1. Introduction
CIBERIA is formed by a consortium of various entities, the composition of which can be consulted at Miembros | CIBERIA (usal.es). The University of Salamanca (USAL) coordinates the project, while the INTERNATIONAL INSTITUTE FOR RESEARCH IN ARTIFICIAL INTELLIGENCE AND COMPUTER SCIENCE FOUNDATION (AIR INSTITUTE) is responsible for executing the activities and providing related services. For this purpose, it is necessary to process personal data, assuming the responsibilities of the data controller.
CIBERIA is committed to protecting the privacy and rights of individuals and organizations involved in its activities. This policy strictly adheres to the General Data Protection Regulation (GDPR) of the European Union and Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights, as well as other applicable data protection laws.
2. Data Controller
Identity: UNIVERSITY OF SALAMANCA
Tax ID (CIF): Q3718001E
Postal Address: Patio de Escuelas, Nº 1, 37008, SALAMANCA.
Contact Phone: +34 923294400
Email: secr.general@usal.es
3. Personal Data Collected
CIBERIA may collect a variety of personal data necessary for its operations, which may include:
- Contact information such as names, email addresses, and phone numbers.
- Identification information such as tax identification numbers.
- Professional information, including positions and institutional affiliations.
- Any category of data necessary for the provision of requested services for which the entity is responsible, through specific forms.
This data collection will be carried out under the principles of lawfulness, fairness, and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, as well as proactive accountability, in accordance with the GDPR and the LOPDGDD.
4. Purposes of Data Processing
The personal data collected by CIBERIA will be used exclusively for legitimate and specific purposes, detailed below, including:
a. Service request management:
When an individual completes a form to request a service or access content related to the CIBERIA project, the personal data provided will be processed solely to manage that request and provide the requested services.
The processing is based on the explicit consent of the data subject (Art. 6.1.a GDPR), who by completing the form consents to the use of their personal data to manage the request. If the data is not provided or is incorrect, we will be unable to process the request or provide the requested services.
b. Cybersecurity diagnostics:
Personal data is used to carry out technical audits of public and private organizations to identify vulnerabilities, map specific needs, and verify compliance with regulations such as Regulation (EU) 2019/881.
This processing is legitimized by legal obligations (Art. 6.1.c GDPR and Art. 8 LOPDGDD), particularly regarding the NIS 2 Directive and the Cybersecurity Regulation, as well as by legitimate interest (Art. 6.1.f GDPR) in ensuring secure digital environments.
c. Cybersecurity Academy:
We manage personal data to train employees and job seekers in cybersecurity, and to raise awareness among citizens and businesses through activities such as scientific conferences, podcasts, and educational videos.
This processing is legitimized by the explicit consent of the data subjects (Art. 6.1.a GDPR and Art. 7 LOPDGDD) to participate in training and awareness activities. It is also supported by the public interest in educational activities (Art. 6.1.e GDPR and Art. 9.2.j GDPR), particularly in the context of promoting security in the CENCYL region.
d. Cybersecurity Best Practices Guide:
To encourage the adoption of secure digital solutions, we produce specific manuals aimed at companies and public organizations. We also offer workshops and personalized advice on acquiring cybersecurity services.
The legal basis for this processing is compliance with a legal obligation (Art. 6.1.c GDPR and Art. 8 LOPDGDD), related to the implementation of necessary measures to comply with current regulations. It is also based on legitimate interest (Art. 6.1.f GDPR) in promoting the resilience and security of organizational systems.
e. Marketplace and Security Operations Center (SOC)
Data will be processed to manage the digital inventory of certified services, evaluate solutions with the Trust Seal, and facilitate secure interaction between companies and users. The SOC also allows for the monitoring of cyber threats, incident management, and coordinated responses with partner organizations.
This processing is legitimized by the legitimate interest (Art. 6.1.f GDPR) of evaluating digital solutions and providing tools that strengthen cybersecurity. Additionally, for specific activities such as the use of data in market development or analysis in the SOC, we rely on the explicit consent of the data subjects (Art. 6.1.a GDPR).
f. Visibility, Transparency and Communication
We process personal data collected through our website to disseminate information about the project through various communication channels, such as newsletters, press releases, social media posts, and by organizing outreach events and cross-border conferences.
We manage contact data of interested parties to include them in these communications, based on their explicit consent (Art. 6.1.a GDPR and Art. 7 LOPDGDD). Data processing is also carried out based on public interest (Art. 6.1.e GDPR) to promote publicly funded initiatives and disseminate projects of general interest.
