PRIVACY NOTICE (December 2023)
How we protect your data and privacy rights and comply with the General Data Protection Regulation (GDPR)
Why Privacy matters to us
The MYSTIC project and its partners take privacy very seriously. We understand that people’s personal information matters to them. We understand that people expect their personal data and privacy to be protected. That’s why MYSTIC has a clear Data Protection and Privacy Policy in place. It complies with the General Data Protection Regulation (GDPR) – which applies in all EU countries in which MYSTIC operates. The policy ensures that we will only use personal information to help us carry out our research and to help us disseminate its results.
This document sets out how we will put the policy into practice over the lifetime of the project. It covers:
- Who we are and who is responsible for data protection and privacy in the project
- What information we collect
- What we do with this information
- What legal basis we have for processing your personal data
- When we share personal data
- Where we store and process personal data
- How we secure personal data
- How long we keep your personal data for
- Your rights in relation to personal data
- Use of automated decision-making and profiling
- How to contact us.
This Privacy Notice applies to all of the activities carried out in the MYSTIC project. It sets out our approach to personal information and privacy generally. Additional notices on specific project activities – for example a research activity we carry out – will be issued as and when necessary.
Please read this Privacy Notice carefully and contact us with any questions you may have using the contact details set out in the Section below on ‘How to Contact Us’.
MYSTIC is a research project funded under the Erasmus+ ‘Youth Together’ programme and managed by the European Education and Culture Executive Agency (EACEA) - Project Number 101089601. It has seven research partners: AGID (Portugal), Smart Bananas (Italy), Spherical Pixel (Spain), ADFP (Portugal), CPIP (Romania), TUCEP (Italy) and OTI (Cyprus). The project Data Protection and Ethics Committee is responsible for overall data protection and privacy and has three members. The project Data Protection Officer is responsible for day-to-day data protection and privacy.
We collect the following information:
- ‘Personal data’ – e.g. names and e-mails - of people who register for our 'Knowledge Community'
- ‘Personal data’ – e.g. names and e-mails - of people who complete a ‘contact form’, sign up for our ‘Newsletter’ or who ask for information about our Events
- ‘Personal data’ – e.g. gender, location and economic, cultural and social identity data – and ‘Sensitive Personal Data’ – e.g. ethnic origin – of people who take part in some of our research activities, for example completing a survey questionnaire or an interview on their participation in the MYSTIC project
We use the information we collect to:
- Identify whether the outcomes gained from participating in the MYSTIC project are different for people from different backgrounds
- Send the results of our research to different audiences
- Invite people to take part in project events
- Gather information from people who participated in project events on their experience of the event
There are six ‘legal grounds’ for processing personal data contained within the GDPR. We process personal data on the basis of two of these legal grounds:
- Consent – we only process personal data on individuals who have given their clear consent for us to process their data for a specific purpose - for example analyzing data collected from people who use the MYSTIC 'Knowledge Community' so we can identify the ‘gaps’ in the distribution of knowledge on disinformation. We have very clear rules on ‘consent’. These are set out below in the section ‘What are your rights in relation to personal data’
- Legitimate interests – we process personal data when it is necessary to support the project objectives, for example by contacting people who have given us their e-mail contact so we can invite them to a project event
We do not expect any situation to arise in MYSTIC in which personal data will be shared with any organization other than those partners who are members of the project Consortium – i.e. the seven partners mentioned above. Other data that may possibly be shared outside the consortium – for example databases compiled from information collected through a participant survey – will be completely anonymized.
Personal data is stored and processed in secure systems in the organisations of the MYSTIC partners. We treat all personal data confidentially and take steps within the project to ensure it is kept confidential. All partners involved in MYSTIC have been issued with a Project Management Handbook that sets out the MYSTIC data protection, privacy and ethics policy and which includes Guidelines and a checklist of how this policy needs to be put into practice. This policy emphasizes that personal data needs to be protected according to the EU GDPR and the laws of the country in which each partner operates. Each partner has signed a ‘Code of Conduct’ committing them to adhere to this policy and Guidelines.
Each MYSTIC partner is committed to putting systems and processes into place to ensure that personal data is secure. These include:
- Protection against accidental loss – by ensuring data are kept in secure systems on partner premises and are ‘backed up’
- Prevention of unauthorized access, use and disclosure – through using secure passwords
- Restriction of access to personal information – only authorized personnel are allowed to handle personal data
- Data Protection and Privacy Impact Assessments – these are carried out when new technologies are introduced or when data processing is likely to result in a high risk to the rights and freedoms of individuals
We will only keep personal data for as long as is necessary to carry out our research objectives. In practice, this means that no personal data will be kept for longer than two months after the official end of the MYSTIC project, which is scheduled for 30th November 2024.
In respect of your personal data you have the right to:
- have full access to the personal information we collect about you
- ensure that incorrect information about you is corrected or deleted
- withdraw your consent to the processing of your personal data at any time
- obtain and reuse your personal data for your own purposes
- receive personal data or move, copy or transfer that data in a safe and secure way, without hindrance
- lodge a complaint with a relevant national Information Commission Office or equivalent
You can exercise these rights at any time by contacting us – see the Section below ‘How to Contact Us’ – or by contacting a relevant national Information Commission Office or equivalent.
All personal data processing in MYSTIC is done by humans. We do not use ‘machine-processing’ in decision-making or profiling.
If you have questions or concerns about our privacy practices, your personal information, or if you wish to file a complaint you can do so at any time by sending an e-mail to the MYSTIC Data Protection Officer at: