Is Scitodate a controller or processor?
Scitodate gives its customers access to a big data tool for mapping out application areas for their research equipment. By integrating scientific articles with funding databases, customers get access to an addressable market (prospects, competitors...). This information is mapped out in the ‘Market Landscape Dashboard’ of every individual customer.
Based on the provided information, our assessment is that Scitodate qualifies as Controller. The definition of ‘Controller’ in article 4(7) GDPR states the following: ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
In assessing the capacity of Scitodate, it is important to know whether the services provided consist primarily of data processing. If so, there may be a situation wherein the customer outsources certain data processing to Scitodate, resulting in the qualification as ‘Processor’.
This is, however, not the case for Scitodate. Scitodate processes research data with the aim of delivering valuable business data to the customer. This purpose is determined by Scitodate itself, in order to provide a service with added value to its customers. This service entails a tool that provides access to research data through scientific articles and databases. Scitodate determines essential aspects of the data processing when supplying the tool: what data is available through the tool, how data is made available and how the data processing is carried out.
The client-contractor relationship between Scitodate and its clients does not detract from the factual influence that Scitodate has on data processing. Scitodate determines the purposes and means of the processing of personal data and therefore qualifies as Controller under the GDPR.
Why do we collect this data?
Scitodate processes data from researchers whose publications are publicly available in databases like Pubmed & Medline. Scitodate provides curated scientific content with the aim of helping to solve the authorship ambiguity problems currently affecting the scientific industry, to create an accurate description of the works associated with individual researchers and to help organisations understand the work of researchers. GDPR lists several legal grounds for processing data about individuals, in this case scientists, one of which is Legitimate Interest. For the reasons mentioned above, it is not only in our legitimate interest to process this data but also in the legitimate interests of the researchers. These objectives offer invaluable and incontestable benefits to the furtherance of unbiased and transparent academic research. Indeed, governments and academic institutions world-wide routinely make such data public for those purposes. The data we process and the way we process it are commonplace. Organisations like Google Scholar, Microsoft Academic, Semantic Scholar (Allen Institute), Web of Science (Clarivate) and Scopus (Elsevier) engage in the same processing as the core of their activities.
What type of data do we collect?
We collect the following information: name, email, organisation (position) and user behaviour. This is collected only from the direct users of our products, for the purpose of providing access to our services. Third-party information: we collect information about scientific literature and scientists from publicly available sources like academic publications, patent offices, regulatory agencies and funding agencies. If you are an academic author or researcher, a patent holder, a clinical trials investigator or are otherwise an author of, or contributor to, reports, analyses, articles or other materials available in the public domain, your professional data such as your name, work contact details and specialisation may be included as content in our services.
How do we collect data?
We collect data from publicly available sources through standard APIs, including but not limited to Pubmed, Medline, ORCID, GridID and Cordis. A partial copy of these datasets is stored and indexed to enable accessibility, transparency and disambiguation of the data. Recital 47 of GDPR also specifies precisely how this data may be processed by our users and why it falls under Legitimate Interest in this context.
For data processing in regard to our consultancy services for our Clients, we have drawn up a standard processor agreement. This can be read here.
Location of the data
For its service, Scitodate hosts all data of its customers on its own (assigned) servers within Europe and does not use cloud services located outside of Europe.
Right to access
Do you wish to have access to the data that Scitodate has stored from you? You can submit a request for this. Read here how to do this.
Right to be forgotten
Do you wish to execute your right to be forgotten from Scitodate services? You can submit a request for this. Read here how to do this.
You actively use Scitodate's service as a client
The application form on Scitodate websites requires Clients to provide contact information (such as name and address) and to provide Scitodate with unique identifiers (a password). Scitodate uses this information so that it can provide its services and provide Clients with information about those services. If necessary, the information is also used to get in contact with the Clients. Unique identifiers are used to determine identity when logging into the personal account within the Scitodate system. Passwords are automatically encrypted and cannot be viewed by Scitodate. Information is transferred exclusively over secure SSL connections.
