Privacy Notice for EGA Data Access Committee Account

This Privacy Notice explains what personal data is collected by the specific service you are requesting, for what purposes, how it is processed, and how we keep it secure.

Note that this service collects personal data directly provided by the user, and also collects personal data from users that is provided by other organisations.

1. Who controls your personal data and how to contact us?

European Genome- Phenome Archive - EGA offers a service for permanent archiving and sharing of all types of personally identifiable genetic and phenotypic data resulting from biomedical research projects, jointly managed by European Molecular Biology Laboratory – European Bioinformatics Institute (EMBL-EBI) and Fundació Centre de Regulació Genòmica - Centre for Genomic Regulation (CRG).

EMBL-EBI and CRG represent joint Data Controllers’ of processing of your personal data. They and their Data protection officers may be contacted for data protection queries and for exercising your rights under Section 8.

You may contact EMBL-EBI, represented by dr. Thomas Keane, by:

  • email at: or
  • post at EMBL-EBI, Wellcome Genome Campus, CB10 1SD Hinxton, Cambridgeshire, UK.

EMBL’s Data Protection Officer may be contacted by:

  • telephone at +49 6221 387-8590,
  • email at , or
  • post at EMBL Heidelberg, Data protection officer, Meyerhofstraße 1, 69117 Heidelberg, Germany.

You may contact CRG, whose EGA team is represented by dr. Jordi Rambla de Argila, by:

  • email at, or
  • post at Fundació Centre de Regulació Genòmica - Centre for Genomic Regulation (CRG), Dr.Aiguader 88, PRBB Building, 08003 Barcelona, Spain.

CRG Data protection officer may be contacted by:

  • email at
  • post at Fundació Centre de Regulació Genòmica - Centre for Genomic Regulation (CRG), C/ Dr. Aiguader, 88, PRBB Building, 08003 Barcelona, Spain.

2. Which is the lawful basis for processing personal data?

We process your personal data on the grounds of important public interest.

For monitoring your activities on the website, we process your personal data on the grounds of important public interest. Such legal basis is found in Article 5(1)(a) of EMBL Internal Policy No 68 on General Data Protection (hereinafter IP 68), which is equivalent to Article 6 (1)(e) of the EU General Data Protection Regulation (hereinafter GDPR) and upon which personal data are processed for the achievement of the aims laid down in 1973 agreement establishing EMBL, such as the promotion of the cooperation in the fundamental research, in the development of advanced instrumentation and in advanced teaching in molecular biology and dissemination of information.

3. What personal data is collected from users of the service? How do we use this personal data?

We collect the following personal data from you:

  • Name
  • Email address
  • Title/Position
  • Organisation
  • Organisational affiliation
  • Business address
  • Telephone number
  • IP addresses
  • Date and time of a visit to the service website
  • Operating system
  • Amount of data transmitted
  • Browser
  • Username
  • Password

The data controller will use your personal data for the following purposes:

  • To provide DAC user account and authenticated access to the service,
  • To publicly publish some information to facilitate scientific research,
  • To better understand the needs of the data subjects and guide future improvements of the service,
  • To create anonymous usage statistics (from number of DACs, datasets per DAC).

4. Who will have access to your personal data?

The personal data will be disclosed to:

  • Authorised staff in the data controller’s institutions acting on data controller`s behalf and instructions (for all user account data),
  • The general public via Internet will get access to your name, email address, business address, telephone number and organisation you belong to.

5. Will your personal data be transferred to third countries (i.e. countries not part of EU/EEA) and/or international organisations?

Data categories ‘name`, `email address`, `telephone number`, `business address`; `organisation’ of the DAC user are published on the Internet. They thus become accessible to recipients in countries outside the European Economic Area. Insofar as the second joint controller may be subject to GDPR, data transfer to and from the first joint controller (EMBL-EBI), is necessary for important reasons of public interest embedded in the aims of EMBL and justified in the Article 9(4) of IP 68 (equivalent to Article 49(1)(d) of GDPR) read in conjunction with EMBL`s 1973 establishing agreement and Article 179(2) of the Treaty on the Functioning of the European Union

6. How long do we keep your personal data?

Any personal data directly obtained from you will be retained as long as the service is live. Such duration serves the purpose of enabling scientific research and ensures legal compliance and facilitates internal and external audits if they arise.

By contrast, the log files for the data categories related to anonymous usage statistics (raw web service logs) are processed only for 30 days and thereafter erased.

7. The joint Data Controllers provide these rights regarding your personal data

You have the right to:

  1. Not be subject to decisions based solely on an automated processing of data (i.e. without human intervention) without you having your views taken into consideration.
  2. Request at reasonable intervals and without excessive delay or expense, information about the personal data processed about you. Under your request we will inform you in writing about, for example, the origin of the personal data or the preservation period.
  3. Request information to understand data processing activities when the results of these activities are applied to you.

It must be clarified that rights under points 4 and 5 are only available whenever you need support whilst using our website. For other processing based on the grounds of important public interest you cannot exercise your rights to object, rectify or erase your personal data according to the Article 13(2)(a)(b) of IP 68 (equivalent to Article 17(3)(b)(d) and Article 21(6) of the GDPR).

8. Supervisory authority

If you wish to complain against the processing of your personal data, you may do so by post at:

  • EMBL Heidelberg, Data Protection Committee, Meyerhofstraße 1, 69117 Heidelberg, Germany, or
  • Autoritat Catalana de Protecció de Dades (Catalan Data Protection Authority), C/Rosselló 214, Esc A, 1r 1a, Barcelona 08008, Spain.

Published at:

February 6, 2019