Privacy Notice for EGA User Account

This Privacy Notice explains what personal data is collected by the specific service you are requesting, for what purposes, how it is processed, and how we keep it secure.

Note that this service collects personal data directly provided by the user, and also collects personal data from users that is provided by other organisations.

1. Who controls your personal data and how to contact us?

European Genome- Phenome Archive - EGA offers a service for permanent archiving and sharing of all types of personally identifiable genetic and phenotypic data resulting from biomedical research projects, jointly managed by European Molecular Biology Laboratory – European Bioinformatics Institute (EMBL-EBI) and Fundació Centre de Regulació Genòmica - Centre for Genomic Regulation (CRG).

EMBL-EBI and CRG represent joint Data Controllers’ of processing of your personal data. They and their Data protection officers may be contacted for data protection queries and for exercising your rights under Section 8.

You may contact EMBL-EBI, represented by dr. Thomas Keane, by:

• email at: tk2@ebi.ac.uk or
• post at EMBL-EBI, Wellcome Genome Campus, CB10 1SD Hinxton, Cambridgeshire, UK.

EMBL’s Data Protection Officer may be contacted by:

• telephone at +49 6221 387-8590,
• email at dpo@embl.org, or
• post at EMBL Heidelberg, Data protection officer, Meyerhofstraße 1, 69117 Heidelberg, Germany.

You may contact CRG, whose EGA team is represented by dr. Jordi Rambla de Argila, by:

• email at jordi.rambla@crg.eu, or
• post at Fundació Centre de Regulació Genòmica - Centre for Genomic Regulation (CRG), Dr.Aiguader 88, PRBB Building, 08003 Barcelona, Spain.

CRG Data protection officer may be contacted by:

• email at dpo@crg.eu
• post at Fundació Centre de Regulació Genòmica - Centre for Genomic Regulation (CRG), C/ Dr. Aiguader, 88, PRBB Building, 08003 Barcelona, Spain.

2. Which is the lawful basis for processing personal data?

We process your personal data on the grounds of important public interest.

For monitoring your activities on the website, we process your personal data on the grounds of important public interest. Such legal basis is found in Article 5(1)(a) of EMBL Internal Policy No 68 on General Data Protection (hereinafter IP 68), which is equivalent to Article 6 (1)(e) of the EU General Data Protection Regulation (hereinafter GDPR) and upon which personal data are processed for the achievement of the aims laid down in 1973 agreement establishing EMBL, such as the promotion of the cooperation in the fundamental research, in the development of advanced instrumentation and in advanced teaching in molecular biology and dissemination of information.

3. What personal data is collected from users of the service? How do we use this personal data?

We collect the following personal data from you:

• Name
• Email address
• Title/Position
• Organisation
• Organisational affiliation
• Username and password (to authenticate access to the system)
• IP Address (for anonymous usage statistics)

We process your personal data:

• to provide you with the authenticated access to the EGA service (opening and managing submission and distribution account),
• to publicly publish some aggregate data to facilitate scientific research (e.g. number of accounts, geographic distribution),
• to better understand the needs of the users and to guide future improvements of the service,
• to create anonymous usage statistics.

If you do not provide us with your personal data we will not be able to open the user account and offer you our services or we will only provide you a subset of functionalities available within the service.

4. Who will have access to your personal data?

The personal data will be disclosed to:

• Authorised staff in the data controller’s institutions acting on data controller`s behalf and instructions (for all user account data),
• Requested dataset Data access committee – DAC will have access to the name, email, organization, affiliation, title/position of the distribution user account, using it for their own purpose of granting access to their datasets.

5. Will your personal data be transferred to third countries (i.e. countries not part of EU/EEA) and/or international organisations?

Distribution user account data are in the process of granting access disclosed to dataset(s) DAC, which might be a recipient in countries outside of the European Economic Area. Insofar as the second joint controller may be subject to GDPR, data transfer to and from the first joint controller (EMBL-EBI) is necessary for important reasons of public interest embedded in the aims of the EMBL and justified in the Article 9(4) of IP 68 (equivalent to Article 49(1)(d) of GDPR) read in conjunction with EMBL`s 1973 establishing agreement and Article 179(2) of the Treaty on the Functioning of the European Union.

6. How long do we keep your personal data?

All data are stored for as long as you have the account open. Thereafter the storage is prolonged for as long as our service is live, even if you stop using our services. This prolongation is necessary for further scientific research, to ensure legal compliance and security and to facilitate internal and external audits it they arise.

By contrast, the log files for the data categories related to anonymous usage statistics (raw web service logs) are processed only for 30 days and thereafter erased.

7. The joint Data Controllers provide these rights regarding your personal data

You have the right to:

1. Not be subject to decisions based solely on an automated processing of data (i.e. without human intervention) without you having your views taken into consideration.
2. Request at reasonable intervals and without excessive delay or expense, information about the personal data processed about you. Under your request we will inform you in writing about, for example, the origin of the personal data or the preservation period.
3. Request information to understand data processing activities when the results of these activities are applied to you.

It must be clarified that rights under points 4 and 5 are only available whenever you need support whilst using our website. For other processing based on the grounds of important public interest you cannot exercise your rights to object, rectify or erase your personal data according to the Article 13(2)(a)(b) of IP 68 (equivalent to Article 17(3)(b)(d) and Article 21(6) of the GDPR).

8. Supervisory authority

If you wish to complain against the processing of your personal data, you may do so by post at:

• EMBL Heidelberg, Data Protection Committee, Meyerhofstraße 1, 69117 Heidelberg, Germany, or
• Autoritat Catalana de Protecció de Dades (Catalan Data Protection Authority), C/Rosselló 214, Esc A, 1r 1a, Barcelona 08008, Spain.

Published at: February 6, 2019