JOINT CONTROLLERS’ DATA SHARING AGREEMENT

JOINT CONTROLLERS’ DATA SHARING AGREEMENT

This Data Sharing Agreement is made this the 17th day of June 2022

BETWEEN:

1. UNIVERSITY COLLEGE DUBLIN, NATIONAL UNIVERSITY OF IRELAND, DUBLIN

of Belfield, Dublin 4, Ireland, and

2. UNIVERSITY OF GALWAY (UG: formerly NUI Galway) of University Road,

Galway, H91 TK33, Ireland

3. DEPARTMENT OF HOUSING, LOCAL GOVERNMENT AND HERITAGE (DHLGH)

of Custom House, Dublin, D01 W6XO, Ireland.

4. IRISH RURAL LINK CO-OPERATIVE SOCIETY LIMITED (CWF) of Unit 2A Moate

Business Park Clara Rd, Moate, County Westmeath, Ireland

5. ERINN INNOVATION LIMITED (ERINN) of Unit 3, Olympic House, Pleasants Street,

Dublin 8, Ireland,

7. PROSPEX INSTITUTE (PI) of Victor Oudartstraat 7, Brussels 1030,

8. WWF BULGARIA (WWF-BG) of 147 Knyaz Boris I str., Fl. 1, 1000 Sofia, Bulgaria

9. TARTU ULIKOOL (UTARTU) of Ülikooli 18, 50090, Tartu, Estonia

10. SIHTASUTUS EESTIMAA LOODUSE FOND (ELF) of Staadioni 67, Tartu, 51008,

Estonia

11. RIIGIMETSA MAJANDAMISE KESKUS (RMK) of Sagadi Village, Haljala

Municipality, 45403 Lääne-Viru County, Estonia

12. AS TOOTSI TURVAS (ToTu) of Papiniidu 5, Pärnu, 80010 Pärnu county, Estonia

13. ITA-SUOMEN YLIOPISTO (UEF) of Yliopistonranta 1, FI-70210 Kuopio, Finland

14. GEOLOGIAN TUTKIMUSKESKUS (GTK) of Vuorimiehentie 5, 02151 Espoo,

Finland

15. PLAN BLEU POUR L'ENVIRONNEMENT ET LE DEVELOPPEMENT EN

MEDITERRANEE (Plan Bleu) of Tour la Marseillaise – 16ème étage, 2 bis,

Boulevard Euroméditerranée – Quai d’Arenc, 13002 Marseille, France

16. TOUR DU VALAT (Tour du Valat) of Le Sambuc, Arles, 13200, France

17. MICHAEL SUCCOW STIFTUNG ZUM SCHUTZDER NATUR (MSF), established in

Ellernholzstrasse 1/3, 17489 Greifswald, Germany

18. UNIVERSITA CA' FOSCARI VENEZIA (UNIVE) of Dorsoduro 3246, Venezia 30123,

Italy

19. WE ARE HERE VENICE (WahV) of San Polo 1866, 30125 Venice

20. WAGENINGEN UNIVERSITY (WU) of Droevendaalsesteeg 4, Wageningen 6708

PB, The Netherlands

21. STICHTING WETLANDS INTERNATIONAL (WI) of PO Box 471, 6700 AL,

Wageningen, The Netherlands (Visiting: Horapark 9, 6717 LZ Ede)

