Personal Data Protection Policy for OpenAIRE Services
v.2.3 - Date: 06.04.2021
OpenAIRE places particular emphasis on the security of personal data and the protection of the data subject. For this reason, OpenAIRE has introduced this Personal Data Policy.
OpenAIRE offers a variety of services through OpenAIRE members, cooperating partners and other entities. All entities offering services using the OpenAIRE logo, are OpenAIRE Service providers. In order to be admitted as an OpenAIRE Service Providers they need to protect the data subject’s personal data and to ensure the application proper of the existing legal framework (in particular Regulation 2016/679 and Greek Law 3471/2006).
As a data subject, you must be aware that your personal data is collected and maintained by OpenAIRE Service Providers (henceforth OSPs) for a certain period and for specified, explicit and legitimate purposes. Personal data shall be treated fairly and in a transparent manner in accordance with the applicable legal framework and in such a way as to guarantee the key data protection principles, namely:
- Lawfulness, fairness and transparency
- Processing within the legitimate purpose limits
- Data minimization
- Storage Limitation
- Integrity and confidentiality (security)
Data Controllers and Processors
The personal data controllers for the purpose of the operation of the following services:
- ΟpenAIRE Login service: The OpenAIRE Login service enables the registration and management of users, groups, communities, roles and rights. OpenAIRE Login uses this information to allow user access to external services provided for a community or role.
- OpenAIRE Website: https://www.openaire.eu
of the specified below personal data processing are as follows:
For the OpenAIRE Login:
Athena Research Center (ARC)
Artemidos 6 and Epidavrou
15125, Maroussi, Athens. Greece
tel: + 302106875300, fax: 2106854270
For the OpenAIRE Website:
OpenAIRE AMKE Artemidos 6 and Epidavrou
15125, Maroussi, Athens. Greece
tel: + 302106875300, fax: 2106854270
Henceforth, “the controllers”.
ARC will deploy the following data processors in order to perform the personal data processing for the provision of the OpenAIRE Login:
National Infrastructures for Technology and Research S.A. (GRNET)
7, Kifisias Av.
11523, Athens, Greece
ICM, University of Warsaw
26/28 Street Krakowskie Przedmieście,
00-927 Warsaw, Poland
The controllers may modify this policy to achieve a better protection of personal data by announcing any such modification through its website. Each modification will receive a version no and a date of modification. All previous versions of the personal data policy may be found at . All modification of the personal data policy shall become effective five (5) days after they have been posted on the website at https://www.openaire.eu/policies
By navigating and using these services users acknowledge that they have read, understood and unconditionally accepted this Personal Data Policy.
For any further explanation, you may contact the Data Protection Officer (DPO) of the OpenAIRE and the respective OSPs (data controllers and processors) by sending an e-mail to:
- For Athena Research Center :
- For OpenAIRE
- For GRNET
- For ICM
For the purposes of this Privacy Statement, the terms “processor”, “controller”, “third party”, “supervising authority”, “personal data”, “processing”, “data subject” shall have the meaning ascribed to them by applicable legislation on the protection of personal data.
In addition, for the purposes of the present, the following definitions shall also apply:
“Service” - the OpenAIRE Login online service
“User”- the OpenAIRE Login online service user, whom the data refer to, whose identity is known or may be verified, namely it may be directly or indirectly determined.
“OpenAIRE Service Providers (OSPs)” are the entities that process personal data in accordance with the OpenAIRE data protection policy for the services stipulated in this policy, as data controllers or as data processors.
This Policy does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.
Collected Personal Data
i. For the Authentication and Authorisation of OpenAIRE Login “Users”
For the sole purpose of the authentication and authorisation of the OpenAIRE Login service "Users", OSPs collect, and process – as co-processors– the following personal data:
- Given name
- Family name
- email address
- Affiliation, in broad categories such as student, faculty, staff, alum, etc, within a particular security domain representing the organisation or sub-organisation of the affiliation
- Unique identifier for the sole purpose of their authentication in the OpenAIRE Login service (Persistent Id).
