ASSEMBLE Plus Privacy policy
version 1.0, May 2019
Preamble
The “Association of European Marine Biological Laboratories Expanded” (ASSEMBLE Plus) is a project funded from the European Union’s Horizon 2020 research and innovation programme. ASSEMBLE Plus pursues the following objectives:
● Enhance access to a coordinated set of state-of-the-art European infrastructures for marine biology and ecology;
● Improve service provision by these infrastructures in line with their areas of excellence in marine biology and ecology, with emphasis on developing novel key enabling technologies and data solutions;
● Strengthen complementarity and interoperability within the consortium and with related infrastructures;
● Lay the logistical and strategic foundations to expand the coverage of the European Marine Biological Resource Centre (EMBRC) in both its scope and its geographical distribution and to consolidate its long-term sustainability.
ASSEMBLE Plus is coordinated by Sorbonne Université, 25 rue de l’Ecole de Médecine, 75006 Paris, France, represented by Jean CHAMBAZ, President.
Definitions
- Personal data
Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Data subject
Data subject is any identified or identifiable natural person, whose personal data is processed by the Data Controller responsible for the processing.
- Data Controller
The Data Controller is the legal entity responsible for the processing of the Data.
- Processing
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.
- Profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
- Pseudonymisation
Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
- Consent
Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- Data breach
Data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- Third party
A third party is a natural or legal person, public authority, agency or body other than the data subject, controller and persons who, under the direct authority of the controller is authorised to process personal data.
- Supervisory authority
A supervisory authority is an independent public authority that is established by a Member State pursuant to Article 51 of the GDPR.
The privacy and security of your personal information is very important to us. This privacy policy explains how and why we use your personal data, and what we do to make sure that you can be confident about giving us your information.
This policy applies whether you are a person involved in the ASSEMBLE Plus project, or a user of any of our services, or if you call, write or email us.
We will only use your personal data on relevant lawful grounds as permitted by the EU General Data Protection Regulation (from 25 May 2018).
We will never sell your personal data and will only share it with organisations we work with when it is necessary to do so and the privacy and security of your data is assured.
In case of personal data breach, find your National Data Protection Authority here https://edpb.europa.eu/about-edpb/board/members_en
Who are 'We'?
ASSEMBLE Plus, the European project funded by the Horizon 2020 programme of the European Commission with Grant Agreement n. 730984 and coordinated by Sorbonne Université, Paris (France).
ASSEMBLE Plus can also be referred to as ‘we’ or ‘us’ in the present agreement.
Our website hosted by the Flanders Marine Institute (VLIZ), in Oostende (Belgium) is available at www.assembleplus.eu.
For its Transnational Access programme, ASSEMBLE Plus makes use of the web platform “ARIA” for receiving and reviewing access proposals. Data and related info are hosted at INSTRUCT-ERIC, Oxford (United Kingdom).
If you have any questions in relation to this privacy policy or how we use your personal data they should be sent to .
What personal data do we collect?
Your personal data will be collected and used by us, but we will only collect the personal data that we need.
We collect personal data in connection with specific activities such as memberships, applying for access visits, training courses and events.
ARIA registration
The ASSEMBLE Plus access programme is managed using the ARIA online access management system, which was developed and is maintained by INSTRUCT-ERIC. Users are required to register an account at ARIA in order to gain access to our research facilities. Your registration data is processed through ARIA, which is operated by INSTRUCT-ERIC and hosted from webservers in Oxford, UK. The legal responsibility for the collected registration information is described in a Data Processing Agreement that has been signed between Stazione Zoologica Anton Dohrn (the Data Controller), on the solely purpose of the Transnational access program of ASSEMBLE Plus and INSTRUCT-ERIC. During registration your name, email address, host institute, nationality, and some additional information will be collected using a form and stored. The Data Processing Agreement ensures GDPR compliance at every stage of data processing.
