Data Protection Policy for STARLIGHT

As of 21/03/2025.

1. What is STARLIGHT? 

STARLIGHT is an EU HORIZON 2020 research project and stands for “Sustainable Autonomy and Resilience for LEAs using AI against High priority Threats”. The project is funded by the European Commission under grant agreement ID 101021797. 

The rationale of the project is rooted in the increasing complexity of security challenges, combined with the accumulation of significant amounts of digital data, both of which call for better and more widespread use of Artificial Intelligence (AI) capabilities for law enforcement agencies (LEAs). AI can namely provide benefits to LEAs at all levels given the right understanding, tools, data and protection while increased awareness of criminal misuse is providing an immediate and concerning threat that must be tackled rapidly. Furthermore, a community that brings together LEAs, researchers, industry, security practitioners and other actors in the security ecosystem under a coordinated and strategic effort is essential for the realisation of these efforts into operational practices. STARLIGHT presents an inclusive and sustainable vision for increasing the awareness, capability, adoption and long-term impact of AI in Europe for LEAs. 

Against this backdrop, five strategic goals underpin STARLIGHT’s approach: (1) Improve the widespread understanding of AI across LEAs to reinforce their investigative and cybersecurity operations and the need to uphold legal, ethical and societal values; (2) Provide opportunities to LEAs to exploit AI tools and solutions in their operational work that are trustworthy, transparent and human-centric; (3) Ensure that LEAs can protect their own AI systems through privacy- and security-by-design approaches, better cybersecurity tools and knowledge; (4) Raise LEAs’ expertise and capacity to combat the misuse of AI-supported crime and terrorism; and (5) boost AI for LEAs in Europe through high-quality datasets, an interoperable and standardised framework for long term sustainability of solutions, and the creation of an AI hub for LEAs that supports a strong AI security industry and enhances the EU’s strategic autonomy in AI. STARLIGHT will ensure that European LEAs lead the way in AI innovation, autonomy and resilience, addressing the challenges of now and the future, prioritising the safety and security of Europe for all.  

 

I. Why your personal data might be involved and processed by STARLIGHT?  

During the research activities and the rollout of the project, personal information will be inevitably processed. In such case, if your personal data are processed, you will be the ‘data subject’. Hereby, we sum up four main areas where personal data processing operations may take place. Please be aware that the list below is by no means exhaustive. In the circumstance when the consortium will learn about the necessity of a new data processing operation to be initiated, we will update this list as soon as possible 

  1. Testing and integration of STARLIGHT technologies. As you can read above, STARLIGHT is characterised by five strategic goals. Your personal data may be processed to optimize, test, validate or train AI tools, fitting into one or more of these project goals. These AI tools will ultimately be operationalized in six use cases, which comprise a total of 14 possible operationalisation scenarios.  

    These use cases and underlying scenarios are the following:   

    Use Case 1 - counterterrorism     
        - Scenario 1 - Analysis of terrorist online content     
        - Scenario 2 – Investigation of a terrorist attack  

    Use Case 2 – Child Sexual Exploitation    
        - Scenario 3 – Abuse of children and subsequent exploitation of content: identification of CSEM content
        Scenario 4 - Online coercion of children deceived into sharing and producing sexually explicit material
        Scenario 5 - Commercial exploitation of CSE material  

    Use Case 3 – Border and External Security    
        Scenario 6 - Identifying illegal activities at land border territories    
        Scenario 7 - Facilitation of illegal immigration through document fraud  

    Use Case 4 – Cybersecurity and Cybercrime     
        Scenario 8 - Prevention Phase: Information gathering and sharing    
        Scenario 9 - Detection and mitigation Phase  

    Use Case 5 – Addressing information overload in serious organised crime    
        Scenario 10 – Infobesity: information overload fusing investigative analysis    
        Scenario 11 - Criminal activities and data localization and correlation    
        Scenario 12 - Early warning and predictive analytics systems  

    Use Case 6 – Protection of Public Spaces    
        Scenario 13 - Crowd behaviour monitoring and access management    
        Scenario 14 - Protection of large-scale open space public events 
     
