Data Privacy Policy
This privacy policy statement is meant to explain to you the way in which we process and protect your personal data on the ECRIN website and beyond. The ECRIN website is a central resource for information about the ECRIN organisation, its services, tools, projects, news, events, and publications as well as other resources related to clinical trials and infrastructure development. Although you can consult our website without giving any personal information, in some cases your personal data is required (e.g. in case you would like to submit a Feedback form, attend an ECRIN organised event, provide feedback in written, video and / or other format, or would like to subscribe to our newsletter).
Our policy on the protection of individuals with regards to the processing of personal data is based on the principles set out by the by the Regulation (eu) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regards to the processing of personal data (the GDPR) as well as the relevant French law, as applicable.
1. WHAT IS THE SCOPE OF THIS DATA PRIVACY POLICY?
This policy covers ECRIN's data processing on our website (www.ecrin.org) as well as links to the ECRIN newsletter, feedback on ECRIN activities and services, ECRIN organised events, trainings and meetings.
ECRIN uses external service providers and tools (Teams, Zoom, Google Forms, Microsoft Forms, RedCap, YouTube) to gather and share opinions as well as organise events, trainings and meetings both on & offline which may require the collection and sharing of limited personal data with third parties.
Please be aware that ECRIN has developed specific data privacy policies for data processing related to other activities such as projects and travel.
Moreover, ECRIN's website may provide links to third-party sites (e.g. LinkedIn, YouTube, ECRIN partner websites to communicate about events). When you click on links to visit third-party websites, you may need to accept their specific terms and conditions and cookie policies as ECRIN has no control over their privacy policies.
ECRIN also may have access to your personal data that you choose to make available on social media (LinkedIn, Twitter, YouTube) if you follow ECRIN or contact one of its personnel on one of their channels. ECRIN will never use this data without your consent. However, ECRIN might use the information freely provided by these providers (as outlined in their privacy policies) as feedback to improve the ECRIN communication strategy.
2. WHAT PERSONAL DATA DO WE COLLECT ABOUT YOU?
The following personal data might be required when you access and use our website or attend an ECRIN organised event:
- Contact details (First name, Last name, Email address, address, phone number) and job information.
- Additional personal information, such as photos and videos, may be collected on rare occasions, in which case ECRIN will inform you and acquire supplementary consent.
We do not collect, but may access your personal data, that you made available on social media, if you follow ECRIN or contact one of its personnel on one of their channels (LinkedIn, Twitter, YouTube):
- First name, Last name, Email address, address, phone number, photos.
In case ECRIN needs to use such data, ECRIN will inform you and acquire specific consent.
3. FOR WHAT PURPOSE DO WE COLLECT YOUR DATA?
Any collection and processing of personal data is for one of the following defined purposes:
- To send you ECRIN's newsletter and to manage your subscription
- To gather your feedback and to improve ECRIN’s services collected via questionnaires on activities related to ECRIN and its projects
- To measure the effectiveness and efficiency of our website.
- To organise events, training and meetings for our user community and provide related information.
- Promotion of ECRIN’s activities, events and success stories
Specific information for each of the above purposes is detailed in the second half of this Data Privacy Policy.
4. DOES ECRIN PUBLISH YOUR DATA ON ITS WEBSITE?
ECRIN does not publish any of your personal data on its website, unless you have specifically provided your consent for a given purpose.
5. ON WHAT GROUNDS DO WE PROCESS YOUR DATA?
As a general rule, we process your personal data on the basis of your CONSENT to ECRIN's processing of your personal data.
In some cases, we could consider other lawful bases such as the legitimate interest of ECRIN, contractual arrangements, or legal obligations. In this case, we will carefully consider your rights and obligations and we will inform you about your data protection rights by adequate means.
6. WHERE DO WE STORE YOUR DATA?
All information provided by you is gathered securely through the SSL (SecureSockets Layer). A SSL is a protocol that encrypts your information into codes so that your information is kept secure while being transmitted via the Internet.
ECRIN looks to store all personal data within the European Union (“the EU”).
However, given the international nature of online services, ECRIN cannot guarantee that all the service providers involved in our activities store your data within EU in which case ECRIN will inform you and request your consent. Before consenting, ECRIN will also invite you to consult their data privacy policy which is freely accessible online. If ECRIN is processing via third party tools the information regarding the specific storage location, will be included in the dedicated consent process.
