Privacy Statement EURAXESS Netherlands
Useful information | Privacy statement
This privacy statement explains the scope and the purposes for the processing of your personal data through EURAXESS and the ways we collect, process and secure all personal data you provide, be it directly or indirectly. We explain how long we retain your data and how you can exercise your data protection rights (such as the right to access, rectify and block your personal data).
2. Who are we? Nuffic and the European Commission
The website euraxess.nl is maintained by the Foundation Nuffic the Dutch organisation for internationalisation in education. Nuffic is the bridgehead organization for EURAXESS in the Netherlands
Nuffic is dedicated to adhering to a high compliance level with the EU’s General Data Protection Regulation (GDPR).
The website euraxess.nl is part of the European EURAXESS initiative. This initiative aims at facilitating the mobility of researchers in the European Research Area (ERA) and beyond. Over 40 countries are part of the network which has more than 500 service centers. These centers offer assistance on visa, work permits, school enrollment applications, social security, medical insurance to researchers and their accompanying family members.
The portal (maintained by the European Commission) enables users to register. Registered users can use the portal to share their CV and find job and funding opportunities. The EURAXESS initiative is based on the Horizon Europe program, EU’s key funding programme for research and innovation.
The European Commission, specifically the Head of Unit A.3. of the Directorate-General for Research and Innovation (DG RTD) is the data controller for the data processing via EURAXESS. Nuffic is the data processor when processing personal data for this program. Nuffic is funded by the Dutch Ministry of Education to support euraxess.nl.
3. Why do we process your data?
he main purpose of the processing operations is the collection and processing of personal data
- a. HR professionals of research institutions
- b. Researchers to operate a pan-European network of researchers and recruiters/funders.
As data processor, Nuffic follows the instructions from the DG RTD, and processes personal data from visitors and registered researchers for the following specific sub purposes:
- Access information provided by researchers to create an account;
- Verify and approve registrations from HR professionals of Dutch research institutions;
- Collect and process analytic information about the traffic to the .nl website (see paragraph 4.2 on website analytics below);
- Organise courses, seminars or other events;
- Organise on- and offline meetings (see paragraph 4.4 below about Teams);
- Communicate about activities. Nuffic processes personal data, when you have provided consent for such;
- Connect accounts to the right EURAXESS Contact Point (a University in the Netherlands)
- Conduct surveys (see paragraph 4.3 on surveys below)
- Facilitate learning and network building among HR professionals in Europe regarding the mobility of researchers.
The processing is based on the legal ground of article 6(1) e of the GDPR, because:
The data processing is necessary for the performance of the public interest task of DG RTD, namely to promote and support the mobility of researchers in the Union and worldwide, based on the Horizon Europe program.
DG RDT ensures that the personal data are collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with this purpose. As data processor, Nuffic only processes the personal data in accordance with these legitimate purposes.
4. What data do we collect and process?
4.1 Data provided by users to create a EURAXESS account
Data provided by HR professionals en researchers to create a EURAXESS account.
The personal information required for the creation of a EURAXESS account is limited to the data necessary to identify a person. The required data are:
- e-mail address
- first and last name
- the current living country
Additional information that is required or optional can be found in this oversight of required and optional information for different EURAXESS profiles (97.74 KB) .
There is an option to hide the public profile from Search / partnering, and there is an option to hide the first and last name and email from the public profile.
4.2 Web useage statistics
All EURAXESS' webpages register the IP address of users visiting the site. The Commission and Nuffic process these data in a de-identified format. This prevents the data from being linked to individual persons. These data are collected for statistical analysis to develop and improve webpage content. The statistics are used to find out the number of times different pages are viewed, the duration of these visits, from what websites users are visiting (URL referrers) and which browsers are being used. Nuffic uses Google Analytics to collect these website statistics. Nuffic follows the guidance from the Dutch Data Protection Authority to minimise the data protection risks of this data processing by Google, by applying all measures advised by the Dutch DPA in its Google Analytics manual.
4.3 Surveys/data collection
Nuffic uses the survey tool SurveyMonkey to collect personal data through questionnaire-based surveys. Nuffic has negotiated a GDPR compliant data processor agreement with Survey Monkey. Survey participation is voluntary, and it is easy for recipients of survey invitations to opt-out of receiving these requests in the future.
Nuffic processes names and email addresses to manage survey invitations. The distribution list includes users of our services, newsletter subscribers, event registrants and users. Nuffic uses Microsoft Dynamics 365 as CRM system, with the strict conditions in the data processing agreement with Microsoft negotiated by the Dutch ICT cooperatives and the Dutch central government. Data are hosted in data centres in the EU.
Nuffic can also collect data through e-mails but only if you provide consent.
The basis for this data processing in part involves weighing the legitimate interest of improving performance of our tasks as an organization for internationalisation in education, to best serve the interests of our users and society at large, and in part an assessment of how this activity aligns with other primary purposes for personal data collection. More information about this is available upon request.
4.4 Office 365
Nuffic may process personal data at your request to provide you with access to Microsoft communication systems such as Microsoft Teams.
5. How long do we keep your data?
Personal data are retained as long as the user continues to use EURAXESS. Accounts are removed after five (5) years of inactivity. After one year, an email is sent to the data subject to offer the possibility to delete or update his/her account.
Users can request to have their account deleted at any time, by clicking a button after they have logged in to their account. When an account is deleted, all related data are deleted with.
Information requests of researchers through firstname.lastname@example.org are stored for a maximum of three years. After that, they are automatically deleted.
Nuffic may be required by the statutory framework, notably the Act relating to archiving (Archiefwet) to retain personal data relating to relevant acts and decisions for a longer period of time. Nuffic applies strict purpose limitation. Therefore, data that are retained to comply with such a legal requirement, can only be used for the purposes of that specific legal requirement, not for any other purpose.