23. PROVINCIE GRONINGEN (GRON) of Sint Jansstraat 4, Postbus 610, 9700 AP

Groningen

24. STAATSBOSBEHEER (SBB) of Smallepad 5, 3811 MG, Amersfoort, The

Netherlands

25. CENTRUM OCHRONY MOKRADEL (CMok) of Zwirki I Wigury 101 lok 1.135,

Warszawa 02-089, Poland

26. UNIWERSYTET WARSZAWSKI (UW) of Krakowskie Przedmiescie 26/28

Warsazawa 00-927, Poland

27. AGENCIA ESTATAL CONSEJO SUPERIOR DE INVESTIGACIONES

CIENTIFICAS, M.P. (CSIC-EBD) of Calle Serrano 117, 28006 Madrid, Spain,

28. UPPSALA UNIVERSITET (UU) of Von Kraemers Alle 4, Uppsala 751 05, Sweden

29. NATURAL ENGLAND (NE) of Suite D, Unex House, Bourges Boulevard,

Peterborough, PEI 1NG, England

30. THE SCOTTISH WILDLIFE TRUST LBG (SWT) of Harbourside House, 110

Commercial Street, Edinburgh, EH6 6NF, Scotland

31. UNIVERSITY OF LEEDS (UNIVLEEDS) of Woodhouse Lane, Leeds, LS2 9JT, United

Kingdom

32. BALKANI WILDLIFE SOCIETY (BWS) of Dragan Tsankov Blvd. 8, ii64 Sofia,

Bulgaria

33. LANDSCAPE FINANCE LAB (LFL) of Alszeile 105/05, 1170 Vienna, Austria

Each a “Party” and collectively the “Parties”

WHEREAS

The Parties, having considerable experience in the field concerned, have committed through

prior Consortium Agreement and Grant Agreement of the European Union to the project

‘Water-based solutions for carbon storage, people and wilderness’, in short

WaterLANDS, hereinafter referred to as the “Project”.

NOW IT IS HEREBY AGREED AS FOLLOWS:

DEFINITIONS

In this Agreement, the following expressions bear the following meanings unless the context otherwise requires:

“Data Protection Incident” means a breach of security, including any suspected breach of security, leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

“Data Protection Legislation” means:

1.1 the EU General Data Protection Regulation 2016/679/EC;

1.2 the EU ePrivacy Directive 2002/58/EC (as amended);

1.3 any relevant transposition of, or successor or replacement to, those laws and

all other applicable law, regulations and codes of conduct in any relevant jurisdiction relating to the processing of Personal Data and privacy including the guidance and codes of practice issued by a relevant data protection regulator, including the Data Protection Commissioner and the European Data Protection Board or the Article 29 Working Party.

“Data Subject”, “Joint Controller” “Personal Data”, “Processing” each have the same meaning as in the Data Protection Legislation.

“EEA” means the European Economic Area

“Effective Date” means the date at which all parties have signed this agreement;

“Personnel” means the employees and/or contractors of the Joint Controllers.

“Permitted Purpose” means those purposes directly relating to the deliverables of the Project, limited to scientific analysis and interpretation, dissemination, scientific publication or direct restoration goals of the Project.

“Project Personal Data” means all Personal Data relating to contact details, personal accounts or other sensitive personal data collected as part of achieving the Project deliverables.

1. All expressions used in this Agreement beginning with a capital letter (and not defined in this Agreement or elsewhere in this Agreement) have the meaning given to them in the Data Protection Legislation.

2. Each Party will be a Joint Controller in relation to Project Personal Data Processed for the Permitted Purpose.

3. The subject matter of the Processing, the legal basis for processing the data, the duration of the Processing, the nature and purpose of the Processing, the types of Personal Data Processed, the categories of Data Subjects to whom the Project Personal Data relate, and the retention periods for the Project Personal Data are specified at Appendix 1 hereto.

4. Each Controller’s obligations under this Agreement are in addition to, and do not relieve, remove or replace, its obligations under the Data Protection Legislation.

5. Each Controller will, where required by the Data Protection Legislation, appoint a Data Protection Officer, provide details of that person to the other Controller(s) and notify the other Controller(s), as soon as reasonably possible, of any changes in that person or his or her details.

UCD Data Protection Officer, Roebuck Castle, Belfield, Dublin 4, Ireland. Email: [email protected]

UG Data Protection Officer. University Road, Galway, H91 TK33, Ireland. Email: [email protected], [email protected]

DHLGH Data Protection Officer. Custom House, Dublin, D01 W6XO, Ireland. Email: [email protected]

CWF Data Manager, Unit 2A Moate Business Park Clara Rd, Moate, County Westmeath, Ireland. Email: [email protected]

ERINN Data Manager, Unit 3, Olympic House, Pleasants Street, Dublin 8, Ireland. Email: [email protected]

PI Data Protection Officer, Victor Oudartstraat 7, Brussels 1030. Email: [email protected]

WWF-BG Data Protection Officer, 147 Knyaz Boris I str., Fl. 1, 1000 Sofia, Bulgaria. Email: [email protected]

