Privacy Statement
Privacy Statement regarding the protection of personal data in the context of Agora Service
Controller details: A public limited company (societe anonyme) under the corporate name “National Infrastructures for Technology and Research S.A.” and the distinctive title “GRNET S.A.”
Controller’s Contact Details: info@grnet.gr
Processor Details: Agora Support Team
Processor’s Contact Details: agora@grnet.gr
Scope of this Privacy Statement:
National Infrastructures for Technology and Research S.A. (hereinafter referred to as “GRNET SA”) is bound by European Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – hereinafter referred to as “the GDPR”) and Law 4624/2019 (Government Gazette 137/A/2019) on “Data Protection Authority, measures for the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and for the incorporation into national law of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 and other provisions”, as in force at any time (hereinafter referred to as “the Law”).
This Privacy Statement details all information necessary for the processing of personal data carried out in the context of Agora, as well as the policies and procedures implemented by GRNET SA for the protection of the Agora users' privacy.
This Privacy Statement sets out the criteria as well as the terms and conditions under which GRNET SA collects, processes, uses, stores and transmits the personal data of the service users, how it ensures the confidentiality of such information, including any law and/or regulation implemented or enacted in accordance with Union and national laws on personal data protection and electronic privacy, as well as any law and/or regulation amending, replacing, issuing or consolidating any of the latter, including any other applicable Union and national laws on the processing of personal data and privacy, which may exist in accordance with applicable law.
GRNET SA reserves the right to amend and update this Privacy Statement whenever necessary, whereas any such updates shall become effective five (5) days after they have been posted on the service website.
For the purposes of this Privacy Statement, the terms “processor”, “controller”, “third party”, “supervising authority”, “personal data”, “processing”, “data subject” shall have the meaning ascribed to them by applicable legislation on the protection of personal data.
In addition, for the purposes of the present, the following definitions shall also apply:
"Website" – the website accessible via domain name including the entirety of the web pages thereof.
" Agora Service" - {{service_url}}
“User”- the Agora online service user, whom the data refer to, whose identity is known or may be verified, namely it may be directly or indirectly determined.
A. Purpose/s for processing the data collected:
i. GRNET SA – as processor – processes its “users” personal data as referred to in the following section, for the following purposes:
Authentication of “Agora” service users
“Users” authentication is carried out through the {{ login_service }} service ({{ login_url}}) and through a local authentication process.
Providing the Agora service
Seamless operation of the service.
Technical support to the "coordinators" of the service
Easy and user friendly operation of the service.
Enhancement of the online experience in providing the services
Proof of Acceptance of the Terms of Use and the Privacy Statement
Creation of statistical reports and charts to monitor the Agora service
- Statistical reports and charts data do not contain any “users” personal data, as they result from anonymized information.
GRNET SA collects and processes “users” personal data in the context of providing the Agora service solely for the above mentioned purposes and only to the extent strictly necessary to effectively serve such purposes. These data shall be relevant, appropriate and not more than those required in view of the aforementioned purposes. They shall also be accurate and, if necessary, updated.
Furthermore, the aforementioned data shall be retained only during the period required as mentioned hereinabove, in order to accomplish the purposes of their collection and processing and shall be deleted after the end thereof (see below “Retention period of personal data”).
ii. GRNET S.A. – as the processor – collects and processes personal data of "users" using its infrastructure for the purpose of providing the Agora Service.
B. Categories of personal data processed:
i. For the Authentication of Agora “users”
The authentication of the Agora service "users" is carried out through the {{ login_service }} service ({{ login_url }}) and the local login process. For the sole purpose of the authentication of the Agora service "users", GRNET SA collects through the aforementioned authentication procedures, and processes – as processor – the following personal data:
Name
Surname
e-mail address
Affiliation, in broad categories such as student, faculty, staff, alum, etc, within a particular security domain representing the organisation or sub-organisation of the affiliation
Unique identifier for the sole purpose of their authentication in the Agora service (Persistent Id).
Group membership and role information for the sole purpose of their authorised access to the Agora
In addition to the personal data retrieved through the aforementioned authentication procedure, the Agora service collects the following personal data:
ii. For providing the Agora service
For the use of the Agora service as well as for the efficient and lawful provision of this service, GRNET SA processes – as processor – the following personal data:
The IP address from which the “user” connects to the Agora service
Service use timestamp
“Users” e-mail address.
iii. For communicating with Agora service “users”
For communicating with Agora service “users”, GRNET SA processes - as processor - the following personal data:
- E-mail address
iv. Special categories of personal data
GRNET SA does not collect, process or gain access in any way to specific data categories, as set forth in the provisions of the legislation in force (in particular data relating to racial or ethnic origin, religion, health data, etc.). In the event that a "user" posts any such special category data on the Agora Service, such data will be removed as soon as the management team become aware thereof.
C. Legal bases for processing
The processing of “users” personal data is necessary for the performance of the Agreement on the provision of Agora services, in accordance with the needs (technical and organisational) to provide the best possible services, to serve the "users".
D. Access to personal data:
For providing Agora services and the seamless operation of such services, access to the “users” personal data shall be granted to the following:
- To the Agora service support team, consisting of personnel engaged in a contractual relationship of either a project or an independent service agreement with GRNET SA, hereinafter referred to as “GRNET associates”.