- Group membership and role information for the sole purpose of the “User”’s authorised access to the OpenAIRE Login service and the services available to specific groups and roles.
ii. For providing the OpenAIRE Login service
- For the use of the OpenAIRE Login service as well as for the efficient and lawful provision of this service, GRNET and ICM process – as processors – the following personal data:
- The IP address from which the “User “connects to the OpenAIRE Login service
- “Service” use timestamp
- “Users” e-mail address.
iii. For communicating with OpenAIRE Login service “users”
- For communicating with OpenAIRE Login service “users”, GRENT and ICM process - as processors - the following personal data:
- E-mail address
iv. Special categories of personal data
OpenAIRE does not collect, process or gain access in any way to specific data categories, as set forth in the provisions of the legislation in force (in particular data relating to racial or ethnic origin, religion, health data, etc.). In the event that a "user" posts any such special category data on the “website” or on the OpenAIRE Login service, such data will be removed as soon as the OpenAIRE Login service support team becomes aware of it.
v. OpenAIRE website/ OpenAIRE
- email address (for newsletter)
- other information (communication via other means with OpenAIRE)
- IP address
Purposes of collection
In relation to the web site:
We collect personal data only when you wish:
a) if you subscribe to our newsletter, your email address will be solely used for this purpose and shall not be shared with third persons. You will be able to be deleted from the newsletter anytime
b) if you contact by phone, fax or e-mail with OpenAIRE and in order to serve the purpose of communication, personal data are kept as needed to fulfill the purpose of your communication.
During your visit at our website, certain information may be automatically collected, such as the IP address of your computer, but they do not reveal identifiable elements of your physical identity, but they are used solely for statistical reasons for traffic to our web presentation. In addition, cookies are collected and processed at the time of entry.
For more information, please see the relevant Cookies policy below.
In relation to the login service:
OSPs collect and process the personal data of the “Users”, referred to herebelow, for the following purposes:
- Technical capability for a smooth and uninterrupted operation of the "Service".
- Easy and user-friendly operation of the "Service".
- Troubleshooting “User” problems
- Metric Collection
- Service Provisioning
Creating statistics reports and graphics to monitor usage. Information contained in statistics reports and graphics statistics do not comprise any Users personal data.
Sending online updates to the “Users” via e-mail, only in the event of major “Service” changes requiring from “Users” to perform certain necessary actions in order to continue using the “Service” smoothly.
OSPs collect and process the personal data of “Users” solely and exclusively for the purposes mentioned above and only to the extent strictly necessary to effectively satisfy such purposes. These data are always relevant, reasonable and not more than those required to meet the purposes set out above. Moreover, they are accurate and, where appropriate, subject to updates. Furthermore, such data are retained only during the period required for collection and processing purposes as aforementioned, and are deleted at the end of that period.
Hyperlinks to third party sites
What are the legitimate reasons for processing your personal data?
The personal data of "Users" are processed in the context of the provision of the OpenAIRE Login Service and for the purposes described in this Privacy Statement, in line with the need (technical and organisational) to best perform the OpenAIRE Login service as well as to respond to "Users" requests concerning the OpenAIRE Login Service.
The legal basis for processing your personal data is the consent upon the visit of this Website in relation to the personal data collected from cookies and the legitimate interest of OpenAIRE, in relation to all other data collected during the simple visit of the website of OpenAIRE. OpenAIRE collects and processes the personal data of visitors and users only in the fulfillment of its purposes and more precisely in order to serve the communication with you and to provide quality services. No further processing, promotion or exchange is made on personal data without your prior consent.
Access to personal data:
Access to the “Users” personal data shall be granted to the following:
To the OpenAIRE Login service support team, consisting of personnel engaged in a contractual relationship of either a project or an independent service agreement with OSPs.
The processing of OpenAIRE Login service “users” personal data by the aforementioned, is carried out under the supervision and only at the request of OSPs, within the scope of the mission and the role of each associate. Such associates undertake to comply with the same privacy and personal data requirements as OSPs themselves in accordance to the present Personal Data Statement.
Recipients of the data
Recipients of web-site data:
The personal data of the visitors and users of OpenAIRE Website are not passed on to third party recipients. They are processed only by the authorized representatives of OpenAIRE to communicate with you.
Recipients of collected data:
OSPs do not, in any way, transfer/transmit or disclose the personal data of the "Users" to any third party business organisations, natural persons or legal entities, public authorities or agencies or any other organizations, other than those specifically referred to herein.
The OpenAIRE Login service may reveal the personal data of “Users” to other members of the group the “Users” have chosen to join. By joining a group managed by the OpenAIRE Login service, the “User” agrees that the recorded information may be disclosed to other authorised participants of the group via secured mechanisms, but only for the same purposes and only as far as necessary to provide the services.
The OpenAIRE Login service will release the personal data of “Users” to services available to the group(s) the “Users” choose to become members of.
The personal data of the "Users" may be communicated or transferred to government authorities and/or law enforcement officers, if that is required for the above purposes, or within the scope of enforcing a court decision or order, or for complying with a provision of law, or if so required in order to serve the legitimate interests of OpenAIRE as Data Controller, in accordance with applicable law.
