ELIXIR Privacy Policy for Services - ELIXIR-IT University of Padova

Why this notice

In accordance with EU Regulation 2016/679 (hereinafter “Regulation”) and Legislative Decree No. 196 of June 30, 2003, as amended by Legislative Decree 101/2018, this notice describes how personal data of users accessing the services of ELIXIR-IT through the entities that provide them
are processed. These entities are identified within the Service Delivery Plan (SDP): ELIXIR-IT
The Italian node of the European ELIXIR Infrastructure is organized as a Joint Research Unit (JRU) named the Italian Bioinformatics Infrastructure (ELIXIR-IT). It is coordinated by the National Research Council (CNR) and currently includes several partners, including universities, research
institutes, and public providers of Cloud and High-Performance Computing (HPC) services. (hereinafter ELIXIR-IT).
The Italian ELIXIR Node aims to establish an Italian Bioinformatics Infrastructure (IIB) distributed across multiple centers and intends to support Italian researchers in the field of Bioinformatics, promoting the exchange and development of skills, systematizing various internationally recognized and publicly available bioinformatics resources, and contributing to their integration into the European infrastructure.
ELIXIR-IT also provides both basic and advanced training activities in various application areas of Bioinformatics to support the training of young bioinformaticians, a growing demand at national and international level.
The activities of ELIXIR-IT are divided into technological areas, called platforms. They coordinate the provision of high-quality computational services for life sciences and lead the integration of national services into the ELIXIR-IT infrastructure. ELIXIR-IT includes six operational platforms (Compute, Data, Interoperability, Tools, Omics, and Training).
The services provided are open to employees and associates of the entities that are members of the JRU and to third-party personnel participating in activities defined in a contract or agreement with ELIXIR-IT or with any JRU member, as authorized by the JRU manager, upon reading, understanding, and explicitly accepting the terms and conditions specified in this document.

Data Controller

Name of the Service Provider: University of Padova, Department of Biomedical Sciences
Address of the Service Provider: Viale Giuseppe Colombo, 3 – 35131 Padova (PD), Italy
Email: biocomp@bio.unipd.it

Data Protection Officer

Data Protection Officer (for the Service Provider): Ivan Mičetić
Email: biocomp@bio.unipd.it

Processing of Personal Data for Service Use

ELIXIR-IT provides an infrastructure and a set of services for scientific research purposes or for the purposes outlined in the agreement for the establishment of the JRU or defined by other participants in the JRU.
The service is available to JRU members and their employees, or those with access through a project, contract, or agreement with the entity providing the service, as outlined in the Service Delivery Plan of ELIXIR-IT, upon reading, understanding, and explicitly accepting the terms and conditions specified in this document.
The services to which this notice applies are all those described in the technical annex to this contract.
Processing refers to any operation or set of operations regarding the collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion, and distribution of data related to the
users of the services.
The Service Provider collects information to improve or develop services, generate technical insights, and ensure support.
The data processed for the use of the services are of the types specified below.

Types of Data Processed

Data provided by the user

These are all personal data provided by the user during navigation on the website, such as when registering, accessing a reserved area, or using a service.
Processing for these purposes is carried out with the explicit consent provided by the user, and the data is kept only for the duration of the requested activity. Specific notices may be published for the provision of certain activities.
The optional, explicit, and voluntary sending of emails to the addresses indicated on this site results in the subsequent acquisition of the sender’s address, necessary to respond to requests, as well as any other personal data included in the message.
Sensitive or judicial data, if provided by the user, will be deleted.

Accounting Data

To access the ICT services provided by ELIXIR-IT through the Service Provider (e.g., CNR-IBIOM), user registration is required through a Life Science AAI authentication service or an identity provider recognized by CNR, as defined in the agreement/contract.

Monitoring Data

As part of the service activities, the Service Provider’s personnel responsible for monitoring and managing user support interventions or conducting periodic security scans may process data related to access logs (including SSH access data).

Communication and Dissemination

The data may be communicated by the Data Controller in the course of their activities and to provide their services, to:

Public Administrations;
Service providers, hosting providers, and cloud service providers;
Judicial Authority.

The collected data will not be disseminated or communicated to third parties, except as provided by the notice and the law, and in any case, only in the manner allowed by them. The data may be accessed by the Service Provider’s personnel within their respective functions and in compliance
with the received instructions, solely for achieving the purposes outlined in this notice.
Recipients will be appointed, if necessary, as Data Processors by the Data Controller, who may be asked for an updated list of the Data Processors. These Data Processors, under the contract, are required to use the personal data exclusively for the purposes indicated by the Data Controller, not
to retain them beyond the specified duration, nor to transfer them to third parties without explicit authorization.

Methods of Processing

Personal data processing is primarily carried out using electronic procedures and supports, and in a lawful, correct, and appropriate manner, limited to what is necessary to achieve the purposes of the processing, for only the time necessary to fulfill the purposes for which they were collected,
and in any case, in compliance with the principles outlined in Article 5 of EU Regulation 2019/679 GDPR.
Specific security measures are implemented to prevent data loss, unlawful or incorrect use, and unauthorized access.

Location of Data Processing

Personal data processing related to the ELIXIR-IT services provided by the Service Provider takes place at the Service Provider’s facilities and is managed solely by technical staff of the office responsible for processing or by Data Processors appointed by the Data Controller who operate
within the European Union. The User’s personal data may be transferred to a country other than the one where the User is located. The User can verify whether any of the transfers described above occur by reviewing the section of this document related to details on the processing of
Personal Data or by requesting information from the Data Controller by contacting them through the provided contact details.

Duration of Processing

The Service Provider processes the personal data collected for the time necessary to enable the use of the requested service and in any case, no longer than 12 months from the cessation of its use.

Rights of the Data Subject

Data subjects have the right to request access to personal data, rectification or deletion of data, limitation of processing, or to object to processing as provided in Articles 15 and following of the Regulation. The request must be submitted by contacting the Data Protection Officer at the contact
details provided above.
Data subjects also have the right to lodge a complaint with the Data Protection Authority (https://garanteprivacy.it) or take appropriate legal action (Articles 77 and 79 of the Regulation).

Updates

This notice is subject to updates in accordance with national and EU regulations. It is recommended to consult it periodically. In case of failure to accept the changes made to this notice, the user can request the deletion of their personal data from the Data Controller.
Unless otherwise specified, the privacy policy published on the site continues to apply to the processing of personal data collected until its replacement.

Application notes

This privacy policy template for services aims to be a “Template” containing key requirements common to all services offered by ELIXIR-IT to ensure compliance with current regulations. The privacy policies for services are mandatory.

Each Service Provider can personalize the privacy policies by including the identification and reference data of the Data Protection Officer and the entity itself.
Each Service Provider customizes it according to the services offered.
Each Service Provider is required to include their own logo (in addition to the ELIXIR-IT logo).
These policies must be signed together with the ToU and AUP for service access and referenced in any contracts/agreements governing access to the services.