Privacy Policy of the EOSC Association

This is the Privacy Policy of the European Open Science Cloud Association (EOSC-A), an international non-for-profit organisation under Belgian law (AISBL), with registered office at Rue du Luxembourg 3, 1000 Brussels (Belgium) and registered with the Crossroads Bank for Enterprises under number 0755.723.931 (hereinafter “EOSC-A” or “we”).


CONTENTS

1. Who we are and what is our ambition?

2. Purpose of this policy

3. Types of personal data that we may collect

      3.1. Identification details

      3.2. Contact details

      3.3. Data related to the professional activity

      3.4. Professional interests

      3.5. Browsing data

4. How do we collect these data?

5. For which purposes do we process personal data?

6. On which legal are the personal data processed?

7. With whom does EOSC-A share information?

8. How are personal data secured?

9. How long are personal data stored?

10. What are the data subjects’ rights with regard to their own personal data?

      10.1. Right of access

      10.2. Right to rectification

      10.3. Right to revoke consent

      10.4. Right of erasure

      10.5. Right to restriction of processing

      10.6. Right to object

      10.7. Right to data portability

      10.8. Right to complain

11. How can data subjects exercise their rights?


1. Who we are and what is our ambition?

The EOSC Association is the legal entity established to govern the European Open Science Cloud (EOSC). It was formed on 29th July 2020 with four founding members and has since grown to over 250 Members and Observers.

The Association membership is jointly responsible for delivering the objectives agreed in the Memorandum of Understanding signed by the European Union and EOSC Association to form the official Partnership. The EOSC ecosystem is being co-created in a series of funded projects and initiatives from Member States and Associated Countries. The EOSC Association plays an important role in helping to coordinate and steer these investments via its Task Forces and other governance structures.

As we are well aware of the importance of data and of accessibility of information in this digital age, EOSC-A obviously respects the protection of personal data and is committed to protecting the confidentiality of all information put at its disposal within the scope of its activities.

2. Purpose of this policy

This policy is not only intended to be compliant with the relevant privacy regulations but also to inform all members or partners or any stakeholder of EOSC-A on how we collect, process and save (personal) data directly or indirectly put at the disposal of EOSC-A. We strive to do this with respect for the rights of any identified or identifiable natural person (‘data subject’ as defined by article 4.1 of the GDPR); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. If the data subject has any question about the processing of personal data, please contact us at the following email address: gdpr@eosc.eu.

The Privacy Policy is only applicable to the processing of personal data within the framework of the EOSC-A activities and to the extent that no other specific privacy policy applies.

This Privacy Policy applies to the collection and the use of any information by EOSC-A through, amongst others, its platforms and activities, such as the EOSC-A website (www.eosc.eu), the event registration processes and online event tools, the Association voting procedures, the subscription to newsletter(s), the participation into survey activities.

This Privacy Policy describes, among other things, the types of personal data we collect about data subjects, where we obtain the data, how we use the personal data we collect about data subjects, how long we retain these personal data, to whom we may provide this information, and the rights of the data subjects with regard to the processing of personal data.

This Privacy Policy may be amended, for example in response to new legal, contractual or administrative obligations, new activities or ambitions. We therefore recommend that the data subjects consult this Privacy Policy regularly. All important changes will be communicated separately. This version of the Privacy Policy was last amended in February 2023.

3. Types of personal data that we may collect

Personal data are all data relating to identified or identifiable natural persons (the data subject). An ‘identifiable’ person is one who can be identified, directly or indirectly, by means of a number or by one or more specific elements characteristic of his/her physical, physiological, psychological, economic, cultural, or social identity.

EOSC-A may process the following personal data to the extent and if relevant for the purposes referred to, in this Privacy Policy:

3.1. Identification details

First name and surname, professional title, gender, date of birth, organisation name/type, ID number, primary (and secondary) domain of work/expertise, position, etc.

 3.2. Contact details

Address, email address, telephone number, Twitter handle, LinkedIn profile, possibly other contact details.

3.3. Data related to the professional activity

Position or professional activity, academic title, name of the scientific organisation or university, department or scientific area.

 3.4. Data related to the professional activity

To provide the data subject with information known to be relevant to you or your organisation, we may keep track of your preferences based on the interests we have registered as a result of your scientific position or known interests, your attendance to certain events, your expressed interests in certain types of information.

 3.5. Browsing data

This includes data from visits to our websites or other applications, and your surfing behaviour or other online contacts, but also data that we process based on your social media use in a professional context, such as likes, comments or similar.

The website’s operation, as is standard with any websites on the Internet, involves the use of computer systems and software procedures, which collect information about the website’s users as part of their routine operation. While EOSC does not collect this information in order to link it to specific users, it is still possible to identify those users either directly via that information, or by using other information collected – as such, this information must also be considered personal data.

This information includes several parameters related to your operating system and IT environment, including your IP address, location (country), the domain names of your device, the type of device, the URI (Uniform Resource Identifier) addresses of resources the data subject requests on the website, the time of requests made, the method used to submit requests to the server, the dimensions of the file obtained in response to a request, the numerical code indicating the status of the response sent by the server (successful, error, etc.), and so on.