Time of data retention
The personal data of OpenAIRE Login service users shall be retained no longer than it is necessary for the needs of the service and the audits the service is subjected to. More specifically:
Categories of personal data collected
Time period and place of personal data retention
IP address, “Service” Use timestamp
18 months in the OpenAIRE Login service database and log files
Kept in the OpenAIRE Login service database as long as the “User” is active in the OpenAIRE Login service. This data can be removed earlier on request
18 months in the OpenAIRE Login log files.
Will be removed from the OpenAIRE Login database 18 months following the removal of the “User” account record
For the duration of the service provision
The processing of personal data by the OSPs is performed in a manner that ensures both confidentiality and security thereof. All appropriate organisational and technical measures shall be taken to safeguard data against any accidental or unlawful destruction, accidental loss, alteration, prohibited dissemination or access or any other form of unfair processing.
- Access to technical log data is restricted and can only be accessed in a secure way by the OpenAIRE Login service staff.
- When accessing the OpenAIRE Login service, adequate security controls are in place to keep your personal data safe in accordance with the classification of the personal data we have collected from you.
- We use encryption (HTTPS) to keep data private while in transit. Data sent using HTTPS is secured via Transport Layer Security protocol (TLS), which provides a) Encryption—encrypting the exchanged data to keep it secure from droppers. b) Data integrity—data cannot be modified or corrupted during transfer, intentionally or otherwise, without being detected. c) Authentication—proves that your users communicate with the intended website.
- The implementation of the OpenAIRE Login service ensures that no unauthorized user can log into the service. An authorised user means a service user, who has an active account with the OpenAIRE service, having passed the authentication process mentioned above.
- We review our information collection, storage, and processing practices, including physical security measures, to prevent unauthorized access to our systems
Although we follow best security practices to ensure your personal data remains secure, there is no absolute guarantee of security when using services online. While we strive to protect your personal data, you acknowledge that:
There are security and privacy limitations on the internet which are beyond our control and can have a negative impact on the confidentiality, integrity and availability of the information.
- We cannot be held accountable for activity that results from your own neglect to safeguard the security of your login credentials and equipment which results in a loss of your personal data. If you feel this not enough, then please do not provide any personal data.
Your personal data will be protected according to the Code of Conduct for Service Providers, a common standard for the research and higher education sector to protect your privacy.
OSPs perform all necessary actions both during collection and at each subsequent processing stage of the “Users” personal data, so that each “User” is fully enabled to exercise the rights guaranteed by applicable data protection laws, namely the rights to access, rectify, erase and restrict processing, as well as the right to data portability, which are described below:
- Right of Access: The data subject has the right to request and obtain from the Controller, within a time-period of one (1) month, confirmation as to whether or not personal data concerning him or her, are being processed, and, where that is the case, access to the personal data and to certain information, as laid out by applicable law. It may also request a copy of the personal data undergoing processing as described herein by sending an email message to the following addresses:
- For Athena Research Center :
- For OpenAIRE
- For GRNET
- For ICM
- Right to rectification: The data subject has the right to require the Controller to rectify inaccurate personal data concerning him/her. Taking into account the purposes of the processing, the data subject is entitled to have incomplete personal data completed, including by means of providing a supplementary statement in accordance with the applicable law.
- Right to erasure: The data subject has the right to obtain from the Controller the erasure of all personal data collected and processed within the scope of the “Service”, in accordance with the applicable law.
- Right to restriction of processing: The data subject is entitled to obtain from the Controller the restriction of processing of his/her data where the accuracy of the data is questioned or where any of the other conditions set out by the applicable law, is met.
- Right to data portability: The data subject shall have the right to receive any personal data relating to him/her and which he/she has provided to the Controller in a structured, commonly used and machine readable format, as well as the right to transmit such data to another controller without objection by the controller to whom such personal data were provided in accordance with the law.
- These rights are subject to various restrictions pursuant to applicable law, including for example if the fulfillment of the data subject's request may disclose personal data of another person or in the event that OpenAIRE is required by law to retain such data.
- To exercise any of the aforementioned rights, the "User" may contact the OpenAIRE Login Support Team at the email address referred to hereinabove. OpenAIRE and OSPs have the right to set a reasonable charge for reasonable management costs to meet these rights.
Right of termination
If any user considers that the protection of their personal data is in any way affected, they may appeal to the Personal Data Protection Authority, at the postal address of the Personal Data Protection Authority, Offices: 1-3 Kifissias Str. 115 23, Athens, tel. +30 210 6475628, e-mail .
During users’ navigation on this website, OpenAIRE may collect identification data of users, by using cookies.
Cookies are short software code texts, which are sent from OpenAIRE server and are stored at your terminal (“browser”). Their basic function is to communicate to us data from your browser. Cookies are either "Temporary" (session cookies) or persistent. Temporary cookies are automatically deleted when you close your browser, while persistent cookies remain stored in your terminal until they expire.