|Name of the service||SRAM - SURF Research Access Management|
|Description of the service|
SRAM helps Dutch led (international) research collaborations and research infrastructure providers to (register and) manage users, groups, roles and rights and connect to services. It saves time on managing infrastructure and builds on the valuable institutional identity/user account. It prevents having to resort to 'zero hour contracts' (nulurencontract) etc. It builds upon standing research practices to gain access to resources. The services is based on the international AARC blueprint.
The SRAM service allows data subjects (researchers, scientists - users) to participate in virtual organizations (VO, also known as CO, collaborative organisation) and access external services based on the membership with the virtual organization.
This privacy notice describes how we process the personal data of you – user – when you use SRAM.
Data processor and contact person
Raoul Teeuwen, firstname.lastname@example.org
|Personal data processed|
SRAM may process the following data:
B) Information for your virtual organisation
C) External Identity Provider Institution information
For authentication to the SRAM platform we may request from your home institution or another identity provider of your choice:
The actual data collected by your virtual organisation may differ. You can consult this at any time by visiting the [User profile Page].
Additionally, during activity on SRAM we keep technical logs consisting of the following data:
Purpose of the processing of personal data
The SRAM service processes personal data to identify, authenticate and authorize someone as a member of one or more virtual organisations who have chosen to use the SRAM service to register and manage their members. Based on the information provided someone may gain access to external services that are available in the context of the virtual organisation they are member of.
When you are added as member of a CO, your personal information will be shared with services connected to the CO, in order to allow you to access and use those services. The CO is responsible for checking whether data is passed to services that have proper data protection measures.
We process limited personal information (email address, name, possibly telephone number) of contact persons for services connected to SRAM to contact them for support, connecting services, forwarding requests tot connect from CO's etc.
We process limited personal information (email address, name, possibly telephone number) of contact persons for organisations (mostly institutions) which in SRAM can configure certain 'organisational level SRAM options', like who from that organisation/institution is allowed to create CO.
To be able to provide support, we process limited personal information (email address, name, possibly telephone number) to reply to requests and support calls.
Technical log files produced by SRAM components will be used only for administrative, operational, accounting, monitoring and security purposes.
|Legal basis of processing||The legal basis for processing personal data is 'Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract'. SURF offers the SRAM service to Dutch led research collaborations. Dutch Institutions can configure if and who from an institution is allowed to create a VO in SRAM. Such a VO falls under the responsibility of the Institution that managed the account the person initially creating the VO logged in with (the underlying assumption being that the VO is created as part of a research collaboration the institition is (jointly) responsible for).|
The SRAM service may reveal personal data to other members of the virtual organization you have chosen to join. By joining a virtual organisation that is using SRAM, you agree that the recorded information may be disclosed to other authorized participants of the virtual organisation via secured mechanisms, but only for the same purposes and only as far as necessary to provide the services.
The SRAM service will release your personal data to services available to the virtual organisation you choose to become a member of. Data release will be done via secured mechanisms and according to the sections 2.f and 2.l of the Data Protection Code of Conduct [Code of Conduct].
The current listing of associated services for your virtual organisation which are enabled to receive personal data is available at the [User profile Page]. Statistical data is gathered based on the technical logs. This data is anonymized and does not contain any personal data. Statistical anonymized data may be made publicly available by SRAM.
All data processed by the SRAM service is stored within the EU/EEA.
The services are operated under the jurisdiction of the Data Controller, which are the Organisations (mostly Dutch Insittutions) that have been defined in SRAM.
External services that you choose to join may receive your personal data – those maybe based in the EU/EEA, or in countries with less adequate data protection provisions. The CO-admin is responsible for taking any necessary measures regarding privacy, data security etc of the external services personal data of VO members is being shared with.
Personal data associated with an account is kept as long as someone is active in the SRAM service and can be deactivated earlier on request. In case that a researcher has not logged in to SRAM for 37 consecutive months their account will be deactivated. Information from contact persons at institutions/organisations and Service Providers are stored indefinitely or shorter if it is absolutely clear they are no longer needed.
The technical logs and related information are kept independently in order to guarantee the security of the infrastructure and its optimization and will be retained no longer than 6 months.
SURFnet takes the confidentiality, integrity and availability of your personal data very seriously. We take appropriate security precautions to protect your personal data from loss, misuse and unauthorised access, disclosure, alteration and destruction. In particular: access to technical log data is restricted and can only be accessed in a secure way by the service staff.
When accessing a service provided we will have adequate security controls in place to keep your personal data safe in accordance with the classification of the personal data we have collected from you.
Although we endeavour to ensure your personal data remains secure, there is no absolute guarantee of security when using services online. While we strive to protect your personal data, you acknowledge that:
Moreover, you have the right to file a complaint to the Dutch Data Protection Authority [
Data Protection Code of Conduct
Your personal data, for the part where it is stored in SRAM, will be protected according to the GÉANT Data Protection Code of Conduct for Service Providers [Code of Conduct], a common standard for the research and higher education sector to protect your privacy.
|References||[User Profile Page] - the profile page you can access when you log in to the SRAM service, https://comanage.pilot.scz.lab.surf.nl/registry/ |
[Autoriteit Persoonsgegevens] - https://autoriteitpersoonsgegevens.nl
[GÉANT Data Protection Code of Conduct] - http://www.geant.net/uri/dataprotection-code-of-conduct/v1
|Contact||Please contact our support desk at email@example.com for any further information.|