Privacy policy of

Last Updated on March 8th, 2021

This privacy policy has been prepared based on provisions of multiple legislations, including Art. 13/14 of Regulation (EU) 2016/679 (General Data Protection Regulation) and Regulation (EU) 2018/1725 of  the  European  Parliament  and  of  the  Council.

This privacy policy relates solely to data acquired through NFFA-Europe Portal (this Website), except for the cases expressly indicated in the text below.

Data Controllers

The data Controllers are NFFA-Europe PILOT project partners, here listed with the related points of contact for the management of personal data:

  1. Consiglio Nazionale delle Ricerche (CNR), Piazzale Aldo Moro 7, Rome 00185, Italy [];
  2. Commissariat a l’Energie Atomique et aux Energies Alternatives (CEA), Rue Leblanc 25, Paris 75015, France [];
  3. Centre National De La Recherche Scientifique (CNRS), Rue Michel Ange 3, Paris 75794, France [];
  4. Agencia Estatal Consejo Superior de Investigaciones Cientificas (CSIC), Calle Serrano 117, Madrid 28006, Spain [];
  5. Deutsches Elektronen-Synchrotron DESY (DESY), Notkestrasse 85, Hamburg 22607, Germany [];
  6. Ecole Polytechnique Federale de Lausanne (EPFL), Batiment CE 3316 Station 1, Lausanne 1015, Switzerland [];
  7. European Synchrotron Radiation Facility (ESRF), 71 Avenue Des Martyrs, Grenoble 38000, France [];
  8. eXact Lab Srl (EXACT LAB), Via Beirut 2-4, Trieste 34151, Italy [];
  9. Idryma Technologias Kai Erevnas (FORTH), N Plastira Str. 100, Irakleio 70013, Greece [];
  10. Forschungszentrum Jülich GmbH (FZJ), Wilhelm Johnen Strasse, Jülich 52428, Germany [];
  11. Fundacio Institut Catala de Nanociencia i Nanotecnologia (ICN2), Campus de la UAB Edifici Q ICN2, Bellaterra (Barcelona) 08193, Spain [;];
  12. Laboratorio Iberico Internacional De Nanotecnologia (LIN INL), Avenida Mestre Jose Veiga Congredados, Braga 4715 330, Portugal [];
  13. Joint Research Centre (JRC), Rue de la Loi 200, Brussels 1049, Belgium [];
  14. Karlsruher Institut für Technologie (KIT), Kaiserstrasse 12, Karlsruhe 76131, Germany [];
  15. Lunds Universitet (ULUND), Paradisgatan 5c, Lund 22100, Sweden [];
  16. Promoscience Srl (Promoscience), Località Padriciano 99, Trieste 34012, Italy [];
  17. Paul Scherrer Institut (PSI), Forschungstrasse 111, Villigen PSI 5232, Switzerland [];
  18. Technische Universität Graz (TU GRAZ), Rechbauerstrasse 12, Graz 8010, Austria [];
  19. Technische Universität München (TUM), Arcisstraße 21, München 80333, Germany;
  20. Universidad Autonoma de Barcelona (UAB), Calle Campus Universitario Sn Cerdanyola V, Cerdanyola Del Valles 08290, Spain [];
  21. Università degli Studi di Milano (UMIL), Via Festa del Perdono 7, Milano 20122, Italy [;;];
  22. Univerza V Novi Gorici (UNG), Vipavska Cesta 13 Rozna Dolina, Nova Gorica 5000, Slovenia [].

With the exception of JRC, each of the Parties is a joint Data Controller in relation to the Data being processed through this Website for providing Transnational Access or managing Data services.
The JRC is a joint Controller exclusively with regard to the processing operations involved in the evaluation of the feasibility of the proposals (TLNet) and the scientific reporting, With regard to the processing operations involved in requesting and providing physical access to the facilities, JRC defines alone the purposes and means of the data processing and will act as independent data Controller, applying its own site access protocols in accordance with applicable law, namely Regulation (EU) 2018/1725 (see


CNR-IOM Director acts as a single point of contact on behalf of the whole group of Parties (
CNR Data Protection Officer can be reached at the following email address:

Types of Data collected

Among the types of Personal Data automatically collected when using this Website, by itself or through third parties, there are: Tracker; Usage Data.
Personal Data provided by the User by registering or authenticating are: Last name; Email address; Gender; Nationality; Affiliation; Affiliation address; Affiliation legal status, Job; Research role; ORCID; Password.

