User Portal to the European XFEL (UPEX)

The controller in the sense of the European data protection laws is European XFEL GmbH, Holzkoppel 4, 22869 Schenefeld, Germany. For further contact details as well as the contact details of our data protection officer see section contact information.

Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The use of UPEX requires the user to accept the UPEX Terms and Conditions and to register and create a user account unless the user is accessing UPEX only for administrative or technical reasons. The amount of personal data we collect during the registration process and afterwards during your use of UPEX depends on the purposes you are using UPEX for and whether you are an employee of European XFEL GmbH or of Deutsches Elektronen-Synchrotron DESY (DESY). We mark mandatory information with an asterisk *. If you decide not to provide us with this information, unfortunately you will not be able to register respectively use UPEX.

We process your personal data for the purposes and based on the legal bases listed in the table below. Where the processing is based on legitimate interests (of us or a third party) we have also included a description of the respective interests:

We collect most information we process directly from you. However, additionally we may collect personal data from third parties, namely:

• The main proposer of a proposal who may name you as the principal investigator, as co-proposer, as a member of an experiment team of a particular proposal or as a person with a possible conflict of interest in relation to a particular proposal if engaged in a review; and
• Embargo lists: refer to https://www.xfel.eu/sites/sites_custom/site_xfel/content/e51499/e51509/e120905/xfel_file120906/InformationonEmbargolists_eng.pdf

Your personal data may be transferred to the following categories of recipients:

   a. Service Providers (processors)

We reserve the right to appoint external service providers for the processing of personal data. These service providers will only have access to data they need for the performance of their service. Service providers will be appointed as so-called data processors which are only allowed to process the personal data on our behalf and according to our documented instructions. We disclose your data to the following categories of processors:

• IT service provider, in particular (but not limited to) for storage services, data analysis services, curation services (e. g. Deutsches Elektronen-Synchrotron DESY, for accounts and hosting service, data analysis and curation service, computing infrastructure, Germany; National Centre for Nuclear Research, Poland, for storage, data analysis and curation services),
• Provider of a controlled access system (Deutsches Elektronen-Synchrotron DESY), Germany,
• Provider of security services (security and gate reception staff), Germany,
• Provider of technical emergency services, Germany,
• Provider of an embargo list database system for antiterrorism checks, Germany.

   b. Other Recipients

We may disclose your personal data to the following categories of third parties:

Members of the proposal review panel engaged in the review of a proposal you are associated with (Reviewer) will receive the proposal and certain personal information about all members of the proposal team (i.e., their names, the name of the institute they are working for and their role in the team.

• The main proposer, the principal investigator, all co-proposers and all team members of the proposals you are associated with have access to the respective proposals and to the names of main proposer, principal investigator, all co-proposers and all members of the experiment team.
• Registered users of UPEX while preparing a proposal submission in their role as main proposer have access to information about other registered UPEX users (first and last name, title, UPEX-ID no. and the institute the user is working for).
• Funding Agencies will be provided with information about registered UPEX users associated with a proposal (first and last name, the institute the user is working for, the user's role in a proposal (e.g. proposer or member of experiment team), whether the proposal was successful or not and in some cases the user’s nationality) with the purpose of the provision of funding or support and/or calculating the repartition costs.
• The public will be informed (e.g. on our website, in our annual report) about publicly funded successful proposals and its principal investigator / main proposer (first and last name, the institute the principal investigator is working for and the time schedule for the related experiment).
• The public will be informed on our website about the following basic details of members of European XFEL’s user organization’s executive committee (UOEC): first name, last name, affiliation, address, affiliation country, business telephone number, business email address, professional experience, role in the UOEC as well as the members’ photograph if they chose to consent to this.
• The User Organization Executive Committee (UOEC) may be informed about your first name, last name, affiliation (in addition to the title and ID of the proposal of reference) if these personal data are required for carrying out their representation and mediation activity within our user community.
• If you are funded by a transnational access program of the European Union, we transfer your personal data (e.g. first name, last name, institute, gender, nationality, title, travel dates, scientific area) to the respective program coordinator and the European Commission.
• If you take our offer to conclude a travel, health and accident insurance, we transfer your personal data (e.g. salutation –(Mr./Mrs.) following the gender/sex field in UPEX, title, first name, last name, date of birth, business address, email, travel start date, travel end date, travel country, language) to the insurance company that provides the insurance.
• If you are being assisted by us in your search for suitable accommodation (e.g. guest houses, hotels, apartments) and we book such for you, we transfer your personal data (e.g. first name, last name, arrival date, departure date, email, salutation (Mr./Mrs.) following the gender/sex field in UPEX, in some cases your institute address or billing address ) to the provider of the accommodation; for stays at the European XFEL Guest House due to open in 2021, please refer in addition to the specific privacy policy.
• If we book travels to our facilities for you, we transfer your personal data (e.g. salutation (Mr./Mrs.) following the gender/sex field in UPEX, academic title, first name , last name, date of birth, email address) to the corresponding travel agency, transportation companies and/or airlines; If you decide to provide information on your frequent flyer or any bonus program respectively the membership number in the correspondence with our Travel Office before a reservation, we will transfer these data to the corresponding travel agency, transportation companies and/or airlines for booking/ticketing purposes. The information will not be stored in UPEX or in any other system at European XFEL.
• Bank services, lawyers, tax advisors, consultants, external auditors for administrative purposes.

