This privacy notice explains what personal data EMBL collects, for what purposes, how it is processed, and how we keep it secure,
in the context of processing personal data in SMIS for the registration and review of proposals for the use of BEAM lines.
1. Who is responsible for the processing
The EMBL data controller (and joint-controller if applicable) contact details are:
EMBL Hamburg
c/o DESY, Building 25A
Notkestraße 85, 22607 Hamburg, Germany
+49 40 89 902-110 or 111
info@embl-hamburg.de
2. What personal data do we process
The following categories of personal data may be processed:
Core Personal Information
Basic identifiers (name, date of birth, nationality)
Contact details (email, phone, address)
Professional details (employer, job role, department)
Account & Technical Data
Digital identifiers (username, IP address, ORCID)
Login credentials
System access logs
Usage data and cookies
Professional & Academic Data
Education and qualifications
Publications and presentations
Research interests and activities
Other information (as relevant)
Experiment feedback form
Safety training completion
Information necessary to book accommodation (if relevant)
Title, gender, place of birth
ORCID ID
Current affiliation (work/institute)
Fax (if any)
A-Form validation, proposal form
Sensitive data: none are processed in this context.
3. For what purposes do we process your personal data
Service Delivery
Provide and manage service access
Technical support and maintenance
User authentication and security
Research & Development
Facilitate scientific research
Service improvement and development
Usage analysis and reporting
Academic users and industry customers register on the SMIS platform to submit and execute proposals for BEAM time at EMBL Hamburg.
External experts have access to the platform to evaluate and score the proposals. Once a proposal has been approved and executed,
feedback on the experiment is collected. Statistics on the experiments and the number of users may be extracted (always pseudonymised).
4. What is the legal basis for processing
Academic users: Article 6(1)(a) of EMBL Internal Policy No. 68 — the achievement of the aims laid down in EMBL's establishing agreement of 1973.
Industry users: Article 6(3) alt.2 of IP68 — processing is necessary to enter into a contract.
5. Who can access your personal data
EMBL internal recipients
EMBL Heidelberg: Director’s Office
EMBL external recipients
DESY — host institute of the synchrotron (access and use)
European Commission — for grants
Location: Within the European Economic Area (EEA).
6. How long do we keep your personal data
Personal data will be retained even if users no longer use the service, to ensure legal compliance and allow audits.
For grants, data must be kept for at least 10 years for audit purposes; after that, paper files are destroyed and electronic files are kept indefinitely.
Information on the use of BEAM lines is kept indefinitely for statistics and compliance.
7. How do we protect your personal data
Risk Management & Controls
Regular risk assessments of information assets
Implementation of control measures
Periodic review of access rights
Training & Access
Mandatory security awareness and data protection training
Access granted based on job roles
Strict management of privileged accounts
Cryptographic key management
Incident Response & Recovery
Cyber security incident management process
Regular penetration testing
Disaster recovery planning
Business continuity measures
Compliance & Privacy
Protection of personal data in adherence with IP68 and other contractual obligations
Biometric data security
Due diligence of third party hosting such as cloud services
Regular compliance monitoring
8. Data subjects’ rights and oversight mechanism
Under Article 16 of EMBL Internal Policy No. 68, data subjects have the following rights:
A right not to be subject to automated decisions
A right to request access to your personal data
A right to request information on the reasoning underlying data processing
A right to object to processing
A right to request erasure or rectification of your personal data
If consent is the legal basis, you may withdraw it at any time.
Rights may be subject to limitations under Article 16(2) of IP68.
To exercise your rights or contact the data controller, email info@embl.de or write to Meyerhofstraße 1, 69117 Heidelberg, Germany.
Data Protection Officer (Article 20(2) of IP68): dpo@embl.org, EMBL Heidelberg, Meyerhofstraße 1, 69117 Heidelberg, Germany.
Complaints (Article 25(1) of IP68): address these to the DPO. If you are not satisfied, or receive no response in 3 months, you may complain to the Data Protection Committee at the same address.