  2. Benchmarking of AI systems – In addition to the research purposes as described above, STARLIGHT will develop two solutions to facilitate the need for representative, multilingual and multimodal datasets to train, test and benchmark AI tools in a legally and ethically compliant manner. To this end, personal data may be stored even after the finalization of the research project. To safeguard your informed consent to this processing purpose, the informed consent forms will provide an explicit opt-out of this data processing purpose, allowing the option to simply unclick a tick box. More information about this processing purpose and the corresponding storage duration will also be given in the information sheet accompanying the consent form, pursuant to Art 13 GDPR.  
  3. Business-related personal data – This is the case in which you are a project partner. Name, surname, e-mail address, organisation are often processed amongst partners to undertake ordinary project activities, like emailing, planning of assemblies and related attendance lists, decision-making processes and legal compliance duties. Cookies might be installed to enable access to the shared private online working platform of STARLIGHT. 
  4. Visiting the project website or STARLIGHT social media accounts. Our project website is openly available for consultation. In the case you end up navigating our webpages, our cookie policy applies (see specific section). We also have a Twitter profile and a LinkedIn profile. Your account names will solely be processed by the partner in charge of the communication and nobody else from the STARLIGHT project will see it.  
  5. Incidental processing – periodic review and updates of this policy  If your information is not in any of the above-mentioned four areas, your personal data will not be processed by STARLIGHT. However, we cannot ensure the accuracy of this statement with absolute certainty, as other personal data might incidentally be processed. In such case, we would announce this circumstance, update this privacy policy and, if required by law, ask for your explicit consent to process said personal data.  

 

II. The Controller? 

According to the GDPR (Article 4), “controller” denotes “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. In essence, the controller is the person or entity which leads the personal data processing operation by determining purposes and means for the processing (i.e. the entity that determines the “why” and the “how” of the processing).  

In STARLIGHT, processing operations are handled by different partners. Supervision over such operations and the determination of purposes and means are dealt with by the responsible partners in close coordination with the entity responsible for the project (i.e., project coordinator). Below are the contact points of the project coordinator, should you have any query regarding the way personal data is processed: 

- Coordinating entity: Commissariat A l’Energie Atomique et aux Energies Alternatives (CEA) (mailto: and starlight@cea.fr)   
- Project Coordinator: Nizar Touleimat (Nizar.TOULEIMAT@cea.fr 

 

III. How does the project process personal data? 

Personal information within the STARLIGHT project are processed based on a number of legal bases. The most frequently relied on legal basis for the processing in the context of the project is the legitimate interest of the consortium, which substantiates in the research activities carried out with the purpose of implementing the Grant Agreement n. 101021797, which the STARLIGHT Consortium signed with the European Commission. 

Within STARLIGHT, non-business related personal data processing is necessary for scientific research purposes in accordance with GDPRArticle 89(1) and based on European Union Regulation No 1291/2013 of the European Parliament and of the Council of 11 December 2013 Establishing Horizon 2020 - The Framework Programme for Research and Innovation (2014-2020) and Repealing Decision No 1982/2006/Ec. 

 

IV. Some additional information on the policy of the project and about the ways personal data are processed 

Nonetheless, processing personal information pursuing research interests implies that a number of safeguards and proactive initiatives are to be taken in order to protect the rights of the data subjects at issue. In order to do so, STARLIGHT project partners consider all following principles before, during and after the personal data processing activities: 

