1. General
1.1 The Consortium of the European Health and Data Evidence Network Project (hereinafter referred to as the “EHDEN Consortium”, or the “Consortium”) cares about your privacy and wants you to be familiar with how we collect, use, and disclose information, including your Personal Data (as defined below). This Privacy Policy describes our practices in connection with information that we or our service providers collect through the website [https://www.ehden.eu/] and the European Health Data & Evidence Network Portal [https://portal.ehden.eu/] (hereinafter, the “Website”) operated and controlled by us from which you are accessing this Privacy Policy. By providing personal information to us or by using the Service, you acknowledge that you have read and understand this Privacy Policy.
1.2 The Website is not directed to individuals under the age of eighteen (18), and we request that these individuals not provide personal information through the Website. If your child has submitted Personal Data (as defined below) and you would like to request that such Personal Data be removed, please contact us as explained below under Contacting Us.
2. What data do we collect?
2.1 The information that you give to us, e.g. when some areas of the Website may ask you to submit such information, such as but not limited to your name, your e-mail address, your phone number and your organisation (the “Personal Data”), in order for you to benefit from some specified features, such as newsletter subscriptions. Also, when you create an account, log in to the website, contact us, send us an email, or call us. A separate consent will be requested where appropriate.
2.2 Unless we specifically request or invite it, we ask that you not send us, and you not disclose, any sensitive personal information (e.g., Social Security numbers, information related to racial or ethnic origin, political opinions, religion or philosophical beliefs, health, sex life or sexual orientation, criminal background, or trade union membership, or biometric or genetic data for the purpose of uniquely identifying an individual) on or through the Website or otherwise to us.
2.3 We and our service providers may collect certain information automatically as you navigate around the Website. Please read the Cookie Policy [https://www.ehden.eu/cookie-policy/] for detailed information about the cookies and other tracking technologies used on the Website. The Cookie Policy [https://www.ehden.eu/cookie-policy/] includes information on how you may disable these technologies. If you do not disable them and continue to use our Service, we will infer your consent to their use.
We and our service providers may also automatically collect and use information in the following ways:
- Through your browser: Certain information is collected by most browsers, such as your Media Access Control (MAC) address, computer type (Windows or Mac), screen resolution, operating system name and version, and Internet browser type and version. We may collect similar information, such as your device type and identifier, if you access the Website through a mobile device. We use this information to ensure that the Service functions properly.
- IP address: Your IP address is a number that is automatically assigned to your computer by your Internet Service Provider. An IP address is identified and logged automatically in our server log files whenever a user visits the Website, along with the time of the visit and the pages visited. Collecting IP addresses is standard practice and is done automatically by many online services. We use IP addresses for purposes such as calculating Website usage levels, diagnosing server problems, and administering the Website. We may also derive your approximate location from your IP address.
- Device Information: We may collect information about your mobile device, such as a unique device identifier, to understand how you use the Website.
3. Why do we process your personal data?
3.1 We may use your personal data from or about you for the following purposes:
- to respond to your inquiries and fulfil your requests, such as sending you newsletters or e-mail alerts.
- to send you important information regarding our relationship with you or regarding the Website, changes to our terms, conditions, and policies and/or other administrative information.
- for IT purposes, such as enhancing the Website and identifying Website usage trends.
- For the EHDEN grant portal: please consult article 10 for more information.
3.2 We will only process the collected data for the purposes as described above and will not further process the data in a manner that is incompatible with those purposes.
3.3 The data will only be processed in so far necessary to achieve the above-mentioned purposes. Your data will also be kept up to date where necessary (for which your input may be required and asked).
3.4 The personal data will be processed fairly, lawfully and in a transparent manner, meaning that at least one of the following legal bases applies:
- we have received your explicit consent for the processing of your personal data.
- we are obliged to process your personal data according to applicable law or court order.
- the personal data are processed in view of the legitimate interests of the EHDEN Consortium partners.
4. Who can access your Personal Data and why?
4.1 We may disclose information collected through the Website in so far necessary to achieve the above-mentioned purposes:
- to the EHDEN Consortium partners, for the purposes as listed above.
- to our service providers (processors) who provide services such as website hosting and moderating, mobile application hosting, data analysis, IT services, e-mail and direct mail delivery services, auditing services, and other services, in order to enable them to provide services; as we believe to be necessary, if permitted or required by applicable law.
4.2 In transferring data to processors, we will conclude a contract with such processor setting out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. We will only use processors providing sufficient guarantees to implement appropriate technical and organizational measures so that the processing of the data meets the legal requirements.
4.3 In addition, we may use and disclose your information as we believe to be necessary or appropriate: (a) to comply with legal process or applicable law, which may include laws outside your country of residence; (b) as permitted by applicable law to respond to requests from public and government authorities, which may include authorities outside your country of residence; (c) to enforce our terms and conditions; and (d) to protect our rights, privacy, safety, or property, and/or that of the EHDEN Consortium partners, you, or others. We may also use and disclose your information in other ways, after obtaining your consent to do so.
