Updated October 2021

The privacy and security of your personal information matters to us. The below Privacy Policy explains the ways in which we use your personal data, why it is necessary for us to use it in some situations, and the measures we take to ensure your information is safe. 

The EMBRC-ERIC website is a major resource for information about the Research Infrastructure, where the user can find information about EMBRC organisation, contact points, services, events and news and can access the majority of this information without providing any personal information. However, in some instances, your personal data is required, for example applying for access to our services or responding to a survey. 

Our policy on the protection of individuals with regard to processing personal data has been developed in line with the principles set out by the Regulation (EU) 2019/1725 of the European Parliament and of the council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation) as well as the relevant French law, ain particular the law n°78-17 of 6 January 1978, known as the law on data processing and freedom, as applicable. When we refer to the ‘law’ or ‘legislation’ in this policy, we are referring to those regulations. 

1.    What is the scope of this privacy policy? 
This policy covers EMBRC-ERIC’s data processing on our website (www.embrc.eu). The EMBRC-ERIC website may include links to third-party websites (e.g. links to news and events; EMBRC-ERIC partner websites; YouTube). When you click on links to third-party websites and navigate away from the EMBRC-ERIC website, you may be asked to accept other terms and conditions pertaining to the third-party website. EMBRC-ERIC has no control over privacy policies for third-party websites. EMBRC-ERIC will not relay through our website any personal information that has been communicated to us, virtually or in-person (for example through email signatures, business cards, newsletter subscription, etc.). 

2.    What are your rights?
Under GDPR you are entitled to see copies of all personal data held by us and to amend, correct, delete or export such data. You can also limit, restrict or object to the processing of your data. If at any point you would like to view your data in a legible format, or exercise any of the above described rights, you can make a request via any of the below contact points:

By post:  EMBRC-ERIC
4 Place Jussieu 
Tour 46/00, 1er étage, Bureau 101
BC 93
75252 Cedex Paris 05
France

By email: secretariat@embrc.eu
By phone: +33 (0) 1 44 27 63 37

When you get in touch, it is our duty to respond to you as soon as possible and within a maximum of 30 days. We may ask you to verify your identity before we provide you with any personal information. GDPR stipulates that each request made must be logged. 

3.    Who is responsible for your personal data?
EMBRC-ERIC is an ERIC (European Research Infrastructure Consortium) established with the European Commission Implementing Decision of 20 February 2018 (reference C(2018) 826), with the goal of providing a single access entry point to a comprehensive portfolio of services and research platforms, marine ecosystems, biological resources, e-infrastructure and metadata. 

Our registered address is 4 Place Jussieu, Tour 46/00, 1er étage, Bureau 101, 75252 Paris Cedex 05, France. 

EMBRC-ERIC is the data controller of the data which we collect from you, and as such we control the ways in which your personal data are collected and the purposes for which your personal data are used. 

4.   Hosting

The EMBRC-ERIC website is hosted by OVH, which is located in France (see the OVH Privacy Policy here). 

5.    What personal data do we collect about you? 
We aim to adhere to the highest standard of data privacy in alignment with GDPR. By using our website and by contacting us by email, telephone or via post, we may collect and process some of the following personal data: 

name, professional position, address, email address, phone number. 

6.    Why do we need your data, and what do we do with it?
Any personal data we collect from our website is collected to fulfil one of the objectives below. These objectives are regularly reviewed to account for changes in information gathering. 

