WHAT IS ARIA IDSS?
The ARIA Identity and Security Service (“ARIA IDSS”) is an authentication service operated by Instruct-ERIC, the European Research Infrastructure for Structural Biology, and made available to research infrastructures all over the world (“Connected Organisations”), as an identity and security service for the access to the online services provided by those Connected Organisations. Ownership of an ARIA IDSS account allows you to log in to the different Connected Organisations, both those using the ARIA Platform or otherwise providing their online services, as applicable. These Connected Organisations include both external research organisations (“External Organisation”), and our own Instruct-ERIC website giving access to a membership platform.
The accuracy of your information is important to us. If you change your email address, or if any of the other personal data we hold on you is inaccurate or out of date, please update your online profile on the ARIA IDSS. If you have difficulties updating your information, please contact us at firstname.lastname@example.org.
WHO ARE 'WE'?
WHAT PERSONAL DATA DO WE COLLECT?
Personal data is defined as any information or the combination of information that identifies you or can be identified as relating to you personally. For the purpose of the ARIA IDSS, we identify three categories of personal data we might collect about you.
1. CONTACT INFORMATION
In order for you to register an ARIA IDSS account, we only request the information strictly necessary for this purpose. This information consists in particular of (1) your email address, (2) first name and (3) last name, all three required for the initial identification purposes. This information may be requested directly from you or may be obtained indirectly from the organisation you choose for the purpose of logging in to the ARIA IDSS, such as your Google account or your home university account.
Upon registering an account, the ARIA IDSS will generate a randomusername by which you can be identified by Connected Organisations using the ARIA IDSS. This will be randomly generated, independent from any personal data that you have provided to us.
2. ADDITIONAL INFORMATION
In order to facilitate the transmission of your personal data to the Connected Organisations for which you might apply via your ARIA IDSS account, you will be allowed to store additional information on the ARIA IDSS. You will be free to share that additional information with the Connected Organisations on a case by case basis. This implies that the information will never be shared with the Connected Organisations unless you provide us with your explicit and specific consent regarding a particular transfer.
For this purpose, you can volunteer personal data, including your nationality, your country of residence, your employing organisation, avatar, relevant specialisations, etc. This information may be requested directly from you or may be obtained indirectly from the organisation you choose for the purpose of logging in to the ARIA IDSS, such as your Google account or your home university account.
3. TECHNICAL DATA
We collect and store full IP addresses, your browser type, operating system and the specifications of the hardware you use to access the ARIA IDSS. These data are stored within ARIA IDSS, for security reasons. The concerning data may among others be collected by automated means, such as for example cookies.
HOW WE USE YOUR PERSONAL DATA
We use your personal data for the following purposes:
1. IDENTIFICATION AND SECURITY
In order to provide the ARIA IDSS identification and security services in relation to you, we collect, store and process your contact information as stated above.
The processing of the contact information is necessary for the performance of the agreement you conclude with us for the provision of the identification and security services. You remain free at all times to choose whether or not you want to share your contact information. However, if you decide not to share this information with us, we will be unable to perform the necessary identification and security services and you will be unable to register an ARIA IDSS account.
2. STORING OF PERSONAL DATA
The relevant personal data will only be collected based on your consent. You are free to revoke at any time, any consent you have given to us in the manner set out below under the title ‘Your data protection rights’. Please note that if you have consented to transfer any of these data to a Connected Organisation but later remove the data from ARIA IDSS it will not necessarily lead to the automatic removal of the data held by the applicable Connected Organisations.
3. FACILITATING THE TRANSFER OF PERSONAL DATA
When you access a Connected Organisation that uses ARIA IDSS as its identification and security service, for example when registering for a specific project or service, the Connected Organisation might prompt you with a request for relevant personal data stored on the ARIA IDSS. The relevant personal data refers to both the ‘1. Contact information’ and the ‘2. Additional information’ that you have chosen to store on the ARIA IDSS.
The requested personal data will be made clear to you at the moment of accessing the Connected Organisation and you will be asked to grant your explicit and specific consent before any data can be transferred by us to the applicable Connected Organisation. Your consent will only be relied on for the transfer to the specifically selected Connected Organisation, meaning that your consent will be asked for all subsequent transfers to other Connected Organisations you wish to connect your ARIA IDSS account to.
4. ESSENTIAL SYSTEM NOTIFICATIONS
For the purpose of providing you with essential system notifications, we base ourselves on our legitimate interest to keep you informed regarding the functioning of the ARIA IDSS.
5. DEVELOPMENT AND UPDATES
We collect and process technical data based on our legitimate interest to deliver and improve our security services in relation to you and the applicable Connected Organisations. This data is processed and stored for the purposes of detecting and preventing unauthorised system access and ensuring system security.
YOUR DATA PROTECTION RIGHTS
Under the Applicable Data Protection Legislation, you are entitled to exercise certain rights in relation to your personal data stored and processed by us.
