Privacy on the ELIXIR website

This Privacy Policy explains what personal data is collected by the ELIXIR website, and by the services we use that you access via the website. It tells you why we collect your data, how it is processed, and how we keep it secure. It also gives you the contact details you need if you have any queries or requests concerning your data. For privacy information relating to cookies, see the cookies page.

The public website (www.elixir-europe.org)

The data we collect: if you browse the public website then the following information is logged by our server: your browser, operating system, IP address, the date and time of your visit, the pages visited, and the amount of data transferred.

Why we collect the data: the data is used to monitor for suspicious activities (e.g. attempts to hack the site), to diagnose problems on the site, and to create anonymous usage statistics. We do not attempt to identify or profile people based on this data.

Lawful basis for processing the data: processing this data is necessary for our legitimate interest of allowing the website to remain secure and robust.

Who has access to the data: the personal data is only accessible to staff in the ELIXIR Hub who work on the website and the Linode support team (see 'Third party processors' below).

Data transfer: this data is located on a server in London, UK, and is not transferred to any other country.

Data retention: we will keep web logs 30 days and security logs 90 days before anonymising them.

Third party processors: the ELIXIR web server was created using the cloud hosting service Linode. The personal data outlined above is stored on the ELIXIR Hub's Linode server. The Linode support team have access to the server so they can fix problems on it and upgrade it, but the personal data is not processed further by them or transferred to another organisation. See the Linode customer agreement for how Linode comply with the GDPR. For privacy questions concerning Linode contact privacy[at]linode[dot]com, and see the Linode Privacy Policy.

The intranet and internal mailing lists

The intranet (www.elixir-europe.org/intranet) is a restricted part of the main ELIXIR website (see the section above) and sits on the same server. The intranet is open to members of ELIXIR and its governing bodies only.

When you join a group on the intranet you automatically get subscribed to that group's mailing list. You also automatically become a member of any parent groups and their mailing lists. For example, if you joined the Bioschemas group you would automatically join the Bioschemas mailing list. You would also become a member of the Bioschemas parent group, Interoperability, and join the Interoperability mailing list. This functionality is designed to keep you informed of closely related matters across ELIXIR.

The purpose of the intranet and the mailing lists is to help people across the organisation work together. You log in to the intranet using the ELIXIR Authentication and Authorization Infrastructure (AAI), which allows you to log in using third party identity providers (e.g. using your Google account or your university ID).

The data we collect: the ELIXIR AAI provides us with your name, email and your ELIXIR group memberships. In addition you may enter more information about yourself in your user profile page. Your email address is not displayed to users of the intranet.

Why we collect the data: to allow you to log in to the intranet and see material restricted to ELIXIR members and collaborators, to subscribe you to the mailing list of your groups, and to create a user profile page for you so that you and other members of ELIXIR can see who is a member of which group. We also collect emails so people who have created new group content on the site (like an event or document) can alert other members of the group that this has happened. Emails are not shown to other members of the intranet.

Lawful basis for processing the data: legitimate interest, since in order to carry out your work as part of ELIXIR you need to be informed of deadlines and meetings concerning your work, and need to have access to information restricted to the intranet. If you stop working for ELIXIR, please email webmaster[at]elixir-europe[dot]org so that we can remove you from the groups and mailing lists.

Who has access to the data: other members of the intranet can view your user profile information and group memberships, but only website administrators at the ELIXIR Hub can view your email address.

Data transfer: this data is located on a server in London, UK. Your data is not transferred from the ELIXIR intranet to anywhere else.

Data retention: your data will be deleted after two years of inactivity (of not logging in to the website or sending emails to your groups). It will also be deleted once we are informed that you have stopped working for ELIXIR.

ELIXIR Authentication and Authorization Infrastructure (AAI): the ELIXIR intranet uses the ELIXIR AAI to enable people to log in. For information on how your data is processed by the AAI and who to contact about it see the ELIXIR AAI Privacy Policy. You can view the information that the AAI holds about you by going to your global ELIXIR profile page.