For instance, some ECRIN events and meetings are organised through other online meeting service providers (Teams, Zoom) which may store some of your personal data outside the EU as per their data privacy policy which is freely accessible online and which we encourage you to consult.
Some ECRIN events are organised directly on the ECRIN Zoom account subsequent consent for storing and processing of your information on Zoom is required upon registration.
Furthermore, ECRIN uses the tool RedCAP that is hosted on its servers in France for some of its questionnaires. Alternatively, in the case of some questionnaires and feedback forms your information may be stored within a Google Form or Microsoft Forms which may store some of your personal data outside the EU as per their data privacy policies which are freely accessible online and which we encourage you to consult.
7. WHO HAS ACCESS TO YOUR DATA?
ECRIN’s relevant internal parties and, as applicable, ECRIN service providers and organisations that co-host events together with ECRIN.
For instance, ECRIN’s Communications Officer has access to the data that you provide via our website for newsletter subscription or event registration.
Relevant internal parties have access to the data that you provide via the feedback form or questionnaire.
In case we use a service provider for certain data processing or share event organising duties we will disclose this information in the information notice so that you can make an informed decision about the access and use of your data.
On the rare occasion that your personal data is made public on our website or another ECRIN communication channel, this is based on your CONSENT to do so.
We never pass on, sell or swap your data for marketing purposes to other third parties outside ECRIN.
8. HOW LONG WILL ECRIN RETAIN YOUR PERSONAL DATA?
ECRIN will retain and process your personal data for as long as it deems relevant, and subject to applicable law, to fulfil the purpose(s) for which the data were collected. After such time, ECRIN will delete your personal data and will require the service provider to do the same.
9. WHO IS RESPONSIBLE FOR THE PROCESSING OF YOUR DATA ON OUR WEBSITE?
As a general rule, ECRIN acts as the data controller of the processing of your personal data for the purposes stated above. In case ECRIN acts as a joint controller or a data processor, we will inform you via the information notice or other adequate means.
DATA CONTROLLER: EUROPEAN CLINICAL RESEARCH INFRASTRUCTURE NETWORK (ECRIN)
30 boulevard Saint Jacques
75014
Paris, France
Registration number: 801 933 235
10. WHAT ARE YOUR RIGHTS?
ECRIN will ensure that you can exercise your rights pertaining to your personal data.
To that end, ECRIN informs you that you are entitled:
a) to have access, upon simple request, to your personal data – in which case you may receive a copy of such data (if requested)
b) to obtain a rectification of your personal data should your personal data be inaccurate, incomplete or obsolete ("right to rectification")
c) to obtain the deletion of your personal data ("right to be forgotten");
d) to withdraw your consent to the data processing (where your personal data has been collected and processed on the basis of your consent);
e) to request a limitation of the data processing in the situations set forth by applicable law ("right to restrict processing");
f) to receive your personal data (data which you provided to ECRIN) in a structured, commonly used and machine-readable format and to transmit those data to another controller ("data portability right" allowed only where the processing is based on your consent and the processing is carried out by automated means)
g) to file a complaint to the French supervisory authority, CNIL (French data protection authority), located at: 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 .
You can also check the CNIL website: https://www.cnil.fr/fr/cnil-direct/question/adresser-une-reclamation-plainte-la-cnil-quelles-conditions-et-comment
In case we are processing your data on a different legal ground, we will inform you about your data protection rights by adequate means.
If you have any questions about how your personal data is being processed within this context or if you would like to exercise your data subject rights, please email your request to legal@ecrin.org and we will refer you to our Legal manager.
SPECIFIC INFORMATION FOR EACH OF THE ABOVE PURPOSES IS DETAILED BELOW (all in an individual accordion for clarity of reading and anchors for easy identification when linking from an external document)
Please note that the content of this Website Privacy Policy may be updated from time to time. Therefore, we advise you to visit the page of this Website Privacy Policy regularly to verify any updates.
What types of personal data do we process for this purpose?
First name, Last name, and Email address.
Who has access to your personal data?
- ECRIN's staff in charge of the website.
- The provider which we use to send you our newsletter. Currently, we use a very popular provider, Mailchimp, which is an online marketing platform operated by Intuit Inc since September 2021, a company headquartered in the State of California in the United States. Their tools are only used to send you ECRIN's newsletter.