If you would like further information on your rights or wish to exercise them, please write us at Instruct Admin Team, Oxford House, Parkway Court, John Smith Drive, Oxford, OX4 2JY, UK, or contact us at GDPR@instruct-eric.eu. We ask of you to properly identify yourself when exercising your data protection rights in order to enable us to execute your request within the provided delays.
The exercise of your rights is free and will be executed within one (1) month of the receipt of your request to exercise your rights. This delay may be extended with an additional two (2) months for a total delay of three (3) months, should your request prove to be particularly complex. If we decide to extend the delay, you will always be informed of this decision in due time.
In those cases where we deem your request to exercise your rights manifestly unfounded or excessive, we reserve the right to charge you an administrative fee for the execution of your request or to refuse to act on your request. You will always be informed within the abovementioned timeframe of one (1) month of our decision.
Please note that exercising your right to rectification, right to erasure, right to restrict the processing of your right to object to processing in relation to us, will not necessarily result in the same effect with any of the External Organisations you have linked your ARIA IDSS account to. You will need to contact the applicable External Organisation directly to make any of the aforementioned requests, as the concerning External Organisation will be considered a separate controller of such information.
1. WITHDRAWAL OF CONSENT
You have the right to withdraw your consent at any time where you have previously given us your consent for such processing. Withdrawing your consent will not impact the validity of the lawful processing activities performed on your personal data before exercising your right of withdrawal.
2. RIGHT OF ACCESS
You are entitled to request a copy of the data we process and hold on you. If we process and/or hold personal data about you, you will receive a copy of the information in an understandable format together with an explanation of why and how we hold and use it.
Additionally, you can ask to receive information regarding the recipients or categories of recipients to whom your personal data has been disclosed, including any recipients from third countries, meaning countries outside the EEA. For the personal data sent to third countries, you will be entitled to receive information regarding the appropriate safeguards we have taken in order to ensure the security of your data. For more information regarding the transfer of your personal data to third parties and/or third countries, we refer to the relevant sections below.
3. RIGHT TO RECTIFICATION
You have the right to ask us to correct your personal data. This includes the right to have us correct spelling mistakes, change an address, email addresses, phone numbers, etc.
Additionally, depending on the purposes of the processing, you have the right to complete any incomplete information we process or hold on you.
You are also able to perform the aforementioned actions yourself on the profile management pages on the ARIA IDSS.
Please note that any rectification of your data on the ARIA IDSS might not lead to the same effect on services provided by the Connected Organisations.
4. RIGHT TO ERASURE
You have the right to request the deletion of a part or the whole of the personal data we process or hold on you, including your ARIA IDSS account. We can object to the deletion if the processing of your data is necessary for the exercise of our freedom of expression or information, to comply with legal obligations, for reasons of public interest or for the establishment, exercise or defence of legal claims, whenever applicable.
Should you decide to exercise your right to permanently delete your ARIA IDSS account, you will no longer be able to log in to the ARIA IDSS or access the other services it provides. Furthermore, you might lose access to the historical record of any proposals that you may have submitted to any Connected Organisations, previously accessible via your ARIA IDSS account.
You are able to delete your account directly, using the profile management pages of the ARIA IDSS. After deletion, the ARIA IDSS will retain the permanent randomly generated username to prevent its reassignment following account deletion.
Please note that deleting your ARIA IDSS account does not necessarily delete all the personal data you have released to the Connected Organisations. We have put in place the appropriate measures in order to inform the Connected Organisations of your exercise of the right to erasure. However, if you subsequently wish to delete personal data from such a Connected Organisation, you will need to contact that service directly to make this request.
If the Connected Organisation is Instruct-ERIC you can make a combined request for deletion of all the information we hold on you, including the ARIA IDSS information and the information we hold on you as a Connected Organisation, by contacting us via the contact information we provided in the general part of this section.
5. RIGHT TO RESTRICT THE PROCESSING
You have the right to restrict our processing of your personal data. Please note that in exercising this right the relevant personal data will remain in our possession, but we will not be able to further process it.
6. RIGHT TO OBJECT TO THE PROCESSING
In those cases where we process and collect your personal data based on our legitimate interest, you have the right to object to our processing of such data. Please note that if you decide to exercise your right to object to our processing of your personal data, we have the right to provide you with our legitimate grounds in order to continue the processing of your data. Our decision to continue the processing of your personal data does not preclude you from filing a complaint at the relevant data protection authority as set out further below.
7. RIGHT TO DATA PORTABILITY
You are entitled to receive the personal data we process or hold on you in a structured, commonly used and machine-readable format. Furthermore, you have the right to have these personal data transmitted to another data controller, unless we consider this action not to be technically feasible.
Your personal data are only processed for as long as needed to achieve the purposes which are described above or, when we asked for your consent, up until such time where you withdraw your consent. In this section we provide you with the information you need to assess how long we will keep your personal data identifiable. As a general rule, we will de-identify or delete your personal data when they are no longer necessary for the purposes outlined above or when the retention period as explained in this article has expired. However, we cannot de-identify or delete your personal data if there is a legal or regulatory obligation or a judicial or administrative order that prevents Instruct-ERIC from de-identifying or deleting them.
