Relevant Activities
Subject
This document outlines the methods for processing the personal data of individuals involved and/or interested in various capacities in the research project of significant national interest (2022 PNRR Call Prot. P2022JSLZW, hereinafter referred to as the “Project”) and examines the compliance of such processing with the applicable regulations.
Applicable Legislation
The preparation of this document has taken into account the current regulatory framework, primarily consisting of the following sources:
- Regulation (EU) No. 679/2016 of the European Parliament and of the Council of 27 April 2016, establishing the European framework for the protection of natural persons with regard to the processing of personal data and the free movement of such data (General Data Protection Regulation – GDPR, hereinafter referred to as the “Regulation” or “GDPR”);
- Legislative Decree No. 196 of 30 June 2003, as most recently amended [Legislative Decree No. 196 of 30 June 2003, as amended by Legislative Decree No. 101 of 10 August 2018; Legislative Decree No. 24 of 10 March 2023; Decree-Law No. 139 of 8 October 2021, converted, with amendments, into Law No. 205 of 3 December 2021; and Decree-Law No. 132 of 30 September 2021, converted, with amendments, into Law No. 178 of 23 November 2021] (hereinafter referred to as the “Privacy Code”).
Description of Data Collection and Processing: Identification of Data Controllers and Purpose of Processing
The Project involves the processing of personal data. The personal data involved are common data:
- Name and surname;
- Gender;
- Date and place of birth;
- Tax identification number;
- Financial data;
- Information on corporate roles and shareholdings.
These data pertain to individuals who have been assigned managerial roles within public administrations. The data collected are already public, as they are subject to mandatory publication in compliance with transparency regulations. More specifically, these data are obtained by accessing the “Transparent Administration” section of public administration websites (e.g., data have been collected from sources such as the Municipality of Perugia, Municipality of Milan, Umbria Region, and Lombardy Region). The data are then, if necessary, cross-checked with information available in public professional registers (e.g., for lawyers, engineers, etc.), which are also public.
The data collected are processed solely for scientific research purposes (an activity framed within a research project funded by PRIN-PNRR funds, awarded through a ministerial call, and conducted by the University of Perugia and the Catholic University of the Sacred Heart). The aim of the project is to develop a body of knowledge as well as new theories and content.
The data collected are processed exclusively in the execution of a task carried out in the public interest, pursuant to Article 6(1)(e) of the GDPR and Articles 2-ter(2) and 2-ter(1-bis) of the Privacy Code, as the research activity is conducted by a public administration (the university) in the performance of its institutional mission of public interest (research). This activity is carried out in implementation of a general act (the PNRR), as detailed and integrated by ministerial decrees issued by the Ministry of Universities and Research (MUR) that launched the research project calls under which the ACOI research project was evaluated, approved, and funded.
Specifically, the processing of the data collected is intended for the advancement of the specific research project, as identified above, as well as for the associated monitoring and reporting activities. These activities are carried out by duly authorized individuals with responsibility for these tasks.
The research project is aimed at examining solutions based on the processing of personal data to analyze, map, and detect risks of conflicts of interest among public employees or consultants.
The individuals conducting research activities under this project, who may access or process the collected data, are explicitly identified and are part of the staff of the following institutions: the University of Perugia and the Catholic University of Milan (hereinafter also referred to as the “Controller” or “Controllers” of the data processing).
Identification of the Legal Bases for Personal Data Processing in the Context of the Project
Current personal data protection regulations allow for data processing only if it satisfies one or more of the legal bases outlined in Article 6 of the GDPR. Therefore, it is necessary to identify the legal bases for each type of processing. In the present case, the processing is carried out by the Data Controller as part of the performance of tasks in the public interest, pursuant to Article 6(1)(e) of the GDPR. Under this provision, personal data processing is lawful when it is necessary for the execution of a task carried out in the public interest or in connection with the exercise of public authority vested in the Data Controller. This necessity requirement is met when data must be processed to pursue the typical purposes of the administration or the entity exercising public authority. In the present case, the necessity arises from the responsibilities of the Data Controller, as the primary purpose of universities is research. This is highlighted in Law No. 240 of 2010, which, in Article 1, states: “Universities are the primary sites for free research and free education within their respective frameworks and are places of learning and critical knowledge development. They operate by organically combining research and teaching to advance the cultural, civil, and economic progress of the Republic.”
In addition to the legal basis provided by the necessity clause, the processing is also explicitly supported by provisions authorized under Italian national law. Article 6(2) of the GDPR states: “Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing, in accordance with paragraph 1(c) and (e), by determining more precisely the specific requirements for processing and other measures to ensure lawful and fair processing in specific situations, as referred to in Chapter IX.”
