Describes how personal data are processed within the D4Science infrastructure, clarifying governance roles, security measures, user rights, and compliance with GDPR.
1. Purpose and Scope
The D4Science infrastructure processes personal data as part of its operation as a shared digital environment supporting scientific research and innovation.
This Privacy and Data Protection Policy explains how personal data are collected, used, stored, and protected within the infrastructure, ensuring that such processing is carried out in a lawful, transparent, and secure manner.
This policy applies to all personal data processed in connection with user registration and authentication, access to infrastructure services, operation of Virtual Research Environments, system administration and monitoring, and the provision of user support.
D4Science is operated as a public research infrastructure and processes personal data in compliance with the General Data Protection Regulation (EU) 2016/679, applicable Italian data protection legislation, and institutional policies governing public research organizations.
2. Roles in Personal Data Processing
The processing of personal data within D4Science may involve different roles depending on the context in which the data are processed.
Understanding these roles is essential to ensure that responsibilities are clearly assigned in accordance with the GDPR.
3. Data Controller
For personal data related to the operation of the infrastructure itself, the Data Controller is the Consiglio Nazionale delle Ricerche (CNR), through the Institute of Information Science and Technologies “A. Faedo” (ISTI), Pisa, Italy.
In this role, CNR determines the purposes and means of processing personal data necessary to manage user identities and authentication, operate infrastructure services, monitor system usage and security, and provide technical support.
This processing is necessary to ensure the secure and reliable operation of the infrastructure.
4. Data Processor
In certain cases, the D4Science infrastructure processes personal data on behalf of third parties.
This typically occurs when personal data are included in research artefacts managed within a Virtual Research Environment.
In these situations, the research project, institution, or community operating the Virtual Research Environment acts as the Data Controller, while D4Science, operated by CNR-ISTI, acts as a Data Processor by providing the technical environment for storage and processing.
Responsibility for ensuring compliance with applicable data protection regulations for such data remains with the relevant Data Controller.
5. Data Protection Governance
The D4Science infrastructure adopts a structured governance model to ensure that personal data are processed securely and in compliance with applicable regulations.
The infrastructure is operated by the D4Science Working Group within CNR-ISTI, which is responsible for the operation and maintenance of services, implementation of security measures, and support to users and communities.
System administrators are formally appointed personnel responsible for the technical operation of the infrastructure. Their responsibilities include managing systems, implementing security controls, monitoring activity, managing authentication services, and ensuring backup and recovery procedures.
An Information Security Manager oversees the implementation of security measures across the infrastructure, including the definition of security policies, monitoring of threats, and coordination of incident response.
Technical support personnel may assist in infrastructure operations, including system maintenance, log monitoring, and support for backup procedures, under the supervision of authorized personnel.
6. Categories of Personal Data
D4Science processes only the personal data necessary to provide its services and ensure the security and operability of the infrastructure.
These data may include identity information such as name, email address, institutional affiliation, and identifiers provided by authentication systems.
They may also include account-related data such as user identifiers, account status, Virtual Research Environment memberships, and user roles.
In addition, the infrastructure may process usage data related to access to services and activity within Virtual Research Environments, as well as system logs generated for security and operational purposes.
7. Legal Basis for Processing
Personal data are processed in accordance with Article 6 of the GDPR.
Processing is based on the performance of tasks carried out in the public interest, the legitimate interests of the infrastructure operator, and the necessity of processing to provide infrastructure services.
These legal bases reflect the role of D4Science as a public research infrastructure supporting scientific communities.
8. Purposes of Processing
Personal data are processed exclusively for purposes related to the operation and governance of the infrastructure.
These purposes include authentication and access control, operation of Virtual Research Environments, system monitoring and security, infrastructure maintenance, and user support.
Processing is limited to what is necessary to achieve these objectives.
9. Authentication and Identity Management
Authentication to the infrastructure is managed through the Identity and Access Management (IAM) system.
The IAM system supports federated authentication through eduGAIN and compatible identity providers, local accounts where permitted by the relevant Gateway, and optional multi-factor authentication where required by a community.
This model supports secure and interoperable access to D4Science services while reducing exposure of internal identity systems.
10. Logging and Monitoring
To ensure the security and integrity of the infrastructure, D4Science monitors system activity and maintains operational logs.
Logs are used to detect anomalies, investigate incidents, and support system operations.
Authentication logs include user identifiers, timestamps, and login and logout events. These logs are retained for a minimum period of six months, unless a longer period is required for security investigations or legal reasons.
11. Data Retention
Personal data are retained only for as long as necessary to provide infrastructure services and comply with legal or operational requirements.
Account data are retained for the duration of the user account. Inactive accounts may be suspended or removed in accordance with infrastructure policies.
When a user account is deleted, private data stored in personal areas are removed, while data previously shared with collaborators may remain accessible to those collaborators in read-only mode, where technically applicable and consistent with the collaboration context.
System logs are retained in accordance with security requirements and institutional policies.
12. Data Sharing and Third Parties
Personal data processed by the infrastructure are not disclosed to third parties except where necessary to operate services, comply with legal obligations, or respond to security incidents.
D4Science may rely on external infrastructure providers, such as network or cloud service providers, to deliver specific infrastructure capabilities. Where such providers are used, processing is carried out in compliance with applicable data protection regulations and subject to appropriate safeguards.
13. Security Measures
D4Science implements technical and organizational measures to protect personal data against unauthorized access, loss, misuse, or alteration.
These measures include access control mechanisms, authentication systems, network protection, monitoring and logging, and backup and recovery procedures.
The infrastructure security model is aligned with recognized best practices and supports the cybersecurity principles promoted by the NIS2 Directive.
14. Data Subject Rights
Users may exercise their rights under the GDPR, including the right to access personal data, request rectification of inaccurate information, request deletion where applicable, restrict processing, and object to processing in cases provided by law.
Requests related to personal data may be submitted through the support channel indicated below.
15. Data Breach Management
In the event of a personal data breach, the infrastructure operator will assess and contain the incident, investigate its cause, and take appropriate corrective measures.
Where required by law, the competent authorities and relevant parties will be notified in accordance with applicable regulations.
Users are encouraged to report suspected incidents promptly.
16. Policy Updates
This policy may be updated to reflect changes in legal requirements, infrastructure services, or operational practices.
Updated versions will be published through official D4Science channels and will become applicable from the effective date indicated in the document.
17. Contact
Questions, requests, or notifications related to data protection may be submitted through the D4Science support portal: https://support.d4science.org
18. Policy Framework
This document forms part of the D4Science Policy Framework.