Privacy on the ELIXIR Luxembourg (ELIXIR-LU) websites

1. Preface

This is the privacy policy for the websites that are hosted by the Luxembourgish Node of ELIXIR (“we” “us”, “our”). This policy concerns the following ELIXIR-LU Websites and services accessible through those sites:

Node Website elixir-luxembourg.org
Data submission System elixir-dcp.lcsb.uni.lu
Beacon beacon.elixir-luxembourg.org
Data Catalog datacatalog.elixir-luxembourg.org

In this policy we outline what personal data (“data”) we collect when data subjects (“you”, “your”) visit our sites and use our services, for what purposes this data is collected, where and how long it is kept, your rights regarding data as per EU General Data Protection Regulation (“GDPR”). We also list relevant contact persons regarding requests and inquiries on data and data protection.

2. Who is the data controller?

The data controller is the University of Luxembourg.

University of Luxembourg,
2, avenue de l’Université,
L-4365 Esch-sur-Alzette.

University of Luxembourg’s Data Protection Officer’s contact information is given below. This contact should be used to exercise of your rights regarding personal data and also for general inquiries on data protection.

Dr Sandrine Munoz,
dpo (AT) uni (dot) lu
University of Luxembourg,
Legal Affairs, Central Administration,
Maison du Savoir,
L-4365 Esch-sur-Alzette.

3 ELIXIR-LU Websites

3.1 Site visitor information

Data and its purpose of use

When you visit any of the four ELIXIR-LU websites listed in the preface, we collect the following information:

  • your IP address,
  • your device type, name and id,
  • your browser version,
  • your operating system and language settings,
  • date and time of web resource access request,
  • content of access request,
  • status and size of response to a request.

This information is automatically collected by server-side software that deliver pages to site visitors. We use this data to analyse site usage, which in turn allows us to further optimize and secure our site. The data will be used for statistical purposes only.

Legal basis

The site visitor information is necessary for us in order to deliver the website to you as well as to guarantee the website’s stability and security. It is in our legitimate interest (GDPR Article 6(1)(f)) to collect and use site visitor information.

Storage location and duration

We store site visitor data on servers located in Luxembourg for a period of 12 months. Visitor logs are deleted after this period, aggregated statistics on site visits are stored for an indefinite period.

Transfers

Site visitor information collected by our server-side software is not transferred to any other country.

3.2 Site cookies

Data and its purpose of use

We use cookies on ELIXIR-LU websites. Cookies are bits of information that are created and maintained by your web browser when you visit a website. Cookies are categorized as first-party and third-party. First-party cookies are placed by the website you visit and will not track your activity once you leave that website. Third-party cookies are often set by another site not the one you’re visiting, e.g. advertisements, social media widgets, and they may continue to track your activity across sites.

ELIXIR-LU websites are designed to use cookies listed below:

  • Feature cookies
    When you visit our sites for the first time you will be notified of our cookie policy. We will keep your confirmation of the receipt of this notice as a cookie named “cookiebanner-accepted”.

  • Optimization and security cookies
    Our sites are fronted by load balancers and firewalls managed by the University of Luxembourg. As a result, additional cookies named “LBServer”, “TS*” will be placed in your browser.

  • Authentication cookies
    When you log in to any of our registered services, those described in Section 4, we place authentication cookies. Specifically, two cookies named “remember_token” and “session” will be placed to know your preference to be remembered and the fact that you have authenticated.

Feature, optimization and security and authentication cookies are first-party and there is no personal information stored in them. In addition, our websites make use of the following optional cookies:

  • Twitter (optional)
    Our sites include the Twitter feed of ELIXIR-LU. The Twitter widget does not place any cookies if solely used it to view tweets. However, this widget also includes Like or Share functions. If you choose to interact with these functions then you will make a connection to Twitter.com, which may place cookies, including third-party cookies on your browser. You can reach the Twitter privacy policy here.

  • YouTube (optional)
    Our sites embed YouTube videos of ELIXIR and ELIXIR Luxembourg. We use YouTube in privacy-enhanced mode, which by default, does not place any cookies. Cookies will only be placed in case you watch the videos. Details of YouTube cookies can be found here.

Storage location and duration

Normally cookies are stored on your computer until the end of their expiry period summarized below. You may also choose to clear your browser cookies manually.

Cookie category Cookie name Expiry period
Feature cookie-banner-accepted 1 year
Optimisation & Security LBServer End of browsing session
Optimisation & Security TS* End of browsing session
Authentication Remember_token 1 year
Authentication session End of browsing session

Legal basis

Use of cookies is in our legitimate interest (GDPR Article 6(1)(f)) as it is necessary for us to deliver our sites to you in a stable and secure manner.

Transfers

Essential cookies i.e. the Feature, Optimisation & Security and Authentication categories listed above are required for our websites to function. These cookies are stored on your computer, and information in them is transferred to servers in Luxembourg, when cookie information is used by our site servers.

