT. During the research phase, COPKIT partners do not intend to use any of the data mentioned above, in order to identify a natural person.
Privacy and ethical impact assessment
The COPKIT consortium is aware of the risks to fundamental rights and freedoms of the affected individuals and will perform a privacy and ethical impact assessment of the project’s outcomes in order to balance such risks. Several safeguards will be implemented, such as the limited scale of the processing, precautions to ensure that no personal data is used in order to identify an individual or to take a decision against an individual, mainly through strong security measures and awareness of researchers.
The assessment will also take into account the protection of other fundamental rights, such as the right to non-discrimination, the freedom to communicate, to dignity, and even to physical freedom.
As a step in the privacy and ethical impact assessment the partners will consult with the appropriate national data protection authorities and the European Network of Research Ethics Committees (EUREC) and/or other competent bodies.
Legal basis for processing
COPKIT is a research project and its purpose is lawful and has been clearly articulated. The appropriate legal basis for the processing of personal data by the COPKIT project is the legitimate interest pursued by the joint controllers and therefore is based on Article 6 (1) (f) GDPR.
The processing operations are necessary to fulfil the research purposes: the COPKIT system cannot be built without data. Further, the research presents a real public interest, as the final deliverable will enhance the fight against OCT and therefore overweighs the potential harm -which is in any case limited in scope- on the rights and freedoms of individuals that might be affected due to the COPKIT research.
Personal data storage, retention and minimisation
For the purposes of COPKIT different sets of data are being processed and are being handled accordingly. Data that has a high degree of sensitivity, in terms of security and/or privacy, shall be collected and stored in the secure ICT environment of one of the participating LEAs. COPKIT also collects and stores data that has a medium or low degree of sensitivity. This data is stored in a private secure cloud-environment managed by the project consortium. The appropriate use of that data is monitored. Data that has a low or no degree of sensitivity can be collected and kept in the private environment of the partner who collects the data, however the partner allows consortium members controlled access to that data whenever they need it for the purposes of the project.
Personal data will not be stored longer than necessary for the research purposes of the project. Following the purpose limitation principle, data that might be of a personal nature will be deleted or anonymised as soon as they are no longer necessary or, in any event, as soon as the project is completed in May 2021. Further, according to the data minimisation principle, the collection and use of data that might be of a personal nature will be reduced to the minimum necessary to perform the research.
Personal data transfers
The COPKIT research does not transfer data to third parties. The personal data may be shared between the COPKIT partners strictly for the research purposes of the Project. All partners will treat information received from other partners as confidential and will not disclose it to third parties, unless it is obvious that the information is already publicly available or there is a legal obligation to do so. The partners will impose the same obligations on their employees and suppliers.
Your rights under data protection legislation
Subject access request
You have the right to obtain confirmation as to whether or not personal data concerning you is processed, and, where that is the case, access to it. We will provide you free of charge with a copy of the personal data undergoing processing in a commonly used electronic form.
Right to rectification
You also have the right to obtain the rectification of any inaccurate personal data concerning you. If you have challenged the accuracy of your data and asked for rectification you have the right to request the restriction of processing while we are considering your rectification request.
Right to be forgotten
COPKIT is relying on legitimate interest as basis for its processing activates (please see the Legal basis for processing section above), so in case you object to the processing of your data and there is no overriding legitimate interest, we will comply with your request and erase your data. Please note that your right to be forgotten might be limited, in case erasure is likely to seriously impair the achievement of the research purposes of the project.
Right to object
You can object to the processing of your data; in order to do that, you must provide us with specific reasons based upon your particular situation. Please note that the right to object is not an absolute right, and we can continue with the processing if we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms. If that is the case, we will explain our decision to you, otherwise your data will be excluded from processing.
Contact details
If you would like to exercise any of the above-mentioned rights or you want to find out more about how we process your data, you can contact our Ethics and Data Protection Advisor at: agata.gurzawska@trilateralresearch.com.
All requests will be carefully considered on a case-by-case basis. However, given the particularities of the research purposes of the COPKIT project (adopting and developing an Early Warning/Early Action methodology, which will be implementable by LEAs), some requests might not be fulfilled, especially if they are likely to impair the achievement of the project’s purposes.
Right to lodge a complaint
In case you feel that we have not addressed your request appropriately or you consider that the processing undertaken by COPKIT infringes your rights, you are entitled to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. You are also able to seek to enforce your rights through a judicial remedy.
