Last updated: April 2026
BIO-RED Open Innovation Platform is fully committed to compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This page provides a dedicated overview of our GDPR compliance measures, your rights as a data subject, and how to exercise them.
1. Data Controller
The Data Controller for the BIO-RED platform is the BIO-RED Consortium, coordinated by CoLab AccelBio. We are responsible for determining the purposes and means of processing your personal data. For any data protection queries, contact our Data Protection Contact (DPC) at admin@bio-red.eu.
2. Legal Basis for Processing
We process personal data under the following GDPR lawful bases:
- Consent (Art. 6(1)(a)) — For optional profile fields and marketing communications. You may withdraw consent at any time.
- Contract performance (Art. 6(1)(b)) — Processing necessary to provide you with the platform services you registered for.
- Legitimate interests (Art. 6(1)(f)) — To operate and improve the platform, prevent fraud, and ensure platform security.
- Legal obligation (Art. 6(1)(c)) — Where processing is required to comply with applicable EU or national law.
3. Personal Data We Collect
| Category | Data Fields | Lawful Basis |
|---|---|---|
| Identity | First name, last name, email | Contract, Consent |
| Professional | Job title, department, LinkedIn, phone, bio, profile photo | Consent |
| Organisation | Entity name, type, description, country, competencies, technology domains, posted opportunities | Contract, Consent |
| Usage | Login timestamps, page visits, feature interactions | Legitimate interests |
| Communications | A count of chat messages between users for statistical purposes, the content is not accessible | Contract, Consent |
| Consent records | GDPR consent timestamp, Terms acceptance timestamp & version | Legal obligation |
4. Your Rights as a Data Subject
Under GDPR Chapter III, you have the following rights:
Right of Access (Art. 15)
Request a copy of all personal data we hold about you.
Right to Rectification (Art. 16)
Correct inaccurate or incomplete personal data via your profile settings.
Right to Erasure (Art. 17)
Request deletion of your account and associated data ("right to be forgotten").
Right to Restriction (Art. 18)
Request that we limit how we use your data while a complaint is being investigated.
Right to Data Portability (Art. 20)
Receive your data in a structured, machine-readable format.
Right to Object (Art. 21)
Object to processing based on legitimate interests or for direct marketing.
Right to Withdraw Consent
Withdraw consent at any time without affecting the lawfulness of prior processing.
Right to Lodge a Complaint
Lodge a complaint with your national Data Protection Authority (DPA).
5. Data Retention
- Active account data: retained for the duration of your account.
- Deleted account data: purged within 30 days of deletion request, except where legally required.
- Consent records: retained for 5 years to demonstrate compliance.
- Chat messages: retained for the duration of the conversation. If a user deletes their account, the conversation is preserved for the other participant and the deleted user's personal identifiers are anonymised within 30 days, unless retention is required for legal or security purposes.
6. Data Security
We implement appropriate technical and organisational measures (Article 32 GDPR) including encrypted data transmission (TLS), access controls, and regular security reviews to protect your personal data against unauthorized access, alteration, or destruction. A Data Protection Impact Assessment (DPIA) under Article 35 GDPR is currently being prepared by the BIO-RED consortium in coordination with its subcontractor and will be finalised and signed off by the Data Protection Contact prior to opening the platform to general use beyond the initial controlled-access phase. A Record of Processing Activities under Article 30 GDPR is likewise being established by the controller and processor and will be in place before the platform leaves the controlled-access phase. During the controlled-access phase, access to the platform is granted only to approved users following administrator review, and processing is limited to the categories of data and purposes described in this policy.
7. Data Breach Procedure
In the event of a personal data breach, BIO-RED will notify the competent supervisory authority — the Comissão Nacional de Proteção de Dados (CNPD) in Portugal — within 72 hours where required under Article 33 GDPR and inform affected individuals when the breach is likely to result in high risk.
8. International Transfers
Data is stored and processed within the European Economic Area (EEA). Where any sub-processors are located outside the EEA, we ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses) in accordance with Chapter V GDPR.
9. Exercising Your Rights
To exercise any of your rights, please contact our Data Protection Contact (DPC) at admin@bio-red.eu. We will respond within 30 days. You may also update or delete profile information directly via your account settings. If you believe your data protection rights have not been adequately addressed, you have the right to lodge a complaint with the Comissão Nacional de Proteção de Dados (CNPD), the Portuguese supervisory authority (www.cnpd.pt).