EUROpest

Privacy Policy

  1. Introduction and Scope

This Privacy Policy describes how personal data is collected, processed and protected when you visit the website www.europest-project.eu (the “Website”) operated in connection with the EUROPEST project (the “Project”). It applies to all visitors of the Website, including persons who subscribe to the Project newsletter or otherwise interact with the Website.

The processing of personal data is carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”), the ePrivacy Directive 2002/58/EC as transposed into national law, and any other applicable data protection legislation.

  1. Data Controller

The controller of personal data processed through the Website (the “Controller”) is:

Legal name: Nicolaus Copernicus University in Toruń

Registered address: ul. Gagarina 11, 87-100 Toruń

Registration / VAT number: PL8790177291

E-mail: iod@umk.pl

If the Project is implemented by a consortium of partner institutions, each partner acts as a separate controller for the personal data it processes within its own activities, unless explicitly stated otherwise. Joint-controller arrangements (Article 26 GDPR), where applicable, are made available to data subjects on request.

  1. Data Protection Officer

Where the Controller has appointed a Data Protection Officer (DPO), the DPO can be contacted at: iod@umk.pl. If no DPO is appointed, all data-protection enquiries should be directed to the e-mail address specified in section 2 above.

  1. Definitions

For the purposes of this Policy, the terms “personal data”, “processing”, “controller”, “processor”, “recipient”, “third party” and “data subject” have the meanings given to them in Article 4 GDPR.

  1. Categories of Data, Purposes, and Legal Bases

Depending on how you interact with the Website, the Controller may process the following categories of personal data, for the following purposes and on the following legal bases:

5.1 Newsletter / mailing list

When you subscribe to the EUROPEST newsletter, the Controller processes your e-mail address and, where applicable, your first name, last name, country and professional affiliation (the “Subscription Data”). Provision of the e-mail address is required for the service to be delivered; provision of the remaining fields is voluntary and is used solely to personalise the content.

Purposes and legal bases:

  • Sending the newsletter (information about Project results, events, calls and publications) – Article 6(1)(a) GDPR (consent given by ticking an unchecked checkbox at sign-up and confirmed by clicking the activation link in the double opt-in e-mail).
  • Managing the subscription, including handling unsubscribe requests – Article 6(1)(c) GDPR (compliance with a legal obligation arising from data-protection and electronic communications law).
  • Demonstrating that valid consent was obtained (accountability) – Article 6(1)(f) GDPR (legitimate interest of the Controller in being able to evidence compliance with the GDPR).

You may withdraw your consent to receive the newsletter at any time, with effect for the future, by clicking the “unsubscribe” link included in every newsletter or by writing to the address specified in section 2. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

5.2 Cookies and similar technologies

The Website uses cookies (small text files placed on your device) and similar technologies (e.g. local storage, pixels) to provide the Website, remember your preferences and – subject to your consent – to measure audience and improve content. A separate Cookie Banner is displayed on your first visit and allows you to accept, reject or configure non-essential cookies in a granular way.

We use the following categories of cookies:

  • Strictly necessary cookies – required for the Website to function (e.g. session identifier, security tokens, recording your cookie preferences). Legal basis: Article 6(1)(f) GDPR (legitimate interest in providing a secure, functioning Website) and Article 5(3), second sentence, of the ePrivacy Directive.
  • Analytics / statistical cookies – used to count visitors, identify popular pages and measure the effectiveness of dissemination activities. The Controller uses Google Analytics 4. Legal basis: Article 6(1)(a) GDPR (your consent).
  • Functional cookies – used to remember preferences such as language or display settings. Legal basis: Article 6(1)(a) GDPR (your consent).
  • Embedded third-party content – if pages contain embedded videos (e.g. YouTube, Vimeo), social-media widgets or maps, the relevant providers may set their own cookies. Such embeds are loaded only after you give consent or after you click to load the embed.

You can withdraw or change your cookie choices at any time by clicking the “Cookie settings” link in the footer of the Website, or by deleting cookies in your browser. A current list of all cookies actually deployed (name, purpose, provider, duration) is available in the Cookie Banner / dedicated Cookie Notice.

5.3 Server Log Files

Each time the Website is accessed, the hosting infrastructure automatically records technical information in server log files: IP address (truncated where technically feasible), date and time of the request, the URL requested, the HTTP status code, the amount of data transferred, the referring URL and the user-agent string of the browser. This processing is necessary to ensure the security and stability of the Website and to detect and prevent abuse. Legal basis: Article 6(1)(f) GDPR (legitimate interest of the Controller in operating a secure Website).

5.4 Correspondence

If you contact the Controller by e-mail or other means using contact details published on the Website, the Controller will process the personal data contained in your message (typically: name, e-mail address, content of the message) for the purpose of replying. Legal basis: Article 6(1)(f) GDPR (legitimate interest in handling enquiries) or, where the message concerns the conclusion or performance of a contract, Article 6(1)(b) GDPR.