Additionally, personal data might be transferred to third parties if we are obliged to transfer the data by statutory provisions or by an enforceable order of a court or an administrative authority. We may also release your data when we believe this is appropriate to comply with the law or one of our policies (e.g. our Scientific Data Policy), or to protect our or others' rights. Furthermore, we may transfer data which has been rendered anonymous to third parties for statistical purposes.

The parties mentioned above can be located in the European Economic Area (EEA) as well as in other countries. For transfers of personal data to countries outside the EEA see next section.

We will store your personal data as long as it is necessary for the performance of the contract respectively as long as we have a legitimate interest in the storage. In all other cases we will delete your personal data with the exception of those data that we need to store further in order to comply with contractual or statutory retention periods. We keep your personal data for the following periods:

• Data from registered UPEX users and travel data:
• Data collected via the registration process will be stored for ten years from the end of the calendar year in which your last login in UPEX took place or for a maximum period of three months after your user account was terminated by you or European XFEL GmbH, whichever storage period is shorter.

• Travel data contained in Personal Arrival Forms (e. g. passport number, travel dates) will be deleted three years from the end of the calendar year in which respective travel has taken place.
• Data in relation to proposals you are associated with as Main Proposer, Principal Investigator, Co-proposer, experiment team member and/or reviewer:
• Data in relation to proposals will be stored for ten years from the end of the calendar year in which your last login in UPEX took place or for a maximum period of three months after your user account was terminated by you or European XFEL GmbH, whichever storage period is shorter.
• Data we collect from embargo lists:
• Data will be kept for ten years from end of the calendar year in which the last embargo list verification was made.
• Data collected from users only for the purpose to become or to be a member of the UOEC (e. g. professional experience, expertise area, photograph):
• Data will be kept for three years from the end of the calendar year in which the membership has ended.

As regards the storage of scientific data see our Scientific Data Policy.

We might transfer personal data to service providers or third parties located outside the European Union (EU) respectively outside the European Economic Area (EEA) in so-called third countries (e. g. reports to funding agencies located outside the EU).

In such cases typically the transfer will be necessary for the performance of the contract we have concluded with you when registering for UPEX (e.g. information required for the peer-review of the proposal will be sent to a reviewer in the U.S.). If neither this nor any other exception for transfers of personal data to third countries applies (under Art. 49 (1) of the General Data Protection Regulation – GDPR), we ensure prior to the transfer that

• The European Commission has decided that the third country ensures an adequate level of protection (Art. 45 GDPR, e.g. Switzerland); or
• That the transfer is subject to appropriate safeguards (Art. 46 GDPR), for example by  entering into so-called standard data protection clauses of the European Union with the recipient of the data .

In specific situations we might also ask for your explicit consent to the transfer or base the transfer on another exception provided for in Art. 49 (1) GDPR.

You are entitled to receive an overview of third country recipients and a copy of appropriate or suitable safeguards in place. For your request please use the details provided in section "Contact Information".

We will store your personal data as long as it is necessary for the performance of the contract respectively as long as we have a legitimate interest in the storage. In all other cases we will delete your personal data with the exception of those data that we need to store further in order to comply with contractual or statutory retention periods. We keep your personal data for the following periods:

• Data from registered UPEX users and travel data:
  • Data collected via the registration process will be stored for ten years from the end of the calendar year in which your last login in UPEX took place or for a maximum period of three months after your user account was terminated by you or European XFEL GmbH, whichever storage period is shorter.
  • Travel data contained in Personal Arrival Forms (e. g. passport number, travel dates) will be deleted three years from the end of the calendar year in which respective travel has taken place.
• Data in relation to proposals you are associated with as Main Proposer, Principal Investigator, Co-proposer, experiment team member and/or reviewer:
  • Data in relation to proposals will be stored for ten years from the end of the calendar year in which your last login in UPEX took place or for a maximum period of three months after your user account was terminated by you or European XFEL GmbH, whichever storage period is shorter.
• Data we collect from embargo lists:
  • Data will be kept for ten years from end of the calendar year in which the last embargo list verification was made.
• Data collected from users only for the purpose to become or to be a member of the UOEC (e. g. professional experience, expertise area, photograph):
  • Data will be kept for three years from the end of the calendar year in which the membership has ended.

As regards the storage of scientific data see our Scientific Data Policy.