5. Do we transfer your Personal Data?
5.1 Your personal data will not be transferred to other third parties unless required or allowed by applicable law.
5.2 Some non-European Economic Area (EEA) countries are recognized by the European Commission as providing an adequate level of data protection according to EEA standards (the full list of these countries is available here [https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en]). If the processing of your personal data would take place in a third country (e.g. a country outside the European Economic Area) which does not offer an adequate level of protection, this processing shall be carried out in accordance with the requirements and appropriate safeguards under the applicable data protection legislation, such as entering into EU standard contractual clauses.
5.3 With your explicit consent (in so far required), we may also use and disclose information collected through the Website in other ways and for any other purpose. In addition, we may use and disclose information that is not considered to be personally identifiable and thus not personal data for any purpose. If we combine information that is not in personally identifiable form with information that is identifiable (such as combining your name with your geographical location), we will treat the combined information as personal data as long as it is combined.
6. What are your rights with regard to your personal data?
6.1 You have the right to request, review, correct, update, or delete the personal data that you have provided via the Website as described below:
- Right to inspection: If you are capable of proving your identity, you obtain the right to acquire information about the processing of your data. Consequently, you have the right to the processing objectives, the data categories, the categories of recipients to which the data are sent, the criteria that determine the period of data storage and the rights that you can exercise with regard to your data.
- Right to correct personal data: Inaccurate or incomplete data may be corrected. It is first and foremost the User’s responsibility to make the necessary modifications to his or her “User Profile”. You may also contact us with a request to modify the data.
- Right to delete personal data: You also have the right to obtain the deletion of your personal data under the following circumstances:
  - your personal data are no longer necessary for the intended purpose.
  - you revoke your consent to process your data and there is no other legal basis for processing your data.
  - you have legitimately exercised your right of objection.
  - your data has been unlawfully processed.
  - your data must be deleted arising from a legal obligation.
- Deleting data is primarily related to visibility; the deleted data may remain temporarily stored.
- Right to restrict processing: In some cases, you have the right to request restrictions on the processing of your personal data. This certainly applies in the case of a dispute relating to the accuracy of data, if the data are necessary in the context of a legal procedure or during the time necessary for EHDEN to determine that you are validly able to exercise your right of deletion.
- Right to object: You have the right to object at any time to the processing of your personal data for “direct marketing” purposes, profiling purposes or purposes arising from the legitimate interests of the data controller. EHDEN will stop processing your personal data unless it can demonstrate that there are compelling legal reasons to process that prevail over your right to object.
- Right to data portability: You have the right to obtain the personal data provided to EHDEN in a structured, common, and machine-readable form. In addition, you have the right to transfer such personal data to another data controller unless this is technically impossible.
- Right to withdraw consent and opt-out or unsubscribe to mailing communication: You are entitled to withdraw your consent at any time, purposes and you will receive an unsubscribe link in every communication e-mail you will receive from us.
6.2 Where consent is asked from you and you are a child below the age of 16 years, your holder of parental responsibility needs to give or authorise such consent.
7. How can I exercise my rights?
7.1 Should you wish to exercise your rights, you must submit a written request and proof of identity by email to [enquiries@ehden.eu] or by using our contact form [ehden.eu/feedback]. We will answer as soon as possible and no later than thirty (30) days after having received your request.
7.2 Option of lodging a complaint: If you are not satisfied with the processing of your personal data by EHDEN Consortium, you are entitled to lodge a complaint with a supervisory authority competent for your country or region. Please click here [http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080] for contact information for such authorities.
8. How do we secure your data?
8.1 We use a variety of measures to keep your Personal Data confidential and secure, including restricting access to your Personal Data on a need to know basis and following appropriate security standards to protect your data.
8.2 We take every reasonable step to ensure that your Personal Data is only processed for the minimum period necessary in connection with:
- the purposes set out in this Privacy Policy.
- any additional purposes notified to you at or before the time of collection of the relevant Personal Data or commencement of the relevant processing; or
- as required or permitted by applicable law; and thereafter, for the duration of any applicable limitation period. In short, once your Personal Data is no longer required, we will destroy or delete it in a secure manner.
8.3 In case of a personal data breach, we will notify the personal data breach to:
- the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons and
- you, the data subject without undue delay if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
9. Statement
9.1 Please note that some sites may collect and use data differently. These sites will have a local privacy policy explaining these practices. If the user leaves the Website and visits a website operated by a third party, the EHDEN Consortium cannot be held responsible for the protection and privacy of any information that users provide when visiting such third-party websites. Accordingly, users should exercise caution and review the privacy statement applicable to the website in question.