These data are used to compile statistical information on the use of the website, to ensure its correct operation, as well as restore backup from possible failures of the website and identify any faults and/or abuse of the website. Save for this last purpose, these data are only kept for as long as necessary.

Our website and/or our services do not intend to collect information about persons under the age of 13, unless they have parental or guardian consent or we are bound by our legal obligations. However, we cannot verify whether a website visitor is over 13 years of age. We encourage parents to be involved in their children’s online activities in order to prevent the collection of information about children without parental consent. If the data subject believes that we have collected personal information about a minor without this consent, please contact us at the following email address: gdpr@eosc.eu.(see contact details).

4. How do we collect these data?

Your personal data is usually collected when the data subject decides to provide it to us or our employees. This occurs in the following situations, among others:

  • When visiting the EOSC-A website(s), EOSC Forum or using other third-party applications such as GDPR compliant survey platforms
  • When expressing your interest in EOSC-A services
  • When subscribing to the EOSC-A newsletter
  • In the context of (responding to) EOSC-A surveys
  • When connecting to EOSC-A with its professional social media channels or with its employees
  • From correspondence or contacts with EOSC-A
  • During EOSC-A general assemblies and voting procedures
  • When registering for and participating in EOSC-A events either through www.eosc.eu or through any other application under EOSC-A control. In case such an event is organised online the specific privacy platform of the digital infrastructure (such as f.ex. Zoom or Teams) will apply when the event is being recorded.

We may use both paper and digital documents and forms for the collection of data.

We may also supplement your profile with data from our CRM and ERP systems or other sources of information that have been collected with your consent.

EOSC-A may also receive personal data via other sources of information that are publicly accessible and available. Exceptionally, we may obtain information from other databases or sources of information. Before we do so, we check with the providers of these databases or sources to ensure that they comply with the applicable data protection regulations. Although we apply strict rules before engaging data providers, the final responsibility of the data that these providers and organisations make available to EOSC-A, through surveys or other applications and services, remains with those providers.

5. For which purpose do we process personal data?

Personal data is processed for the following purposes:

  • To allow a data subject to express interest on behalf of an organisation to join the EOSC Association as a Member, Observer or other form of Stakeholder, to send the subscribers informative newsletters and other communications, to respond to enquiries of persons or organisations and requests for support, and to provide any other services which the data subject may request (“Service Provision”)
  • To include information on the data subject as a registered member within the EOSC-A database (“Database Publication”)
  • To ensure compliance with our reporting duties to the European Commission (EC) on the progress of the EOSC partnership, as agreed by the EOSC-A members with the establishment of the co-programmed EOSC Partnership and the signing of the Memorandum of Understanding (“Reporting Duties”)
  • To allow third parties to make reports or overviews based on information collected through survey or other types of enquiries (“Information Processing by Third Parties”)
  • For information purposes, including to carry out research and surveys, via e-mail, push notifications / pop-up banners, as well as events held by EOSC-A, also in collaboration with or hosted by selected third parties (“Active Information”)
  • For future promotional and information purposes, by sending direct e-mail communication regarding events hosted and services provided by EOSC-A (“Soft Opt-in”)
  • For development and administration of the website, in particular by use of data analytics regarding how the data subjects and other users make use of the website, as well as the information and feedback the data subject provides, to improve our offerings (“Analytics”)

The way in which personal details are processed may vary depending on the service EOSC-A provides to the data subject.

6. On which legal basis are the personal data processed?

/*–>*/

When EOSC-A processes personal data it does so based on of one of the following legal grounds:

  • Consent of the data subject: personal data is processed once he has consented thereto.
  • Complying with legal or statutory obligations: personal data must be processed for EOSC-A to comply with its legal or statutory obligations.
  • Performance of an agreement: the personal data processed is required for the performance of an agreement between EOSC-A and its Partners.
  • Legitimate interest: personal data can be processed if it is in the legitimate interest of EOSC-A as an organisation, subject to the data subjects’ personal interests not outweighing EOSC-A interests. Information on the weighing-up of that deliberation can be obtained by sending a motivated request to the following email address: gdpr@eosc.eu.

7. With whom does EOSC-A share information?

In principle, personal data will only be used within EOSC-A. The data will not be shared with third parties, apart from the following exceptions:

  • Personal data may be shared with third parties subject to appropriate contractual and legal guarantees if the data subjects give their explicit consent.
  • Personal data may be shared with public or private third-parties who are partners of  EOSC-A, such as the European Commission (EC), the EOSC Steering Board, EC-project partners and the  services providers, including logistics partners to organise communication and  events.
  • Data will be shared with third parties, such as service providers, if this is necessary for the performance of EOSC-A activities. EOSC-A only cooperates with reputable partners who comply with the applicable regulations and provide the necessary security measures for the protection of personal data and have signed a Data Protection Agreement with the EOSC Association. We expect and impose upon them an adequate level of data protection.
  • Data subject information will be shared with third parties if this is necessary for the execution of your agreement with EOSC-A, or to provide the data subject with more targeted information.
  • Your details may be shared with third parties if EOSC-A is legally obliged to do so (e.g. the government, the tax administration).