The data subject may withdraw their consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
g. Newsletter management
Personal data will be used to send newsletters, updates about the CIBERIA project, and other related content, always with the prior explicit consent of users. Interested parties can choose to receive this information and may unsubscribe at any time without affecting access to other services.
This data processing is legitimized by the explicit consent of users, in accordance with Article 6.1.a of the GDPR and Article 7 of the LOPDGDD, which can be withdrawn at any time without affecting the legality of the prior processing.
h. Scientific Research and Knowledge Generation
In all activities generating reports, technical articles or statistical data, we process personal data to conduct analyses and studies on vulnerabilities, cybersecurity needs and the impact of implemented solutions.
This processing is based on the performance of a task carried out for scientific research purposes (Art. 89 GDPR), for which data is anonymized whenever possible and protected by enhanced security measures to safeguard participants' privacy.
If you do not provide your data, or do so inaccurately or incompletely, we will not be able to process your request, making it impossible to provide you with the requested information or to carry out service contracting.
i. Marketplace (Intermediation between applicants and providers)
Data provided through forms will be used to manage and forward requests to cybersecurity or other service providers linked to the CIBERIA project, facilitating communication between interested parties and providers to meet the requested needs. Providers will also be evaluated based on predefined technical criteria, such as the Trust Seal.
This processing is based on the explicit consent of the data subject (Art. 6.1.a GDPR and Art. 7 LOPDGDD), who accepts that their data will be shared to manage their request, as well as on legitimate interest (Art. 6.1.f GDPR) to ensure efficient and secure intermediation within the CIBERIA ecosystem, always upholding the data subject’s rights.
Failure to provide the requested personal data, or providing it incompletely or inaccurately, may prevent the provision of services offered through the CIBERIA Marketplace, the management of your request, or participation in project-related activities, such as training, advisory services, or intermediation processes with providers.
In the forms available on the platform, fields marked with an asterisk (*) are considered strictly necessary to properly address your request. Completion of the other fields is voluntary, and their absence will not affect the handling of your request, unless otherwise stated.
5. Recipients
CIBERIA does not sell, transfer, or lease client or user personal data to third parties in any way, except in the following cases:
- Data processors: Data may be shared with service providers acting as data processors, including AIR INSTITUTE in its capacity as:
- Technical intermediary for the management of the service marketplace.
- Support in provider evaluation (e.g.: verification of the Trust Seal).
- Consortium partners: Personal data may be accessible to other CIBERIA consortium partners, whose full list can be found on our website: Miembros | CIBERIA (usal.es). This collaboration aims to facilitate coordination and implementation of project activities. All partners commit to processing information in accordance with data protection regulations and using it solely for the purposes set out in this document.
- Legal obligations: CIBERIA may also disclose personal data if required by law or by competent authorities, ensuring such disclosure complies with applicable regulations.
6. Legal Basis
The processing of your data is carried out based on the following legal grounds:
- Legitimate interest: Your participation in the CIBERIA project generates a legitimate interest in facilitating digital transition and promoting cybersecurity within organizations, justifying the need to process your contact details and other relevant information.
- Contractual relationship: The relationship established with collaborators and suppliers, as well as with entities requesting services from the CIBERIA project, determines the existence of a legitimate interest in maintaining fluid contact to carry out activities related to digital transition and cybersecurity.
- Express consent: For sending newsletters and promotional communications, your express consent is required. By providing your contact details, you agree to receive this information. You may withdraw your consent at any time, without affecting the lawfulness of the processing carried out prior to its withdrawal.
- Compliance with legal obligations: Data processing is necessary for compliance with legal and regulatory obligations regarding cybersecurity and data protection applicable to the project.
- Public interest: The processing of data is also based on the need to perform tasks of public interest, especially in activities related to improving cybersecurity and protecting critical infrastructure. This basis applies when the processing of personal data contributes to public safety, promotion of cybersecurity, or improvement of digital public policies.
- Scientific research: For research, development, and analysis activities related to cybersecurity, the processing of personal data is also justified for scientific research purposes (Art. 89 GDPR). This processing aims to generate knowledge that enhances cybersecurity solutions. Data will be anonymized whenever possible and protected with enhanced security measures to ensure participants’ privacy.
7. Data Retention
The personal data provided will be retained for as long as necessary for the purposes of the CIBERIA project or until you request opposition or deletion, and during the period in which legal responsibilities related to the services provided may arise.
They will be kept as long as there is a mutual interest in maintaining the purpose of the processing. Once no longer necessary, they will be deleted using appropriate security measures to ensure pseudonymization or complete destruction of the data.
