
EOSC Data Commons Privacy Policy

Version 7 · Approved 10 June 2026

Name of the Service

EOSC Matchmaker and EOSC Data Player

Description of the Service

The EOSC Matchmaker and EOSC Data Player (hereinafter referred to as “the services”) provide seamless access to high-quality interoperable research outputs and services, enabling researchers to collaborate more easily, be more productive and achieve higher levels of excellence. This privacy notice describes how we, the EGI Foundation (hereinafter referred to as “we” or “the Data Controller”), collect and process data by which project members can be personally identified (“Personal Data”) when the service is used.

Data controller

The EGI Foundation
Science Park 140
1098 XG Amsterdam
The Netherlands

Data protection officer

The EGI Foundation Data Protection Officer
Science Park 140
1098 XG Amsterdam
The Netherlands
E-mail: dpo@egi.eu

Jurisdiction and supervisory authority

Jurisdiction: NL, The Netherlands

EGI Foundation’s lead supervisory authority is the Dutch Data Protection Authority. They can be contacted at https://autoriteitpersoonsgegevens.nl/en/contact-dutch-dpa/contact-us.

Personal data processed

The service may process the following personal data:

Identification data:

  • Identification numbers (a unique, opaque, persistent and non-reassignable Identifier provided by EGI Check-in service)
  • Name
  • E-mail address
  • Other: affiliation, IP address, tokens/access keys for user VREs.

Behavioural data:

  • Usage data
  • Other: technical logs with timestamps, conversations and messages (chat history, messages stored as JSONB).

Data allowing conclusions on the personality:

  • Other: membership information on group, roles, and communities.

Purpose of the processing of personal data

The purpose of the collection, processing and use of the personal data mentioned above is:

  • To provide the service functions, i.e. to let users perform searches through the chat interface, access datasets and execute analysis tools on the available VREs.
  • To identify the users or the administrators accessing the service and track usage of resources for accounting, security management and maintaining service stability and performance.

Legal basis

The legal basis for processing personal data is: compliance with a legal obligation or legitimate interests pursued by the controller or by a third party according to Art. 6 (1) (f) General Data Protection Regulation (GDPR).

Third parties to whom personal data is disclosed

Personal data will not be used beyond the original purpose of their acquisition. If forwarding to third parties should be necessary to answer an inquiry or to carry out a service, the consent of the data subject is considered to have been given when using the respective function or service. In particular, the data you provide to us will not be used for marketing.

For the purpose given in this privacy policy, personal data may be passed to the following third parties:

Within the EU / EEA:

  • CYFRONET (resource provider, service administrator)
  • CESNET (resource provider, service administrator)

The records of your use and technical log files produced by the Service components may be shared, via secured mechanisms, for security incident response purposes with other authorised participants in the academic and research distributed digital infrastructures authorised by EGI Foundation governance, only for the same purposes and only as far as necessary to provide the incident response capability where doing so is likely to assist in the investigation of suspected misuse of Infrastructure resources.

Any data transfer to a third country outside the EU or the EEA only takes place under the conditions contained in Chapter V of the GDPR and in compliance with the provisions of this privacy policy and any related policies adopted by the EGI Federation.

Your rights

You can exercise the following rights at any time by contacting our Data Protection Officer using the contact details provided in the Data Protection Officer section:

  • Information about the data stored with us and their processing;
  • Correction of incorrect personal data;
  • Deletion of the data stored by us;
  • Restriction of data processing, if we are not yet allowed to delete the data due to legal obligations;
  • Objection to the processing of the data by us;
  • Data portability.

Project members can complain at any time to the supervisory data protection authority (DPA). The responsible DPA depends on the country and state of the project member’s residence or workplace, or of the presumed violation. A list of the supervisory authorities with addresses can be found at https://edpb.europa.eu/about-edpb/board/members_en.

You can contact EGI Foundation’s lead supervisory authority using the contact details provided in the Jurisdiction and Supervisory Authority section.

Data retention and deletion

The records of your use and technical log files produced by the service components will be deleted or anonymised after, at most, 18 months.

Security

We take appropriate technical and organisational measures to ensure data security and the protection against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure, or access.

A comprehensive overview of the technical and organisational measures taken by EGI Foundation can be found at EGI Document 3737: EGI Foundation Technical and Organisational Measures (TOM).

Data Protection Code of Conduct

EGI Foundation conforms to the GEANT Code of Conduct, and project members’ personal data will be processed in accordance with the Code of Conduct for Service Providers and the EGI-doc-2732-v3: Policy on the Processing of Personal Data.

This policy is based on the AARC Policy development kit (licensed under CC BY-NC-SA 4.0).