Curium Event Privacy Policy

About the CURIUM project

Digital innovation is revolutionizing industries, with advancements like Smart Manufacturing, Industry 4.0, and Digital Twins reshaping business models. However, these developments also bring heightened cybersecurity risks due to increased interconnectivity.

 

To address these challenges, the European Cybersecurity Act (EUCSA) and the Cyber Resilience Act (CRA) create a unified regulatory framework to enhance cybersecurity across ICT products, services, and processes.

 

CURIUM envisions a secure, resilient digital environment by strengthening the security, privacy, and accountability of hardware and software with digital elements. The core of CURIUM’s approach is the Compliance Continuum, a set of tools and services designed to streamline compliance with the CRA.

 

By simplifying and automating compliance processes, CURIUM empowers European SMEs to conduct self-assessments, prepare for third-party certification, and reduce costs, while accelerating time to market. 

 

The CURIUM project is built on a collaboration of 9 organizations.

 

The coordinator of the project, and the organization authorized to communicate on behalf of the consortium in matters related to this questionnaire, is Cyber Security Ltd., Croatia. The relevant Project Manager is Miroslav Bača, who can be reached at ceo@cyber-security.hr.

 

The postal address of Cyber Security Ltd. is Zavrtnica 17, Zagreb, Croatia.

 

The objectives of the CURIUM project

CURIUM aims to achieve its vision by: 

  • Developing an innovative Compliance Continuum to automate CRA compliance. 
  • Driving widespread adoption with modular, cost-efficient, and open-source solutions tailored to industry needs. 
  • Fostering knowledge and capacity building to support CRA implementation. 
  • Utilizing an agile validation process with continuous feedback loops. 
  • Fostering long-term sustainability by actively engaging industry stakeholders and policymakers in tool development and training. 

Through these efforts, CURIUM will contribute to a Trustworthy Certified Digital Valley, strengthening Europe’s cybersecurity ecosystem. 

 

Personal data processed by the CURIUM project as part of this activity

CURIUM Validation Workshop on CRA Compliance Tools Registration Form.

Participants will be asked to provide the following mandatory data in order to participate in the event:

  • First Name
  • Last Name
  • Email Address
  • Organization / Institution
  • Role / Job Title

 

This information will be used only for the following purposes:

  • For the elicitation of requirements relevant to the project objectives and
  • For contacting the data subject regarding the activities, developments, plans, news and possible contribution / feedback activities of the CURIUM project.

 

Personal data sharing

The information provided to the CURIUM project by the data subjects will be stored in the main information system and will be kept on a need-to-know basis.

Access to the data may be provided to authorized personnel of each partner of the CURIUM project, to the European Union (staff relevant to the European Projects), to the national authorities of each country (should the need arise), to the platform support company and to the platform and infrastructure host.

In case it is necessary to share the personal information with others, the data subjects will be duly notified and relevant consent will be requested.

 

Purpose limitation

Personal data collected as indicated above shall only be processed for the purpose mentioned above. If there is a need to use this information for any other purpose, the data subjects shall be duly notified and the relevant consent solicited.

 

Accuracy

At this point, the personal information processed by the CURIUM project is collected directly from the data subjects.

Due to the limited lifetime of the project, it would not be feasible to implement complex processes for keeping the relevant information up to date.

Every reasonable step will be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

 

Storage limitation

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Personal data shall be processed only for defined, specific purposes relevant to the CURIUM project. The duration of the processing will depend on the specific purpose and in no case will it exceed four (4) years (the duration of the project + 2 years to facilitate the project review).

 

Integrity and confidentiality

The personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Through the project lifecycle, the project partners will store the project-related personal data in a secured, password-protected repository. For this purpose, a repository has been selected, implemented and is administered by the project Coordinator.

Each project partner has access, through selected staff members, to the extent needed by the project. Access to the repository is governed by access control mechanisms.

The Coordinator will manage the access to the repository and will administer or revoke the access to specific individuals and partners as needed. Moreover, the Coordinator will ensure that additional security measures are respected (e.g. regular back-ups).

