SCZ Privacy Policy

This privacy policy is based on the Elixir AAI privacy policy and the eduTEAMS privacy policy.

Name of the service	SCZ - Science Collaboration Zone
Description of the service	The SCZ service is a technical solution assisting Dutch research infrastructure providers and researchers collaborating in virtual Research and Education organisations to register and manage virtual organizations, users, groups, roles and rights. This information can be used also to allow user access to additional external services provided by or for the virtual organization. Creating and/or joining a virtual organisation is voluntary. The SCZ service is enabling the data subjects (researchers, scientists - users) to participate in virtual organizations as well as accessing to the above-mentioned external services based on the membership with the virtual organization. This privacy notice describes how we process the personal data of you – user – when you use SCZ.
Data controller and a contact person	SURFnet B.V. Raoul Teeuwen, raoul.teeuwen@surfnet.nl
Jurisdiction	NL Netherlands
Personal data processed	As part of your registration into a collaborative organisation, SCZ may process the following data: Profile information Honorific Given Name Middle Name Family Name Suffix Email Telephone number Postal addresses Language Preference Affiliation Username SSH public key(s) B) Information for your virtual organisation The virtual organisation that you have created or joined Group and memberships you may have in the context of your virtual organisation Roles and rights you may have in the context of your virtual organisation C) External Identity Provider Institution information For authentication to the SCZ platform we may request from your home institution or another identity provider of your choice: Given Name Middle Name Family Name Email Affiliation D) Identifiers Identifiers, as provided by identity providers like e.g. a Home Institution or Identifiers from third parties, for example an ORCID All of the above information is provided by you on a voluntary basis, or in case of the information from your institution upon your choice. You may choose not to provide certain information, but this may mean you cannot participate in the virtual organisation. The actual data collected by your virtual organisation may differ. You can consult this at any time by visiting the [User profile Page]. Additionally, during your activity on SCZ we keep technical log consisting of the following data: Your actions on the platform along with timestamps External services that you accessed through eduTEAMS Your IP address The Identity Provider you used
Purpose of the processing of personal data	The SCZ service processes your personal data to identify, authenticate and authorize you as a member of one or more virtual organisations who have chosen to use the SCZ service to register and manage their members. Based on the information provided you may gain access to external services that are available in the context of your virtual organisation. Technical log files produced by the SCZ service components will be used only for administrative, operational, accounting, monitoring and security purposes.
Legal basis of processing	The legal basis for processing your personal data is the SURFnet legitimate interest consisting of providing to the users – members of research and education community – technical solution enabling them to participate in virtual teams (based on voluntary decision of each user) as well as access by the user to external services based on their membership with the virtual team as well as administrative and security maintenance of the SCZ service, what is not overridden by the interests or fundamental rights and freedoms of the user (data subject).
Recipients	The eduTEAMS service may reveal your personal data to other members of the virtual organization you have chosen to join. By joining a virtual organisation that is using SCZ, you agree that the recorded information may be disclosed to other authorized participants of the virtual organisation via secured mechanisms, but only for the same purposes and only as far as necessary to provide the services. The SCZ service will release your personal data to services available to the virtual organisation you choose to become a member of. Data release will be done via secured mechanisms and according to the sections 2.f and 2.l of the Data Protection Code of Conduct [Code of Conduct]. The current listing of associated services for your virtual organisation which are enabled to receive personal data is available at the [User profile Page]. Statistical data is gathered based on the technical logs. This data is anonymized and does not contain any personal data. Statistical data may be made publicly available by SCZ.
Data storage	All data processed by the SCZ service is stored within the EU/EEA. The services are operated under the jurisdiction of the Data Controller. External services that you choose to join may receive your personal data – those maybe based in the EU/EEA, or in countries with less adequate data protection provisions.
Data retention	Your personal data associated with your account is kept as long as you are active in the SCZ service and can be deactivated earlier on request - in case that you have not logged in to SCZ for 13 consecutive months your account will be deactivated. The technical logs and related information are kept independently in order to guarantee the security of the infrastructure and its optimization and will be retained no longer than 18 months.
Security	SURFnet takes the confidentiality, integrity and availability of your personal data very seriously. We take appropriate security precautions to protect your personal data from loss, misuse and unauthorised access, disclosure, alteration and destruction. In particular: access to technical log data is restricted and can only be accessed in a secure way by the SCZ service staff. When accessing a service provided we will have adequate security controls in place to keep your personal data safe in accordance with the classification of the personal data we have collected from you. Although we endeavour to ensure your personal data remains secure, there is no absolute guarantee of security when using services online. While we strive to protect your personal data, you acknowledge that: There are security and privacy limitations on the internet which are beyond our control and what can have negative impact on the confidentiality, integrity and availability of the information. We cannot be held accountable for activity that results from your own neglect to safeguard the security of your log on credentials and equipment which results in a loss of your personal data. If you feel this not enough, then please do not provide any personal data.
Your Rights	To access, rectify the data released by your Home Organisation (e.g. your university or research institute), contact your Home Organisation's IT helpdesk. You may object to processing of your personal data by deactivating your account in the SCZ service at any time by sending email to raoul.teeuwen@surfnet.nl . To access your data, go to the [User profile Page]. You may access and rectify your personal data or deactivate your account by visiting the [User profile Page]. If you have any additional questions connected with your data protection rights contact raoul.teeuwen@surfnet.nl . Moreover, you have the right to file a complaint to the Dutch Data Protection Authority [Autoriteit Persoonsgegevens].
Data Protection Code of Conduct	Your personal data will be protected according to the Code of Conduct for Service Providers [Code of Conduct], a common standard for the research and higher education sector to protect your privacy.
References	[User Profile Page] - the profile page you can access when you log in to the SCZ service, https://comanage.pilot.scz.lab.surf.nl/registry/ [Autoriteit Persoonsgegevens] - https://autoriteitpersoonsgegevens.nl [Code of Conduct] - http://www.geant.net/uri/dataprotection-code-of-conduct/v1