UTARTU Data Protection Officer, Ülikooli 18, 50090, Tartu, Estonia. Email: [email protected]

ELF Data Manager, Staadioni 67, Tartu. Email: [email protected]

RMK Data Protection Specialist, Sagadi Village, Haljala Municipality, 45403 Lääne-Viru County, Estonia. Email: [email protected], [email protected]

ToTu Data Manager, Papiniidu 5, Pärnu, 80010 Pärnu county, Estonia. Email: [email protected]

UEF Data Protection Officer, Yliopistonranta 1, FI-70210 Kuopio, Finland. Email: [email protected]

GTK Data Protection Officer, Vuorimiehentie 5, 02151 Espoo, Finland. Email: [email protected]

PB Data Protection Officer, Tour la Marseillaise – 16ème étage, 2 bis, Boulevard Euroméditerranée – Quai d’Arenc, 13002 Marseille, France. Email: [email protected]

TdV Project Manager, Le Sambuc, Arles, 13200, France. Email: [email protected]

MSF Data Protection Officer (External), c/o Ellernholzstrasse 1/3, 17489 Greifswald, Germany. Email: [email protected], [email protected]

UNIVE Data Protection Officer, Dorsoduro 3246, Venezia 30123, Italy, Email: [email protected]

WahV Data Manager and Quantitative Data Manager, San Polo 1866, 30125 Venice. Email: [email protected], [email protected]

WU Data Protection Officer, Droevendaalsesteeg 4, Wageningen 6708 PB, The Netherlands. Email: [email protected]

WI Data Manager, PO Box 471, 6700 AL, Wageningen, The Netherlands. Email: [email protected]

GRON Data Protection Officer, Sint Jansstraat 4, Postbus 610, 9700 AP Groningen, The Netherlands. Email: [email protected]

SBB Data Protection Officer, Smallepad 5, 3811 MG, Amersfoort, The Netherlands. Email: [email protected]

CMok Personal Data Protection Officer, Zwirki I Wigury 101 lok 1.135, Warszawa 02-089, Poland. Email: [email protected]

UW Data Protection Officer, Krakowskie Przedmiescie 26/28 Warsazawa 00-927, Poland. Email: [email protected]

CSIC-EBD Data Protection Officer, Calle Serrano 117, 28006 Madrid, Spain. Email: [email protected], [email protected]

UU Data Protection Officer, Von Kraemers Alle 4, Uppsala 751 05, Sweden. Email: [email protected]

NATURAL ENGLAND (NE), Data Protection Officer, Suite D, Unex House, Bourges Boulevard, Peterborough, PEI 1NG, England Email: [email protected]

IUCN-UK PP (c/o SWT) Data Manager, Harbourside House, 110 Commercial Street, Edinburgh, EH6 6NF, Scotland. Email: [email protected]

UNIVLEEDS Head of Records Management and Information Governance, Woodhouse Lane, Leeds, LS2 9JT, United Kingdom. Email: [email protected]

BWS Data Protection Officer, Dragan Tsankov Blvd. 8, ii64 Sofia, Bulgaria. Email: [email protected]

LFL Data Manager. Email: [email protected]

6. Each Controller will:

6.1 Process the Project Personal Data only for the purpose of carrying out the Project;

6.2 ensure that all persons authorised by it to Process the Project Personal Data, before they have access to the Project Personal Data, have received appropriate training in relation to data protection and the protection and use of Project Personal Data and have committed themselves to keep the Project Personal Data confidential (at least to the same standard of confidentiality as is required by this Agreement) or are under an appropriate statutory obligation of confidentiality;

6.3 maintain a written record of all categories of Processing activities carried out by it, containing:

(a) the name and contact details of any Processor (which for the purposes of this Agreement includes, where the context permits, any Sub- processor) used by it to Process any of the Project Personal Data and, where applicable, of the any Processors’ Data Protection Officers and any Representative;

(b) the categories of Processing of Project Personal Data carried out by it or any Processor used by it to Process any of the Project Personal Data;

(c) where applicable, transfers of the Project Personal Data outside the European Union and documentation of suitable safeguards adopted in connection with that transfer; and

(d) a general description of the technical and organisational security measures taken in respect of any of the Project Personal Data.

