GDPR Compliance

Data protection and regulatory compliance

This page documents how Logicon complies with the EU General Data Protection Regulation (GDPR), including the legal basis for processing, data protection impact assessment, data subject rights, and obligations under the EU Dual-Use Regulation 2021/821.

Last updated: 26 April 2026. This document is reviewed annually or upon material changes to processing activities.

1. Data Processing Overview

Logicon processes exclusively open-source intelligence (OSINT) data from publicly available datasets: ACLED (conflict events), UCDP (battle deaths and conflict records), GDELT (media-derived event data), FRED (macroeconomic indicators), OpenSanctions (sanctions and PEP lists), and V-Dem/WGI (governance indices).

No personal data is collected from end-users beyond what is strictly necessary for session authentication. The platform does not deploy cookies for tracking, behavioural profiling, or advertising purposes.

OSINT datasets may incidentally contain personal data — for example, named individuals in conflict event records, sanctions lists, or media reports. This incidental personal data is not the object of processing; it is a by-product of ingesting structured conflict and governance datasets.

Legal basis: Legitimate interest pursuant to Article 6(1)(f) GDPR. The processing is necessary for defence research and conflict forecasting in the public interest. A Legitimate Interest Assessment (LIA) is documented in Section 2 below.

2. Legitimate Interest Assessment (LIA)

The three-part balancing test required under Article 6(1)(f) GDPR:

Purpose Test

Logicon produces calibrated probabilistic forecasts of conflict escalation and geopolitical risk for defence and security decision-support. This constitutes a legitimate interest: supporting the operational planning process of NATO Allied commands and contributing to decision superiority in multi-domain operations. The purpose is specific, real, and presently relevant.

Necessity Test

OSINT analysis is essential for generating the 32-feature vectors that drive predictions. Conflict event records, media tone indicators, and sanctions data cannot be replaced with fully anonymised equivalents without destroying the analytical signal. The processing is limited to what is necessary — no data categories beyond the six documented OSINT sources are ingested.

Balancing Test

The impact on data subjects is minimal. All source data is already publicly available. Logicon does not profile, score, or make decisions about individuals. Individual-level data is used only as input to aggregate statistical models — the output is a country- or region-level probability estimate, not an assessment of any person. No automated decisions with legal or similarly significant effects on individuals are made. The legitimate interest of defence research and conflict prevention outweighs the minimal residual impact on data subjects whose names appear incidentally in public conflict records.

3. Data Protection Impact Assessment (DPIA) Summary

A DPIA has been conducted pursuant to Article 35 GDPR, given that the processing involves large-scale monitoring of publicly available data and systematic evaluation of geopolitical conditions.

Processing Description

Automated ingestion of six OSINT datasets, feature extraction (32 features across four domains), ensemble model prediction, isotonic calibration, and storage of predictions with audit trails. Processing is continuous, with scheduled data refreshes and autonomous retraining upon drift detection.

Risks Identified

  • Incidental processing of personal data in conflict event records (names of combatants, political figures, casualties)
  • Potential re-identification through combination of location, date, and event type in granular conflict data
  • Risk of data subject unawareness — individuals named in OSINT sources may not know their data is processed downstream

Mitigations Applied

  • Data minimisation: only aggregate metrics and statistical features are retained long-term; raw event-level data with personal identifiers is not persisted beyond the feature extraction window
  • Purpose limitation: data is used exclusively for statistical modelling and conflict forecasting — never for individual profiling, surveillance, or law enforcement
  • Access control: API key + HMAC authentication, TLS 1.3, full audit logging
  • Retention limits: raw data retained only for model validation; anonymised or deleted after conflict resolution (see Section 7)
  • Transparency: this compliance page, privacy policy, and DPO contact are publicly available

4. Data Minimisation

Logicon applies data minimisation at every stage of the processing pipeline, consistent with Article 5(1)(c) GDPR:

  • Ingestion: Only the six documented OSINT sources are ingested. No social media scraping, no private communications, no classified intelligence inputs.
  • Feature extraction: Raw event-level data (which may contain personal identifiers) is transformed into 18 base statistical features and 14 temporal derivatives. The resulting 32-dimensional feature vector is numeric and contains no personal identifiers.
  • Storage: Only aggregate feature vectors, model predictions, and audit metadata are retained long-term. Individual event records are processed in memory and not persisted beyond the extraction window.
  • Output: Forecasts are country- or region-level probability estimates. No individual-level predictions, scores, or profiles are produced.