Additional Personal Data required only if an accepted proposal is carried out in presence in one or more sites of the NFFA-Europe infrastructure are: Date of birth; Place of birth; Personal address; Fiscal address; Phone number; Education level; Taxpayer code; Passport or identity document; Visa; Insurance data.

Bank account Data are required only in the event that the User is eligible for the financial support offered by NFFA-Europe.

Unless specified otherwise, all Data requested by this Website is mandatory and failure to provide this Data may make it impossible for this Website to provide its services. In cases where this Website specifically states that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the Service.

Any use of Cookies – or of other tracking tools – by this Application or by the owners of third-party services used by this Application serves the purpose of providing the Service required by the User, in addition to any other purposes described in the present document and in the Cookie Policy.

Users are responsible for their processing of any third-party Personal Data obtained, published or shared through this Website, in accordance with applicable data legislation.

Mode and place of processing the Data

Methods of processing

NFFA-Europe takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data.
The Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. Within our organization, your information is stored on password-protected servers that are accessible only to a limited group of people. All Data Controllers undertake to instruct and educate individuals who will have access to the data. In some cases, the Data may be accessible to external parties appointed as Data Processors by the Data Controllers. The updated list of these parties may be requested by the User at any time.

Legal basis of processing

The Data Controllers may process Personal Data relating to Users if one of the legal grounds set out in Art. 6 GDPR apply, notably:

  • Users have given their consent for one or more specific purposes;
  • provision of Data is necessary for the performance of an agreement with the User and/or for any pre-contractual obligations thereof;
  • processing is necessary for compliance with a legal obligation to which the Data Controllers is subject;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • processing is necessary for the purposes of the legitimate interests pursued by the Data Controllers or by a third party.

In any case, the Data Controllers will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.


The Data is processed at the Data Controllers' operating offices and in any other places where the involved Data Processors are located (European Union and Switzerland).

Retention time

Personal Data shall be processed and stored until 28/02/2031. However, where the processing is based on the Data Subject consent, processing should not be pursued on that basis where the Users’ consent to processing is withdrawn before this date.
After this date all personal information will in principle be deleted from the servers. However, Data may be continuing to be processed, including stored, for longer periods, solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with applicable legislation. This includes processing for statistical purposes by the European Commission (including JRC) and of the NFFA infrastructure.
he right of access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.

The purposes of processing

The Data concerning the User is collected to allow the Data Controllers to provide its Service, comply with its legal obligations, respond to enforcement requests, protect its rights and interests (or those of its Users or third parties), detect any malicious or fraudulent activity, as well as for analytics purposes.
In any case, the processing operations shall be carried out in such a way as to guarantee the security, confidentiality and availability of the data, according to principles of correctness, lawfulness and transparency, aimed at protecting the fundamental rights and freedoms of natural persons.

Specifically, Personal Data is collected for the following purposes and using the following services:

Registration and authentication

By registering or authenticating, Users allow this Website to identify them and give them access to dedicated services.

The Personal Data provided by registering or authenticating are required for:

  • the management and monitor of your activity as a User at the NFFA-Europe facilities;
  • the submission of communications which may be interesting to Users, concerning NFFA-Europe and/or Calls for Proposals;
  • the performance of the activities of NFFA-Europe User Office Network.

The User registers by filling out the registration form and providing the Personal Data directly to this Website.

Personal Data processed: First name; Last name; Email address; Gender; Nationality; Affiliation; Affiliation address; Affiliation legal status, Job; Research role; ORCID; Encrypted Password.

Authentication to NFFA-Europe services and data and metadata management tools

Users’ credentials provided by registering or authenticating to this Website also guarantee the access to different types of services and data and metadata management tools. The Personal Data is collected after the first access of the user to the specific service and stored for registration or identification purposes only. The Data collected are only those necessary for the provision of the services. The updated list of these services may be requested by the User at any time.

Personal Data processed: Email address; Encrypted Password.

Proposal review process

Submitted Proposals are first checked for technical feasibility by technical experts internal to the project (TLNet), then evaluated and ranked according to scientific merit by an external panel of reviewers (ARP).

Data Processors: Access Review Panel members
Personal Data processed:
First name; Last name; Email address; Gender; Nationality; Affiliation; Affiliation address; Affiliation legal status, Job; Research role; ORCID​​.

