DATA PROTECTION NOTICE AND CONSENT FOR PARTICIPATION IN THE PROJECT

Information on the project

EUNOMIA aims to raise critical awareness of social media and contribute to the fight against misinformation. In this context, it offers a new platform powered by Mastodon for promoting "trust" over "like" in the comments section of online media. To participate in this project, you need to sign up on EUNOMIA instance of Mastodon federated platform agreeing to its privacy policy (see here). You just need to act as you would normally do in your personal social media (i.e., post, comment, share). EUNOMIA additionally offers the feature “trust”, “don’t trust” button.

EUNOMIA unites a highly complementary consortium of 10 partners from 9 European countries from cross-disciplines and cross-sectors including academic, decentralised social media, public journalism organisations and SMEs. Specifically, University of Greenwich, Blasting News, Trilateral Research, SYNYO, INOV, University of West Attica, University of Nicosia, ORF, Eugen Rochko (creator of Mastodon), SIMAVI. The joint data controllership is between EUNOMIA project partners: University of Greenwich, INOV, University of West Attica and University of Nicosia.

What information do we collect?

EUNOMIA instance collects all information collected from Mastodon platform:

Basic account information: If you register on this server, you are asked to enter a username, an e-mail address and a password. You may also enter additional profile information such as a display name and biography, and upload a profile picture and header image. The username, display name, biography, profile picture and header image are always listed publicly.

Posts, following and other public information: The list of people you follow is listed publicly, the same is true for your followers. When you submit a message, the date and time is stored as well as the application you submitted the message from. Messages may contain media attachments, such as pictures and videos. Public and unlisted posts are available publicly. When you feature a post on your profile, that is also publicly available information. Your posts are delivered to your followers, in some cases it means they are delivered to different servers and copies are stored there. When you delete posts, this is likewise delivered to your followers. The action of reblogging or favouriting another post is always public.

Direct and followers-only posts: All posts are stored and processed on the server. Followers-only posts are delivered to your followers and users who are mentioned in them, and direct posts are delivered only to users mentioned in them. In some cases, it means they are delivered to different servers and copies are stored there. We make a good faith effort to limit the access to those posts only to authorized persons, but other servers may fail to do so. Therefore, it's important to review servers your followers belong to. You may toggle an option to approve and reject new followers manually in the settings. Please keep in mind that the operators of the server and any receiving server may view such messages, and that recipients may screenshot, copy or otherwise re-share them. Do not share any dangerous information over Mastodon.

IPs and other metadata: When you log in, we record the IP address you log in from, as well as the name of your browser application. All the logged in sessions are available for your review and revocation in the settings. The latest IP address used is stored for up to 12 months. We also may retain server logs which include the IP address of every request to our server. Additionally, participants’ trustworthiness votes will be collected to be anonymously displayed to the users.

We recognize the importance to protect and secure the users' personal data and we are committed to adopt and implement all appropriate technical and organizational measures for the security and protection of the users' personal data. It is necessary to process such data for carrying out the project in a proper and effective manner. However, participation in the project is done so on a voluntary basis and based on the user's consent.

What do we use your information for?

Any of the information we collect from you may be used to provide the core functionalities of EUNOMIA toolkit. We rely on your consent as the lawful basis for doing this.

Note, the administrator of this EUNOMIA instance reserves the right to remove a post/ toot and ultimately delete an account, after giving suitable warnings, when there are abusive or inappropriate posts/ toots.

How do we protect your information?

We will pseudonymise and where possible anonymise the data you provide us to the extent possible when and if they will be used, removing all personally identifiable information where appropriate. We will only collect and process data that is strictly necessary for running the project.

What is our data retention policy?

The retention policy follows the one of Mastodon making sure your posts and online interaction will not be disrupted at the end of the project. See following from Mastodon’s privacy policy:

We will make a good faith effort to:

• Retain server logs containing the IP address of all requests to this server, in so far as such logs are kept, no more than 90 days.
• Retain the IP addresses associated with registered users no more than 12 months.

You can request and download an archive of your content, including your posts, media attachments, profile picture, and header image.

You may irreversibly delete your account at any time. Upon deletion of your account all your posts/ toots will also be deleted from all EUNOMIA nodes.

Participant data sharing

We do not share participant personal data with third parties, however, if for any reason future data sharing is necessary we will seek your consent before doing so.

Your rights:

You have the following rights in relation to any of your personal data that we process. You can exercise your rights, explained below, by contacting by phone, in writing or emailing us at: compliance@greenwich.ac.uk.

• Right to withdraw consent– You can withdraw your consent that you have previously given to one or more specified purposes to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. It may mean we are not able to provide certain products or services to you and we will advise you if this is the case.
• Right of access– You can ask us to verify whether we are processing personal data about you, and if so, to have access to a copy of such data.
• Right to rectification and erasure– You can ask us to correct our records if you believe they contain incorrect or incomplete information about you or ask us to erase your personal data after you withdraw your consent to processing or when we no longer need it for the purpose it was originally collected.
• Right to restriction of processing– You can ask us to temporarily restrict our processing of your personal data if you contest the accuracy of your personal data, prefer to restrict its use rather than having us erase it, or need us to preserve it for you to establish, exercise, or defend a legal claim. A temporary restriction may apply while verifying whether we have overriding legitimate grounds to process it. You can ask us to inform you before we lift that temporary processing restriction.
• Right to data portability– In some circumstances, where you have provided personal data to us, you can ask us to transmit that personal data (in a structured, commonly used, and machine-readable format) directly to another company.
• Right to object – You can object to our use of your personal data for direct marketing purposes, including profiling or where processing has taken the form of automated decision making. However, we may need to keep some minimal information (e.g., email address) to comply with your request to cease marketing to you.
• Right to make a complaint to the UK Information Commissioner’s Office regarding any concerns you may have about our data handling practices.

If you have any questions about this project or your prospective involvement in it, please contact:

Project coordinator	Data Protection Officer
Dr. George Loukas, University of Greenwich E-mail: G.Loukas@greenwich.ac.uk	Peter Garrod, University of Greenwich E-mail: compliance@greenwich.ac.uk