INSTRUCT-ERIC is based at Oxford House, Parkway Court, John Smith Drive, Oxford, OX4 2JY. It was established in July 2017 according to European ERIC Council regulation number 723/2009, implementation reference 2017/C 230/01.
How we use your personal data
Below are the main uses of your data which depend on the nature of our relationship with you and how you interact with our website and our various services, and activities.
1. Membership
We use the personal data you provide for the purpose of servicing your membership. It is provided as legitimate interest. This includes, but is not limited to: administering your membership, ensuring the security and communicating with you about our services. We will normally contact you via email, although we might occasionally need to write to you or phone you. We never sell your information and we will not pass your information on to a third party.
The accuracy of your information is important to us. If you change your email address, or if any of the other information we hold is inaccurate or out of date, please contact us to .
2. Training Courses, Events and Conferences
We use the personal data you provide as a delegate to events for the purpose of managing your attendance. It is provided as legitimate interest. Your data will be used to communicate with you throughout the process, including to confirm we have received your registration and payment, to clarify where we might need more details to fulfil a booking, or to resolve any issues that might arise with your booking. We will retain your data to provide you, by email, with details of our future training courses (Staff Exchange and Knowledge Exchange), events and conferences. Should you at any time prefer us not to retain it for this purpose and ask us not to, we will delete your information. We never sell your information and we will not pass your information on to a third party, except to partners that help us provide these services, which is strictly regulated.
3. Newsletter
If you wish to receive ASSEMBLE Plus news and information, we will collect and process your data on the basis of consent. We never sell or pass your information on to a third party. Should you at any time prefer us not to retain your personal information for this purpose and ask us not to, we will delete your information.
4. Applying for Transnational Access
ASSEMBLE Plus offers the opportunity to apply for research infrastructure access visits with a Transnational Access programme through the ARIA web platform. Such applications are made by submitting proposals which go through peer review. Additional data are required in the form of your research history, biography and your project proposal. Personal data for the Transnational Access programme will be kept private and will only be visible to those involved within ASSEMBLE Plus who check the eligibility and feasibility of your proposal and host your visit, to the User Selection Panel members who peer review your proposal, and to ARIA web platform administrators.
We use the personal data you provide for the purpose of reviewing your application, arranging the services, and to communicate with you throughout the process. We process your data on the basis of the “Terms of submission” contract (Appendix V), which we ask you to agree with at the last step of the online proposal submission process. We are required to maintain personal data for the purposes of reporting to the European Commission, and to comply with applicable EU and national laws on data protection.
As stated in the “Terms of submission” (Appendix V), limited personal information (name, home institute country, project title, selected access provider) of successful applicants will be published on the ASSEMBLE Plus website.
If your visit is scheduled for a research infrastructure outside of the EEA, your personal data will be shared with the ASSEMBLE Plus Access Provider facilitating your visit. All reasonable steps will be taken to ensure that your data is treated securely and in accordance with this privacy policy.
Use of "cookies" on our website
Our website refers to the website of ASSEMBLE Plus, hosted by the Flanders Marine Institute (VLIZ), Oostende (Belgium) at www.assembleplus.eu.
VLIZ keeps logs of website visits - which contain: an IP address, time information, and the URL visited - for bug tracking and to monitor for malicious visits. This information is held as a legitimate interest for the purposes of detecting and preventing unauthorised system access, and ensuring system security. Along with the web-server logging, an anonymous visitor-tracking system is in place, to track which pages on the website are accessed. We also use cookies to enhance the surfing experience. For more information, please refer to the VLIZ privacy policy.
Use of "cookies" on the web platform ARIA
The web platform ARIA uses Matomo software for data analytics. The data is collected, processed and stored by INSTRUCT-ERIC on their servers (see https://matomo.org/privacy). Matomo uses some additional cookies to help INSTRUCT-ERIC to analyse how users use ARIA in order to improve the user experience. You may refuse the use of these cookies using appropriate settings in your browser. You can also prevent the tracking on ARIA by setting “Do not track” in your browser. Cookies set by Matomo start with “_pk_”. For more information about the cookies used for Matomo please see https://matomo.org/faq/general/faq_146.