For the information retained by the individual partners, repositories or other mechanisms shall be used affording an adequate level of security of the data retained (e.g. access control mechanisms, regular backups, etc.). The main responsibility regarding security of data collected and processed during the project realization, as well as after its completion, lies with the owners/managers/project partners of the repositories where these data are stored.

Personal data are classified as confidential information. As mentioned in the Grant Agreement (ARTICLE 13 — CONFIDENTIALITY AND SECURITY), “The parties must keep confidential any data, documents or other material (in any form) that is identified as sensitive in writing (‘sensitive information’) — during the implementation of the action and for at least until the time-limit set out in the Data Sheet (see Point 6).”

 

The rights of the data subjects

The project partners of the CURIUM project shall accommodate the rights of the data subjects.

Specifically, the data subjects have the following rights:

  • Right of access by the data subject. The data subject has the right to find out if the partners of the CURIUM project are using or storing personal data related to her/him. The data subject can submit a data subject access request and receive relevant information and if desired a copy of the related data.
  • Right to rectification. The data subject has the right to ask the partners of the CURIUM project to correct the related personal data used or stored, in order to reflect the reality at any time.
  • Right to erasure (‘right to be forgotten’). The data subject has the right to ask the partners of the CURIUM project to delete her/his personal data. The relevant partner is obligated to examine the request and delete the personal data if there is no relevant obligation prohibiting such an action (e.g. legal or contractual requirements). In any case, the partner shall notify the data subject accordingly and proceed with the erasure when allowed.
  • Right to restriction of processing. The data subject has the right to ask the partners of the CURIUM project to stop using her/his personal data. In contrast to the previous right, the personal data does not need to be deleted; rather, the processing is stopped either temporarily or completely.
  • Right to data portability*. The data subject has the right to receive her/his personal data from the partners of the CURIUM project, in order to transfer it to another service provider or request to send the data directly to such other service provider in a way that is machine-readable. (*Only processing operations based on the individual’s consent or on a contract to which the individual is party fall under the scope of the right to data portability).
  • Right to withdraw consent***. The data subject has the right to withdraw consent for the processing implemented on her/his personal data. The existence of the right to withdraw consent at any time does not affect the lawfulness of processing based on consent before its withdrawal. (*** This right is only applicable when explicit consent is used as the legal basis for the processing).

 

No automated decision making is implemented based on the personal data provided.

 

Exercising the rights of the data subjects

At any time, a data subject may submit a relevant request to the following:

  1. The DPO of the CURIUM project
    Partner: APIROPLUS Services Ltd.

    Contact details: Ms. Chatzopoulou Argyro, ac@apiroplus.solutions
    Postal address: APIROPLUS Services Ltd., Costa Ourani 5, Petoussi Court Floor 5,
    CY – 3085, Limassol, Cyprus.

  2. The Coordinator of the CURIUM project
    Partner: Cyber Security Ltd.
    Contact details: Miroslav Bača, ceo@cyber-security.hr
    Postal address: Zavrtnica 17, Zagreb, Croatia
  3. The DPO of each partner of the CURIUM project as appropriate to the task and purpose of the processing. The contact details of the various partners are provided by their respective websites.

 

Personal data breaches

All project partners shall implement adequate measures to protect the confidentiality of the processed personal data.

In the case of a personal data breach, the controller (the relevant project partner) shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with Article 33 of the GDPR.

The competent authorities have published forms for the reporting of personal data breaches. Each partner is encouraged to access the relevant location in order to identify the minimum information needed to be documented in the case of a personal data breach.

All project partners should implement an appropriate continuity plan to ensure safe continuity of the project activities. In the case of a personal data breach, the impact of the incident shall be assessed in order to mitigate adverse effects and prevent any further occurrence. When assessing the significance of the impact of a personal data breach, parameters such as the number of affected subjects, the extent of impact on the rights and freedoms of the data subjects as well as on project activities, and the duration of the incident shall be taken into account.