10. EHDEN Open call application portal
10.1 Article 10 is applicable to the processing of Personal Data when using the EHDEN Open call Application Portal only.
10.2 The Open call application portal is a dedicated portal on the EHDEN website designed to receive applications for the EHDEN SME certification procedure, or the financial support of Data Partners to map their data to the OMOP common data model.
10.3 You can access the EHDEN Open call Application Portal by following the link provided on the respective open call pages when an open call is running. You can register yourself as a grant applicant on the main page of the application portal.
A. Purpose and legal basis for handling personal information
A.1 Personal Data that the EHDEN Consortium collects via the grant application portal is used for
- handling and administration of the Open call applications
- communication with applicants
A.2 The following is stored in the register:
- the information requested in the Open call application forms, including Personal Data
- the information regarding given grant awarding or certification and information requested in the final report, including personal information.
- contact information regarding the Open call applicant, members of a working group (…) This information, including personal Data, is collected directly from the Open call applicant in the portal.
A.3 In addition to this, the technical server log information and information regarding the messages between the Open call applicant and EHDEN is being collected in the portal.
A.4 The basis for collecting and handling Personal Data is the consent of the Open call applicant. If the applicant includes Personal Data of other parties, such as project partners, in the grant application, then s/he needs to make sure beforehand that these third parties agree to have their Personal Data stored in the grant application portal.
A.5 In order for EHDEN to be able to process the application, it is required that the Open call applicant provides all the Personal Data required to complete the application form. If the Personal Data required in the form is insufficient, EHDEN Consortium reserves the right to leave the application in question unprocessed.
B. Who handles the Personal Data of the grant applicant in the portal?
B.1 The following groups have the right to handle the personal information of grant applicants in the portal:
- Project management office of EHDEN Consortium
- Employees of the EHDEN Consortium partners and their affiliates
- Evaluators of the applications, designated by EHDEN Consortium
- Persons giving technical support regarding the application portal and applications
- Auditor of EHDEN Consortium and other possibly appointed persons
B.2 Access is granted on a need-to-know basis only and only the Personal Data relevant for the group in question (evaluators/auditor… etc.) is being shown to them in the application portal.
C. How is Personal Data in the grant application portal being protected?
C.1 The right to use the Open call application portal requires a personal username. The main user of the portal defines the level and the extent of rights in the portal regarding individual users.
C.2 In order to be able to log in, a user needs his/her own personal password to the portal. The portal is used through a protected SSL connection. The use of the portal and sign-ins are being continuously monitored.
C.3 All the information in the portal is stored in a database. The database is protected with firewalls and other technical means. The database is physically located in a closed and guarded space, accessed only by certain designated persons.
D. How long is Personal Data being stored in the application portal?
D.1 Usernames
- Username and personal information connected to it remains saved if the user in question has incomplete/completed applications in the portal.
- If a username remains inactive, then it will be removed. A username is automatically removed, if it has not been used during the last 4 years in the portal.
D.2 Incomplete applications
- A user can him/herself remove his/her own incomplete applications in the portal.
- EHDEN Consortium will remove all the incomplete applications after a year from the end of the grant application period.
E. The right of a user of the Open call application portal
E.1 As an applicant, a user has the access to their information by signing into the portal and opening the application form. A user has the right and the obligation to correct possible faulty information. If a user has inquiries regarding faulty information, s/he can address a question to EHDEN using the contact form or by sending a message in the application portal.
E.2 We will use your information in accordance with our Privacy Policy to respond to your inquiries and fulfil your requests with regards to the creation of an Open call application profile, as necessary for our legitimate interest and possibly to comply with our legal obligations.
E.3 The data collected will be your name, your e-mail address, your phone number and your organisation in order for you to benefit from the Open call portal features such as creating an account, logging in to the website, contacting us, sending us an email, or calling us.
E.4 Registration helps us communicate with you better and permits you to participate and submit an application. We will use the information you provide during the enrolment for the purposes mentioned herein, and in accordance with our Privacy Policy.
E.5 Please note that your rights related to your Personal Data remain unchanged. You are entitled to request your data, change it, ask for its deletion, ask for a copy in a machine-readable format and even lodge a complaint if you consider that we didn’t respect your rights. Please refer to the article 6 of this Privacy Policy for a precise list of your rights.
11. Updates to this Privacy Policy
11.1 This Privacy Policy may be changed and updated from time to time. Changes and updates will be announced on our Website. Any changes or updates to this Privacy Policy will become effective when the revised Privacy Policy is posted on the Website. This policy was last updated on February 2, 2021.
12. Contact us
12.1 If you have any questions about this Privacy Policy, please contact us by sending an e-mail to enquiries@ehden.eu [or by using our contact form (available at https://portal.ehden.eu/) if you are an EHDEN-portal user].