6.4 provide the other Controller(s), on request, with a copy of the records referred to in paragraph 6.3; and

6.5 make the records referred to in paragraph 6.3 available to any competent Supervisory Authority on request and will, as soon as reasonably possible, notify the other Controller(s) that it has done so.

7. Without prejudice to paragraph 6, each Controller will take appropriate technical and organisational measures:

7.1 in such a way that its Processing of the Project Personal Data will meet the requirements of the Data Protection Legislation and will ensure the protection of the rights of Data Subjects and allow it and the other Controller(s) to fulfil its obligations to Data Subjects;

7.2 to ensure a level of security appropriate to the risk, including amongst other things, as appropriate:

(a) the encryption of the Project Personal Data;

(b) the ability to ensure the on-going confidentiality, integrity, availability and resilience of systems and services Processing the Project Personal Data;

(c) the ability to restore the availability and access to the Project Personal Data in a timely manner in the event of a physical or technical incident;

(d) having and implementing a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing of the Project Personal Data; and

7.3 to ensure the security of the Project Personal Data and the reliability of its personnel who may have access to, or be involved in, the Processing of the Project Personal Data, including by carrying out appropriate verification checks.

8. Without prejudice to the provisions of paragraph 7, each Controller will keep all of the Project Personal Data secure from any unauthorised or accidental use, access, disclosure, damage, loss or destruction.

9. Each Controller will take steps to ensure that any natural person acting under its authority who has access to any of the Project Personal Data does not Process them except on its instructions, unless he or she is required to do so by applicable law.

10. No Controller will transfer any of the Project Personal Data outside the EEA, even if in response to a legal requirement outside Europe without first obtaining the written consent of the other Controller(s) and, notwithstanding any other Controller giving any such consent, the Controller(s) will make any such transfer except in accordance with the Data Protection Legislation and subject to the execution of any document or agreement, which, in the reasonable opinion of the other Controller(s), is required in order to lawfully effect any such transfer of Project Personal Data.

11. Without prejudice to paragraph 10:

11.1 if any Controller Processes any of the Project Personal Data in, or transfers any of it to, a country or territory outside the European Union which does not ensure an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data, it will first enter into the standard contractual clauses for the transfer of personal data from the EU to third countries (controller-to-controller transfers) contained in the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the "EU SCCs"); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the "UK SCCs"); with the other Controller(s); and

11.2 without prejudice to paragraph 11.1, if any Controller is in the European Union but will use a Processor in, or will transfer any of the Project Personal Data to a Processor in, a country or territory outside the European Union which does not ensure an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data, it will first enter into the standard contractual clauses for the transfer of personal data from the EU to

third countries (controller-to-processor transfers) contained in the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the "EU SCCs"); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the "UK SCCs"); with that Processor on its own behalf and on behalf of, and in the name of, the other Controller(s)

12. Each Controller will, on the request of any other Controller:

12.1 comply with any request from that other Controller to amend, rectify, transfer, block or destroy any of the Project Personal Data;

12.2 provide the other Controller(s) with such information about its and its Processors’ Processing of the Project Personal Data and such assistance as any other Controller may request from time to time to allow each of the other Controller(s) to meet its obligations under the Data Protection Legislation, including the other Controller’s obligations to Data Subjects and in relation to data security and Data Protection Impact Assessments, and to allow the other Controller to be able to demonstrate compliance with the Data Protection Legislation;

12.3 take such other action or refrain from taking any action necessary to comply with, or to allow the other Controller(s) to comply with, the Data Protection Legislation or the order of any competent supervisory authority or court of competent jurisdiction; and

12.4 co-operate with any competent supervisory authority.

13. Each Controller will notify the other Controller(s) as soon as reasonably possible if it becomes aware of any breach of this Agreement, any breach of any of the Data Protection Legislation and/or any Data Protection Incident. That notice must (at least):

13.1 describe the nature and facts of the breach including, where possible, the categories and approximate number of Data Subjects (if any) concerned and the categories and approximate number of data records concerned;

13.2 communicate the name and contact details of the Data Protection Officer or other

13.3 contact point where more information can be obtained;

13.4 describe the likely consequences of the breach; and

13.5 describe the measures taken or proposed to be taken by the Controller(s) to address and remedy the breach, including, where appropriate, to mitigate its possible adverse effects.

