iNEXT-Discovery Privacy Policy

 

Anyone whose personal data is processed has the right to file a complaint with the competent authority in case of (possible) violations of the applicable law with regard to the protection of personal data. Question and remarks regarding data protection can be addressed to the iNEXT-Discovery Project Manager (h.wienk@nki.nl). If necessary or desired he/she will include the Data Protection Officer of the NKI (privacy@nki.nl) in the communication.

‘Personal data’ means any information, private or professional, which relates to an identified or identifiable natural person.

The iNEXT-Discovery project prioritizes the careful handling of personal data. All beneficiaries of the project consortium that process personal data under the iNEXT-Discovery Grant Agreement must do this in accordance with EU and national law on data protection. Personal data are processed for various categories of people involved in the consortium. The protection of personal data is regulated by law and via this privacy statement, we provide information on how we handle personal data in accordance with the requirements of the GDPR.

This policy covers all activities of iNEXT-Discovery with respect to personal data collection. Please read this policy carefully to understand how we collect and use personal data. It describes the technical and organizational measures that will be implemented to safeguard the rights and freedoms of all participants. It describes the security measures that will be implemented to prevent unauthorized access to personal data or the equipment used for processing.

 

Who is responsible for the processing of provided personal data?

The iNEXT-Discovery website is owned by the NKI-AVL (The Netherlands Cancer Institute - Antoni van Leeuwenhoek Hospital), the coordinator of the iNEXT-Discovery consortium that is funded by the European Commission (Horizon-2020 Project number 871037). On behalf of the consortium, the iNEXT-Discovery website is hosted by Partner Instruct-ERIC. Personal registration to obtain access to the iNEXT-Discovery facilities registration is mandatory and managed through the online access management system ARIA, operated by Instruct-ERIC. The collected personal data are stored in the United Kingdom or in the cloud, in both cases complying with GDPR. The legal responsibility for the collected personal data for iNEXT-Discovery access requests and their protection is described in the Data Processing Agreement that has been signed between NKI-AVL (the Data Controller on behalf of the iNEXT-Discovery consortium) and Instruct-ERIC (the Data Processor). Contact information (email address) will also be made available to the facility in order to directly organize access with the researchers requesting access to their facility.

Registration of personal data for participating in iNEXT-Discovery training, workshops and meetings is with the local organizing iNEXT-Discovery partners. Every iNEXT-Discovery partner shall handle personal data in accordance with GDPR.

 

What personal data do we collect?

All personal data that will be collected and processed will be relevant and limited to the purpose of iNEXT-Discovery.

On behalf of the iNEXT-Discovery consortium, Partner Instruct-ERIC will collect and process the following contact data upon registration: name, email address, nationality, country of residence, employing organization. Further personal information will be collected upon filling out access requests forms, including but not limited to gender, function, biography, IP address by Instruct-ERIC, and other information such as bank information and (home) address by the relevant access providing facility.

 

For what purposes do we process personal data?

Stored registration data (name, email address) are for communication purposes only. The contact details are used to handle requested services, to provide information relating to the requested iNEXT-Discovery activities, to distribute our newsletter, and to handle complaints, disputes and incidents. Statistical research will be performed for internal iNEXT-Discovery monitoring for instance for improvement of diversity, and reported to the European Commission.

iNEXT-Discovery beneficiaries will collect and process personal data including bank information and (home) address to reimburse their users for costs incurred. These data may be passed to the European Commission for verification that costs declared for specific people are eligible.

 

What is the basis for the processing of personal data?

The processing of personal data is necessary for the execution of a request, such as obtaining iNEXT-Discovery access or training. Providers of personal data have provided these personal data on contract basis for their participation in access provision, training and reporting. The processing is necessary to comply with legal compliance requirements of the iNEXT-Discovery consortium to the European Commission.

 

How long do we keep personal data?

The iNEXT-Discovery contract with the European Commission requires that personal data is kept for a period of five years after the iNEXT-Discovery project’s final payment that takes place after February 2024.

 

Who will receive the personal data?

When access to research facilities is requested, the participant registration data will be shared with the relevant iNEXT-Discovery partner(s). For participant research proposal handling, registration data will be shared with iNEXT-Discovery external moderators and peer-reviewers who acknowledge and accept GDPR privacy regulations. For external participants registering for participation in training, workshop or other meeting, their registration data will be collected by the iNEXT-Discovery beneficiaries organizing the event and shared with the iNEXT-Discovery Coordinator.

The iNEXT-Discovery beneficiaries may grant their personnel access only to data that is strictly necessary for implementing, managing and monitoring the Grant Agreement. The iNEXT-Discovery beneficiaries must put in place adequate access controls and retention policies for the data they hold. The beneficiaries must inform their personnel whose personal data are collected and processed that these will be reported to the European Commission.

Contact information of iNEXT-Discovery beneficiary personnel and external participants will be available for the iNEXT-Discovery Coordination team at NKI, for instance to inform registered persons about their obligations or relevant research opportunities. Personal information about employer and nationality, and the soft biometrics gender and nationality are collected and processed to provide statistics for internal monitoring and reports for the European Commission.

Third parties will only receive personal data if this needs to be provided for the implementation of a law or court order, or if this is necessary to protect the interests of iNEXT-Discovery beneficiaries or participants.

 

How do we protect personal data?

The iNEXT-Discovery consortium has taken technical and organizational security measures to protect personal data against unlawful use. We secure our systems according to the applicable standards for information security, and we make agreements about this with our service providers. Personal data will be only accessible to those who are logically allowed to process this data. iNEXT-Discovery affiliates who are involved in the processing of personal data on behalf of the consortium are required to maintain the confidentiality of the personal data of which they are aware. The personal data that will be collected will be minimized and pseudonymized whenever possible. Access to personal data will only be granted to third parties if we have a valid reason for doing so.

 

Rights regarding personal data

- Right of inspection: this concerns the right to view one’s personal data or request a copy;

- Right to rectification and supplementation: this concerns the right to change personal data if it is factually incorrect;

- Right to restriction of processing: this concerns the right to have less data processed;

 

The iNEXT-Discovery website

a) Browsing and contact

One can browse through iNEXT-Discovery webpages without submitting personal details. The iNEXT-Discovery website allows visitors to contact the consortium to an email address, which is moderated by the Coordinating Partner NKI. The personal data provided through this email is used only to the extent necessary to reply. If the mailbox moderator is unable to answer a question, he may forward the email to another iNEXT-Discovery partner.

b) Cookie policy

A cookie is a small file that is stored on a computer, tablet or mobile phone when someone visits a website. Cookies do not contain viruses or other malicious applications. If one does not want us to use cookies, one must turn 'cookies off' in their browser or not accept cookies upon receiving the cookie notification. Turning off cookies may limit the use of our website and services. If the use of cookies is accepted, these will remain on a computer, tablet or mobile phone until they are deleted. The iNEXT-Discovery website also contains links to other websites. If those other websites use cookies, the information is not sent to our servers but to the server of that other website.

The iNEXT-Discovery website makes use of functional cookies for optimization of its website and analysis of visitor behavior. Cookies do not retrieve stored data on a hard-drive and do not affect a computer or data. We use Matomo Analytics to measure which pages are visited and clicked on within our website. Matomo can be configured in any browser to respect “do not track”-requests. The website visitor statistics allow us to track which pages could be improved and may be reported to the European Commission.