Optional cookies that may be placed by the Twitter and YouTube widgets are stored on your computer. Information in these cookies may be transferred to servers in the United States and elsewhere, please see the privacy policy of Twitter and YouTube for details.

4 ELIXIR-LU Registered Services; Beacon and Data Submission System

4.1 ELIXIR AAI user information

Data and its purpose of use

We collect additional personal data, beyond the IP address, only when you sign up to our registered services. These services are the Beacon and the Data Submission System. When signing-up and signing-in to these services we use ELIXIR AAI, which is a single sign-on provider for the academic and research community. We collect and store the following personal data from ELIXIR AAI:

  • your unique ELIXIR AAI registration id,
  • your name and surname,
  • your email,
  • your bonafide researcher status,
  • name of ELIXIR groups that you are associated with if applicable.

For information on how your data is processed by the ELIXIR AAI and the relevant contacts, please see the ELIXIR AAI Privacy Policy. You can view the information that the AAI holds about you by visiting your AAI profile page.

We use ELIXIR AAI information to deliver data stewardship services to you. Specifically, for you to oversee your data activity in the Data Submission System and for us to communicate and assist you during data submission. We use ELIXIR AAI information in the Beacon to log the searches you make on genomic datasets.

No personal data collected on our sites and services are used for direct marketing purposes.

Storage location and duration

The data collected by ELIXIR-LU registered services is stored on servers located in Luxembourg.

Your data will be retained for as long as the services are operational, even after you stop using the service. In case the services are decommissioned, we will keep ELIXIR AAI information from registered services for as long as the associated (i.e. submitted or searched) research data is held in ELIXIR Luxembourg. When the research data is no longer hosted at ELIXIR Luxembourg, we will keep ELIXIR AAI information for a duration of 1 year for record keeping purposes.

Legal basis

For the Data Submission System, ELIXIR AAI information is necessary for us in order to take steps at the request of the data submitters prior to entering a data hosting contract with us (GDPR Article 6(1)(b)). We will use it to authenticate you and to provide data stewardship support to you during the course of data hosting.

Furthermore, for the Beacon, we need your ELIXIR AAI information to comply with our legal obligations to protect genomic data against malicious re-identification attempts (GDPR Article 6(1)(c)). A log of your connection to the Beacon service will be kept for analysis of searches you make on genomic datasets.

Transfers

ELIXIR AAI information used in our registered services is not transferred to any other country.

4.2 Study and Data contact information

Data and its purpose of use

When you use the Data Submission System to submit research data to us, we will ask you to provide information about contacts related to the source institution and source study of the submitted data. Specifically, we ask for:

  • Name, surname and institutional email of the person that is considered the primary contact for the submission at your institution, this could be you or others. During the submission process we use this information to communicate information to contacts regarding the status of their submission.
  • Name, surname and institutional email of the data protection officer at your institution, we use this information to conclude a data sharing agreement with data submitters.
  • Name, surname and institutional email of primary and secondary contacts for the research study that generated the data you’re submitting, these would typically be the research principle investigators of the study. We keep this information in order to be prepared for GDPR requests of data subjects that have participated in the research study.

Storage location and duration

The contact information collected by the Data Submission System is stored on servers located in Luxembourg. Contact information will be retained for as long as the Data Submission System is live, even after you stop using the service. In case the services are decommissioned, we will keep the data for the minimum amount necessary for compliance with the GDPR and Luxembourgish Data Protection laws.

Legal basis

We need contact information to meet our legal obligations (GDPR Article 6(1)(c)) in order to maintain a record of processing activities as per Article 30 GDPR.

Transfers

The contact information collected by the Data Submission System is not transferred to any other country.

5 How do we protect your data?

We have put in place a number of organisational and technical measures for the protection of your personal data in compliance with the EU GDPR. These measures include but are not limited to access control, encrypted data transmission, institutional policies, staff code of conduct and training on data protection.

Only authorized personnel at ELIXIR-LU and its host institution, University of Luxembourg, can access the data. Examples of such personnel include system administrators and the ELIXIR-LU data stewards that communicate with data submitters.

6 What are your rights regarding the data we collect?

As per GDPR, you as a “data subject” have rights on your personal data.

You have the right to be informed that ELIXIR-Luxembourg is processing your personal information.

You have the right to access your personal information and in case it is inaccurate or incomplete you have the right to have it rectified without undue delay.

You have the right to ask that we delete your personal data or restrict its use. Where applicable, you have the right to object to our processing of your personal data, and the right to data portability. Your requests for deletion and processing restriction will be assessed by us and we will notify you of the result of this assessment within one month of receipt of the request. This period may be extended by two further months where necessary, taking into account the complexity and the number of applications (in accordance with article 12.3 GDPR).

You can request that we notify you of any changes to your personal data to any other parties to whom your data has been sent.

You have the right to lodge a complaint with the Luxembourgish data protection supervisory authority, CNPD, in case you consider that our processing of your personal data infringes the GDPR.

In order to exercise any of the above rights, you shall contact the University of Luxembourg’s Data Protection Officer in writing. The procedure for this is described in detail here.