14. Each Controller will give written notice to the other Controller(s), as soon as reasonably possible, should it or any of its Processors receive any request, complaint, notice, order or communication which relates directly or indirectly to the Processing of the Project Personal Data or to compliance with the Data Protection Legislation and, at the same time, will forward a copy of that request, complaint, notice, order or communication to the other Controller(s). Each Controller will co-operate with the other Controller(s) and give them such information and assistance as any other Controller may reasonably

require in relation to that request, complaint, notice or communication to enable the other Controller(s) to respond to the same in accordance with any deadline and any requirement to provide information. None of the Controllers will act on any such request, complaint, notice, order or communication without first consulting the other Controller(s).

15. Each Controller will allow any other Controller (or its representatives) at reasonable times and from time to time, to inspect and review its and its Processors’ compliance with this Agreement and the Data Protection Legislation and will give any other Controller any assistance which it may reasonably require in connection with that inspection and review. Each Controller will ensure that its Processors will give any other Controller any assistance the other Controller reasonably requires to carry out that inspection and review.

16. Each Controller will, as quickly as possible, rectify any and all security weaknesses and vulnerabilities reported to it by any other Controller and will confirm to the other Controller(s) in writing when this has been done.

17. In the event of an unexpected event which affects any Controller’s ability to process the Project Personal Data in accordance with this Agreement, including any storm, fire, flood, telecommunications failures, IT systems failures and breaches of security, that Controller will invoke and implement a recovery plan so that it is still able to provide and does Process the Project Data in accordance with this Agreement.

18. No Controller will appoint any Processor without first obtaining the written consent of the other Controller(s). Notwithstanding any other Controller giving any consent to the appointment of any Processor, each Controller will (as a minimum):

18.1 impose on each Processor those obligations which Controllers are obliged to impose on Processors under the Data Protection Legislation;

18.2 monitor each Processor’s compliance with those obligations and ensure that each Processor complies with those obligations; and

18.3 be liable to the other Controller(s) for the acts and omissions of its Processors as though they were its own acts and omissions.

19. This Agreement will, at the request of any Controller, be amended from time to time insofar as is necessary or desirable to achieve any or all of the following:

19.1 to bring this Agreement or any Controller’s obligations in respect of the Project Personal Data into line with the Data Protection Legislation; or

19.2 to allow any Controller to comply with the Data Protection Legislation and the requirements and recommendations of any competent Supervisory Authority.

20. Each Controller will comply with all the duties and obligations imposed from time to time on Controllers by the Data Protection Legislation and, without prejudice to the foregoing, each Controller will:

20.1 establish and document the legal basis or bases on which it Processes the Project Personal Data;

20.2 where any Special Category Data as defined in Article 9 of the GDPR is Processed, establish and document the condition which justifies the Processing of that Special Category Data for the purposes of the Project;

20.3 provide Data Subjects with all information necessary, and obtain any and all Consents from Data Subjects necessary, to allow it to Process their Personal Data in accordance with this Agreement; transfer their Personal Data to the other Controller(s); and allow the other Controller(s) to Process their Personal Data in accordance with this Agreement, including (without limitation) any automated decision making or profiling;

20.4 at the request of any other Controller, provide the other Controller’s with details of the legal basis on which any the Project Personal Data are Processed and the condition which justifies the Processing of any Special Category Data, and with copies of any Consent obtained from any Data Subject;

20.5 if the legal basis for Processing any of the Project Personal Data or the condition to be met to justify the Processing of any Special Category Data for the purposes of the Project is the Data Subject’s Consent, and that Consent is withdrawn, or if any Data Subject objects to any Processing of his or her Personal Data carried out for the purposes of the Project or exercises his or her right to erasure or restriction or any other right under the Data Protection Legislation, as soon as possible, give notice of that withdrawal, objection or the exercise of that right and of the Project Personal Data affected to the other Controller(s). (The other Controller(s) may stop Processing that Project Personal Data and delete it from its systems unless there is another legal basis for Processing that Project Personal Data, or the Processing meets any other condition which justifies the Processing of Special Category Data for the purposes of the Project, or there are compelling legitimate grounds for the Processing which override the interests, rights and freedoms of the Data Subject, or the Processing is necessary for the establishment, exercise or defence of legal claims.);

20.6 carry out any Data Protection Impact Assessments in respect of the Processing of the Project Personal Data necessary to comply with the Data Protection Legislation.