Pursuant to Article 2-ter of the Privacy Code, as recently amended, the Italian legislator has established that valid legal bases for data processing may include not only statutory or regulatory norms but also general administrative acts.
In this context, the data processing carried out is lawful based on the following sources:
- Primarily, the normative framework at both European and national levels that established the National Recovery and Resilience Plan (PNRR) and its associated missions. The research project in question is a product of this framework;
- Secondly, the call for proposals itself [This refers to the PRIN 2022 PNRR Call for Proposals, issued by Directorate Decree No. 1409 of September 14, 2022] serves as a general administrative act issued by the Ministry of Universities and Research. This document, in Article 1, specifies the following: “The PRIN (Projects of Relevant National Interest) program is intended to fund public research projects to promote the national research system, strengthen interactions between universities and research entities in line with the objectives outlined in the National Recovery and Resilience Plan (PNRR), and encourage Italian participation in initiatives related to the European Union’s Research and Innovation Framework Program. For this purpose, the PRIN program funds two-year projects that, due to their complexity and nature, may require collaboration among multiple professors/researchers whose financial needs exceed the normal availability of individual institutions. Depending on the nature of the project, the research group must include at least two research units belonging to different universities, entities, or institutions.”
For the sake of caution, it is important to highlight that the case in question does not fall under the scenarios where prior consultation is required pursuant to Article 36 of the GDPR and Article 110 of the Privacy Code [The cited regulations provide that when a data processing activity may pose a high risk to the rights and freedoms of the individuals concerned (due to factors such as systematic monitoring of their behaviors, the large number of individuals involved, or the processing of sensitive data, or a combination of these and other factors), the Regulation requires the data controllers to conduct a Data Protection Impact Assessment (DPIA) before starting the processing. Furthermore, they must consult the supervisory authority if the technical and organizational measures they have identified to mitigate the impact of the processing are deemed insufficient — that is, when the residual risk to the rights and freedoms of the individuals concerned remains high.] as the condition of a high risk to the rights and freedoms of the individuals concerned is not met. This is primarily due to the nature of the data being processed (mainly personal identification data).
In the Alternative: On the “Coverage” Provided by Article 5(1)(b) and Article 89 GDPR
For the purposes of carrying out this project, in any case, primarily common data collected by public administrations or entities performing public functions (such as professional associations that manage professional registers) are reused in compliance with the transparency obligations imposed on them by law.
The current regulatory framework allows, in such cases, for the reuse of so-called common personal data—without the need for any separate legal basis beyond that which permitted the initial collection—for scientific research purposes.
This is derived from the following provisions:
- Recital 50 of the GDPR: “The processing of personal data for purposes other than those for which the personal data were initially collected should only be allowed if it is compatible with the purposes for which the personal data were initially collected. In such cases, no separate legal basis is required other than the one that enabled the collection of the personal data. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may establish and specify the purposes and tasks for which further processing is considered lawful and compatible. Further processing for archiving purposes in the public interest, or for scientific or historical research, or statistical purposes should be considered lawful and compatible processing.”
- Article 5(1)(b) GDPR: “Personal data shall be: (…) collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing of personal data for archiving in the public interest, for scientific or historical research, or for statistical purposes shall not be considered incompatible with the initial purposes (‘purpose limitation’) in accordance with Article 89(1)”;
- Article 89 GDPR: “Processing for archiving purposes in the public interest, for scientific or historical research, or for statistical purposes shall be subject to appropriate safeguards for the rights and freedoms of the data subject, in accordance with this Regulation. Such safeguards ensure that technical and organizational measures have been put in place, particularly to ensure compliance with the data minimization principle. Such measures may include pseudonymization, provided that the purposes in question can be achieved in this manner. Where the purposes can be achieved through further processing that does not allow or no longer allows the identification of the data subject, such purposes should be achieved in this way. If personal data is processed for scientific or historical research or statistical purposes, Union or Member State law may provide for derogations from the rights set out in Articles 15, 16, 18, and 21, subject to the conditions and safeguards laid down in paragraph 1 of this Article, where the exercise of these rights is likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the achievement of those purposes (…)”.
Information in the case of data obtained from third parties. Methods of communication
The privacy regulations require that the collection of personal data, even when obtained from third parties, be preceded by a specific notice provided to the data subject (cf. Art. 14 GDPR).
This notice must also be communicated individually to each data subject, unless such a communication method would be disproportionate, as it would be excessively burdensome for the data controller; in this case, the obligation to provide the notice can be fulfilled through other public means.
