Privacy Policy
The privacy and cookie policy for the services of SCITODATE B.V. (referred to hereafter as: SCITODATE) is set out on this page.
Is SCITODATE a controller or processor?
SCITODATE gives its customers access to a big data tool for mapping out application areas for their research equipment. By integrating scientific articles with funding databases, customers get access to an addressable market (prospects, competitors...). This information is mapped out in the ‘Market Landscape Dashboard’ of every individual customer.
Based on the provided information, our assessment is that SCITODATE qualifies as Controller. The definition of ‘Controller’ in article 4(7) GDPR states the following: ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
In assessing the capacity of SCITODATE, it is important to know whether the services provided consist primarily of data processing. If so, there may be a situation wherein the customer outsources certain data processing to SCITODATE, resulting in the qualification as ‘Processor’.
This is however not the case for SCITODATE. SCITODATE processes research data with the aim of delivering valuable business data to the customer. This purpose is determined by SCITODATE itself, in order to provide a service with added value to its customers. This service entails a tool that provides access to research data through scientific articles and databases. SCITODATE determines essential aspects of the data processing when supplying the tool; what data is available through the tool, how data is made available and how the data processing is carried out.
The client-contractor relationship between SCITODATE and its clients does not detract from the factual influence that SCITODATE has on data processing. SCITODATE determines the purposes and means of the processing of personal data and therefore qualifies as Controller under the GDPR.
Why do we collect this data?
SCITODATE processes data from researchers whose publications are publicly available in databases like Pubmed & Medline. SCITODATE provides curated scientific content with the aim to help solve the authorship ambiguity problems currently happening in the scientific industry, to create an accurate description of works associated with individual researchers and help organizations understand the work researchers. GDPR lists several legal grounds for processing data about individuals, in this case, scientists, one of which is Legitimate Interest. For the reason mentioned above, it is not only in our legitimate interest to process this data but also in the legitimate interests of the researchers. These objectives offer invaluable and incontestable benefits to the furtherance of unbiased and transparent academic research. Indeed, governments and academic institutions world-wide routinely make such data public for those purposes. The data we process and the way we process it is commonplace. Organizations like Google Scholar, Microsoft Academic, Semantic Scholar (Allen Institute), Web of Science (Clarivate) and Scopus (Elsevier) engage in the same processing as the core of their activities.
What type of data do we collect?
We collect the following information; Name, Email, Organisation (position) & user behavior; This is only for the direct users of our products for the purpose to provide access to our services. Third-party information: We collect information about scientific literature and scientists from publicly available sources like academic publications, patent offices, regulatory agencies, funding agencies. If you are an academic author or researcher, a patent holder, clinical trials investigator or are otherwise an author of, or contributor to, reports, analysis, articles or other materials available in the public domain, your professional data such as your name, work contact details, and specialization may be included as content in our services.
How do we collect data?
We collect data from publicly available sources through standard API’s included but not limited to Pubmed, Medline, OrcID, GridID and Cordis. A partial copy of these datasets is stored and indexed to enable accessibility, transparency and disambiguation of the data. Recital 47 of GDPR also specifies precisely how this data may be processed by our users and why it falls under Legitimate Interest in this context
For data processing in regards to our consultancy services for our Clients we have drawn up a standard processor agreement. This can be read here.
Location of the data
For its service, SCITODATE hosts all data of its customers on its own (assigned) servers within Europe and does not use cloud services located outside of Europe.
Right to access
Do you wish to have access to the data that Scitodate has stored from you? You can submit a request for this. Read here how to do this.
Right to be forgotten
Do you wish to execute your right to be forgotten from SCITODATE services? You can submit a request for this. Read here how to do this.
You actively use SCITODATE's service as a client
The application form on SCITODATE websites requires Clients to provide contact information (such as name and address), to provide SCITODATE with unique identifiers (a password). SCITODATE uses this information so that they can provide their services and to provide Clients with information about their services. If necessary, the information is also used to come into contact with the Clients. Unique identifiers are used to determine identity when logging into the personal account within the ScitoDate system. Passwords are automatically encrypted and cannot be viewed by ScitoDate. Information is transferred exclusively over secure SSL connections.
Personal information collected shall only be used by SCITODATE for the objectives described above. Personal information shall not be provided or sold to unauthorized third parties. All personal information is optimally secured and treated with the utmost care by ScitoDate. This information is also only available internally to persons for whom access is essential to the performance of their tasks.
SCITODATE does store the time and IP address of the login details in order to ensure safety. This is explicitly mentioned in SCITODATE's General Terms and Conditions. Clients are obliged to sign a contract with SCITODATE before they get access to the SCITODATE Network.
Data security
SCITODATE is convinced that behavior of people is the utmost important part of data security. SCITODATE staff is well informed about the rules for data security. There is a special policy for incoming data, and there is a security and escalation protocol. On a regular basis, the data policy is again brought to attention to the SCITODATE staff. The data policy is also officially included in the SCITODATE's terms of employment. On a senior level, a data officer is responsible for the above mentioned policy.
The second - very important - part of data security at SCITODATE, is that SCITODATE saves the least amount of data as possible (privacy by design).
SCITODATE has an advanced right management system, that ensures that only authorized personnel on a certain level can access private data.
SCITODATE aims to secure their systems in the best possible manner. SCITODATE has standard procedures for the commissioning of new software. This must ensure only save software is taken into use.
SCITODATE servers are being managed within the European Union by external hosting providers. These are ISO 9001 and ISO 27001 certified, among other standard security certifications.