Privacy notice for processing of user data on the LUMI Service

Effective as of 10.11.2021.

General

This privacy notice includes information for the data subject (natural person) in accordance with Articles 13 and 14 of the EU General Data Protection Regulation (2016/679). This notice is provided to the data subject during the collection of personal data.

The LUMI Joint Controllers (referred later as “we”)

The LUMI Services are provided by the LUMI Consortium partners. The participation of each consortium member is integral to providing access and appropriate services to the Users. We jointly process the LUMI Service’s user data to provide LUMI Services. We jointly determine the purposes and means of the processing and we shall therefore be Joint Controllers within the meaning of Article 26 of the GDPR.

Data protection and privacy are important to the LUMI Consortium. We ensure that your personal information is processed appropriately, fairly and in a transparent manner. We only collect personal information for a specific purpose and we will only collect the personal information that is necessary for the purpose of processing the data. We will ensure that the personal information we collect is accurate and we will update them as needed.

Joint Controllers are:

Belgium: Belgian Science Policy Office, Belgium’s contact information will be updated later. Please use privacy(at)csc.fi for contacting us.
Czech Republic: VSB –Technical University of Ostrava, IT4Innovations National Supercomputing Center, it4i(at)it4i.cz
Denmark:  Universities Denmark, Susanne.groth(at)deic.dk
Estonia: Estonian Scientific Computing Infrastructure, support(at)hpc.ut.ee
Finland: CSC – IT Center for Science Ltd., privacy(at)csc.fi
Iceland: University of Iceland, morris(at)hi.is
Norway: UNINETT Sigma2 AS, privacy(at)sigma2.no
Poland: AGH University of Science and Technology, Academic Computer Centre Cyfronet AGH, daneosobowe(at)cyfronet.pl
Sweden: Swedish Research Council, Vetenskapsrådet, dataskyddsombudet(at)vr.se
Switzerland: ETH Zürich, privacy(at)cscs.ch

You may contact us using the common contact point via LUMI User Support (https://lumi-supercomputer.eu/user-support/need-help/).

The scope of this Privacy Notice and Joint Controllers’ responsibilities concerning Data Subject’s rights

Image 1: Joint Controllers in LUMI and its primary connections. Resource allocation is done on external portals not in the scope of this Privacy Notice. The registration service with Identity provider authentication proxy is operated by GÉANT, who is the Controller in that context. LUMI Services receive data from you and your home organisation identity provider (user profile data listed later in this document). Data is also received from the resource allocators on decisions, and possible roles and memberships of projects. LUMI Services produce accounting and reporting information which is disclosed to resource allocators and funders.

When you log in to any service related to LUMI, including registration portals, or the system itself, we handle your account data. Additionally, collection of the resource allocation decisions, usage accounting, support, and user data on the LUMI system is in scope of this document.

The different controllers have their dedicated responsibilities. When it comes to the central allocation and accounting services, the LUMI system, web pages and the technical platform for the support requests, CSC is the main contact point for the data subject.

For LUMI User support, each LUMI Party is primarily responsible for the support cases assigned to its specialist at the support service. All LUMI User Support (LUST) team members have permission to process the tickets. As you may be unsure of who has contributed to your support case, we have a central contact point. Contact information is described earlier in this document.

If your request concerns any other of us besides the one receiving the Data Subject’s request, it will forward your request to those of us concerned without undue delay. The Joint Controllers concerned are jointly responsible for responding to your requests and enforcing your rights as the Data Subject.

Categories of personal data, purposes of processing and legal basis for the processing of personal data

This privacy notice applies to information collected in connection with your access to and use of LUMI Services.  “You” refers to any data subjects who register for use or uses the LUMI Services.  The “LUMI Services” refers to any services or products that are provided to you by the LUMI Consortium (https://www.lumi-supercomputer.eu/lumi-consortium/), including platform, software, web solutions, tools and related support services, regardless of how you access or use these services.

Sources of Personal Data

We acquire data primarily from the following sources:

• data provided by you (data subject)
• MyAccessID registration and authentication service
• your home organisation’s identity provider
• other identity provider or virtual community you have chosen to use
• organisations that have allocated LUMI resources for you

Collected Personal Data

The following data may be registered:
A. Profile Information

• contact information such as name and email address
• credentials for authentication or other purposes
• identifiers provided by your Identity Providers (home organisation or 3rd party)
• affiliation information about users such as home organisation, job title, the data subject’s role as a member of his/her organisation

B. Project Allocation information such as project name, project membership, project description, resource allocator of the project, user roles in project
C. Data access permissions
D. Information of your other possible memberships and roles in scientific communities

• group and memberships you may have in the context of your scientific community
• roles and rights you may have in the context of your scientific community

Additionally, we keep service use data, such as logs, consisting of the following data:

• Your identifier (user account, identifier, name)
• Accounting data
• System, service and central logs and databases which contain traces on your activities on the system
• Your IP address with timestamps
• The Identity Provider you used and any other data collected with specific agreement from the data subject

Purpose of the processing of personal data

You will need to register before you apply for LUMI resources from a Resource Allocator, or to be added to existing LUMI projects. Resource allocation is handled separately by Controllers who are allowed to grant resources to the LUMI system. If you register to their allocation services, they will receive from us profile information, created at the time of your registration, to identify you as a user.

