# MOPC Platform - GDPR Compliance Documentation

## 1. Data Controller Information

| Field | Value |
|-------|-------|
| **Data Controller** | Monaco Ocean Protection Challenge |
| **Contact** | [Data Protection Officer email] |
| **Platform** | monaco-opc.com |
| **Jurisdiction** | Monaco |

---

## 2. Personal Data Collected

### 2.1 User Account Data

| Data Type | Purpose | Legal Basis | Retention |
|-----------|---------|-------------|-----------|
| Email address | Account identification, notifications | Contract performance | Account lifetime + 2 years |
| Name | Display in platform, certificates | Contract performance | Account lifetime + 2 years |
| Phone number (optional) | WhatsApp notifications | Consent | Until consent withdrawn |
| Profile photo (optional) | Platform personalization | Consent | Until deleted by user |
| Role | Access control | Contract performance | Account lifetime |
| IP address | Security, audit logging | Legitimate interest | 12 months |
| User agent | Security, debugging | Legitimate interest | 12 months |

### 2.2 Project/Application Data

| Data Type | Purpose | Legal Basis | Retention |
|-----------|---------|-------------|-----------|
| Project title | Competition entry | Contract performance | Program lifetime + 5 years |
| Project description | Evaluation | Contract performance | Program lifetime + 5 years |
| Team information | Contact, evaluation | Contract performance | Program lifetime + 5 years |
| Uploaded files | Evaluation | Contract performance | Program lifetime + 5 years |
| Country/Region | Geographic eligibility | Contract performance | Program lifetime + 5 years |

### 2.3 Evaluation Data

| Data Type | Purpose | Legal Basis | Retention |
|-----------|---------|-------------|-----------|
| Jury evaluations | Competition judging | Contract performance | Program lifetime + 5 years |
| Scores and comments | Competition judging | Contract performance | Program lifetime + 5 years |
| Evaluation timestamps | Audit trail | Legitimate interest | Program lifetime + 5 years |

### 2.4 Technical Data

| Data Type | Purpose | Legal Basis | Retention |
|-----------|---------|-------------|-----------|
| Session tokens | Authentication | Contract performance | Session duration |
| Magic link tokens | Passwordless login | Contract performance | 15 minutes |
| Audit logs | Security, compliance | Legitimate interest | 12 months |
| AI usage logs | Cost tracking, debugging | Legitimate interest | 12 months |

---

## 3. Data Processing Purposes

### 3.1 Primary Purposes

1. **Competition Management** - Managing project submissions, evaluations, and results
2. **User Authentication** - Secure access to the platform
3. **Communication** - Sending notifications about evaluations, deadlines, results

### 3.2 Secondary Purposes

1. **Analytics** - Understanding platform usage (aggregated, anonymized)
2. **Security** - Detecting and preventing unauthorized access
3. **AI Processing** - Automated filtering and matching (anonymized data only)

---

## 4. Third-Party Data Sharing

### 4.1 Subprocessors

| Subprocessor | Purpose | Data Shared | Location | DPA |
|--------------|---------|-------------|----------|-----|
| OpenAI | AI processing | Anonymized project data only | USA | Yes |
| MinIO/S3 | File storage | Uploaded files | [Location] | Yes |
| Poste.io | Email delivery | Email addresses, notification content | [Location] | Yes |

### 4.2 Data Shared with OpenAI

**Sent to OpenAI:**

- Anonymized project titles (PII sanitized)
- Truncated descriptions (500 chars max)
- Project category, tags, country
- Team size (count only)
- Founded year (year only)

**NEVER sent to OpenAI:**

- Names of any individuals
- Email addresses
- Phone numbers
- Physical addresses
- External URLs
- Internal database IDs
- File contents

For full details, see [AI Data Processing](./ai-data-processing.md).
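The allow-list behind section 4.2, as an added example (not code from the MOPC project): the OpenAI payload is assembled field by field so that internal IDs, names, e-mail addresses, URLs and file contents have no path out of the platform, descriptions are cut to 500 characters, the team becomes a count and the founding date a year. The `ProjectRecord` field names and the regex-based PII masking are assumptions.

```typescript
// Added example, not the MOPC project's own code: ProjectRecord field names
// and the regex PII masking are assumptions; the allow-list follows section 4.2.
type ProjectRecord = {
  id: string;                                     // internal database ID: never sent
  title: string;
  description: string;
  category: string;
  tags: string[];
  country: string;
  foundedAt: string;                              // ISO date; only the year is sent
  teamMembers: { name: string; email: string }[]; // only the count is sent
  website?: string;                               // external URL: never sent
};

// Only the fields section 4.2 allows; built field by field (no spread from
// the record), so a column added to ProjectRecord later cannot leak silently.
type OpenAiPayload = {
  title: string;
  description: string;
  category: string;
  tags: string[];
  country: string;
  teamSize: number;
  foundedYear: number;
};

const DESCRIPTION_MAX = 500;

// Assumed masking rule for free text: replace URLs, e-mail addresses and
// phone-like digit runs with fixed tokens (URLs first, so nothing is half-masked).
const URL_RE = /\bhttps?:\/\/\S+|\bwww\.\S+/gi;
const EMAIL_RE = /[\w.+-]+@[\w-]+(\.[\w-]+)+/g;
const PHONE_RE = /\+?\d[\d\s().-]{7,}\d/g;

function sanitizeText(text: string): string {
  return text.replace(URL_RE, "[url]").replace(EMAIL_RE, "[email]").replace(PHONE_RE, "[phone]");
}

function buildOpenAiPayload(p: ProjectRecord): OpenAiPayload {
  const description = sanitizeText(p.description);
  return {
    title: sanitizeText(p.title),
    description: description.slice(0, DESCRIPTION_MAX),  // 500 chars max, after masking
    category: p.category,
    tags: p.tags.map((t) => sanitizeText(t)),
    country: p.country,
    teamSize: p.teamMembers.length,                      // count only, no names
    foundedYear: new Date(p.foundedAt).getUTCFullYear(), // year only
  };
}
```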
---

## 5. Data Subject Rights

### 5.1 Right of Access (Article 15)

Users can request a copy of their personal data via:

- Profile → Settings → Download My Data
- Email to [DPO email]

**Response Time:** Within 30 days

### 5.2 Right to Rectification (Article 16)

Users can update their data via:

- Profile → Settings → Edit Profile
- Contact support for assistance

**Response Time:** Immediately for self-service, 72 hours for support

### 5.3 Right to Erasure (Article 17)

Users can request deletion via:

- Profile → Settings → Delete Account
- Email to [DPO email]

**Exceptions:** Data required for legal obligations or ongoing competitions

**Response Time:** Within 30 days

### 5.4 Right to Restrict Processing (Article 18)

Users can request processing restrictions by contacting [DPO email].

**Response Time:** Within 72 hours

### 5.5 Right to Data Portability (Article 20)

Users can export their data in machine-readable format (JSON) via:

- Profile → Settings → Export Data

**Format:** JSON file containing all user data

### 5.6 Right to Object (Article 21)

Users can object to processing based on legitimate interests by contacting [DPO email].

**Response Time:** Within 72 hours

---

## 6. Security Measures (Article 32)

### 6.1 Technical Measures

| Measure | Implementation |
|---------|----------------|
| Encryption in transit | TLS 1.3 for all connections |
| Encryption at rest | AES-256 for sensitive data |
| Authentication | Magic link (passwordless) or OAuth |
| Rate limiting | 100 requests/minute per IP |
| Session management | Secure cookies, automatic expiry |
| Input validation | Zod schema validation on all inputs |

### 6.2 Access Controls

| Control | Implementation |
|---------|----------------|
| RBAC | Role-based permissions (SUPER_ADMIN, PROGRAM_ADMIN, JURY_MEMBER, etc.) |
| Least privilege | Users only see assigned projects/programs |
| Session expiry | Configurable timeout (default 24 hours) |
| Audit logging | All sensitive actions logged |

### 6.3 Infrastructure Security

| Measure | Implementation |
|---------|----------------|
| Firewall | iptables rules on VPS |
| DDoS protection | Cloudflare (if configured) |
| Updates | Regular security patches |
| Backups | Daily encrypted backups, 90-day retention |
| Monitoring | Error logging, performance monitoring |

---

## 7. Data Retention Policy

| Data Category | Retention Period | Deletion Method |
|---------------|------------------|-----------------|
| Active user accounts | Account lifetime | Soft delete → hard delete after 30 days |
| Inactive accounts | 2 years after last login | Automatic anonymization |
| Project data | Program lifetime + 5 years | Archived, then anonymized |
| Audit logs | 12 months | Automatic deletion |
| AI usage logs | 12 months | Automatic deletion |
| Session data | Session duration | Automatic expiration |
| Backup data | 90 days | Automatic rotation |

---

## 8. International Data Transfers

### 8.1 OpenAI (USA)

| Aspect | Details |
|--------|---------|
| Transfer Mechanism | Standard Contractual Clauses (SCCs) |
| DPA | OpenAI Data Processing Agreement |
| Data Minimization | Only anonymized data transferred |
| Risk Assessment | Low (no PII transferred) |

### 8.2 Data Localization

| Service | Location |
|---------|----------|
| Primary database | [EU location] |
| File storage | [Location] |
| Email service | [Location] |

---

## 9. Cookies and Tracking

### 9.1 Essential Cookies

| Cookie | Purpose | Duration |
|--------|---------|----------|
| `session_token` | User authentication | Session |
| `csrf_token` | CSRF protection | Session |

### 9.2 Optional Cookies

The platform does **not** use:

- Marketing cookies
- Analytics cookies that track individuals
- Third-party tracking

---

## 10. Data Protection Impact Assessment (DPIA)

### 10.1 AI Processing DPIA

| Factor | Assessment |
|--------|------------|
| **Risk** | Personal data sent to third-party AI |
| **Mitigation** | Strict anonymization before processing |
| **Residual Risk** | Low (no PII transferred) |

### 10.2 File Upload DPIA

| Factor | Assessment |
|--------|------------|
| **Risk** | Sensitive documents uploaded |
| **Mitigation** | Pre-signed URLs, access controls, virus scanning |
| **Residual Risk** | Medium (users control uploads) |

### 10.3 Evaluation Data DPIA

| Factor | Assessment |
|--------|------------|
| **Risk** | Subjective opinions about projects/teams |
| **Mitigation** | Access controls, audit logging |
| **Residual Risk** | Low |

---

## 11. Breach Notification Procedure

### 11.1 Detection (Within 24 hours)

1. Automated monitoring alerts
2. User reports
3. Security audit findings

### 11.2 Assessment (Within 48 hours)

1. Identify affected data and individuals
2. Assess severity and risk
3. Document incident details

### 11.3 Notification (Within 72 hours)

**Supervisory Authority:**

- Notify if risk to individuals
- Include: nature of breach, categories of data, number affected, consequences, measures taken

**Affected Individuals:**

- Notify without undue delay if high risk
- Include: nature of breach, likely consequences, measures taken, contact for information

### 11.4 Documentation

All breaches are documented regardless of notification requirement.

---

## 12. Contact Information

| Role | Contact |
|------|---------|
| **Data Protection Officer** | [DPO name] |
| **Email** | [DPO email] |
| **Address** | [Physical address] |

**Supervisory Authority:** Commission de Contrôle des Informations Nominatives (CCIN)
[Address in Monaco]

---

## 13. Document History

| Version | Date | Changes |
|---------|------|---------|
| 1.0 | 2025-01 | Initial version |

---

## See Also

- [AI Data Processing](./ai-data-processing.md)
- [AI System Architecture](../architecture/ai-system.md)