This is deduced:
- from Art. 14, paragraph 5, GDPR, which states: “Paragraphs 1 to 4 shall not apply if and to the extent that: a) the data subject already has the information; b) communicating such information is impossible or would involve a disproportionate effort; in particular, for processing for archiving in the public interest, scientific or historical research purposes, or statistical purposes, subject to the conditions and guarantees under Article 89, paragraph 1, or to the extent that the obligation under paragraph 1 of this article would be likely to render impossible or seriously prejudice the achievement of the objectives of such processing. In such cases, the data controller shall adopt appropriate measures to protect the rights, freedoms, and legitimate interests of the data subject, including making the information publicly available.”
- from Art. 6, paragraphs 4 and 5, Code of Ethics and Good Conduct for the processing of personal data for statistical purposes, which states: “4. When data are collected from third parties, or the processing for statistical or scientific purposes concerns data collected for other purposes, and the notice would involve a disproportionate effort in relation to the right being protected, the controller shall adopt publicity measures as follows:
- for processing involving large sets of data subjects distributed across the entire national territory, publication in at least one widely circulated national daily newspaper or announcement on a nationally broadcast radio or television channel;
- for processing involving large sets of data subjects distributed across a regional (or provincial) area, publication in a widely circulated regional (or provincial) daily newspaper or announcement on a regionally (or provincially) broadcast radio or television channel;
- for processing involving specific categories of data subjects identified by particular demographic characteristics and/or particular educational or occupational conditions or similar, publication in informational tools typically directed at the data subjects. The controller shall inform the Data Protection Authority in advance of the publicity measures taken.
If the controller considers not to use the publicity forms referred to in paragraph 4, also considering the nature of the data collected or the processing methods, or the burdens involved in relation to the type of research conducted, the controller may identify appropriate publicity measures to be communicated in advance to the Data Protection Authority, which may, in any case, prescribe any necessary measures or precautions” (our emphasis).
In the context of this project, in light of the number of data subjects involved, it would indeed be disproportionate to burden the data controller with the obligation to individually communicate the notice. Therefore, the obligation will be satisfied by publishing the notice on the official website and notifying the Data Protection Authority of this form of publicity.
Respect for Additional Privacy Principles. Data Retention and Possible Dissemination of Data
The data collected during the study will be recorded, processed, and stored until the objectives of the project are achieved and, in any case, for the time necessary to fulfill the purpose of the study.
Personal data will be stored by the Data Controller under the responsibility of the scientific manager of the project.
In order to ensure correct and transparent processing, the data will be kept for no longer than is necessary for the purposes for which they were collected or subsequently processed in accordance with legal obligations.
The retention of personal data collected for other purposes (e.g., education, care, etc.) is permitted exclusively for research purposes, provided that the limits imposed by current regulations are respected, particularly those related to correct information and lawful collection.
Proper data retention is not only necessary to comply with data protection regulations but is also a fundamental requirement to ensure professionalism, rigor, and accuracy in the research activity.
The results of the research may be disseminated, including through publication, only in aggregated form or in a way that does not allow the identification of the data subjects, even through indirect identifying data, unless the dissemination concerns public variables.
Regulatory framework that led to the call from which the Project originates, legal basis for the processing:
- Regulation (EU) 2021/695 of the European Parliament and of the Council of April 28, 2021, establishing the Horizon Europe Framework Program for Research and Innovation, setting participation and dissemination rules, and repealing Regulations (EU) No. 1290/2013 and (EU) No. 1291/2013;
- Decision (EU) 2021/764 of the Council of May 10, 2021, establishing the specific implementation program of Horizon Europe, and repealing Decision (EU) 2013/743;
- Regulations for the 2014-2020 programming period and for the 2021-2027 programming period;
- Regulation (EU) 2021/1060 of the European Parliament and the Council of June 24, 2021, laying down common provisions applicable to the European Regional Development Fund, the European Social Fund Plus, the Cohesion Fund, the Just Transition Fund, the European Maritime, Fisheries and Aquaculture Fund, and the financial rules applicable to these funds, as well as to the Asylum, Migration and Integration Fund, the Internal Security Fund, and the Instrument for Financial Support for Border Management and Visa Policy;
- Regulation (EU) 2018/1046 of July 18, 2018, laying down the financial rules applicable to the general budget of the Union, amending Regulations (EU) No. 1296/2013, No. 1301/2013, No. 1303/2013, No. 1304/2013, No. 1309/2013, No. 1316/2013, No. 223/2014, No. 283/2014, and Decision No. 541/2014/EU, and repealing Regulation (EU, Euratom) No. 966/2012;