Your IP address in ARIA
ARIA uses anonymised IP addresses for Matomo analytics.
ARIA also collects full IP addresses in server logs for security reasons. This information is held as a legitimate interest for the purposes of detecting and preventing unauthorised system access, and ensuring system security.
Data Retention Period
Users may request deletion of personal data at any time. If you have not submitted a Transnational Access application, review or evaluation, nor any application, review or evaluation elsewhere using the ARIA system, your ARIA account and all associated personal data will be deleted upon your request. We will maintain indefinitely some minimal personal data detailing your request for deletion.
If you have submitted an application (for Transnational Access or any other access route) using ARIA, your personal data will be maintained as a consequence of the contract that you have entered into whilst submitting the application. These data are required for reporting demand and usage of our services both internally and to our funders.
Personal data associated with Transnational Access proposals will be stored for minimum of 5 years after the payment of the final balance according to the ASSEMBLE Plus grant agreement. Afterwards they will be deleted.
Your Data Protection Rights
In compliance with the GDPR, and where ASSEMBLE Plus is using your personal data on the basis of consent, you have the following rights:
a) Right of confirmation
You are entitled to obtain from the Data Controller the confirmation as to whether or not your personal data are being processed. Therefore, and to do so, you may, at any time, contact any employee of the Data Controller.
b) Right of access
You are entitled to request a copy of the data we hold on you. In your request, you would need to provide information to confirm your identity. If we hold personal information about you, we will give you a copy of the information in an understandable format together with an explanation of why we hold and use it. Once we have all the information necessary to respond to your request, we will provide your information to you within one month. This timeframe may be extended by up to two months if your request is particularly complex.
If you would like further information on your rights or wish to exercise them, please contact us at .
c) Right to rectification
You are entitled to obtain from the controller without undue delay the rectification of inaccurate personal data which concerns you.
d) Right to erasure (Right to be forgotten)
You shall have the right to obtain from the controller the erasure of your personal data without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies, as long as the processing is not necessary:
• The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
• Consent is withdrawn, where consent was the legal basis for data processing.
• Objection to the processing.
• The personal data have been unlawfully processed.
• The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
e) Right of restriction of processing
You are entitled to obtain from the controller restriction of processing
f) Right to data portability
Each data subject shall have the right to transmit its data to another controller without hindrance from the controller to which the personal data have been provided.
Furthermore, in exercising his or her right to data the data subject shall have the right to have personal data transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.
However, if you are a user of the Transnational Access programme, you will no longer be able to log-in to the ARIA system.
Erasure and blocking of personal data
If you have submitted a proposal or participated in an event, your personal information need to be stored on our servers until five years after the end of the ASSEMBLE Plus project for potential reporting purposes towards the European Commission.
After this date all personal information will be deleted from our servers but will still be part of the statistics of the European Commission.
Otherwise, we will be able to remove your data within 72 hours from our servers upon personal demand. If you wish your personal data to be deleted from our servers, please send an e-mail to .
Name and address of the Data Controller
The responsible for the data processing in ASSEMBLE Plus is its Scientific Coordinator. Questions or issues about your personal data sent in the context of the Transnational Access program of ASSEMBLE Plus can be addressed at wiebe.kooistra@szn.it. All other questions should be addressed at .
Name and address of the Data Protection Officer
Any data subject may, at any time, contact our Data Protection Officer directly with all questions and suggestions concerning data protection. The Data Protection Officer of ASSEMBLE Plus is its Project Manager and can be reached at .
Amendments
We may update this policy from time to time by publishing a new version on our website. You should check this page occasionally to ensure you are happy with changes to this policy. We may notify you of significant changes to this policy by email.
What to do if you are not happy
Please talk to us directly so we can resolve any problem or query contacting us at .