To use the EMPIAR system, you must agree to the following:

Privacy Notice for EMPIAR Deposition System

This Privacy Notice explains what personal data is collected by the specific EMBL-EBI service you are requesting, for what purposes, how it is processed, and how we keep it secure.

1. Who is responsible for the processing?

The EMBL data controller (and joint-controller if applicable) contact details are:

EMBL-EBI Hinxton
Wellcome Genome Campus Hinxton, Cambridgeshire CB10 1SD United Kingdom
+44 (0)1223 494 444
info@ebi.ac.uk

2. What personal data do we process?

The following categories of personal data may be processed:

Core Personal Information:
Basic identifiers (name, date of birth, nationality)
Contact details (email, phone, address)
Professional details (employer, job role, department)

Account & Technical Data:
Digital identifiers (username, IP address, ORCID)
Login credentials

Custom value:
We use analytical cookies to gather statistics about our website (including Google Analytics)

3. For what purposes do we process your personal data?

Your personal data will be processed for the following purposes:

Service Delivery:
Provide and manage service access
User authentication and security

Usernames, ORCID identifiers, and affiliation details are collected as part of the metadata accompanying EMPIAR records for permanent public display. Email addresses are collected for communication with depositors.

4. What is the legal basis for processing?

The legal basis for processing is Article 6(1)(d): processing is necessary for EMBL's day-to-day management, operation and functioning.

5. Who can access your personal data?

EMBL internal recipients:
EMBL-EBI Hinxton: BioImage Archive team

EMBL external recipients:
External recipient categories - Data processors processing data on EMBL’s behalf
Data Processor 1 - Google for Google Analytics

Located in:
Location of Processor, External Recipient or International Organisation: Outside EEA, Within the European Economic Area (EEA)
Countries outside EEA: US

6. How long do we keep your personal data?

Your personal data will be kept for the following period of time:

Retention envisaged time limits:
Personal data will be retained as long as the users use the service

Retention period rationale:
Maintaining (private) contact details for depositors is necessary to operate the service. Other information (name, affiliation, ORCID ID) becomes part of the public entry on data release.

7. How do we protect your personal data?

We have adopted the following measures to protect your personal data:

  1. Risk Management & Controls: regular risk assessments of information assets, implementation of control measures, periodic review of access rights.
  2. Training & Access: mandatory security awareness and data protection training, access granted based on job roles, strict management of privileged accounts, cryptographic key management.
  3. Incident Response & Recovery: cyber security incident management process, regular penetration testing, disaster recovery planning, business continuity measures.
  4. Compliance & Privacy: protection of personal data in adherence with IP68 and other contractual obligations, biometric data security, rigorous due diligence of third party data hosting such as cloud services, regular compliance monitoring.

8. Data subjects’ rights and oversight mechanism

Under Article 16 of the EMBL Internal Policy No 68, data subjects have the following rights:

  • A right not to be subject to a decision made by automated means (i.e. without any human intervention)
  • A right to request access to your personal data
  • A right to request information on the reasoning underlying data processing
  • A right to object to the processing of personal data
  • A right to request erasure or rectification of your personal data

When the legal basis to process personal data is consent, please note that you have the right to withdraw your consent at any time.

Please note that those rights can be subject to limitations, as described in Article 16 (2) of the EMBL Internal Policy No 68.

If you wish to exercise your rights or wish to contact the data controller regarding any other data protection related matters, you can contact us by sending an e-mail to: info@embl.de or by sending a letter to: Meyerhofstraße 1 69117 Heidelberg Germany.

Advice on data protection matters can also be obtained from the EMBL Data Protection Officer (DPO), under Article 20 (2) of the EMBL Internal Policy No 68. The DPO can be reached by email at dpo@embl.org or by letter at: EMBL Data Protection Officer, EMBL Heidelberg, Meyerhofstraße 1, 69117 Heidelberg, Germany.

If you wish to complain under Article 25(1) of the EMBL Internal Policy No 68, you may do so with the DPO by email at dpo@embl.org.

If you believe that the response of the DPO is unsatisfactory or if the DPO has failed to respond within three months from receipt of the complaint, you may complain in writing to the Data Protection Committee. It can be reached by email at dpc@embl.org or by post at: EMBL Heidelberg, Data Protection Committee, Meyerhofstraße 1, 69117 Heidelberg, Germany.

Last Updated: 12/05/25 10:19 AM