Under no circumstances will personal data be shared with third parties for purely commercial purposes.

We enter into a processing agreement with the companies/persons who process personal data on our behalf so that the data is only used for the purpose for which the processor obtains it, and in order to ensure an appropriate level of security and confidentiality of your data.

In any situation when personal data are shared with external parties we take, whenever feasible, precautions to prevent unlawful access to personal data, such as pseudonymisation and encryption of personal data.

EOSC-A will not transfer personal data to recipients outside the EU.

8. How are personal data secured?

EOSC takes all reasonable and appropriate measures to secure personal data, at both a technical and organisational level, as well as at an administrative level. In doing so, we take into account the state of the art, the implementation costs, the nature, scope and context of the processing and the probabilities and seriousness of the potential risks as identified by us. In this way, unauthorised access, unwanted destruction, loss or modification of data and data leaks are avoided as much as possible. Our systems are continuously monitored and improved so that security can be guaranteed, and the EOSC-A staff is regularly informed and sensitised on the topic of data protection. Nevertheless, no system or procedure can completely exclude the above-mentioned risks.

9. How long are personal data stored?

In accordance with data protection regulations, personal data will not be kept longer than necessary for the purpose for which it has been processed. EOSC-A is obliged by European and Belgian regulations to retain some personal data for a minimum period of time. For this purpose, EOSC-A takes into account legal retention obligations.

10. What are the data subjects’ rights with regard to their own personal data?

10.1. Right of access

The data subjects have the right to receive confirmation that we process personal data from them, and they have the right to request access to these personal data. Before EOSC-A grants access to these details, we may ask the data subject for proof of identification.

The data subject can request a free copy of the personal data that EOSC processes of him. If they wish to receive additional copies or to inspect the information repeatedly, EOSC-A may charge a fee for this, due to its administrative costs.

10.2. Right to rectification

The data subjects have the right to request, free of charge, that their  personal information be amended, if it is incorrect or incomplete.

10.3. Right to revoke consent

If the processing is based on consent, the data subject may revoke this consent at any time. However, this shall not affect the lawfulness of the processing based on consent prior to its withdrawal.

10.4. Right of erasure

In the following cases, the data subjects can request the deletion of their own personal data, free of charge:

  • The personal data is no longer necessary for the purposes for which it was collected and/or process.
  • The data subject revokes consent and there is no other legal basis for processing those personal data.
  • The personal data have been processed unlawfully.
  • The personal data must be deleted in order to comply with a legal obligation incumbent on EOSC.
  • The data subject objects to the processing and there are no overriding compelling legitimate grounds.
  • In case of direct marketing, the data subject has the right to have his/her personal data erased at any time.

The consequence of such a removal may well be that certain EOSC services can no longer be provided.

10.5. Right to restriction of processing

The data subject has the right to block or limit the processing of his/her personal data if:

  • He disputes the accuracy of the personal data (during the period that allows EOSC to verify the accuracy of the data).
  • The processing is unlawful and he opposes the deletion of the data, but insists on a limitation of the processing.
  • The data is no longer required for processing purposes, but the data subject needs it for legal proceedings.
  • If the data subject has objected to the processing, pending clarification, or if EOSC’s legitimate interests outweigh his/her interests.

If data processing is restricted, EOSC may store the personal data, but may not further process it. The consequence of such restriction may be that certain services of EOSC can no longer be provided.

If the data subject has the right to have the processing restricted, we may in future only process the data – apart from storage – with consent of the data subject, or for the purpose of establishing, asserting or defending legal claims, or protecting a person or important public interest.

10.6. Right to object

A data subject has the right to object:

  • Against the processing of data, unless EOSC invokes compelling legitimate grounds that would outweigh his/her interests, rights and freedoms, or which are related to a legal action
  • At all times against processing for direct marketing
  • Against processing for the purpose of scientific or historical research and statistics, unless the processing is necessary for the performance of a task in the public interest

10.7. Right to data portability

If the processing is based on consent, or on an agreement with EOSC, and the processing is carried out using an automatic process, the data subject has the right to obtain his/her personal data in a structured, commonly used and machine readable format. In such a case, he also has the right to transfer the data in that format to another data processor. If the processing is based on a legal basis other than consent or the agreement with EOSC, the right of transferability does not apply, without prejudice to your other rights.

10.8. Right to complain

EOSC strives to process personal data as transparently and correctly as possible. If a data subject has a query about this processing of his/her personal data, he can always contact us via the email address: gdpr@eosc.eu.

A data subject also has the right to lodge a complaint with the competent supervisory authority. For Belgium, this is the Belgian Data Protection Authority:

Drukpersstraat 35

1000 Brussels

Telephone: 02/274.48.00

Fax: 02/274.48.35

E-mail: contact@apd-gba.be

www.gegevensbeschermingsautoriteit.be

11. How can data subjects exercise their rights?

If the data subject wishes to exercise one of his/her above-mentioned rights, he can send his/her request by registered letter to EOSC-A, or by e-mail to: gdpr@eosc.eu.