CAESAR
Privacy Policy
The software service
INAF is a research institute in astronomy and
astrophysics with full
name “Istituto Nazionale di Astrofisica” est. 1999 in Italy, funding and operating twenty
separate research facilities, which employ scientists, engineers
and technical staff. INAF headquarters are
located in Viale del Parco Mellini
n°84 00136, Rome, Italy.
Specific Service Elements (the CAESAR web UI
and the CAESAR RESTful APIs) have been produced and maintained with the
co-funding of the European Commission, under NEANIAS
project [GA 863448]. Service Elements are the sole responsibility of the
Provider. Nothing in the Service shall be considered as reflecting the views of
the European Commission.
Protecting your personal data is very important to us. Our Privacy Policy
is intended to help you understand why we collect your personal information and
how we use it. It provides detailed information about when and why we collect
your personal information, how we use and process it, how long we keep it, and
finally, under what terms we can share it with others.
This Privacy Policy
applies to all of you who access and use our
Service.
This policy applies solely to personal data and information that the
Service collects through its usage or through any electronic communication of
the User with the Provider, as indicated on the Service (herein referred to as
“Personal Data”).
We may also collect information from you in other ways, including
information collected during technical support contacts. If we provide a
separate or supplemental notice when we collect personal data from you, that
notice will control to the extent of any conflict.
It does not apply to any website of third-party services that the
Service may link to. The Service does not endorse, nor is responsible for the
content of these websites or third-party services, or their policies or
practices.
The Service manages different types of data,
all in compliance with the current European legislation on Data Protection. Any
Data concerning the User is collected to allow the Provider to provide the
services.
Personal Data
The provision of the Service requires that certain pieces of personally identifiable information are processed.
Personal data of yours we process:
·
name
·
email
address
Registration information
The Service may utilize services of
unaffiliated third-party providers for providing additional features. Those may
require that these providers have access to Personal Data such as name, affiliation and email address. These vendors may also
provide the Service with this information, so that the Service can keep track
of User’s linking to those third-party services. In this case, the information
that the User may provide as part of this registration will be subject to both
this
Operational data
Services and infrastructure management software
automatically gather general information from Users, such as IP address,
computer type, screen resolution, OS version, domain name, location, date and
time of the visit, page(s) visited, time spent on a page, origin from where the
User may come into the service, requests to the CAESAR backend services for
logging and accounting purposes, etc. Some of this information is provided
directly by the browser when navigating the CAESAR Web User Interface while the
remainder is obtained through tracking technologies.
The Service is not
intended for children.
The Service does not
collect knowingly any Personal Data from or about children.
The Personal Data required by our Service are
processed for the following purposes:
·
Fulfilment of requests: The Service uses Personal Data to deal with inquiries, contact the
user (via the service management system) and deliver notifications.
·
Service operation: The Service uses JWT tokens to identify users in
order to adapt / grant its capabilities, grant access to specific
Service areas, grant access to relevant information, filter content etc.
·
Statistical analysis: Aggregated data about Service usage (which do not identify a specific
user), such as the number of users who have performed certain processing on the
Service, or how long users are spending on a particular session, are used to
feed statistics as to the use of the Service.
·
Internal business purposes: The Provider uses the collected information for internal business
purposes, such as for audits or to track service feature use and behavior,
justification of resource usage, extraction of operational KPIs, etc.
·
Service and products design: Aggregated and Personal Data are used by the Provider so that
improvements, adjustments and refinements are
performed, as well as new Services and Products are designed to address general
or user-specific needs.
·
Displaying User information: Data concerning the User are presented by the service to allow Users
to identify ownership, provenance and allocation of
various resources.
Our Service guarantees that your personal data will not be used for
purposes other than those set forth in this policy, without prior notice and
where your approval is required.
The Data processing is carried out using computers and/or IT enabled
tools, following organizational procedures and modes strictly related to the
purposes indicated.
The Provider considers User Personal Data as an asset that is not for
sale and will never sell User Personal Data to any third-party.
Access to personal data and transaction information is only authorized by
employees, affiliates and third parties who process the above data at the Provider’s
discretion and only when and to the extent necessary for the above purposes.
Personal data may only be transmitted, for the purposes of the above
processing, to specific recipients who are employees, and generally affiliates
as well as third parties affiliated with the Provider. In addition, the Provider
may, without prior notice, disclose your information to the competent judicial
and/or administrative authorities to the extent required by applicable laws and
regulations, or by judicial decision and/or administrative act.
The service will explicitly provide data on user actions to (a) the NEANIAS Log Aggregation service, for combined troubleshooting of its operation and optimising use of resources provided to the service and (b) the NEANIAS Accounting Service, in order to summarize information on the use of resources by individual users, for the purposes of sizing its usage and, if needed, limiting or restricting access to its operations. Data provided to the aforementioned services shall not include user credentials or any such other user secret.
Additionally, the service will provide, either directly or via data collected by the NEANIAS Accounting Service, aggregate anonymized data for the calculation of Key Performance Indicators (KPIs) on its operation and performance. No sensitive data shall be included in those service transactions.
The Provider makes every effort to control and evaluate when selecting its
affiliates to whom it transmits the personal data of those concerned. There is
a written agreement between the Provider and any third party, according to
which the processing of personal data is carried out under the control of the Provider
and only on its order and is subject to the same data protection policy.
The Service allows the User to interact with Identity
Providers (herein referred to as “third-party Platform”), directly from the
user interface of the Service. The information acquired by the Service through
this interaction is always subject to the User's privacy settings related to
the third-party Platform.