UPEX makes use of so-called cookies. Cookies are small text files that your internet browser downloads and stores on your computer. If a website is accessed again the internet browser sends the information stored in the cookie back and enables the recognition of the user. Some cookies will be deleted at the end of the browser session (so-called session cookies), other cookies will be deleted after a stated term (so-called persistent cookies).

You can prevent cookies from being installed by changing the settings on your browser software accordingly. However, UPEX only uses cookies which are mandatory for the provision of UPEX (so-called strictly necessary cookies). These cookies are strictly necessary for the safe provision of UPEX. They include, for example, cookies which serve the purpose of identifying or authenticating our users and cookies that temporarily store certain user entries (e. g. a prior log in so that our users do not have to log back into UPEX after every click or information our users have previously entered to complete a form). Therefore, you will not be able to use UPEX if you do not accept these cookies.

Please find a list of the cookies we use, their purpose and retention periods below.

UPEX does not use web analytics tools or tracking tools for interest based advertising.

UPEX does not use social plugins.

Your personal data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. Please note that, regarding any communication via email, confidentiality cannot be guaranteed as third parties may be able to access the information during the transmission process. Therefore, please refrain from using emails for confidential information.

You have the following rights:

   a. Right of access and rectification:

You have the right to obtain confirmation from us as to whether or not your personal data is being processed and a right to access your personal data that is being processed by us.

You also have the right to obtain without undue delay the rectification of any inaccurate personal data relating to you and to have any of your personal data that is incomplete completed. Please note that you might also be able to correct your data in UPEX yourself.

In case we have transferred your personal data to third parties, we will inform them about this rectification and completion if required by law.

   b. Right to erasure ('right to be forgotten'):

You have the right to obtain the erasure of your personal data from us without undue delay and we have the obligation to erase your personal data without undue delay if one of the following grounds applies:

• your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• the processing of your personal data is based solely on your consent and you have withdrawn your consent;
• you have objected to direct marketing;
• you have objected to the processing that is based on our legitimate interest on grounds that relate to your particular situation and there are no overriding legitimate grounds for the processing;
• your personal data have been unlawfully processed; or
• your personal data have to be erased for compliance with a legal obligation.

In case we have transferred your personal data to third parties, we will inform them about this erasure if required by law.

Please keep in mind that there are limitations to your right to erasure. We are for example not allowed to erase data that we are legally obliged to store. Also, your right to erasure does not apply if we need to store the data for the establishment, exercise or defence of legal claims.

   c. Right to restriction of processing:

You have the right to restrict our processing of your personal data where

• you contest the accuracy of the personal data until we have taken sufficient steps to correct or verify its accuracy;
• the processing is unlawful but you do not want us to erase the data;
• we no longer need your personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or
• you have objected to processing based on our legitimate interest (see below) pending verification as to whether we have compelling legitimate grounds to continue processing.

Where personal data is subjected to restriction in this way, we will only process it with your consent or to a very limited extent, e. g. for the establishment, exercise or defence of legal claims.

   d. Right to object:

You have the right to object to the processing of your personal data that is based on our legitimate interest, on grounds relating to your particular situation, at any time. You also have the right to object to the processing of your personal data for marketing purposes at any time. Please also refer to section "Information on your rights to object".

   e. Right to data portability:

Where we are relying upon your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the legal basis for processing, and that personal data is processed by automatic means, you have the right to receive all such personal data which you have provided to us in a structured, commonly used and machine readable format, and also to require us to transmit it to another controller where this is technically feasible.

   f. Right to withdraw consent:

In case you gave us your consent for the processing of data you may withdraw your consent at any time. The withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal.

You may exercise your rights by contacting us via the contact details provided in section "Contact Information". Please ensure for this purpose that we are able to verify your identity.

You may lodge a complaint with a supervisory authority. You may file your complaint at your local supervisory authority or at the data protection authority competent for us. This is:

Unabhaengiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98
24103 Kiel
Germany

Telephone: +49 (0) 431 988-1200
Fax: +49 (0) 431 988-1223
Email: mail@datenschutzzentrum.de

If you have comments or questions, any concerns or a complaint regarding the processing of your personal data, please feel free to contact us at:

European X-Ray Free-Electron Laser Facility GmbH
Holzkoppel 4
22869 Schenefeld
Germany
Email: useroffice@xfel.eu
Telephone: +49 8998 6767

You may also contact our data protection officer Carsten Porthun at the following email address: carsten.porthun@desy.de

Right to object to processing based on legitimate interest

You may have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on the legal basis legitimate interests.

Right to object to direct marketing

You may at all times object to the processing of your personal data for direct marketing purposes. Please take into account that, due to logistical reasons, there might be an overlap between your objection and the usage of your data within the scope of a campaign which is already running.

You may address your objections to:

European X-Ray Free-Electron Laser Facility GmbH
Holzkoppel 4
22869 Schenefeld
Germany
Email: useroffice@xfel.eu
Telephone: +49 8998 6767