- Regulation (EU) 2020/2094 of the Council of December 14, 2020, establishing a Union instrument for recovery to support the recovery of the economy after the COVID-19 crisis;
- Commission Delegated Regulation (EU) 2021/2106 of September 28, 2021, supplementing Regulation (EU) 2021/241 of the European Parliament and the Council, establishing the Recovery and Resilience Facility, setting out common indicators and detailed elements for the Recovery and Resilience assessment framework;
- Mission 4 “Education and Research” of the National Recovery and Resilience Plan, and in particular Component C2 – Investment 1.1, Fund for the National Research Program and Nationally Relevant Research Projects (PRIN) of the National Recovery and Resilience Plan, dedicated to Research Projects of National Relevance;
- The Operational Arrangements (OA) related to the PNRR of Italy, which establish the mechanisms for periodic verification (valid until 2026) related to the achievement of milestones and objectives (Milestones and Targets) necessary for the recognition of semi-annual reimbursement installments of PNRR resources for Italy, signed on December 28, 2021;
- The obligations to ensure the achievement of targets, milestones, and financial objectives set in the PNRR;
- Decree-Law No. 152 of November 6, 2021, containing “Urgent provisions for the implementation of the National Recovery and Resilience Plan (PNRR) and for preventing mafia infiltration,” published in the Official Gazette No. 265 of November 6, 2021;
- Article 28, paragraph 2-quater, of Decree-Law No. 50 of May 17, 2022, converted with amendments into Law No. 91 of July 15, 2022;
- Decree-Law No. 77 of May 31, 2021, converted with amendments into Law No. 108 of July 29, 2021, concerning the “Governance of the National Recovery and Resilience Plan and initial measures to strengthen administrative structures and accelerate and streamline procedures”;
- Article 64 of the aforementioned Decree-Law No. 77 of May 31, 2021, converted with amendments into Law No. 108 of July 29, 2021, establishing, among other things, the National Committee for Research Evaluation (CNVR);
- Ministerial Decree No. 1004 of July 30, 2021, by which, pursuant to Article 64 of Decree-Law No. 77/2021, the National Committee for Research Evaluation (CNVR) was established;
- Article 1, paragraph 551, of the same Law No. 2021, which states: “In order to simplify the selection and evaluation of research programs and projects as well as the evaluation of their implementation and results, the Ministry of University and Research (MUR) relies on technical-scientific and professional experts, either individually or organized in committees or commissions, for technical-scientific, financial, and administrative-accounting analysis activities and for the subsequent verification, monitoring, and control activities.”
1. Object of Study
As part of the PRIN ACOI project, a research line focuses on exploring the potential of data visualization as a tool to highlight relationships between stakeholders and public authorities. Specifically, the research team aims to test the usefulness of data visualization for exploring transparency registers, assessing its added value in terms of readability and understanding lobbying dynamics.
The experiment leverages information from the European Commission’s Transparency Register. The initial research phase concentrated on studying interactions between businesses, Commission members, and Directorate-Generals (DGs), utilizing open-source data provided by the Transparency Register. This tool proved essential in identifying the context, timing, and motivations behind private meetings, forming the foundation for further analytical insights.
To systematically address the complexity of lobbying activities, the team developed a database encompassing information on approximately 12,000 companies registered in the Transparency Register.
Additionally, the team reconstructed the organizational chart of the European Commission and its DGs, covering the period from 2012—the year the Transparency Register was established—to the present. This effort aims to provide a structured and comprehensive view of institutional relationships over time, supporting the identification of strategic nodes in interactions between companies and the Commission. This reconstruction was particularly necessary as the Transparency Register often does not clearly specify which DG was involved in meetings, limiting detailed analyses.
The multidisciplinary research team has initiated the development of advanced graphical visualization tools based on graph drawing techniques to effectively represent the frequency and intensity of interactions among involved parties. These tools aim to simplify the complexity of lobbying networks into clear and accessible visual representations that reveal influence dynamics.
The choice of visualization type is still under development and seeks to ensure alignment with the project’s objectives. The team is evaluating solutions that balance data readability with intrinsic complexity, providing a detailed yet intuitive framework for researchers, policymakers, and other stakeholders.
This integrated approach, combining data analysis, historical reconstruction, and advanced graphic tools, establishes a robust methodological foundation for delving deeper into lobbying phenomena and potential conflicts of interest.
2. Research Development
The research will continue with the introduction of new experimental phases, structured as sequential and preparatory steps, to further investigate lobbying dynamics and their implications for European policy formulation.