Personal information collected shall only be used by Scitodate for the objectives described above. Personal information shall not be provided or sold to unauthorized third parties. All personal information is optimally secured and treated with the utmost care by Scitodate. This information is also only available internally to persons for whom access is essential to the performance of their tasks.
Scitodate does store the time and IP address of each login in order to ensure security. This is explicitly mentioned in Scitodate's General Terms and Conditions. Clients are obliged to sign a contract with Scitodate before they get access to the Scitodate Network.
Scitodate is convinced that the behaviour of people is the most important part of data security. Scitodate staff are well informed about the rules for data security. There is a special policy for incoming data, and there is a security and escalation protocol. On a regular basis, the data policy is brought to the attention of Scitodate staff again. The data policy is also officially included in Scitodate's terms of employment. At a senior level, a data officer is responsible for the above-mentioned policy.
The second, very important, part of data security at Scitodate is that Scitodate stores as little data as possible (privacy by design).
Scitodate has an advanced rights management system that ensures that only authorized personnel at a certain level can access private data.
Scitodate aims to secure its systems in the best possible manner. Scitodate has standard procedures for the commissioning of new software. These must ensure that only safe software is taken into use.
Scitodate servers are managed within the European Union by external hosting providers. These are ISO 9001 and ISO 27001 certified, among other standard security certifications.
This website is hosted by Squarespace, a complete web hosting package which includes basic analytics of page views and visits. This gives Scitodate the opportunity to analyse its website and to improve it. The data is only used for the purpose of improving the website. The data is not shared with others, and within Scitodate's organisation only a limited number of people have access. The cookies do not contain personal data. The tool used is configured in such a manner that it does not save personal data.
Newsletter mailings and e-mail marketing are a fixed part of the online marketing universe. Basically, the principle that processing is prohibited but subject to the possibility of authorisation also applies to the personal data which is used to send e-mails. Processing is only allowed by the General Data Protection Regulation (GDPR) if either the data subject has consented, or there is another legal basis. This could be, for example, preserving the legitimate interest of the controller to send e-mail marketing. Recital 47 of the General Data Protection Regulation expressly states that the law also applies to the processing of personal data for direct marketing as a legitimate interest of the controller.
In addition, such an interest could be seen, for example, if there is a relevant and proportionate relationship between the data subject and the controller. This could be the case if the data subject is a customer of the controller or is in the latter’s service. Therefore, much suggests that e-mail marketing is allowed without consent, at least for existing customers. If the company has a justified interest in ‘cold’ calling through e-mail marketing, the marketing e-mails may be sent to potential customers without consent. To receive no further information by newsletter or e-mail, the customer receiving them need only object to processing for marketing purposes. According to Art. 21(2), (3) GDPR, the data subject always has the right to object to the processing of personal data for direct marketing purposes. If the data subject objects, the controller only has to stop the processing for marketing purposes, but can still process the data for other purposes, e.g. for the performance of a contract. The legitimate interest of the controller to process data for marketing purposes can never outweigh the objection of the data subject. One must note, however, that according to Art. 95 of the General Data Protection Regulation, this applies to all data protection-related purposes unless special rules with the same regulatory scope are contained in the ePrivacy Directive (see also recital 173). The consequence is that e-mail marketing is currently only allowed with the consent of the parties concerned (Art. 13(1) of Directive 2002/58/EC). One must wait to see whether the coming ePrivacy Regulation provides more clarity on this issue.
Regardless of whether a company bases its marketing measures afterwards on its legitimate interest or on consent, the controller has to adhere to the data subject’s right to be informed. The content of said information depends on which justification reason is used. Please be aware that there might be certain additional national laws (e.g. competition law) which might be slightly stricter or which may impose additional restrictions.
Relevant GDPR articles
Art. 6 GDPR Lawfulness of processing
Art. 7 GDPR Conditions for consent
Art. 21 GDPR Right to object
Art. 95 GDPR Relationship with Directive 2002/58/EC