  • To create your user login in the online access management system ARIA, a platform operated by Instruct-ERIC, third-party provider and data processor of ARIA for EMBRC-ERIC (in this respect, the 'Terms of submission for the use of EMBRC services' also apply).
  •  To send you the EMBRC-ERIC newsletter and manage your subscription (note: when you sign up to receive EMBRC news via the sign-up bar in the website footer, you are submitting your email address to our MailChimp account; MailChimp is a third-party provider. You may access their Privacy Policy here; for information on MailChimp's compliance with GDPR in particular, click here.)
  • To measure the effectiveness and efficiency of our website

According to the legislation, we only have the right to use your personal information for one or more of the following reasons:

-    To fulfil a contract we have with you; 
-    If we have a legal duty to use your data; 
-    When you consent to your data being used (prior consent can be withdrawn at any time); 
-    When it is in our legitimate interests;

We require your personal data in order to provide you with the information you request from us (such as a request for access), or to provide you with information regarding events and activities related to our research infrastructure and services. Crucially, we process personal data based on your consent.

We collect and process personal information about members and staff of EMBRC-ERIC partner institutions within the EMBRC-ERIC research infrastructure or organisations we connect with. We process this information in light of our legitimate interests, including our interest in providing our services to our users (members and partners), managing ongoing joint activities and fostering further scientific collaborations.  

We collect and process personal data needed to carry out any of our obligations arising from any contracts between you and us, on the legal basis of performance of a contract. 

The EMBRC-ERIC access portal allows users to submit access requests and apply for research infrastructure access visits. These applications are made by submitting a proposal through the online access management system ARIA, operated by Instruct-ERIC, and applications are peer reviewed. Additional personal data is required in the form of your research references and biography. Personal data will be kept private and only visible to EMBRC-ERIC Headquarters staff, external reviewers bound by a non-disclosure agreement and staff members within EMBRC partner site(s) who will host your visit. 

More specifically, we use the personal data you provide for the purpose of reviewing your application, arranging the services, and to communicate with you throughout the access process. We process your data on the basis of the access contract we ask you to agree to at the final stage of the online proposal. We are required to maintain personal data for the purposes of reporting to our General Assembly and funders and to comply with EU or French law related to financial recording. 

/node/25837.    Applying for use of EMBRC-ERIC services
Users can access EMBRC-ERIC services by two means: 1) by sending a request via email (writing to access@embrc.eu) or 2) through the submission of an online application (by the means of the online access management system ARIA, operated by Instruct-ERIC, third party and data processor for EMBRC-ERIC of such requests). The terms on which you may use the EMBRC website to submit applications for EMBRC services through ARIA are set by the 'Terms of submission for the use of EMBRC services'

The collected personal data from ARIA are stored in the United Kingdom or in the cloud, in both cases complying with GDPR. The legal responsibility for the collected personal data for access requests and their protection is described in the Data Processing Agreement that has been signed between EMBRC-ERIC (the Data Controller) and Instruct-ERIC (the Data Processor).

Such access requests may go through peer review. Personal data in the form of your research history, biography and your project proposal are required to be submitted in the access request. Personal data will be kept private and will only be visible to EMBRC partners involved in your project, to check your access request and to assist with the organisation of your visit. We use the personal data you provide for the purpose of reviewing your application, arranging the services, and to communicate with you throughout the process. We are required to maintain personal data for the purposes of reporting and to comply with applicable EU and national laws on data protection. Limited personal information (name, home country) of successful applicants might be published on the EMBRC-ERIC website, and may be shared with funders on request. 

In certain cases, peer reviewers of access requests may be located outside of the EEA, in which case your access request data may leave the EU GDPR jurisdiction. However, reviewers will still be bound by non-disclosure agreements. As of 2020, one EMBRC-ERIC partner site (EMBRC-IL) is outside of the European Economic Area (EEA). If your visit is scheduled to a research infrastructure partner outside of the EEA, your personal data will be shared with the EMBRC-ERIC Headquarters and the associated partner site(s) facilitating your visit. All reasonable steps will be taken to ensure that your data is treated securely and in accordance with this privacy policy. 

8.    Does EMBRC publish your data on its website? Is your data shared by EMBRC?
EMBRC-ERIC does not publish your data on our website and it is our responsibility to ensure the user’s consent before publishing any personal data, such as name and location, before integrating this into internal or external documents such as reporting or case studies.