2.1 Phase One: Details on Subsidiaries and Affiliates
In this phase, the database will be enriched with information on subsidiaries and affiliates of major companies. This level of detail will highlight connections within corporate groups and assess the aggregated influence of parent companies. The graphical representation will adapt to reflect the greater weight of companies acting through a network of subsidiaries.
Objectives:
- Enhance the database with detailed information on subsidiaries and affiliates to uncover internal dynamics within corporate groups.
- Assess the aggregated influence of parent companies, considering the role of subsidiaries in lobbying activities.
- Graphically represent corporate connections to improve precision and clarity in visualizing influence networks.
- Identify indirect lobbying dynamics, where subsidiaries act in a coordinated manner to pursue the parent company’s interests.
2.2 Phase Two: Correlation Between Lobbying and Legislative Proposals
This phase will explore potential correlations between lobbying meetings and subsequent legislative proposals advanced by the European Commission or its DGs. The analysis will initially focus on a sample of companies and strategic sectors, such as the Digital Markets Act, to ensure manageable data collection and processing. Special attention will be given to determining whether lobbying activity intensifies around regulations relevant to the companies involved. The outcome of the analysis will be binary:
- False: The case will be archived.
- True: Proceed to Phase Three.
Objectives:
- Verify the temporal connection between lobbying meetings and legislative proposals by the Commission or DGs.
- Determine sectoral relevance, focusing initially on specific regulations like the Digital Markets Act to understand lobbying impacts in strategic regulatory contexts.
- Analyze the intensity of lobbying activities, evaluating whether they increase around proposed regulations of interest to involved companies.
- Establish criteria for further analyses, identifying cases with clear correlations for deeper exploration in Phase Three.
2.3 Phase Three: Identification and Analysis of Conflicts of Interest
The final research phase focuses on identifying potential conflicts of interest between corporate lobbying activities and the scientific support used to justify certain public policies. Four main types of conflicts are examined:
- Monetary Conflict: Occurs when researchers or consultants receive compensation, grants, or funding from a company with a direct interest in the research outcomes. This can lead to biased conclusions or data manipulation to favor the sponsor’s interests. Investigation Question: Has the researcher received compensation, consultancy, or grants from the interested company or its affiliates?
- Career Conflict (Revolving Door): This arises when research outcomes directly impact the researcher’s career, such as facilitating employment with the interested company or enhancing professional prestige. Investigation Question: Has the researcher obtained a role or position with the involved company or its affiliates?
- Data Conflict: Occurs when the data used in research is not open-source or is controlled by an organization with direct interests in the study’s outcomes, compromising transparency and reproducibility. Investigation Questions: Were the data used in the study provided by the company? Do these data result in findings favorable to the company?
- Academic Conflict: This occurs when a researcher’s ideology, reputation, or academic prestige is tied to specific outcomes, leading to potential biases in interpretations to confirm pre-existing views. Investigation Question: Does the researcher hold ideological, political, or academic positions that could influence the study’s results?
Analysis Methodology:
The approach is based on the complexity of data retrieval:
- Simple Sources: Academic articles (PubMed, Google Scholar), company press releases, and research project databases like CORDIS.
- Intermediate Sources: Financial or transparency reports published by universities or companies, and consultations on institutional transparency monitoring sites.
- Complex Sources: Direct interviews with researchers or access to specialized databases (e.g., Open Payments).
Objectives:
- Identify conflicts of interest in interactions between companies and the European Commission, focusing on scientific support provided by firms.
- Classify conflicts by the four identified types, developing metrics to measure their impact.
- Evaluate the influence of conflicts on the integrity and transparency of European decision-making processes.
- Propose actionable recommendations to minimize conflicts, including regulatory and transparency measures based on study results.
- Establish a replicable methodology for future studies on lobbying and public policy.
3. Conclusions and Perspectives
The work conducted so far has built a solid foundation for understanding lobbying dynamics within the European Commission, highlighting the importance of tools like the Transparency Register and innovative analytical methodologies. However, this represents only the beginning of a broader exploration of the complexity and implications of lobbying in political and legislative contexts.
Future steps include enriching the database with information on subsidiaries and affiliates to better understand the role of multinational corporations in shaping European policy decisions. Additionally, analyzing the correlation between lobbying meetings and legislative proposals offers insights into the transparency and impartiality of decision-making processes.
Finally, a structured approach to analyzing conflicts of interest provides critical insights into the impact of these conflicts on decision-making. This study aims not only to identify the presence of conflicts but to understand their concrete influence, offering strategies to mitigate negative effects.
Ultimately, this project aspires to provide a replicable model applicable to other institutional and geographic contexts, contributing to more transparent and accountable governance focused on the public good.