(Anonymised public version – May 2025)
1. Purpose and Scope
This document summarises the results of Data Protection Impact Assessments conducted by all OPENVERSE consortium partners. It aims to demonstrate compliance with the EU General Data Protection Regulation (GDPR) (2016/679) while ensuring transparency toward citizens and stakeholders. OPENVERSE explores human-centric, open and ethically responsible virtual worlds. The DPIA assesses all data-processing activities required for research, co-creation, communication and evaluation tasks across the project.
2. Legal Framework
All processing is carried out under:
– Regulation (EU) 2016/679 (GDPR), Arts 5–6, 9 and 35.
– Article 29 Working Party Guidelines WP248 rev. 01 on DPIA and high-risk processing criteria.
– The OPENVERSE Grant Agreement No 101135701 and Data Management Plan (D7.7).
3. Overview of Processing
| Processing area | Data category | Purpose | Legal basis | Retention & storage |
| Online & onsite workshops / dialogues | Contact and professional data (name, organisation, email address) | Participant registration, follow-up communication | Art. 6(1)(a) consent | Deleted 12 months after project end |
| Surveys & co-creation feedback | Anonymised opinions, demographic ranges | Research & policy insight | Art. 6(1)(a) consent | Aggregated & anonymised |
| Platform analytics (website & observatory) | IP address, cookies (functional only) | Security & usability monitoring | Art. 6(1)(f) legitimate interest | 6 months, EU-based servers |
| Audio-visual materials (recorded events) | Image and voice data | Dissemination & documentation | Art. 6(1)(a) explicit consent | Consent-based use only |
| Research documentation | Pseudonymised interview notes | Evidence for scientific outputs | Art. 6(1)(e) public interest research | 5 years post-project then archived anonymously |
No automated decision-making, profiling or biometric analysis is performed.
4. Risk Identification and Assessment
The consortium identified limited and well-managed risks:
– Data breach or unauthorised access → mitigated by encrypted storage and access control.
– Re-identification risk in small datasets → reduced via aggregation and pseudonymisation.
– Cross-border transfer risk → none; data stored within EU/EEA servers.
– Inadequate consent management → addressed through standard forms and auditable logs.
Residual risk after mitigation: low.
5. Safeguards and Mitigation Measures
– Data minimisation & purpose limitation: only necessary data collected.
– Encryption & secure cloud storage on EU-based infrastructure.
– Anonymisation/pseudonymisation prior to analysis and sharing.
– Standardised consent templates in plain language, translated for participants.
– Access restriction to authorised personnel with role-based controls.
– Independent Ethics Advisor oversight verifying partner DPIAs and periodic updates.
6. Data Subject Rights
Participants may exercise their rights of access, rectification, erasure, restriction, and withdrawal of consent at any time by contacting the relevant partner controller via the project website. Requests are handled within 30 days without adverse impact on participation.
7. Outcomes and Overall Assessment
All partner-level DPIAs (May 2025) were reviewed and validated by the Ethics Advisor as compliant with GDPR and Article 29 WP248 criteria. No high-risk processing activities remain unmitigated. The overall risk level for data subjects is low, and processing is proportionate and ethical for scientific purposes under Horizon Europe rules.
8. Contact and Governance
Data Controllers: Each OPENVERSE partner for its own processing.
Consortium Coordinator: The Lisbon Council for Economic Competitiveness ASBL (Belgium).
Ethics Advisor: Independent external expert appointed per Grant Agreement.
Contact email: [email protected]
9. Review and Updates
This summary reflects the aggregated DPIA as of May 2025 and will be reviewed annually or upon material changes to processing activities, as required by Art. 35(11) GDPR.
Disclaimer: This public summary contains no personal or institutional identifiers. It is provided solely to demonstrate OPENVERSE’s accountability, ethical responsibility, and transparency in data protection.