If we do publish any personal data, such as names, it will be for a specific purpose, such as listing members of an EMBRC advisory or governance body. This will only be done if your consent is explicitly provided (in writing) for this purpose. 

EMBRC-ERIC does not share your data with third parties for commercial or marketing purposes. Your personal data may only be shared in the context of specific scientific activities and research collaboration opportunities. Some personal information may be shared with our third-party service providers (such as web hosting, newsletter software providers, online surveys, access management system, etc.) solely for the purpose of realising these services. As and when third parties have access to personal data in order to execute the above processing activities, we take the necessary organisational and contractual measures to ensure that your personal data is processed exclusively for the purposes mentioned here. 

We may be obliged to share your personal data with the competent authorities, only if we are required to do so by law. 

9.    How long do we keep your data?
Your data is only kept for as long as we need it or for as long as the data agreement between the user and EMBRC-ERIC lasts, and at least as long as is required for legal purposes (e.g. accountancy). For purposes concerning proof in judicial disputes, EMBRC-ERIC may store personal data for up to 10 years after the fact, which is the maximum legal term for placing personal claims. 

We will actively review the information we hold and when there is no longer a legal or business need for us to hold it, we will delete it securely. 

Personal information we hold for the purpose of distributing the newsletter will be kept until you notify us that you no longer wish to receive this information. If you have previously opted in to receiving emails from us, you can unsubscribe by clicking on the link in all emails from EMBRC-ERIC. 

10.    Who has access to your data?
EMBRC-ERIC’s relevant internal parties have access to the data that you consent to us using.

For example, the EMBRC-ERIC Access Officer and the concerned partners to whome you have submitted an access request have access to the data you provide via the online access management system ARIA. 

We will never pass on, sell or exchange your data for marketing purposes to third parties outside of EMBRC-ERIC. In case we use a service provider for certain data processing, we will disclose this information in the specific data policy and, as applicable, in the information notice so that you can make an informed decision about using our tools. 

11.    What are cookies and how are they used?
What are cookies? Cookies are short text files placed on your computer or device by websites that you visit. The log we keep of website visits includes the following information: IP address, time information, and the URL visited, for bug tracking and to monitor for malicious visits. We also use cookies to enhance the surfing experience. 

The EMBRC-ERIC website uses Google Analytics cookies. The user can accept or reject the cookies on the site by choosing to accept or reject the initial cookies notice.

Through cookies, we collect standard information and details of visitor behaviour such as time spent on the website and on specific pages. This is done by checking for the unique identifier in a cookie left there on a previous visit. This information is collected in a way that does not identify the visitor(s). EMBRC does not associate any data gathered from this site with any personally identifying information from any source. All of our cookies are anonymous and session based and we hold no personal information in any of our cookies.

11.    Links to other websites
The EMBRC-ERIC website contains links to other websites, for example through the News section or to other project pages. When you follow the links to other websites from the EMBRC-ERIC website, we advise you to be aware of and read their privacy policy. EMBRC-ERIC is not responsible for the privacy practices of other websites. 

12.    What to do if you have a complaint
If you wish to raise a complaint on how we have handled your personal data, you can contact us to have the matter investigated at secretariat@embrc.eu. 

If you are not satisfied with our response or believe that we are not processing your personal data in accordance with the legislation, you have the right to make a complaint to the supervisory authority which is responsible for the protection of personal data in the country where you live or work, or in which you think the breach of data protection regulation might have taken place. In France you can contact the Commission Nationale de l'Informatique et des Libertés, 3 Place de Fontenoy, 75007 Paris France; telephone: +33 (0) 1 53 73 23 79; website: https://www.cnil.fr/fr.  

EMBRC-ERIC is bound to inform the data protection authority for France (CNIL) of a data breach within 72 hours and must also contact identifiable affected users within this same timeframe. 

13.    Changes to the Privacy Policy
We may periodically update our Privacy Policy. If we make any substantial changes, these will be posted on our website so please check our Privacy Policy on a regular basis.