PLEASE NOTE:
There are two ways to subscribe to the ECRIN newsletter hosted by Mailchimp 1. a double authentication via the subscribe function on our website, 2. Opting in to subscribe to the newsletter when registering for an event. In both cases your first/last name and email address, are collected and shared with Mailchimp on the basis of consent. Please be aware, Mailchimp may automatically collect certain information about your device and usage of the Services and use cookies and other tracking technologies to collect this information as indicated in their policy. Your data will be transferred to, and stored on, data servers of Mailchimp which are located in the USA.
PLEASE BE AWARE:
Mailchimp has developed its own policy with respect to the GDPR and its own terms and conditions. Please read their policy and if you do not agree with their policy and or with ECRIN sending your data to Mailchimp for the purpose stated above, do not subscribe to or unsubscribe from our newsletter.
On what legal basis do we process your personal data?
In order for you to subscribe to our newsletter, we will ask you to consent (1.a consent request is included in our subscription form 2.a separate subscription consent is included in the event registration form) to process your data and to send your contact information (first/last name and email address) to Mailchimp for the purpose of delivering you our newsletter.
How long do we save your data for this purpose?
We will keep your data for as long as your newsletter subscription is active, except where we have to retain your data for longer periods as required or permitted by law.
What happens to your data if you cancel your subscription?
You may choose to unsubscribe at any time by clicking on the 'unsubscribe' link located at the bottom of our newsletter.
ECRIN will then permanently delete your data (name, email) from its mailing list.
How can you exercise your rights?
In case you have any further questions regarding ECRIN’s handling of your data or you want to exercise your rights see please Section 10 of the ECRIN Data Privacy Policy.
However, please be aware that according to the Mailchimp deletion policy, Mailchimp will stop further processing of your data and continue to keep a record of the email address for compliance purposes. As noted in Section 7 of its Data Protection Policy, Mailchimp committed itself to ensure that such information is securely isolated and protected.
Should you have any questions concerning the way in which Mailchimp is processing your data and/or wish to exercise your rights, please let us know so you can direct your request to Mailchimp so they can respond to your request accordingly. You can also contact them directly as described in their policy, ‘Privacy for Contacts’ section.
The questionnaires using Google Forms; Microsoft Forms or RedCAP may be sent to identified stakeholders to gain insight on ECRIN activities.
What types of personal data do we process?
First name, last name, function, and contact information.
On what legal basis do we process your personal data?
Your consent. The choice to submit a questionnaire (individual link) is equivalent to your consent to process your personal data for this purpose as per this Data Privacy Policy. Be sure to read and agree with the terms of the Data Privacy Policy in full before providing your consent.
Who has access to your personal data?
Your data may be shared within ECRIN's organisation. We never pass on, sell or swap your data for marketing purposes to third parties outside ECRIN.
How long do we save your data for this purpose?
ECRIN will retain and process your personal data for as long as it deems relevant, and subject to applicable law, to fulfil the purpose(s) for which the data were collected. After such time, ECRIN will delete your personal data.
How can you exercise your rights?
In case you have any further questions regarding ECRIN’s handling of your data or you want to exercise your rights please see Section 10 of the ECRIN Data Privacy Policy.
ECRIN does not use cookies to track its website use. ECRIN uses a MATOMO cloud based solution (matomo.com) which is a GDPR compliant solution for tracking web site use. ECRIN follows the guidance provided by the French data authority, CNIL, on the set up of its MATOMO configuration. By applying this set up and anonymising IP addresses tracked it is exempt from consent. To ensure that all users can access our website with comfort we also offer the option to fully opt-out of the anonymised tracking activities.
Why does ECRIN track website use?
ECRIN tracks website use to ensure the optimisation of the user experience. Aggregated user data lets us better understand the information that is of interest to our public.
What personal data is collected?
The only personal data taken into consideration by MATOMO is the user IP address which is anonymised through the removal of one block of data directly in the data collection process by the tool.
On what legal basis is my data collected?
The data are collected based on our legitimate interest. They are made available to ECRIN in the anonymised format.. To ensure that all users can use the website we have included an opt-out option where no tracking will take place. It is programmed as such as the use is considered by the CNIL to be consent exempt
How can you exercise your rights?
In case you have any further questions regarding ECRIN’s handling of your data or you want to exercise your rights please see Section 10 of the ECRIN Data Privacy Policy.
ECRIN organises or co-hosts many events and meetings both online and in person. In order to facilitate the organisation of these events participant personal data is required.
What types of personal data do we process?