6. How do we secure your data?
We secure personal data by administering them in line with our rigourous internal procedures for information security.
Our procedures govern how we organise work activities with regard to information security; how and when we apply secure data storage, encryption or masking; how we authorise, manage and restrict access to data or physical locations; contractually ensure the same high security level from our suppliers and adequately and timely respond to security incidents that may arise. The Key policy rule is that people get access to personal data as long as they need it to perform their tasks.
All data in electronic format (e-mails, documents, uploaded batches of data etc.) are stored either on the servers of the European Commission or of its contractors, or, in case of Nuffic, in Microsoft Office 365.
The European Commission is responsible for the maintenance and risk and vulnerability assessments of the EURAXESS sites and database.
The Commission’s contractors are bound by a specific contractual clause to act as data processors, and only perfom any processing operations of your data on behalf of the Commission. All contractors are additionally bound by confidentiality obligations as required by article 28(3), under b, of the GDPR.
We conduct regular risk and vulnerability assessments of our activities related to personal privacy, information security and of the IT systems we use, and use the results of these analyses to adjust how we work. Our efforts are supported by our system administrators, Security Officer, Privacy Officer and Data Protection Officer.
7. Who has access to your data and to whom are they disclosed?
Access to your data is provided to authorised staff of Nuffic and its subprocessors according to the “need to know” principle.
Nuffic uses three subprocessors to process personal data from EURAXESS:
- Microsoft Office 365 and Dynamics
- Survey Monkey
- Google Analytics
Processors may only process personal data for the purposes defined by the European Commission, as specified in the contract with processor Nuffic. Nuffic strives to process all data within the EU. If we engage subprocessors that process data outside the Netherlands we ensure compliance with the GDPR through transfer instruments such as the EC Standard Contractual Clauses, combined with any required additional technical and organisational guarantees to mitigate possible dataprotection high risks for the users.
Nuffic staff is bound by statutory, and when required, additional confidentiality agreements, as well as contractual provisions.
Members and organisations can choose which data are accessible.
All personal data provided by members and organisations are accessible to other members and organisations, and to the EURAXESS Centres members.
Users can always opt in or out of being visible to other users. In addition, users can select to have some personal data, such as name and email, hidden from other users. Nuffic as a processor does not take decisions to provide personal data to any third party. If Nuffic would receive a request from an authority to disclose personal data relating to EURAXESS, it will redirect the requesting authority to the data controller, the European Commission. Only in case Nuffic would be prohihibited by law from disclosing the request or order, Nuffic may have to take such a decision. However, Nuffic will first examine the validity of both the request and the gagging order.
8. What are your rights and how can you exercise them?
You have the (data protection) rights to:
- access the information we have on you;
- rectification or completion of inaccurate or incomplete information;
- erasure of your data if they have been processed unlawfully (please note, there are exceptions to this right, for example, when legislation requires that we continue to retain data).
- restriction of data processing pending clarification of a question regarding the legal basis, to reach a decision regarding an objection to data processing, or to delay/restrict data erasure.
- withdraw your consent if you initially granted it to us as the basis for a data processing activity;
- object to the data processing if it is not based on consent, agreement or legal obligation; if the processing is carried out in the public interest or as an exercise of official authority (GDPR Art. 6 (1) litra e), or in the pursuit of legitimate interests (same article, litra f), and the processing is not necessary for the protection of vital interests. You may at any time object to direct or targeted marketing. See Section 8 on how to object.
- data portability in a structured, commonly used, machine-readable format if the data processed were based on consent/agreement and you are the one who has provided them to us. We will only release data when able to confirm your identity, secure the data using encryption, and ensure that doing so does not infringe on the rights or freedoms of others. The information will be transmitted free of charge unless we can prove that the cost is unjustifiable or excessive (please note, however, that this right is primarily intended to protect customers in commercial matters such as switching between service providers, and will only be applicable to our activities in certain cases);
- information about our processing of personal data that is concise, transparent, intelligible and easily accessible.
- Not to be subject to a decision based solely on automated processing that is wholly automated (i.e. independent of human influence) and produces legal effects concerning you (i.e. controlling your rights or obligations). This does not apply, however, unless the decision is based on consent, is necessary for entering into or performance of a contract, or is based on legislation that safeguards the interests of the individual. In the case of such decisions we will implement measures to safeguard your interests, and you will have the right to express your point of view, to contest the decision and to obtain human intervention.
You are able to exercise these rights through your EURAXESS account, in the portal.
You may also address Nuffic with such a request, but as data processor, Nuffic can only forward your request to the data controller, DG RTD. Nuffic has a separate form to file such data subject requests: Request to acces, rectify or erase your personal data | Nuffic.
9. File a complaint or objection
If you do not agree with the way EURAXESS processes your personal data, you can submit a complaint to DG RTD via +32 229 89797, email address RTD-ERA-TALENT-PLATFORM@ec.europa.eu. You may also contact the Data Protection Officer (DPO) of the Commission: DATA-PROTECTION-OFFICER@ec.europa.eu.
In case of a conflict, and preferably after a first contact with the Controller, you can also submit your complaint to the European Data Protection Supervisor (EDPS), email@example.com.
If you have an objection against specific data processing by Nuffic as data processor, or you have a question about the euraxess.nl website or this privacy statement, please contact us via firstname.lastname@example.org.
You may also contact Nuffic’s Data Protection Officer, Ms Sjoera Nas (MA), via email@example.com or via +31 70 4260 260.
10. Where to find more detailed information?
The Commission Data Protection Officer publishes the register of all operations processing personal data. You can access the register via the following link: http://ec.europa.eu/dpo-register.
This specific processing has been notified to the DPO with the following reference: DPO-3806.