Unsubscribing: if you would like to unsubscribe from a mailing list please email webmaster[at]elixir-europe[dot]org and we will remove you from the appropriate group, or from our system altogether.

Public newsletters

These include the Informed and the Industry stakeholder newsletters. We use the MailChimp mailing service to send these.

The data we collect: the sign-up form for newsletters requires your email address, with optional fields for your name and organisation. In addition, Mailchimp records which newsletters you opened and which links you clicked.

Why we collect the data: to enable us to send emails, to measure the success of the emails, to help us provide reports to funders, and to help us improve the newsletters

Lawful basis for processing the data: this data is only processed with your explicit consent. The sign-up form asks for this consent.

Who has access to the data: the personal data is only accessible to staff in the ELIXIR Hub who manage the emails (members of the External Relations team).

Data transfer: MailChimp is based in the United States and the data is held on servers located there.

Data retention: We will keep your personal data for as long as you wish to remain on the mailing list.

Third party processors: the mailing lists service is run by MailChimp. MailChimp is certified to the EU-U.S. Privacy Shield Framework and the Swiss-US Privacy Shield, which are designed to protect your data in the U.S.. See also the Data Processing Agreement that customers in the EU (like the ELIXIR Hub) sign with MailChimp. This outlines how your data will be processed by MailChimp.

Event registration

We use the EventBrite service to manage event registrations.

The data we collect: this depends on the event. The event registration form normally ask for your name, email, and affiliation, and may ask for your gender and dietary requirement.

Why we collect the data: to enable us to organise the event, and to keep registrants informed about the event.

Lawful basis for processing the data: this data is only processed with your explicit consent. The registration forms ask for this consent.

Who has access to the data: the personal data is only accessible to staff in the ELIXIR Hub who manage the event.

Data transfer: EventBrite is based in the United States and the data may be transferred there.

Data retention: we will keep the personal data for two months after the event.

Third party processors: the registration service is run by EventBrite. EventBrite is certified to the EU-U.S. Privacy Shield Framework and the Swiss-US Privacy Shield, which are designed to protect your data in the U.S.. See also the EventBrite Privacy Policy and their EU Data Protection statement, which describes EventBrite's compliance to the GDPR.

Your rights

Under the General Data Protection Regulation (GDPR) you have a number of rights concerning your data (see the ICO website for an overview of these). If you want to exercise these rights (e.g. to access, modify, or erase your data) then please contact the Data Protection Officer.

You have the right to:

  1. Not be subject to decisions based solely on an automated processing of data (i.e. without human intervention) without you having your views taken into consideration.
  2. Request at reasonable intervals and without excessive delay or expense, information about the personal data processed about you. Under your request we will inform you in writing about, for example, the origin of the personal data or the preservation period.
  3. Request information to understand data processing activities when the results of these activities are applied to you.
  4. Object at any time to the processing of your personal data unless we can demonstrate that we have legitimate reasons to process your personal data.
  5. Request free of charge and without excessive delay rectification or erasure of your personal data if we have not been processing it respecting the EMBL Internal Policy for Data Protection.
  6. It must be clarified that rights 4 and 5 are only available whenever the processing of your personal data is not necessary to:
    • Comply with a legal obligation.
    • Perform a task carried out in the public interest.
    • Exercise authority as a data controller.
    • Archive for purposes in the public interest, or for historical research purposes, or for statistical purposes.
    • Establish, exercise or defend legal claims.

If you want to exercise these rights then please contact the Data Protection Officer (see 'How to contact us' below).

Data controller

Niklas Blomberg, ELIXIR Director
Email: data-controller[at]ebi.ac[dot]uk
EMBL-EBI, Wellcome Genome Campus, CB10 1SD Hinxton, Cambridgeshire, UK

How to contact us

Legally ELIXIR forms part of the European Molecular Biology Laboratory (EMBL) and therefore uses EMBL's legal personality.

EMBL Data Protection Officer
Tel: +49 6221 387-0
Email: dpo[at]embl[dot]org
EMBL Heidelberg, Meyerhofstraße 1, 69117 Heidelberg, Germany