The time period for
storing data is decided on the basis of the following specific criteria, as
appropriate:
·
Where processing is required by provisions of the applicable legal
framework, your personal data will be stored for as long as the relevant
provisions require.
·
When processed on a contract basis, your personal data is stored for as
long as necessary for the performance of the contract and for the foundation,
exercise, and/or support of legal claims under the contract.
·
For other purposes, your personal information is kept until your
consent is withdrawn. This can be done at any time. Withdrawal of consent does
not affect the legality of the consent-based treatment during the period prior
to its withdrawal. You can revoke your consent at any time by selecting the
link provided in the emails we send to you.
As defined in the Regulation
(EU) 2016/679 (General Data Protection Regulation), you (as the data subject) have the following Rights:
·
Right to have access to the Personal Data that
is held about you by the Provider - what data we have collected, for what
purpose, how it is processed and how long it is stored (article 15).
·
Right to rectification (article 16). You have the
right to obtain from the Provider the rectification of inaccurate personal data
and to have incomplete personal data completed.
·
Right to erasure (‘right to be forgotten’)
(article 17). You have the right to obtain from the Provider the erasure of
personal data concerning you.
·
Right to restriction of
processing (article 18). You shall have the right to obtain from the Provider
restriction of processing where one of the following applies: (a) the accuracy
of the personal data is contested, (b) the processing is unlawful, or (c) the
Provider no longer needs the personal data for the purposes of the processing.
·
Notification obligation
regarding rectification or erasure of personal data or restriction of
processing by the Provider (article 19). The Provider will communicate any rectification or
erasure of personal data or restriction of processing carried out to each
recipient to whom the personal data have been disclosed,
unless this proves impossible or involves disproportionate effort. The
Provider shall inform you about those recipients if you request it.
·
Right to data portability (article 20). You have the
right to receive the personal data concerning you, in a structured, commonly used and machine-readable format and have the right to
transmit those data to another Party without hindrance from the Provider.
·
Right to object (article 21). You have the right to object to processing of your
personal data. The Provider shall no longer process the personal data unless
the Provider demonstrates compelling legitimate grounds for the processing
which override the interests, rights and freedoms of
the data subject or for the establishment, exercise or defence of legal claims.
Before we are able to provide you with any
information or correct any inaccuracies, we may ask you to verify your identity
and/or provide other details to help us respond to your request.
The Provider reserves the right not to respond to requests generated
through third-party applications or automated processes without direct
validation of the requests by data subjects using the resources provided by the
Service for the exercise of these rights as described in this Policy.
The Provider takes care to guard the security of your personal data. We
apply appropriate physical, technical and organizational measures that are
reasonably designed to protect personal data against accidental or unlawful
destruction, loss, alteration, unauthorized disclosure
or access, and against all other unlawful forms of processing. We maintain a
security program that is proportionate to the risks associated with the
processing.
The Service is provided via its project managed
instance, whose servers are located in Italy and Greece and provided by the following Providers:
INAF Astrophysical Observatory
of Catania- OACT (IT), NKUA Data Center (GR), CITE – Communication & Information
Technologies Experts SA (GR), GARR - Gruppo per l'Armonizzazione
delle Reti della Ricerca (IT).
The Data is processed at the infrastructures of
the aforementioned providers and in any other places
where the parties involved in the processing are located. For further information, please contact the Provider.
The Provider processes Personal Data in a proper manner and takes
appropriate security measures to prevent unauthorized access, disclosure,
modification, or destruction of them.
In addition to the Provider, in some cases, the
Data may be accessible to certain types of persons in charge, involved with the
operation of the Service (administration, legal, system administration) or
external parties (such as third-party technical service providers, mail
carriers, hosting providers, IT companies, communications agencies) appointed,
if necessary, as Data Processors by the Provider. Specifically:
·
NKUA,
CITE and GARR Providers of the NEANIAS AAI, Logging and Accounting services,
·
Google
and Microsoft Identity Providers for Authentication.
The updated list of these parties may be requested from the Provider at
any time.
As the Service relies on a list of distributed services, in the process
of supporting a user request we might have to share Personal Data with Other
Providers.
We store personal data on servers located in
the European Economic Area (EEA). Each organization is required to
safeguard personal data in accordance with our contractual obligations and data
protection legislation.
The Provider may use or disclose Personal Data to any third-party (a) if
required to do so by law; (b) to comply with legal processes or respond to
requests from governmental or public authorities; (c) to prevent, investigate,
detect, or prosecute criminal offenses or attacks on the technical integrity of
the Service or network; (d) to enforce Terms and Conditions; or (e) to protect
the rights, privacy, property, business, or safety of the Provider, its
business partners, employees, members, Service Users, or the public. Unless
prohibited by applicable law, the Provider shall inform the User if a
third-party requests access to Personal Data about the User.
This privacy policy may be modified. We will make
sure to keep you informed of any changes, but in any event
we invite you to visit our website regularly, where the most up-to-date Privacy
Policy will be posted.
For exercising your rights, or for any
questions, comments, objections or complaints,
regarding this Privacy
Policy or privacy,
security or data protection practices applied, please contact the Provider by
email via its designated Data Protection Officer rpd@inaf.it.
We handle your requests with the utmost care to ensure
that your rights are protected. For any requests that may require assumption or
disclosure of Personal Data, the User will have to demonstrate legitimate
grounds for making the respective requests, as well as provide sufficient
evident for the identity of the User.
In some cases we may not be able to process your
request directly. However, in any event we will inform you of the progress of
your request within one month of the submission of your original request.
You always have the right to complain to the “Italian
Data Protection Authority (https://www.garanteprivacy.it/home_en)”, if you are concerned about how we have processed your personal data.
Effective Date: 4 June 2021