This privacy policy is based on the Elixir AAI privacy policy and the eduTEAMS privacy policy.
SRAM Privacy Policy, Version 1.0,
October 8, 2018
Name of the service | SRAM - SURF Research Access Management |
Description of the service | The SRAM service helps Dutch led (international) research collaborations and research infrastructure providers to (register and) manage users, groups, roles and rights and connect to services. It saves time on managing infrastructure and builds on the valuable institutional identity/user account. It prevents having to resort to 'zero hour contracts' (nulurencontract) etc. It builds upon standing researching practices to gain access to resources. The services is based on the international AARC blueprint. The SRAM service allows data subjects (researchers, scientists - users) to participate in virtual organizations and access external services based on the membership with the virtual organization. This privacy notice describes how we process the personal data of you – user – when you use SRAM. |
Data controller and a contact person | SURFnet B.V. Raoul Teeuwen, raoul.teeuwen@surfnet.nl |
Jurisdiction | NL Netherlands |
Personal data processed | As part of your registration into a collaborative organisation, SRAM may process the following data: Profile information
B) Information for your virtual organisation
C) External Identity Provider Institution information For authentication to the SRAM platform we may request from your home institution or another identity provider of your choice:
D) Identifiers
All of the above information is provided by you on a voluntary basis, or in case of the information from your institution upon your choice. You may choose not to provide certain information, but this may mean you cannot participate in the virtual organisation. The actual data collected by your virtual organisation may differ. You can consult this at any time by visiting the [User profile Page]. Additionally, during your activity on SRAM we keep technical logs consisting of the following data:
|
Purpose of the processing of personal data | The SRAM service processes your personal data to identify, authenticate and authorize you as a member of one or more virtual organisations who have chosen to use the SRAM service to register and manage their members. Based on the information provided you may gain access to external services that are available in the context of your virtual organisation. Technical log files produced by the SCZ service components will be used only for administrative, operational, accounting, monitoring and security purposes. |
Legal basis of processing | The legal basis for processing your personal data is the SURFnet legitimate interest consisting of providing to the users – members of research and education community – technical solution enabling them to participate in virtual teams (based on voluntary decision of each user) as well as access by the user to external services based on their membership with the virtual team as well as administrative and security maintenance of the SRAM service, what is not overridden by the interests or fundamental rights and freedoms of the user (data subject). |
Recipients | The SRAM service may reveal your personal data to other members of the virtual organization you have chosen to join. By joining a virtual organisation that is using SRAM, you agree that the recorded information may be disclosed to other authorized participants of the virtual organisation via secured mechanisms, but only for the same purposes and only as far as necessary to provide the services. The SRAM service will release your personal data to services available to the virtual organisation you choose to become a member of. Data release will be done via secured mechanisms and according to the sections 2.f and 2.l of the Data Protection Code of Conduct [Code of Conduct]. The current listing of associated services for your virtual organisation which are enabled to receive personal data is available at the [User profile Page]. Statistical data is gathered based on the technical logs. This data is anonymized and does not contain any personal data. Statistical data may be made publicly available by SRAM. |
Data storage | All data processed by the SRAM service is stored within the EU/EEA. The services are operated under the jurisdiction of the Data Controller. External services that you choose to join may receive your personal data – those maybe based in the EU/EEA, or in countries with less adequate data protection provisions. |
Data retention | Your personal data associated with your account is kept as long as you are active in the SRAM service and can be deactivated earlier on request - in case that you have not logged in to SRAM for 13 consecutive months your account will be deactivated. The technical logs and related information are kept independently in order to guarantee the security of the infrastructure and its optimization and will be retained no longer than 18 months. |
Security | SURFnet takes the confidentiality, integrity and availability of your personal data very seriously. We take appropriate security precautions to protect your personal data from loss, misuse and unauthorised access, disclosure, alteration and destruction. In particular: access to technical log data is restricted and can only be accessed in a secure way by the SRAM service staff. When accessing a service provided we will have adequate security controls in place to keep your personal data safe in accordance with the classification of the personal data we have collected from you. Although we endeavour to ensure your personal data remains secure, there is no absolute guarantee of security when using services online. While we strive to protect your personal data, you acknowledge that:
|
Your Rights |
Moreover, you have the right to file a complaint to the Dutch Data Protection Authority [Autoriteit Persoonsgegevens]. |
Data Protection Code of Conduct | Your personal data will be protected according to the Code of Conduct for Service Providers [Code of Conduct], a common standard for the research and higher education sector to protect your privacy. |
References | [User Profile Page] - the profile page you can access when you log in to the SRAM service, https://comanage.pilot.scz.lab.surf.nl/registry/ [Autoriteit Persoonsgegevens] - https://autoriteitpersoonsgegevens.nl [Code of Conduct] - http://www.geant.net/uri/dataprotection-code-of-conduct/v1 |
Contact | Please contact our support desk at scz-support@surfnet.nl for any further information. |