ELIXIR privacy statement

This Privacy Policy explains what personal data is collected by ELIXIR, why we collect your data, how it is processed, and how we keep it secure. Information on data transfers to third-party processors acting on our behalf is provided below.

ELIXIR operates under the data protection framework provided by EMBL - known as IP68 - which is adapted to the needs of international scientific research and reflects the principles of European data protection law. Details of your rights under IP68 are summarised below, along with the contact details if you have any queries or requests concerning your data:

For privacy information relating to cookies, see the cookies page.

Way that we collect personal data:

The public website (www.elixir-europe.org)

The data we collect: if you browse the public website then the following information is logged by our server: your browser, operating system, IP address, the date and time of your visit, the pages visited, and the amount of data transferred.

Why we collect the data: the data is used to monitor for suspicious activities (e.g. attempts to hack the site), to diagnose problems on the site, and to create anonymous usage statistics. We do not attempt to identify or profile people based on this data.

Lawful basis for processing the data: processing this data is necessary for our legitimate interest of allowing the website to remain secure and robust.

Who has access to the data: the personal data is only accessible to staff in the ELIXIR Hub who work on the website and the Linode support team (see 'Third party processors' below).

Data transfer: this data is located on a server in London, UK, and is not transferred to any other country.

Data retention: we will keep web logs 30 days and security logs 90 days before anonymising them.

Third party processors: the ELIXIR web server was created using the cloud hosting service Linode. The personal data outlined above is stored on the ELIXIR Hub's Linode server. The Linode support team have access to the server so they can fix problems on it and upgrade it, but the personal data is not processed further by them or transferred to another organisation. See the Linode customer agreement for how Linode comply with the GDPR. For privacy questions concerning Linode contact privacy [at] linode.com, and see the Linode Privacy Policy.

ELIXIR-coordinated projects

ELIXIR coordinates projects funded by organisations such as the European Commission (EC) and the Innovative Medicines Initiative (IMI) (see the EU projects page for the current projects). Participants in these projects are included on the relevant project mailing lists to ensure that they can coordinate their work.

Project Data Management Plan (DMP): Following EC and IMI requirements, a project data management plan is mandatory for each project, and accessible via the EC portal. For additional information please contact grants [at] elixir-europe.org.

The data we collect: the contact details (names and email addresses) of the projects participants. Participants are also asked for their institute address and their phone number, in case we need to send documents or contact them urgently (e.g. to tell them about changes to meetings), but these are optional fields.

Lawful basis for processing the data: legitimate interest, since we need to communicate with participants in order to run the project, and the participants need to communicate with each other to coordinate their tasks within the projects.

Who has access to the data: other members of the project have access to the participants' contact information (name and email address).

Data transfer: Your data is not transferred from ELIXIR to any other organisation.

Data retention: your data will be retained for the duration of the project and deleted from the project records according to the obligations set by funders to keep records for auditing purposes.

Unsubscribing: if you would like to leave the project and unsubscribe from any project mailing lists mailing list please email grants [at] elixir-europe.org.

The intranet and internal mailing lists

The intranet (www.elixir-europe.org/intranet) is a restricted part of the main ELIXIR website (see the section above) and sits on the same server. The intranet is open to members of ELIXIR and its governing bodies only.

When you join a group on the intranet you automatically get subscribed to that group's mailing list. You also automatically become a member of any parent groups and their mailing lists. For example, if you joined the Bioschemas group you would automatically join the Bioschemas mailing list. You would also become a member of the Bioschemas parent group, Interoperability, and join the Interoperability mailing list. This functionality is designed to keep you informed of closely related matters across ELIXIR.

The purpose of the intranet and the mailing lists is to help people across the organisation work together. You log in to the intranet using the ELIXIR Authentication and Authorization Infrastructure (AAI), which allows you to log in using third party identity providers (e.g. using your Google account or your university ID).

The data we collect: the ELIXIR AAI provides us with your name, email and your ELIXIR group memberships. In addition you may enter more information about yourself in your user profile page. Your email address is not displayed to users of the intranet.

Why we collect the data: to allow you to log in to the intranet and see material restricted to ELIXIR members and collaborators, to subscribe you to the mailing list of your groups, and to create a user profile page for you so that you and other members of ELIXIR can see who is a member of which group. We also collect emails so people who have created new group content on the site (like an event or document) can alert other members of the group that this has happened. Emails are not shown to other members of the intranet.

Lawful basis for processing the data: legitimate interest, since in order to carry out your work as part of ELIXIR you need to be informed of deadlines and meetings concerning your work, and need to have access to information restricted to the intranet. If you stop working for ELIXIR, please email webmaster [at] elixir-europe.org so that we can remove you from the groups and mailing lists.

Who has access to the data: other members of the intranet can view your user profile information and group memberships, but only website administrators at the ELIXIR Hub can view your email address.

Data transfer: this data is located on a server in London, UK. Your data is not transferred from the ELIXIR intranet to anywhere else.

Data retention: your data will be deleted after two years of inactivity (of not logging in to the website or sending emails to your groups). It will also be deleted once we are informed that you have stopped working for ELIXIR.

