MOPC-App/docs/gdpr/platform-gdpr-compliance.md

MOPC Platform - GDPR Compliance Documentation

1. Data Controller Information

| Field | Value |
|---|---|
| Data Controller | Monaco Ocean Protection Challenge |
| Contact | [Data Protection Officer email] |
| Platform | monaco-opc.com |
| Jurisdiction | Monaco |

2. Personal Data Collected

2.1 User Account Data

| Data Type | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Email address | Account identification, notifications | Contract performance | Account lifetime + 2 years |
| Name | Display in platform, certificates | Contract performance | Account lifetime + 2 years |
| Phone number (optional) | WhatsApp notifications | Consent | Until consent withdrawn |
| Profile photo (optional) | Platform personalization | Consent | Until deleted by user |
| Role | Access control | Contract performance | Account lifetime |
| IP address | Security, audit logging | Legitimate interest | 12 months |
| User agent | Security, debugging | Legitimate interest | 12 months |

2.2 Project/Application Data

| Data Type | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Project title | Competition entry | Contract performance | Program lifetime + 5 years |
| Project description | Evaluation | Contract performance | Program lifetime + 5 years |
| Team information | Contact, evaluation | Contract performance | Program lifetime + 5 years |
| Uploaded files | Evaluation | Contract performance | Program lifetime + 5 years |
| Country/Region | Geographic eligibility | Contract performance | Program lifetime + 5 years |

2.3 Evaluation Data

| Data Type | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Jury evaluations | Competition judging | Contract performance | Program lifetime + 5 years |
| Scores and comments | Competition judging | Contract performance | Program lifetime + 5 years |
| Evaluation timestamps | Audit trail | Legitimate interest | Program lifetime + 5 years |

2.4 Technical Data

| Data Type | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Session tokens | Authentication | Contract performance | Session duration |
| Magic link tokens | Passwordless login | Contract performance | 15 minutes |
| Audit logs | Security, compliance | Legitimate interest | 12 months |
| AI usage logs | Cost tracking, debugging | Legitimate interest | 12 months |

3. Data Processing Purposes

3.1 Primary Purposes

  1. Competition Management - Managing project submissions, evaluations, and results
  2. User Authentication - Secure access to the platform
  3. Communication - Sending notifications about evaluations, deadlines, results

3.2 Secondary Purposes

  1. Analytics - Understanding platform usage (aggregated, anonymized)
  2. Security - Detecting and preventing unauthorized access
  3. AI Processing - Automated filtering and matching (anonymized data only)

4. Third-Party Data Sharing

4.1 Subprocessors

| Subprocessor | Purpose | Data Shared | Location | DPA |
|---|---|---|---|---|
| OpenAI | AI processing | Anonymized project data only | USA | Yes |
| MinIO/S3 | File storage | Uploaded files | [Location] | Yes |
| Poste.io | Email delivery | Email addresses, notification content | [Location] | Yes |

4.2 Data Shared with OpenAI

Sent to OpenAI:

  • Anonymized project titles (PII sanitized)
  • Truncated descriptions (500 chars max)
  • Project category, tags, country
  • Team size (count only)
  • Founded year (year only)

NEVER sent to OpenAI:

  • Names of any individuals
  • Email addresses
  • Phone numbers
  • Physical addresses
  • External URLs
  • Internal database IDs
  • File contents

For full details, see AI Data Processing.
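The minimization rules above (sanitized title, description capped at 500 characters, team size as a count, founded year only, and nothing from the "never sent" list) can be enforced in one place before any request leaves the platform. The following is an added example, not the MOPC platform's own code; the `ProjectRecord` shape, the regexes and the sample record are assumptions for illustration.

```typescript
// Added example, not the MOPC platform's own code: build the minimized,
// PII-sanitized payload of section 4.2 before anything is sent to OpenAI.
// ProjectRecord is an assumed shape for the internal record, not the real schema.
interface ProjectRecord {
  id: string;            // internal database ID: never sent
  title: string; description: string; category: string; tags: string[];
  country: string; foundedAt: string;   // ISO date; only the year is sent
  team: { name: string; email: string; phone?: string }[];   // sent as a count only
}
interface OpenAIPayload {
  title: string; description: string; category: string; tags: string[];
  country: string; teamSize: number; foundedYear: number;
}
const EMAIL_RE = /[\w.+-]+@[\w-]+(\.[\w-]+)+/g;
const URL_RE = /\b(?:https?:\/\/|www\.)\S+/gi;
const PHONE_RE = /\+?\d[\d\s().-]{6,}\d/g;
// Replace e-mail addresses, URLs and phone numbers in free text with markers.
function sanitizeText(text: string): string {
  return text.replace(EMAIL_RE, "[email]").replace(URL_RE, "[url]").replace(PHONE_RE, "[phone]");
}
// Last-line guard: true if the payload still carries a PII pattern or a "never sent" value.
function containsPii(payload: OpenAIPayload, record: ProjectRecord): boolean {
  const blob = JSON.stringify(payload);
  const known = [record.id].concat(record.team.map((m) => m.name), record.team.map((m) => m.email));
  return [EMAIL_RE, URL_RE, PHONE_RE].some((re) => blob.search(re) !== -1)
    || known.some((v) => v.length > 0 && blob.indexOf(v) !== -1);
}
function buildOpenAIPayload(record: ProjectRecord): OpenAIPayload {
  const names = record.team.map((m) => m.name).filter((n) => n.length > 0);
  // Sanitize patterns first, then redact known member names, then truncate to 500 chars.
  const clean = (s: string) => names.reduce((acc, n) => acc.split(n).join("[name]"), sanitizeText(s));
  const payload: OpenAIPayload = {
    title: clean(record.title), description: clean(record.description).slice(0, 500),
    category: record.category, tags: record.tags, country: record.country,
    teamSize: record.team.length, foundedYear: new Date(record.foundedAt).getUTCFullYear(),
  };
  if (containsPii(payload, record)) throw new Error("PII survived sanitization; refusing to send");
  return payload;
}
// Constructed sample record (not real data) so the block runs stand-alone.
const SAMPLE: ProjectRecord = {
  id: "proj_8812", title: "Reef Restoration Drone by Alice Martin",
  description: "Contact alice@example.org or +377 93 15 88 00. Site: https://reefdrone.example. "
    + new Array(601).join("x"),
  category: "Ocean Tech", tags: ["coral", "drone"], country: "MC", foundedAt: "2023-06-01",
  team: [{ name: "Alice Martin", email: "alice@example.org", phone: "+377 93 15 88 00" },
         { name: "Bob Lee", email: "bob@example.org" }],
};
function samplePayload(): OpenAIPayload { return buildOpenAIPayload(SAMPLE); }
```

The guard throws rather than sending a partially sanitized payload, so a regex gap shows up as a failed request in the AI usage logs instead of a silent disclosure.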


5. Data Subject Rights

5.1 Right of Access (Article 15)

Users can request a copy of their personal data via:

  • Profile → Settings → Download My Data
  • Email to [DPO email]

Response Time: Within 30 days

5.2 Right to Rectification (Article 16)

Users can update their data via:

  • Profile → Settings → Edit Profile
  • Contact support for assistance

Response Time: Immediately for self-service, 72 hours for support

5.3 Right to Erasure (Article 17)

Users can request deletion via:

  • Profile → Settings → Delete Account
  • Email to [DPO email]

Exceptions: Data required for legal obligations or ongoing competitions

Response Time: Within 30 days

5.4 Right to Restrict Processing (Article 18)

Users can request processing restrictions by contacting [DPO email].

Response Time: Within 72 hours

5.5 Right to Data Portability (Article 20)

Users can export their data in machine-readable format (JSON) via:

  • Profile → Settings → Export Data

Format: JSON file containing all user data

5.6 Right to Object (Article 21)

Users can object to processing based on legitimate interests by contacting [DPO email].

Response Time: Within 72 hours


6. Security Measures (Article 32)

6.1 Technical Measures

| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.3 for all connections |
| Encryption at rest | AES-256 for sensitive data |
| Authentication | Magic link (passwordless) or OAuth |
| Rate limiting | 100 requests/minute per IP |
| Session management | Secure cookies, automatic expiry |
| Input validation | Zod schema validation on all inputs |

6.2 Access Controls

| Control | Implementation |
|---|---|
| RBAC | Role-based permissions (SUPER_ADMIN, PROGRAM_ADMIN, JURY_MEMBER, etc.) |
| Least privilege | Users only see assigned projects/programs |
| Session expiry | Configurable timeout (default 24 hours) |
| Audit logging | All sensitive actions logged |

6.3 Infrastructure Security

| Measure | Implementation |
|---|---|
| Firewall | iptables rules on VPS |
| DDoS protection | Cloudflare (if configured) |
| Updates | Regular security patches |
| Backups | Daily encrypted backups, 90-day retention |
| Monitoring | Error logging, performance monitoring |

7. Data Retention Policy

| Data Category | Retention Period | Deletion Method |
|---|---|---|
| Active user accounts | Account lifetime | Soft delete → hard delete after 30 days |
| Inactive accounts | 2 years after last login | Automatic anonymization |
| Project data | Program lifetime + 5 years | Archived, then anonymized |
| Audit logs | 12 months | Automatic deletion |
| AI usage logs | 12 months | Automatic deletion |
| Session data | Session duration | Automatic expiration |
| Backup data | 90 days | Automatic rotation |

8. International Data Transfers

8.1 OpenAI (USA)

| Aspect | Details |
|---|---|
| Transfer Mechanism | Standard Contractual Clauses (SCCs) |
| DPA | OpenAI Data Processing Agreement |
| Data Minimization | Only anonymized data transferred |
| Risk Assessment | Low (no PII transferred) |

8.2 Data Localization

| Service | Location |
|---|---|
| Primary database | [EU location] |
| File storage | [Location] |
| Email service | [Location] |

9. Cookies and Tracking

9.1 Essential Cookies

| Cookie | Purpose | Duration |
|---|---|---|
| session_token | User authentication | Session |
| csrf_token | CSRF protection | Session |

9.2 Optional Cookies

The platform does not use:

  • Marketing cookies
  • Analytics cookies that track individuals
  • Third-party tracking

10. Data Protection Impact Assessment (DPIA)

10.1 AI Processing DPIA

| Factor | Assessment |
|---|---|
| Risk | Personal data sent to third-party AI |
| Mitigation | Strict anonymization before processing |
| Residual Risk | Low (no PII transferred) |

10.2 File Upload DPIA

| Factor | Assessment |
|---|---|
| Risk | Sensitive documents uploaded |
| Mitigation | Pre-signed URLs, access controls, virus scanning |
| Residual Risk | Medium (users control uploads) |

10.3 Evaluation Data DPIA

| Factor | Assessment |
|---|---|
| Risk | Subjective opinions about projects/teams |
| Mitigation | Access controls, audit logging |
| Residual Risk | Low |

11. Breach Notification Procedure

11.1 Detection (Within 24 hours)

  1. Automated monitoring alerts
  2. User reports
  3. Security audit findings

11.2 Assessment (Within 48 hours)

  1. Identify affected data and individuals
  2. Assess severity and risk
  3. Document incident details

11.3 Notification (Within 72 hours)

Supervisory Authority:

  • Notify if risk to individuals
  • Include: nature of breach, categories of data, number affected, consequences, measures taken

Affected Individuals:

  • Notify without undue delay if high risk
  • Include: nature of breach, likely consequences, measures taken, contact for information

11.4 Documentation

All breaches are documented, regardless of whether notification is required.


12. Contact Information

| Role | Contact |
|---|---|
| Data Protection Officer | [DPO name] |
| Email | [DPO email] |
| Address | [Physical address] |

Supervisory Authority: Commission de Contrôle des Informations Nominatives (CCIN), [Address in Monaco]


13. Document History

| Version | Date | Changes |
|---|---|---|
| 1.0 | 2025-01 | Initial version |