21. The provisions of this Agreement will continue in full force and effect for so long as any of the Project Personal Data is Processed, notwithstanding the termination of this Agreement or the completion of the Project.

22. Each Controller will indemnify the other Controller(s) and keep them fully and effectively indemnified on demand against any and all costs, claims, demands, damages, expenses and liabilities of any nature and against any and all fines and penalties arising out of or in connection with any breach by it or any of its Processors of this Agreement. This paragraph will survive the termination of this Agreement, the completion of all Processing of the Project Personal Data and the completion of the Project, and will continue in force without limit in time.

23. Each Controller will securely destroy and permanently delete from its and its Processors’ systems (including back-up and archive systems) all copies of any of the Project Personal Data held by it or any of its Processors at the end of the relevant retention period in Appendix 1 of this Agreement and in any case on the termination or expiry of this Agreement (except any of the Project Personal Data which any law to which a Controller is subject requires it to continue to store the Project Personal Data).

24. This Agreement may be executed in one (1) or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument. A signed copy of this Agreement delivered by e-mailed portable document

format file or other means of electronic transmission shall be deemed to have the same legal effect as delivery of an original signed copy of this Agreement.

25. This Agreement is governed by the laws and exclusive jurisdiction of the Irish courts.

APPENDIX 1

The Subject Matter of the Processing Work Package 1 – Restoring Services - Observational Data: Qualitative data

from questionary and free text format

based on interview

- Derived/Compiled: Data coming from

meta-analysis and compilation by

literature analysis and the wetland

researchers and practitioners

survey.

Work Package 2 – Engaging Communities - Observational: Anthropological

participant observation during

engagement activities.

- Derived/Compiled: Online surveys

and remote and in-person semi-

structured interviews. Data will also

be derived from registration forms

(Typeform) to engagement events.

- Derived/Compiled: Stakeholder

mapping conducted based on

publicly available information on

stakeholders.

- Observational: Interviews and

workshop contributions captured in

real time through notes and

facilitators.

- Derived/Compiled: Online surveys

for both project participants and

community representatives

- Derived/Compiled: Analysis of

interview/group discussion data

- Derived/Compiled: Qualitative data

from deliberation (interviews/group

discussions).

Work Package 4 – Mobilising Finance - Derived/Compiled: Collection of

market research data on financial

instruments applied at Action Sites

and best-practice elsewhere

amongst WaterLANDS network.

Interview and questionnaire based.

Work Package 5 – Co-creating best practice - Observational: sample and count

data from the citizens, and their

responses to the survey.

- Derived/Compiled: Data from review

and scoring the existing manuals or

from surveys of experts and

practitioners

The WaterLANDS Data Management Plan provides extended detail of this data collection and processing.

The Legal Basis for Processing GDPR - Article 6.1(a) ‘Consent’: The data subject has given consent to the processing of his/her personal data for one or more specific purposes GDPR – Article 6.1(e) ‘Public task’: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller GDPR Article 9.2(a) ‘Explicit consent’: the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject GDPR Article 9.2(j) ‘Archiving, Research and Statistics’: processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject

The Duration of the Processing Processing of data will run for the duration of the Project (Nov. 2022 – Nov. 2026), allowing for a retention period outlined below. Financial and Human Resources data will adhere to individual institutional and national standards, without prejudice to GDPR regulations. Financial data processing will continue until such a time as auditing requirements are achieved, and is a requirement under EC funding requirements for those Parties whose total Direct Costs budget exceeds €325k.

The Nature and Purpose of the Processing The nature of processing will take numerous forms dependent on the research question,

deliverable and research tool required. This could include, but is not limited to;

- generation of aggregated overview

statistics (proportions, percentages,

means, etc.)

- thematic analysis of qualitative data

- coding of qualitative responses and

meta-analyses of same

- modelling of raw quantitative data or

coded qualitative data

- triangulation of responses within

questionnaires, surveys, interviews,

etc.