ELIXIR Authentication and Authorization Infrastructure (AAI): the ELIXIR intranet uses the ELIXIR AAI to enable people to log in. For information on how your data is processed by the AAI and who to contact about it see the ELIXIR AAI Privacy Policy. You can view the information that the AAI holds about you by going to your global ELIXIR profile page.

Unsubscribing: if you would like to unsubscribe from a mailing list please email webmaster [at] elixir-europe.org and we will remove you from the appropriate group, or from our system altogether. Alternatively, you can log in to the intranet and user the Join/leave groups page to manage your group/mailing list memberships.

Public newsletters

These include the Informed and the Industry stakeholder newsletters. We use the MailChimp mailing service to send these.

The data we collect: the sign-up form for newsletters requires your email address, with optional fields for your name and organisation. In addition, Mailchimp records which newsletters you opened and which links you clicked.

Why we collect the data: to enable us to send emails, to measure the success of the emails, to help us provide reports to funders, and to help us improve the newsletters

Lawful basis for processing the data: this data is only processed with your explicit consent. The sign-up form asks for this consent.

Who has access to the data: the personal data is only accessible to staff in the ELIXIR Hub who manage the emails (members of the External Relations team).

Data transfer: MailChimp is based in the United States and the data is held on servers located there.

Data retention: We will keep your personal data for as long as you wish to remain on the mailing list.

Third party processors: the mailing lists service is run by MailChimp. MailChimp is certified to the EU-U.S. Privacy Shield Framework and the Swiss-US Privacy Shield.

ELIXIR Events

The ELIXIR Hub engages the services of a number of third parties for the registration and delivery of our events. These global operators will be subject to the data protection laws of their respective governments. Third party processors are listed below along with links to their privacy policies.

The data we collect: event registration will require your name, email, and affiliation, and may ask for your gender and dietary requirement.

Why we collect the data: to enable us to organise the event, and to keep registrants informed about the event. Following delivery of the event, your personal details may be retained by ELIXIR to provide a means for follow up and analysis.

Lawful basis for processing the data: Your personal data will be required as part of our service contract when you register. ELIXIR may also process your personal data within our legitimate interests. In such cases, your data would be processed in a transparent and proportional manner. You are not obliged to provide your personal data to ELIXIR. However, without it the ELIXIR Hub will not be able to facilitate your taking part in its events.

Who has access to the data: ELIXIR Hub staff responsible for the event planning, delivery and associated administration. The ELIXIR Hub will also access personal data for impact analysis purposes and measuring equality and diversity targets at our events. Additionally, access needs to be granted to third party processors acting on our behalf.

Data transfer: EventBrite and SurveyMonkey are based in the United States and the data may be transferred there. The EU-US Privacy shield website provides information on data sharing between US, EU and Swiss individuals and companies and contains a searchable list of certified companies.

Data retention: we will keep the personal data as long as we have the account open with the third party processors. We may retain your data following delivery of the event by ELIXIR to provide a means for follow-up and analysis.

Third party processors: we use the EventBrite service to manage event registrations. Please refer to their Privacy Policy for details on how they process your personal data. SurveyMonkey Inc, is used following the event in order for you to provide feedback and you can view their privacy policy for details.

Your rights

Under our data protection framework - IP68 you have a number of rights concerning your data (see the ICO website for an overview of these). If you want to exercise these rights (e.g. to access, modify, or erase your data) then please contact the Data Protection Officer.

You have the right to:

  1. Not be subject to decisions based solely on an automated processing of data (i.e. without human intervention) without you having your views taken into consideration.
  2. Request at reasonable intervals and without excessive delay or expense, information about the personal data processed about you. Under your request we will inform you in writing about, for example, the origin of the personal data or the preservation period.
  3. Request information to understand data processing activities when the results of these activities are applied to you.
  4. Object at any time to the processing of your personal data unless we can demonstrate that we have legitimate reasons to process your personal data.
  5. Request free of charge and without excessive delay rectification or erasure of your personal data if we have not been processing it respecting the EMBL Internal Policy for Data Protection.
  6. It must be clarified that rights 4 and 5 are only available whenever the processing of your personal data is not necessary to:
    • Comply with a legal obligation.
    • Perform a task carried out in the public interest.
    • Exercise authority as a data controller.
    • Archive for purposes in the public interest, or for historical research purposes, or for statistical purposes.
    • Establish, exercise or defend legal claims.

If you want to exercise these rights then please contact the Data Protection Officer (see 'How to contact us' below).

Data controller

Niklas Blomberg, ELIXIR Director
Email: data-controller [at] ebi.ac.uk
EMBL-EBI, Wellcome Genome Campus, CB10 1SD Hinxton, Cambridgeshire, UK

How to contact us

Legally ELIXIR forms part of the European Molecular Biology Laboratory (EMBL) and therefore uses EMBL's legal personality.

EMBL Data Protection Officer
Tel: +49 6221 387-0
Email: dpo [at] embl.org
EMBL Heidelberg, Meyerhofstraße 1, 69117 Heidelberg, Germany