  1. Fairness and lawfulness. Personal data are processed fairly and for the purposes for which they were collected initially. Any re-purposing is done by an assessment of the compatibility test (i.e. the initial purpose and the research purpose for which partners process personal data must be compatible with one another). Moreover, the legality of personal data processing operations is assessed by the project coordinator in coordination with project partners.  
  2. Security of processing. Personal data processing operations are conducted following the available security measures, both technical and organizational. As an example, access control and authentication-based environments are applied to the access to datasets containing personal data, and the need-to-know principle is implemented in the vetting of any researcher involved in STARLIGHT personal data processing operations.  
  3. Data minimisation. Collection and processing of personal data, including during the technology testing and the data storage, follow the principle of data minimisation. This means, for example, collecting data (and tuning STARLIGHT technologies) in a way that only the strictly necessary amount of personal data is processed. Furthermore, the testing of STARLIGHT technologies will be conducted only in circumscribed perimeters, and whenever personal details will be needed, pseudonymization will be sought.  
  4. Third-party non-disclosure. No personal data will be disclosed to any third-party (i.e. non-consortium entities) unless there is an explicit authorization to do so by the interested individual or a contractual obligation to be fulfilled.  
  5. Use-case-based access. Personal data will remain within the consortium domain. Furthermore, personal data will only be accessed by the partners with an involvement in a given use-case. If the partner does not have any interest or involvement in a use case, personal data processed therein will not be disclosed to them, in accordance with the need-to-know principle.  
  6. Long-term identification is not an objective. It is not in the purposes of this project to retain personal data for long periods and to aggregate such data so as to identify an individual. When personal data are processed for research finalities, such sets will mostly be operated for the duration of the testing and development and will be immediately deleted afterwards unless otherwise indicated. Personal data processed for the benchmarking of AI systems (see before) may be stored for a duration longer than the project term. In case of such prolonged processing, the criteria used to determine the prolonged duration will be documented in this policy. 
    For the processing activities that rely on your consent as a legal basis, the (criteria to determine this) duration shall be specified in the information sheet accompanying the informed consent form. The latter will offer you the possibility to opt out of having your personal data processed for this purpose.  
  7. Accuracy. The STARLIGHT project regularly reviews datasets where personal data are stored in order to ensure the accuracy and reliability of the information therein. Systems to update the information are in place so as to ensure both security and controlled access to datasets.  

 

V. For how long will we retain the information? 

If immediate deletion will not occur, that means we have a legal obligation and/or a research purpose to archive the data either for contractual reasons or for scientific research finalities. In such case, STARLIGHT partners will retain the personal data in question for a maximum of one year from the termination of the project, unless otherwise indicated or requested by a supervisory authority or for auditing purposes and unless the data will be stored as part of the STARLIGHT data repository, for which data will be stored for ten years, pursuant to the storage limitation principle in Article 39 GDPR. Derogations may be made for the “benchmarking AI systems” purpose, as described before, and in case of any such derogations, the criteria used to determine the prolonged duration will be documented in this policy.

 

VI. Your rights upon the personal data we process 

If you, as a data subject, believe that any of your personal data are processed by STARLIGHT, you are entitled to request the controller to undertake the following actions: 

  1. Right to access - Data subjects are entitled to request information regarding their personal data, including purposes, categories of information, recipients, retention, source of collection, transfer to third countries (non-EU Member States). Moreover, the data subject is entitled to receive a copy of such data. 
  2. Right to erasure or rectification - Data subjects may request at any time for their personal data to be amended, updated or erased by the controller. 
  3. Right to restriction of processing - Data subjects have the right to request that their data are suspended from being processed, anytime the data results to be inaccurate or unlawfully or unnecessarily processed.  
  4. Right to data portability - Data subjects shall have the right to receive their personal data in a machine-readable format, anytime they wish to transfer such data to another controller representing a similar service.  
  5. Right to object - Data subjects have the right to object to the processing of their personal data anytime they demonstrate grounds relating to their particular situation, unless the processing is conducted on public interest grounds and pursuant to Article 89(1).  
  6. Right not to be subject to automated decision-making or profiling - Data subjects have the right not to be subjects to automated decision-making processes (including profiling) which substantiates in legal consequences for the data subject.   

 

VII. To whom can you address these questions? 

Commissariat A l’Energie Atomique et aux Energies Alternatives (CEA), LIST Institute  
Email: project_coordination_office@starlight-h2020.eu 
Address: CEA Saclay – Nano-INNOV - LIST/DIR – PC 142 – 91191 GIF-SUR-YVETTE Cedex, France  

 

VIII. Remedies 

The STARLIGHT Consortium is committed to timely respond to any inquiry you may have, and reasonably comply with any exercise of your rights enlisted above. However, data subjects should be aware that each time their requests are not satisfactorily fulfilled by the controller, or they believe their rights have been violated, recourse to data protection authorities or to the ordinary judicial branch is still possible.   