Internal statistics and periodic reporting purposes

The data collected are required for compliance of NFFA-Europe PILOT project with any legal, contractual and regulatory obligation in relation to the European Commission, auditors and corporate statutory and auditing bodies, project coordinators and/or partners.These Data are also used for internal project statistics.

Personal Data processed: First name; Last name; Email address; Gender; Nationality; Affiliation; Affiliation address; Affiliation legal status, Job; Research role; ORCID.

User database management

The database allows the Data Controllers to build user profiles by using the information that the User provides to this Website and to manage authorizations. Some of the services also enable the sending of timed messages to the User, such as emails based on specific actions performed on this Website and on related platforms. The companies offering these services are NFFA-Europe partners Promoscience and eXact lab.

Personal Data processed: All the data.
Place of processing: Italy

Hosting and backend infrastructure

This type of service has the purpose of hosting the password-protected servers that enable this Website and NFFA Datashare platform to run and be distributed as well as to provide a ready-made infrastructure to run specific features or parts of this Website. It also allows to save and manage backups of this Website on external servers managed by the service provider itself. The backups may include the source code and content as well as the data that the User provides to this Website.

Personal Data processed: All the data.
Place of processing: Italy


Google utilizes the Data collected to track and examine the use of this Website, to prepare reports on its activities and share them with other Google services.
Google may use the Data collected to contextualize and personalize the ads of its own advertising network. This integration of Google Analytics anonymizes your IP address.

Data Processor: Google Analytics (Google Ireland Limited)
Personal Data processed:
Tracker; Usage Data.
Place of processing: Ireland – Privacy PolicyOpt Out.

Interaction with external social networks and platforms

This type of service allows interaction with social networks or other external platforms directly from the pages of this Website. The interaction and information obtained through this Website are always subject to the User’s privacy settings for each social network. This type of service might still collect traffic data for the pages where the service is installed, even when Users do not use it.

Youtube (Google LLC)Privacy Policy
Google Maps (Google LLC)Privacy Policy
Facebook (Facebook, Inc.) Privacy Policy
Twitter (Twitter, Inc.)Privacy Policy
LinkedIn (LinkedIn Corporation)Privacy Policy

The rights of Users

Users may exercise the following rights regarding their Data processed by the Data Controllers:

  • Withdraw their consent at any time: Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.
  • Object to processing of their Data: Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent.
  • Access their Data: Users have the right to learn if Data is being processed by the Data Controllers, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing.
  • Verify and seek rectification: Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.
  • Restrict the processing of their Data: Users have the right, under certain circumstances, to restrict the processing of their Data. In this case, the Data Controllers will not process their Data for any purpose other than storing it.
  • Have their Personal Data deleted or otherwise removed: Users have the right, as long as their personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
    or other compatible purposes, to obtain the erasure of their Data from the Data Controllers.
  • Receive their Data and have it transferred to another Controller: Users have the right to receive their Data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to another Controller without any hindrance. This provision is applicable provided that the Data is processed by automated means and that the processing is based on the User's consent, on a contract which the User is part of or on pre-contractual obligations thereof.
  • Lodge a complaint: Users have the right to bring a claim before their competent data protection authority.

Any requests to exercise User rights can be directed to the Data Controllers through the contact details provided in this document.


This Website uses technical cookies. To find out more, the User can consult the Cookie Policy.

Additional information about Data collection and processing

Legal action

The User's Personal Data may be used for legal purposes by the Data Controllers in Court or in the stages leading to possible legal action arising from improper use of this Website or the related Services.
The User declares to be aware that the Data Controllers may be required to reveal personal data upon request of public authorities.

Additional information about User's Personal Data

In addition to the information contained in this privacy policy, this Website may provide the User with additional and contextual information concerning particular Services or the collection and processing of Personal Data upon request.

System logs and maintenance

For operation and maintenance purposes, this Website, the services offered as Virtual Access and any third-party services may collect files that record interaction with this Website (System logs) and/or use other Personal Data (such as the IP Address) for this purpose.

Information not contained in this policy

More details concerning the collection or processing of Personal Data may be requested from the Data Controllers at any time. Please see the contact information at the beginning of this document.

Changes to this privacy policy

The Data Controllers reserve the right to make changes to this privacy policy at any time by notifying its Users on this page. It is strongly recommended to check this page often, referring to the date of the last modification listed at the bottom.
Should the changes affect processing activities performed on the basis of the User’s consent, the Data Controllers shall collect new consent from the User, where required.


Cookie policy