All personal data we collect through the creation of an ARIA IDSS account will be stored and processed at least for as long as your ARIA IDSS account remains active.
All personal data we collect through our interactions with you via the website, phone, e-mail and other digital communication channels are stored and processed for as long as required to communicate with you, but also to keep a historical archive of our communications. This allows us to revert back to earlier communications if you return to us with new questions, requests, remarks or other input.
All personal data we collect in the context of a contractual relationship with you or the organization you represent, we will keep for the duration of the contractual relationship and at least until 7 years thereafter.
We retain the technical data for the period of time necessary for the purposes set out above, including to investigate issues relating to the ARIA IDSS service. We delete any unused technical data collected and processed after 180 (one hundred eighty) days.
TRANSFERS OF DATA TO THIRD PARTIES
For the functioning of the ARIA IDSS services, we can additionally share your personal data with external service providers acting as our processors for the purpose of storage, security and identification. We will always make sure that the appropriate safeguards are put in place in relation to these external service providers, in order to ensure the safe transfer and storage of any personal data you make available to us through the ARIA IDSS service. We specifically make use of Amazon Web Services (AWS) in order to host our ARIA IDSS.
Your personal information can be shared with judicial or administrative authorities or any other authorities or third parties, regardless of their qualification under the applicable national law, if the transfer of personal data is necessary or obligatory to fulfil any legal obligations imposed on us by any applicable laws and regulations.
Please contact us, should you require more information regarding the third-party recipients, so that we can help you, however possible.
INTERNATIONAL DATA TRANSFERS
1. WITHIN THE INSTRUCT-ERIC FRAMEWORK
Furthermore, when subscribing to the Instruct-ERIC services, offered as a Connected Organisation, by giving your explicit consent to share your personal data, the applicable personal data might be shared with services or projects taking place in associated countries, not forming part of the EEA but part of Instruct-ERIC, or international organisations part of the Instruct-ERIC framework.
For a full and updated list of our Instruct-ERIC locations over the world, our associated country members of the Instruct-ERIC framework, including the members qualifying as an international organisation, please see https://instruct-eric.eu/countries or contact us at GDPR@instruct-eric.eu.
We ensure that the appropriate safeguards necessary for the safety and security of your personal data are in place for all personal data processed and transferred within the Instruct-ERIC framework, including at our facilities outside the EEA. Instruct-ERIC has concluded the necessary agreements with its members to ensure appropriate safeguards necessary for the safety and security of your personal data. These agreements include the standard data protection clauses adopted by the European Commission.
2. EXTERNAL ORGANISATIONS
Your personal data might be shared with External Organisations offering services on the ARIA platform, established in a country located outside the EEA. As set out above, this personal data will only be transferred based on your explicit and specific consent. For the purpose of transferring this personal data, we make certain that the appropriate safeguards are put into place in order to ensure that the level of protection provided by the Applicable Data Protection Legislation is guaranteed. This is done by sharing your personal data only with External Organisations established in third countries which have been deemed to provide an essentially equivalent protection of your personal data by the European Commission or, where applicable, by concluding an agreement containing the standard contractual clauses drafted by the European Commission.
3. EXTERNAL SERVICE PROVIDERS
Lastly, your information might also be shared with external service providers located outside the EEA in order for ARIA IDSS to be able to perform the processing activities set out above in the most secure manner possible. This is done by only sharing your personal data to external service providers established in third countries which have been deemed to provide an essentially equivalent protection of your personal data by the European Commission or, where applicable, by concluding an agreement containing the standard contractual clauses drafted by the European Commission. These external service providers will wherever possible be considered data processors of ARIA IDSS.
For an updated list of external service providers located in countries outside the EEA, we invite you to contact us via the contact information provided above.
We protect your personal data by providing the appropriate technical and organisational security measures to minimise the risk of data loss, misuse, unauthorised access, unauthorised disclosure or unauthorised alteration. For this purpose, we use, among others, firewalls, data encryption procedures, internal authorisation procedures in order to receive access to your ARIA IDSS account, etc.
These measures are under constant revision and will be updated regularly in order to provide the necessary guarantees.
WHAT TO DO IF YOU ARE NOT HAPPY
The Applicable Data Protection Legislation gives you the right to file a complaint with your local supervisory authority (depending on your place of residence, your place of employment or the place of infringement on data protection law) or with the lead Supervisory Authority being the Information Commissioner’s Office (ICO). You can contact the ICO if you have any questions about Data Protection or wish to file a complaint against Instruct-ERIC. You can contact them using their helpline 0303 123 113 or at www.ico.org.uk.
However, we would appreciate it if, prior to filing any complaint, you contact us in order for us to assist you however possible with your requests or concerns.
When you log in using ARIA IDSS, your computer may be issued with a small file (a "cookie") for the purpose of managing and improving the services on the website.