 

IX. How we embed privacy within the consortium 

The STARLIGHT project values the respect for privacy and data protection as both a legal requirement and an ethical standard. For this reason, we indicate below the periodical actions and initiatives we undertake in order to frequently review the way the project observes and respects privacy standards.  

a) Respect for the GDPR and its obligations in the scientific research domain - The main legal act we rely upon for complying with privacy and data protection rights is the GDPR. In this respect, we continuously assess our activities, particularly if or when involving personal data processing operations for scientific research purposes, against the rights of the individuals and our legal obligations enshrined in the GDPR. 

b) Accountability - We maintain and regularly update internal policies enabling the consortium to keep records and documentation of the relevant personal data processing operations. These actions include the assessment of the risks that our research may pose to the rights and freedoms of individuals. Such processes aim at identifying mitigation measures and enabling safeguards against privacy violation and are recorded in the so-called DPIA (data protection impact assessment). 

c) Awareness raising - We regularly undertake activities aimed at informing our consortium partners about the data protection obligations and standards that we abide to. Initiatives are performed on a periodical basis and include webinars, presentations and ad-hoc sessions on privacy, data protection and the respect for fundamental rights in research activities. Privacy sessions are organized in the course of every face-to-face general assembly organized by the consortium.   

d) Ethical standards - As said above, we do not only regard the protection of personal data and privacy as a legal requirement to meet. The STARLIGHT project considers personal data protection obligations as an ethical standard of best practice. For this reason, the consortium implements and assesses privacy beyond what is imposed by law and as a by-design principle, including in the development of any technology and its integration within use-case scenarios.   

e) Further research guidelines - The STARLIGHT project makes extensive use as a benchmark and as a code of conduct of further ethical guidelines issued by the European Commission on responsible research. Such manuals inform researchers and projects funded under the Horizon2020 and similar EU funding programs about the best practices to be adopted when the research involves the processing of personal data.  

 

X. How can you make use of the STARLIGHT website? 

The STARLIGHT project website is committed to user privacy. The policy on protection of individuals with regard to the processing of personal data is in compliance with the relevant GDPR provisions. This general policy covers the use of this website by any user. Although you can browse through most of this website’s pages without giving any information about yourself, personal information is processed for the following purposes: (I) During your visit to this website, personal data, including your IP number, may be used for the sole purpose of generating anonymous and aggregated statistics about the use of the site (e.g. the geographical use and the indication of the number of one time and returning users…); (II) We monitor the non-personal information collected in our server log files. This information includes for example number of visitors to the site, most popular pages, operating system, and browser type. We use this information to help us improve our website and enhance your viewing experience. The server log files do not collect Personal Data since all data mentioned above is anonymized.  

Unless you were to use proxies or other obfuscation tools, you will provide this information automatically by connecting to the website. Such data will not be transferred to third parties except as necessary to process it for the statistical purposes already mentioned.  

Information About Cookies 

 What are cookies? 

As is common practice with almost all professional websites this site uses cookies, which are tiny files that are downloaded to your computer, to improve your experience.  

 Disabling cookies 

You can prevent the setting of cookies by adjusting the settings on your browser (see your browser Help for how to do this). Be aware that disabling cookies will affect the functionality of this and many other websites that you visit. Disabling cookies will usually result in also disabling certain functionality and features of this site 

The STARLIGHT project commits to the following: 

  1. To use the above-mentioned data in a fair, proportionate and transparent way.  
  2. It will store data securely and for a limited period of time (no more than 3 months after the termination of the project), and reminds you that you can, at any time, request more information about it.  
  3. For this website, a controller determines the purposes and means of the processing of personal data and ensures conformity with the privacy policy. 

Contact:

  1. For any query you may have regarding your privacy and personal data, you can contact the project coordinator at project_coordination_office@starlight-h2020.eu 
  2. In case you may want to seek remedy for any privacy violation, you may want to refer to a Data Protection Authority within any European Union’s Member State.  
  3. Any dispute arising from or related to the use of this website or to the acceptance, interpretation or observance of the Privacy Policy shall be submitted to the exclusive jurisdiction of the competent Court of Paris, which shall apply French law. 

The DPO contacts can be made available upon request (starlight@cea.fr), and the full list of contacts has been provided to the EC.