Until you have been allocated access to LUMI resources or been added to projects with access to LUMI resources, we process your data only to determine if you have access to the system. Once you have access to the LUMI resources, your information will be processed to provide access to the system, including the local account creation. Accounting information will be stored and transferred to other parties as specified below. Once your access to the system has ended, we will still store your account, log, and accounting information according to what is described in the data retention section.

We process your personal data for the following purposes:

• identify authorized users, administer user accounts and credentials, manage access to our services, process and track transactions and manage licenses
• deliver, maintain and develop our services
• provide help and support for the services
• send you information relating to the services, such as to notify you about changes to our service and products
• track and analyse services used for accounting, auditing and other internal functions
• protect against, identify and prevent fraud and other criminal activity, claims and other liabilities; and
• comply with and enforce applicable legal requirements, relevant international agreements due to the nature of the provided services, relevant industry standard practices, and our policies, including this privacy note and the applicable terms of use for the LUMI Services.
• to operate our business, which includes analysing our performance and meeting our legal and contractual obligations. It also includes processing personal data for reporting purposes for LUMI Consortium members, LUMI infrastructure funders and for LUMI user organisations (your affiliation).

Legal basis for processing Personal Data

When you apply the right to use or use the LUMI Services, the legal basis for data processing is to take steps prior to entering into a contract at the request of you or performance of the contract where you are a party (Art. 6 (1)(b) General Data Protection Regulation, GDPR). When your data is processed for any other purposes listed above, the legal basis is our or third party’s legitimate interests (Art. 6 (1)(f) GDPR). The processing is necessary for client management, fraud prevention, misuse prevention, intra-consortium transfers (i.e., for accounting and resource allocation purposes), IT and network security, and to fill our contractual obligations (including providing information on the use of the LUMI Service to those who have funded it or to your home organisation). In some cases, we may ask if you consent to the relevant use of your personal data. In such cases, the legal basis for us processing that data about you may (in addition or instead) be that you have consented (Art. 6 (1) (a) GDPR).

Processing of personal information by other service providers and processors

Your personal information or your affiliation may be shared with the system vendor contracted by EuroHPC JU, our sub-processors, to the extent necessary to provide the LUMI Service. These organisations have committed to comply with privacy laws and regulations.

Data Transfer outside EU/EEA

Your data is processed on the EU/EEA, except in the following case:
One of the Joint Controllers is established in Switzerland, which is recognised as having an adequate level of data protection by the European Commission. That Joint Controller may process your data to provide you the service or service support. The Swiss data protection law guarantees the protection of the privacy of data processing carried out in Switzerland. The Swiss data protection authority FDPIC deems all EU and EEA countries adequate with regard to personal data of individuals.

Your profile information may be transferred to software provider(s), which may be located outside the EU/EEA, when you use their software to comply with their license terms. The software provider(s) are responsible for informing you how they process your personal data. If your personal data is transferred for any other purposes outside the EU/EAA, you will be notified or your consent will be asked.

How do we protect the data and how long do we hold it for?

The data is collected into databases that are protected by firewalls, passwords, and other technical measures. The databases and backups of these databases are located in locked facilities.

Information disclosure to other Controllers

Accounting and reporting, as well as other necessary information (e.g., to handle possible security incidents), including your profile information, will be transferred to EuroHPC Joint Undertaking, other resource allocators and funders, LUMI Consortium partners, and home organisations.

Resource allocation is done on external portals, not in the scope of this Privacy Notice. There may be other external services not in the scope of this Privacy Notice connected to the central allocation and authentication services. If you choose to use these services, your profile data, and possibly applicable allocation data, will be transferred to these services. Those services are responsible for informing you of your rights before using the services.

Data Retention

The retention period of user and project information (general information, roles, persons, resource allocation, project logs, accounting information and accompanying reporting information) is 2 years after the end of the operation of LUMI system for the purpose of accounting and statistics unless otherwise required by applicable legislation.

The retention period of other system logs is a maximum of 5 years after the relevant information has been collected.

How do we protect the data and how long do we hold it for?

The data is collected into databases that are protected by firewalls, passwords, and other technical measures. The databases and backups of these databases are located in locked facilities.

Data subject rights

You have the following rights as a data subject:

• To request confirmation as to whether we are processing personal data concerning you
• To request a copy of the personal data
• To demand the rectification or completion of inaccurate or incomplete data
• To withdraw your consent, if processing is based on your consent
• To request the erasure of data in certain cases
• To request the restriction of processing, provided that the processing is based on our or third party’s legitimate interests.
• Right to object processing of your personal data, provided that the processing is based on our or third party’s legitimate interests.
• Right to have your data transferred from one system to another in certain situations

We will always use our best efforts to address and settle any requests or complaints you bring to our attention. Besides contacting us, you always have the right to approach the competent data protection authority with your request or complaint:

• at your habitual residence in the EEA
• at the place of your work in the EEA or
• at the place of the alleged infringement in the EEA.

The data protection authority competent for CSC – IT Center for Science Ltd is Office of the Data Protection Ombudsman, Postal address: PL 800, 00531 Helsinki, Finland; https://tietosuoja.fi/en/contact-information .

Changes to this privacy notice

This privacy notice is current as of the date which appears at the top of the document. We may occasionally update this privacy notice. If there are material changes to this privacy notice or in how we will use your personal data, we will use reasonable efforts to notify you.