8. Data Subject Rights
You may exercise these rights by sending an email to ciberia@usal.es, providing a copy of your ID and indicating your full name, a notification address, and the right you wish to exercise:
- Everyone has the right to obtain confirmation as to whether or not we are processing personal data concerning them.
- Data subjects have the right to access their personal data, as well as to request rectification of inaccurate data or, where appropriate, request its deletion when the data is no longer necessary for the purposes for which it was collected.
- Data subjects may request the restriction of the processing of their data while the accuracy of the data is being verified; when the processing is unlawful but they oppose deletion; when the controller no longer needs the data, but the user requires it for the exercise or defense of claims; or when they have objected to the processing based on the controller’s legitimate interest, while it is verified whether the legitimate reasons override their own. In such cases, we will only retain the data for the exercise or defense of claims.
- In certain circumstances and for reasons related to their particular situation, data subjects may object to the processing of their data. Our organization will stop processing the data unless compelling legitimate grounds override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
- You also have the right to data portability, in legally permitted cases.
- Please note that you may withdraw your consent for any or all purposes at any time, without affecting the lawfulness of the processing based on consent before its withdrawal.
- You are also informed of your right to lodge a complaint with the relevant Data Protection Authority (e.g., AEPD – Spanish Data Protection Agency).
You can exercise these rights by contacting us at the email address indicated above.
9. Use of Cookies
CIBERIA informs its users that it uses cookies on its website. Cookies are small text files stored by your browser on your computer’s hard drive. By browsing our website, our server may recognize the cookie and provide information about your last visit. Most browsers automatically accept cookies, but you can configure your browser to display a warning on your screen when receiving cookies and prevent their installation on your hard drive. Under no circumstances can cookie files read information from your hard drive or files created by other sites. To read our Cookie Policy, click the following link: COOKIE POLICY.
10. Accuracy and Update of Data
The User guarantees that the Personal Data provided to CIBERIA is true and is responsible for communicating any changes. The user will be solely liable for any damage or loss, direct or indirect, caused to CIBERIA or third parties by filling out forms with false, inaccurate, incomplete, or outdated data. The User must not include personal data of third parties without their prior informed consent as set out in this data protection policy, being solely responsible for their inclusion. All data requested through the website is mandatory, as it is necessary to provide optimal service. If all data is not provided, it cannot be guaranteed that the information and services provided will be fully tailored to your needs. You must be at least 14 years old to provide your personal data.
11. Social Media
CIBERIA will use social media as a means of communication and promotion of its services. Under no circumstances will we use data for unauthorized purposes. The Foundation is not responsible for content, comments, opinions, or information, whether its own or from third parties, that users post on our Twitter, Facebook, LinkedIn, and YouTube accounts. You may use our content for lawful purposes, provided you mention the source or author. The purpose of the data collected will be to maintain a user and contact database of the company’s social media accounts. Please note that the use of social media is subject to each platform’s privacy policies.
12. Confidentiality and Security of Your Data
CIBERIA has taken the necessary measures to prevent alteration, loss, unauthorized access, or processing of personal data, considering the state of technology. However, Users should be aware that Internet security measures are not foolproof.
Data obtained through the website and/or any other means will be processed by the CONTROLLER with absolute confidentiality, committing to maintaining secrecy.
In compliance with current Personal Data Protection regulations, the CONTROLLER complies with all provisions of the GDPR and the LOPDGDD regarding the processing of personal data under its responsibility, expressly complying with the principles described in Article 5 of the GDPR and Title II of the LOPDGDD, ensuring that data is processed lawfully, fairly, and transparently in relation to the data subject, and is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
The CONTROLLER guarantees that appropriate technical and organizational policies have been implemented to apply the security measures established by the GDPR and LOPDGDD to protect the rights and freedoms of Users and has provided them with adequate information to exercise those rights.
Data protection laws may change, so we strongly recommend that you regularly review our Data Protection Policy.
Please note that the CIBERIA website is not encrypted and that information sent via the internet without encryption may be viewed by others. By submitting our forms, you accept the sending of information without encryption.
13. Modifications to the Data Protection Policy
CIBERIA reserves the right to modify its data protection policy at its own discretion, or due to legislative, jurisprudential, or business practice changes. If CIBERIA makes any changes, the new text will be published on this same website, where the User may consult the current data protection policy of CIBERIA. In any case, the relationship with users will be governed by the rules in effect at the time of accessing the website.
14. Additional Information
For any clarification or comment, you can contact CIBERIA at the email address mentioned above.