  1. Recipients of Personal Data

Personal data may be disclosed to the following categories of recipients, only to the extent strictly necessary for the purposes set out in section 5:

  • Project partner institutions, where joint dissemination activities are carried out.
  • Processors acting on behalf of the Controller on the basis of a written data-processing agreement compliant with Article 28 GDPR, in particular: hosting providers, newsletter service providers (e.g. MailerLite), analytics providers, IT support and maintenance providers.
  • Public authorities and other recipients entitled to receive personal data on the basis of EU or Member State law (e.g. funding authorities, supervisory authorities, courts).

Personal data are not sold and are not made available to third parties for their own marketing purposes.

  1. Transfers Outside the European Economic Area

Whenever possible, personal data are processed within the European Economic Area (EEA). If a processor is located outside the EEA, or transfers personal data to a third country (e.g. analytics or newsletter providers based in the United States), the transfer takes place on the basis of one of the safeguards listed in Chapter V of the GDPR, in particular:

  • an adequacy decision of the European Commission (Article 45 GDPR), including, where applicable, certification under the EU–US Data Privacy Framework, or
  • Standard Contractual Clauses adopted by the European Commission (Article 46(2)(c) GDPR), supplemented – where necessary – by additional technical and organisational measures following a transfer impact assessment.

A copy of the safeguards in place can be obtained by contacting the Controller at the address indicated in section 2.

  1. Retention Periods

Personal data are kept only for as long as is necessary for the relevant purpose:

  • Newsletter subscription data – until you withdraw your consent (unsubscribe). Records of consent and unsubscribe requests are kept for an additional period of up to 3 years for evidentiary purposes (limitation periods).
  • Cookie consents – for the lifetime of the consent cookie (no longer than 12 months) or until the user changes their preferences.
  • Analytics data – in pseudonymised / aggregated form, for no longer than 14 months from collection (or such shorter period as may be set in the analytics tool).
  • Server log files – normally up to 30 days, longer if needed to investigate a security incident.
  • Correspondence – for the time necessary to handle the matter and for any subsequent limitation periods, but not longer than 5 years from the last contact, unless a longer period is required by applicable law.
  1. Your Rights

Subject to the conditions and limitations set out in the GDPR, you have the following rights with respect to your personal data:

  • the right of access (Article 15 GDPR), including the right to obtain a copy of your data;
  • the right to rectification of inaccurate or incomplete data (Article 16 GDPR);
  • the right to erasure / “right to be forgotten” (Article 17 GDPR);
  • the right to restriction of processing (Article 18 GDPR);
  • the right to data portability (Article 20 GDPR), where processing is based on consent or on a contract and is carried out by automated means;
  • the right to object to processing carried out on the basis of legitimate interests (Article 21 GDPR), in particular for direct-marketing purposes;
  • the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Article 7(3) GDPR);
  • the right not to be subject to a decision based solely on automated processing (Article 22 GDPR) – see section 11 below.

To exercise your rights, please contact the Controller using the details set out in section 2. The Controller will respond within one month of receipt of the request, in accordance with Article 12(3) GDPR. The Controller may ask for additional information to confirm your identity before fulfilling the request.

  1. Right to Lodge a Complaint

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority – in particular in the EU Member State of your habitual residence, place of work or place of the alleged infringement (Article 77 GDPR). In Poland, the competent authority is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warszawa, www.uodo.gov.pl.

  1. Automated Decision-Making and Profiling

The Controller does not take decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you. Newsletter content may be loosely tailored to general categories of recipients (e.g. country, language), but this does not constitute decision-making within the meaning of Article 22 GDPR.

  1. Security of Processing

The Controller implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 GDPR), including encryption of data in transit (HTTPS / TLS), access controls, segregation of environments, regular back-ups, logging of administrative activities, training of personnel and contractual obligations imposed on processors.

  1. Voluntary Nature of Providing Personal Data

Providing personal data through the Website is voluntary. However, failure to provide data marked as required (e.g. e-mail address for newsletter subscription) may make it impossible to provide the relevant service.

  1. Children

The Website is not directed at children under the age of 16, and the Controller does not knowingly process personal data of such children. If you become aware that a child has provided personal data through the Website without the consent of a person holding parental responsibility, please contact the Controller and the data will be deleted without undue delay.

  1. Changes to This Policy

The Controller may update this Privacy Policy from time to time, in particular to reflect changes in applicable law, in the functionality of the Website or in the processing operations. The current version is always available at www.europest-project.eu/privacy-policy and indicates the date of the last update at the top of the document. Material changes will, where appropriate, be communicated by e-mail to newsletter subscribers or by a notice on the Website.

  1. Contact

Any questions or requests relating to this Privacy Policy or to the processing of your personal data should be addressed to the Controller at the e-mail address indicated in section 2 above.

 

Last updated: 30 April 2026  ·  Version 1.0