Defines the roles and responsibilities of Data Controllers and Data Processors when personal data are processed within the D4Science infrastructure on behalf of third parties, in accordance with Article 28 of the GDPR.
1. Purpose and Scope
This Data Processing Addendum defines the conditions under which the D4Science infrastructure, operated by the Consiglio Nazionale delle Ricerche (CNR), processes personal data on behalf of third parties.
This document applies when personal data are processed within the infrastructure in the context of Virtual Research Environments, research projects, and collaborative scientific activities in which D4Science provides the technical environment for storing, accessing, or processing such data.
In these situations, D4Science may act as a Data Processor, while the relevant research project, institution, or community remains the Data Controller.
This Addendum is intended to support compliance with Article 28 of the General Data Protection Regulation (GDPR).
2. Parties
The Data Controller is the entity, such as a research project, institution, or scientific community, that determines the purposes and means of processing personal data within a Virtual Research Environment or other context supported by the infrastructure.
The Data Processor is the D4Science infrastructure, operated by:
Consiglio Nazionale delle Ricerche (CNR)
Institute of Information Science and Technologies “A. Faedo” (ISTI)
Pisa, Italy
3. Nature and Purpose of Processing
The processing carried out by D4Science as Data Processor is limited to what is necessary to provide infrastructure services.
This may include storage of research artefacts containing personal data, execution of computational workflows, access control and authentication, transfer of data between integrated services, and technical operations necessary to support the use of the infrastructure.
Processing is performed solely to enable the functionality of the infrastructure and to support the research activities defined by the Data Controller.
4. Categories of Data and Data Subjects
Depending on the specific use case, personal data processed through the infrastructure may include identity data, research-related data contained in datasets, and system-generated usage or access information associated with the use of services.
Data subjects may include researchers, project participants, and individuals whose data are represented in datasets processed within the infrastructure.
The Data Controller is responsible for defining the scope of the data involved and for ensuring the lawfulness of the related processing.
5. Obligations of the Data Processor
D4Science, acting as Data Processor, commits to processing personal data only on documented instructions from the Data Controller, unless otherwise required by applicable law.
D4Science will ensure that personnel authorized to process data are subject to appropriate confidentiality obligations and that suitable technical and organizational measures are implemented to protect the data.
The infrastructure operator will also provide reasonable assistance to the Data Controller, where applicable, to support compliance with GDPR obligations related to security, data subject rights, and incident management.
Processing performed by D4Science is limited to the operation of infrastructure services and does not include independent use of the data for purposes determined by the infrastructure operator.
6. Obligations of the Data Controller
The Data Controller remains responsible for ensuring that personal data are processed lawfully and that the purposes, legal basis, and categories of data involved are clearly defined.
The Data Controller is also responsible for informing data subjects where required, ensuring that personal data uploaded to the infrastructure comply with applicable regulations, and providing instructions to the Data Processor where necessary.
The Data Controller remains fully responsible for the content of datasets and research artefacts containing personal data.
7. Security Measures
D4Science implements technical and organizational measures designed to protect personal data processed within the infrastructure.
These measures include access control mechanisms, authentication and authorization systems, system monitoring and logging, backup and recovery procedures, and security controls aimed at protecting the confidentiality, integrity, and availability of data and services.
These measures are aligned with GDPR requirements, institutional policies, and cybersecurity principles consistent with the NIS2 Directive.
8. Sub-processing
To operate the infrastructure, D4Science may rely on supporting infrastructure providers, including network and research infrastructure providers such as GARR and cloud service providers such as Google Cloud Platform in Europe.
Such providers are used only to support infrastructure operations and are subject to appropriate safeguards consistent with applicable data protection obligations.
Where required, the Data Controller may request information concerning the categories of supporting providers involved in service delivery.
9. Data Transfers
Processing of data may occur across distributed infrastructure resources used to operate D4Science services.
Where external providers are used, processing is limited to environments that comply with applicable data protection regulations and operational safeguards.
D4Science ensures that appropriate safeguards are applied in accordance with GDPR requirements and the nature of the services provided.
10. Data Retention and Deletion
Personal data processed by D4Science on behalf of a Data Controller are retained only for the duration necessary to provide the relevant services, unless otherwise agreed or required by law.
At the request of the Data Controller, or upon termination of the service, data may be deleted or returned where technically feasible and compatible with the operational characteristics of the infrastructure.
Operational constraints may apply depending on the services involved, including shared storage or collaborative environments.
11. Assistance to the Data Controller
D4Science will provide reasonable assistance to the Data Controller in fulfilling obligations related to data subject rights, security incidents, and compliance with GDPR where such assistance is necessary and proportionate to the role of the Data Processor.
Requests for assistance should be submitted through the support portal indicated below.
12. Data Breach Notification
In the event of a personal data breach affecting data processed on behalf of a Data Controller, D4Science will notify the relevant Data Controller without undue delay and provide available information necessary to support incident assessment and response.
The Data Controller remains responsible for evaluating any obligation to notify supervisory authorities or data subjects under the GDPR.
13. Audit and Compliance
D4Science maintains internal procedures designed to support compliance with applicable data protection requirements and to ensure that processing performed within the infrastructure is consistent with the commitments set out in this Addendum.
Where appropriate, the Data Controller may request information necessary to demonstrate compliance with this Addendum, taking into account the nature of the services and the operational characteristics of the infrastructure.
14. Liability
Each party remains responsible for its own obligations under the GDPR.
The Data Controller is responsible for the lawfulness of the data and the purposes of processing. The Data Processor is responsible for implementing appropriate technical and organizational measures in relation to the services it provides.
Nothing in this Addendum shall be interpreted as transferring responsibility for the content or legal basis of the processing from the Data Controller to the Data Processor.
15. Contact
Requests and communications related to data processing under this Addendum may be submitted through: https://support.d4science.org
16. Relationship with the Policy Framework
This document complements the D4Science Policy Framework and should be read together with the Privacy and Data Protection Policy, the Terms of Use, and the Security and Incident Response Policy.