The purpose of processing relates to the following overarching Project goals:

- Ensure the scalable restoration of

wetlands across Europe, engaging

with relevant stakeholders to achieve

this.

- Disseminate the scientific findings of

this process to improve future

attempts at this and feed into the

academic literature

- Support the development of more

effective policy, legal and financial

mechanisms to improve restoration

work.

The Types of Personal Data Processed The interdisciplinary nature of this project necessitates the collection of a variety of personal data types through the lifespan of this project, as outlined in detail within the Data Management Plan of the Project. These include the following:

- Workshop recordings, transcripts,

images, and annotations

- Questionnaire responses (qualitative

and quantitative)

- Administered survey responses

- Postal/ electronic survey responses

- Semi-structured interview notes,

images, transcripts or recordings

- Written accounts of direct

conversations with stakeholders

- Minutes of public meetings

The Categories of Data Subjects to whom the Project Personal Data relate

- Employees of the Project Parties

who are directly involved in the

operation of the Project.

- Human subjects providing data

directly related to the Project aims

and objectives.

The Retention Periods Research Subject Data collected within the duration of this Project will be retained for no longer than 1 year after the completion of the Project (November 2027), to allow sufficient time to publish results relating to this and allow Subjects the option to withdraw involvement. This does not affect the right of Subjects. Aggregated, pseudonymised an securely stored data may be retained for longer periods to ensure that any legal claims against publications made can be defended.

AS WITNESS:

The Parties have caused this Data Agreement to be duly signed by the undersigned

authorised representatives in separate signature pages on the day and year first above

written.

1. UNIVERSITY COLLEGE DUBLIN, NATIONAL UNIVERSITY OF IRELAND, DUBLIN

Signature(s)

Name(s) Eoin O’Neill

Title(s) Head of School

Date 20/7/22

2. NATIONAL UNIVERSITY OF IRELAND GALWAY (NUI Galway)

3. LIFE IP Wild Atlantic Nature, Department of Housing, Local Government and

Housing]

Signature(s)

Name(s): Dr Derek McLoughlin

Title(s): Project Manager

Date 07/09/2022

4. IRISH RURAL LINK CO-OPERATIVE SOCIETY LIMITED (CWF)

5. ERINN INNOVATION LIMITED (ERINN)

7. PROSPEX INSTITUTE

8. WWF BULGARIA (WWF-BG)

Signature(s)

Name(s): Stela Apostolova

Title(s): senior project officer

Date 18/07/2022

9. TARTU ULIKOOL (UTARTU)

10. SIHTASUTUS EESTIMAA LOODUSE FOND (ELF)

11. RIIGIMETSA MAJANDAMISE KESKUS (RMK)

12. AS TOOTSI TURVAS (ToTu)

13. ITA-SUOMEN YLIOPISTO (UEF)

14. GEOLOGIAN TUTKIMUSKESKUS (GTK)

15. PLAN BLEU POUR L'ENVIRONNEMENT ET LE DEVELOPPEMENT EN

MEDITERRANEE (Plan Bleu)

16. TOUR DU VALAT

17. MICHAEL SUCCOW STIFTUNG ZUM SCHUTZDER NATUR (MSF),

18. UNIVERSITA CA' FOSCARI VENEZIA (UNIVE)

19. WE ARE HERE VENICE

20. WAGENINGEN UNIVERSITY (WU)

21. STICHTING WETLANDS INTERNATIONAL (WI)

23. PROVINCIE GRONINGEN (GRON)

24. STAATSBOSBEHEER (SBB)

25. CENTRUM OCHRONY MOKRADEL (CMok)

26. UNIWERSYTET WARSZAWSKI (UW)

27. AGENCIA ESTATAL CONSEJO SUPERIOR DE INVESTIGACIONES CIENTIFICAS,

M.P. (CSIC-EBD)

28. UPPSALA UNIVERSITET (UU)

29. NATURAL ENGLAND (NE)

30. SCOTTISH WILDLIFE TRUST

31. UNIVERSITY OF LEEDS (UNIVLEEDS)

32. BALKANI WILDLIFE SOCIETY (BWS)

33. LANDSCAPE FINANCE LAB (LFL)