Participants: Contact details and professional information.
Speakers: Contact details, professional information, on occasion this can include photo, video and or audio content.
On what legal basis do we process your personal data?
Participants: Your consent. For ECRIN coordinated events, dedicated event registration page are developed, with specific information sheet and or specific data privacy policy. Your consent to participate in the event and to share your information with ECRIN, other organisers and services providers are required.
Speakers: Your consent. For ECRIN coordinated events, dedicated information sheet outlines the personal data and the purposes of its use. A signed consent is required to share your personal data at the event.
All: For ECRIN coordinated meetings that use online meeting tools by choosing to join the meeting you are consenting to the processing of your personal data by ECRIN and the service provider.
Who has access to your personal data?
Participants: ECRIN’s relevant internal parties and, as applicable, ECRIN service providers and organisations that co-host events together with ECRIN
Speakers: Some of your personal data may be made public in order to promote the event, to participate in the event and to provide information on the event after the fact. In other cases where it is not made public your personal data (first name, last name, image, video & audio) would be made available to the participants and ECRIN’s relevant internal parties and, as applicable, ECRIN service providers and organisations that co-host events together with ECRIN
How long do we save your data for this purpose?
All: ECRIN will retain and process your personal data for as long as it deems relevant, and subject to applicable law, to fulfil the purpose(s) for which the data were collected. After such time, ECRIN will delete your personal data.
How can you exercise your rights?
In case you have any further questions regarding ECRIN’s handling of your data or you want to exercise your rights see please Section 10 of the ECRIN Data Privacy Policy.
You may also reach out to the service provider who processed your data as per their Terms & Conditions to exercise your rights within the GDPR.
For the purpose of enhancing the understanding of ECRIN’s operations promotional materials will be developed on ECRIN’s activities, events and success stories to be shared in writing & video on ECRIN’s website, print material, and social media.
Examples are the written and video interviews developed within the ECRIN annual report.
The publication of these promotional materials may involve sharing the participant’s image, views, voice as well as associated personal data.
What personal data will be processed?
Contact details, job information, image, voice and video.
On what legal basis do we process your personal data?
Your specific signed consent to the various types of personal data outlined for this purpose. A dedicated consent form will be provided in advance to the recording or sharing of any personal data for the creation of promotional material. In the case of an event, this may be the same consent form (with separate consent for publication for promotional activities).
Who has access to your personal data?
ECRIN will process interviewees names, emails and images for the purposes of the promotional material. The resulting promotional material, once approved by the relevant parties, will be made widely available on ECRIN’s communication channels.
For the recording process, when in person interviews are not possible, ECRIN will be conducting the interview using the videoconferencing service (Zoom) as data processor and wherepossible will only record to a local computer. Use of Zoom requires the processing of the user's email address.
Any video interview or footage will be hosted by the video provider YouTube. The footage will include video of the interviewee in their area of expertise, their name and affiliation. While the interviewee name may be included in the title no other personal data (ie email) will be included. Youtube has developed a Data Privacy policy to meet the GDPR requirements. According to their policy, the data will be processed by Google Ireland Limited (Ireland) and only for the purpose of provision of service.)
For photos taken during ECRIN coordinated meetings and events, the photos will be available on ECRIN communication channels, including social media for as long as the accounts are active, and they may also be included in print materials such as ECRIN's annual report.
ECRIN will retain the exclusive right to use, reuse, share, publish or reproduce and to authorise others to use, publish or reproduce, internally and publicly, all or part of my participation (video footage, photographs and/or audio recording of me) without restrictions as to changes or alteration, as they are used for the promotional material for which they were developed.
In addition, the recorded material and photographs may be used without notice and without compensation, or obligation of any kind to the interviewee. ECRIN's publications can be seen throughout the world, and not just in the European Union where the data protection regulation (i.e. the GDPR) applies.
ECRIN will not use and will not authorize Zoom and/or Youtube to use the photographs/your name for other purposes than those for which they act as data processors ( see above)
How long do we save your data for this purpose?
ECRIN will retain and process your personal data for as long as it deems relevant, and subject to applicable law, to fulfil the purpose(s) for which the data were collected. After such time, ECRIN will delete your personal data.
How can you exercise your rights?
In case you have any further questions regarding ECRIN’s handling of your data or you want to exercise your rights see please Section 10 of the ECRIN Data Privacy Policy.
Updated: 21/06/2024