Data Privacy Notice for the IceBox managed IceBear service
This Data Privacy Notice applies to the managed hosting service ("IceBox") of the IceBear software ("IceBear") and to user data collected and processed on IceBox. It includes some information about data processing in IceBear that is generally applicable to all installations, not just those on IceBox. However, while the information herein may be useful in drafting a local privacy policy, such standalone installations are not covered by this Notice; refer to your own organisation's privacy policy in such cases.
Note that the content of this Notice may change from time to time. You should review this Notice regularly.
Data privacy notice
Data controller
The customer organisation is the Data Controller for the purposes of IceBox. Please refer to their own privacy policies for more information.
Data processing
Unit in charge of data processing:
University of Oulu, Biocenter Core
Administrative contact: Lari Lehtiö, e-mail address: lari.lehtio(at)oulu.fi
Technical contact: Edward Daniel, e-mail address: edward.daniel(at)oulu.fi
University Data Protection Officer: dpo(at)oulu.fi
Some IceBox instances are hosted at CSC; in such cases, some data processing is also performed at CSC, and you should familiarise yourself with their policies. You may discuss this with the contacts above.
Note that the customer organisation may also engage in further data processing outside the scope of this Notice. You should familiarise yourself with their data protection policies.
Purpose of, and legal basis for, processing personal data
The purpose of processing your personal data is to operate and maintain the IceBox service, including the underlying infrastructure, and to determine and prioritise new features and requirements for IceBear.
We also process your personal data in order to respond to queries made via the contact form on the icebear.fi website.
The legal basis for processing your data is our legitimate interest in providing a service to our customers, and in monitoring and improving the service.
General description of the technical and organisational protection measures
IceBox uses appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against damage or loss.
IceBear itself limits who can view personal data, and what personal data can be viewed.
Location of data storage and processing
IceBox instances are hosted either at the University of Oulu or at CSC, both in Finland.
IceBox instances do not process any data outside the European Union. However, IceBear may send personally identifiable information outside the European Union as a result of user action, for example, submitting shipment information to a synchrotron that is outside the European Union.
Data recorded
Data recorded in IceBear includes, for example, information submitted via forms and imported from laboratory hardware and external facilities such as synchrotrons.
Logs
Using IceBear may create log entries. These entries may contain personal data, and are used for ensuring data security, developing the technical features of IceBear, and detecting, preventing and resolving failures. IceBear Log entries are automatically deleted after some time, typically several days.
Cookies
IceBear uses only necessary cookies. See the separate Cookie Policy for further details.
Personal data to be processed
In general, use of IceBear requires you to have a user account. IceBear stores your name, email address, ORCiD, username, and encrypted password, as well as your membership of various user groups within IceBear. Your email address is visible only to IceBox and customer IceBear administrators. Your membership of a given group, and the group itself, may or may not be visible to others depending on how the group is configured in IceBear.
Your IceBear account may be created automatically based on information retrieved from, for example, automated imaging equipment or a third-party authentication service.
When a message is submitted via the contact form on the icebear.fi website, the content of the message along with name and email address are stored in the University’s email system.
Other data to be processed
Anonymised and aggregated data may be collected and processed for the purposes of reporting, resource planning, and the like.
Recipients or categories of recipients of personal data
For IceBox instances hosted at the University of Oulu, we transfer personal data contained in IceBox only within the University of Oulu and only to the extent necessary for the technical maintenance and development of the Service.
For IceBox instances hosted at CSC, please refer also to CSC's privacy policies.
The University of Oulu will disclose personal data to third parties only in so far as the third parties need access to the processed personal data to provide the University of Oulu with services for the purposes specified in this Data Privacy Notice. This refers to, for example, IceBox instances hosted at CSC rather than at the University. The University may disclose anonymous data to other third parties who assist the University in the development of the service and in resolving failures.
Data storage time
Data is stored within IceBox for the life of the IceBox instance. It will be deleted, along with the IceBox instance itself, when the IceBox contract is terminated by the customer or by the University. However, if the customer chooses to host their own IceBear, the data stored within the IceBox instance may be transferred to that new instance. Note that backups of the IceBox instance, and of the personal data within, may persist for up to six months after the instance itself is deleted.
If processed by the University outside the IceBox instance, data will be stored only for the time needed for these purposes and will not be used for any other purpose. This includes information submitted via the contact form on the icebear.fi website.
Third-party services
The University is not responsible for your use of third-party services through the IceBox web service, including but not limited to synchrotron systems.
Data subject rights
You have the following rights as a data subject:
- Right to access your data
- Right to have inaccurate data corrected (make sure to keep your contact information up to date)
- In certain situations, the right to have data erased ("right to be forgotten")
- In certain situations, the right to restriction of processing
- In certain situations, the right to object to processing
- In certain situations, the right to have data transferred from one system to another if the processing is based on consent or agreement and is performed automatically.
Please note that the applicability and scope of your above-mentioned rights will be specified on a case-by-case basis in accordance with the EU General Data Protection Regulation, depending on e.g. the grounds for processing the data, and that you do not have the above-mentioned rights in all cases.
If you have any questions about your rights, you should contact the customer organisation's data protection officers. You can also communicate with the University's Data Privacy Officer or the contact person of the responsible unit.
If you want to use the above-mentioned rights, please first contact the customer organisation's data protection officers. You can also send a request to the University’s registry office: kirjaamo(at)oulu.fi, where you will get the necessary additional instructions.
Right of appeal to the supervisory authority
In addition to the rights mentioned above, you have the right to file a complaint about the processing of your personal data with the Office of the Data Protection Ombudsman as the supervisory authority. The contact details and opening hours can be found on the website of the Data Protection Ombudsman.
Contact information
Postal address
P.O.Box 8000
FI-90014 University of Oulu
university.of.oulu(at)oulu.fi
Telephone number
+358 294 48 0000
Street address
Pentti Kaiteran katu 1
Linnanmaa