5. Data Subject Rights

Data subjects whose personal data may be incidentally processed through OSINT ingestion retain the following rights under GDPR:

Right of Access (Art. 15)

Data subjects may request confirmation of whether their personal data is being processed and, if so, access to that data. Given that Logicon processes publicly available OSINT data and does not maintain individual-level records beyond the feature extraction window, access requests will be responded to within 30 days with a description of the processing activities and any data held at the time of the request.

Right to Erasure (Art. 17)

Data subjects may request deletion of their personal data. Where the data has already been transformed into aggregate statistical features (which do not contain personal identifiers), erasure of the original input achieves the practical effect. Where raw event data is still within the processing window, it will be excluded from further processing upon valid request.

Right to Object (Art. 21)

Data subjects may object to processing based on legitimate interest. Objections will be assessed on a case-by-case basis, weighing the individual's particular situation against the compelling legitimate grounds for the processing (defence research and conflict prevention).

Research Exemption (Art. 89)

Certain data subject rights may be subject to derogations under Article 89(2) GDPR where processing is carried out for scientific research purposes in the public interest and appropriate safeguards are in place (pseudonymisation, data minimisation). Logicon's conflict forecasting research falls within this scope. Any reliance on Article 89 derogations will be documented and communicated to the data subject.

All rights requests should be directed to the Data Protection Officer at dpo@logicon.ro. Responses will be provided within 30 calendar days.

6. International Data Transfers

Logicon is operated by a Romania-based entity within the European Union. All primary data processing — ingestion, feature extraction, model training, prediction generation, and storage — occurs on EU-based infrastructure.

Where OSINT source data originates from non-EU providers (e.g., ACLED is UK-based, FRED is US-based), the data transferred consists of publicly available datasets that do not constitute personal data transfers requiring Chapter V GDPR safeguards in the ordinary case. Where incidental personal data is present in these datasets, the transfer is covered by the legitimate interest basis and the public availability of the source data.

For integration with NATO digital warfighting platforms, data sharing is governed by NATO security standards and applicable Status of Forces Agreements (SOFAs). Security measures include TLS 1.3 encryption in transit, AES-256 encryption at rest, API key + HMAC authentication, and containerised deployment compatible with NATO cloud infrastructure (AWS GovCloud, Azure Government).

7. Retention Policy

Data retention periods are calibrated to operational necessity and the principle of storage limitation (Article 5(1)(e) GDPR):

  • Raw OSINT event data: Retained in processing memory only during the feature extraction window. Not persisted to long-term storage in identifiable form.
  • Feature vectors: Retained for model validation and retraining purposes. These are numeric aggregates without personal identifiers. Retained for the operational lifetime of the model version they support.
  • Predictions and audit trails: Retained indefinitely for accountability, reproducibility, and lessons-learned purposes. These contain no personal data — only country/region-level probability estimates, model version identifiers, and feature snapshot hashes.
  • Conflict event records (for validation): Retained with source attribution for model validation until the relevant conflict is resolved plus 24 months. After this period, records are anonymised (personal identifiers removed) or deleted.
  • Session authentication data: Retained for the duration of the active session plus 30 days for security audit purposes. No long-term user profiling.

8. Dual-Use Export Controls

Logicon is aware of its obligations under EU Regulation 2021/821 (the recast Dual-Use Regulation), which establishes a Union regime for the control of exports, brokering, technical assistance, transit, and transfer of dual-use items.

Conflict forecasting software that processes publicly available data and produces probabilistic estimates does not, in its current form, fall within Annex I of Regulation 2021/821. However, Logicon acknowledges the following:

  • The platform is designed for integration with NATO defence systems. Any export or transfer of the technology to non-EU/NATO entities is subject to prior assessment under the catch-all clause (Article 4) of Regulation 2021/821.
  • Cyber-surveillance provisions (Article 5) are not applicable — Logicon does not perform telecommunications interception, network surveillance, or monitoring of individuals.
  • A due diligence process is in place to screen end-users and end-use before any technology transfer outside the EU/NATO framework.
  • The Romanian National Authority for Export Controls (ANCEX) is the competent authority for any licensing requirements arising from the platform's operational deployment.

9. Contact

For any questions regarding data protection, GDPR compliance, or to exercise data subject rights:

Data Protection Officer

Email: dpo@logicon.ro

Entity: Logicon, Romania (EU)

Supervisory authority: Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP), Bucharest, Romania

Data subjects who believe their rights have not been adequately addressed may lodge a complaint with ANSPDCP or with the supervisory authority of their Member State of residence.

Applicable legislation: Regulation (EU) 2016/679 (GDPR); Regulation (EU) 2021/821 (Dual-Use Export Controls); Romanian Law 190/2018 (GDPR implementation); NATO AI Responsible Use Principles (2024).