The processing of Agora service “users” personal data by the aforementioned is carried out under the supervision and only at the request of GRNET SA, within the scope of the mission and the role of each associate. Such associates undertake to comply with the same privacy and personal data requirements as GRNET SA itself, in accordance with the present Privacy Statement.
E. Recipients of collected personal data:
GRNET SA shall in no way transmit or in any way disclose the Agora service “users” personal data to any third-party entities, private businesses, natural persons or legal entities, public authorities, agencies or other organizations, other than as expressly set out herein.
The Agora service “users” personal data may be disclosed or transmitted to governmental authorities and/or law enforcement officials, only if necessary for the above mentioned purposes, in the context of enforcement of a court decision or a provision of law or if necessary to secure the legitimate interests of GRNET SA in its capacity as processor, in compliance with the terms and conditions of applicable law.
F. Rights of data subject
As regards the data processed in the context of providing the Agora service, GRNET – as processor – takes all necessary action, pursuant to the terms of this Privacy Statement, both during the collection as well as in every subsequent stage of processing of Agora service “users” personal data, so that every "user" may exercise his/her rights, as laid out in applicable legislation on the protection of personal data, namely the rights of Access, Rectification, Erasure, Restriction of Processing, data Portability, as detailed hereinbelow and in accordance with the terms and conditions of applicable law:
Right of Access: The data subject is entitled to request and obtain from GRNET SA a confirmation on whether or not his/her personal data are processed and, if so, to exercise the right to access such personal data pursuant to applicable legislation. The data subject may also request a copy of the personal data undergoing processing, as described in this Privacy Statement, by sending an email to the following email address: agora@grnet.gr. Finally, it should be noted that the right to obtain a copy of the personal data undergoing processing shall not adversely affect the rights and freedoms of others in accordance with applicable law.
Right of Rectification: The data subject shall have the right to request GRNET SA to rectify any inaccurate personal data concerning him/her. Taking into account the purposes of the processing, the data subject shall have the right to request that any incomplete personal data be completed, including by means of providing a supplementary statement, in accordance with applicable legislation.
Right of Erasure: The data subject has the right to obtain from GRNET the erasure of his/her personal data within the framework of Agora service, in accordance with the provisions of applicable law.
Right to restriction of processing: The data subject is entitled to ensure that GRNET SA restricts the processing of his/her data, if any of the conditions laid down by applicable legislation on the protection of personal data, is met.
Right to data portability: The data subject has the right to obtain any personal data concerning him/her, which he/she has provided to GRNET SA in a structured, commonly used and machine-readable format, as well as the right to transmit such data to another processor without any objection from the processor to which the personal data have been provided, in accordance with the provisions of the applicable legislation on personal data.
To exercise any of the above rights, the “user” may contact the Agora Support Team at the following email address: agora@grnet.gr.
The aforementioned rights of the data subjects are subject to restrictions in accordance with the applicable legislation.
GRNET SA– acting in its capacity as processor – shall provide the data subject with information about any action taken upon his/her request to exercise any of the above rights within one (1) month as of receipt of the request. This period may be extended by an additional period of two (2) months, in accordance with the terms of applicable law.
When processing personal data in the capacity of a controller on behalf of an academic or research institution, GRNET SA shall immediately forward any request filed by a data subject with GRNET SA concerning the processing carried out by the institution in the context of providing Agora service, and shall assist the institution to fulfill its obligation to respond to such request. GRNET SA shall not be responsible to respond to the data subject’s request in such cases.
G. Personal data retention periods
The Agora service users' personal data shall be retained no longer than is necessary for the needs of the service and the audits the service is subjected to. More specifically:
**Categories of personal data collected** | **Time and place of retention of personal data** |
---|---|
IP address, Data from website navigation through Cookies | 18 months (log retention) |
Unique User Identifier, Email address, Name, Role | 18 months (db) for the Unique User Identifier, Email, Name, Role will be deleted from db on user request |
H. Privacy and Security of Information:
The processing of personal data by GRNET SA is performed in a manner that ensures both confidentiality and security thereof. All appropriate organisational and technical measures shall be taken to safeguard data against any accidental or unlawful destruction, accidental loss, alteration, prohibited dissemination or access or any other form of unfair processing.
The services provided by GRNET SA are constantly evaluated to be in line with the safety requirements of international standards. GRNET’s Information Security Management System (ISMS) has been certified by the accredited certification body, EUROCERT SA.
In particular:
Access to technical log data is restricted and can only be accessed in a secure way by the Agora service staff.
When accessing the Agora service adequate security controls are in place to keep your personal data safe in accordance with the classification of the personal data we have collected from you.
We use encryption (HTTPS) to keep data private while in transit. Data sent using HTTPS is secured via the Transport Layer Security protocol (TLS), which provides a) Encryption: encrypting the exchanged data to keep it secure from eavesdroppers. b) Data integrity: data cannot be modified or corrupted during transfer, intentionally or otherwise, without being detected. c) Authentication: proves that your users communicate with the intended website.
The implementation of the Agora service ensures that no unauthorized user can log into the service. An authorised user means a service user, who has an active account with the {{ login_service }} service, having passed the authentication process mentioned above.
We review our information collection, storage, and processing practices, including physical security measures, to prevent unauthorized access to our systems.
Although we follow best security practices to ensure your personal data remains secure, there is no absolute guarantee of security when using services online. While we strive to protect your personal data, you acknowledge that:
There are security and privacy limitations on the internet which are beyond our control and can have a negative impact on the confidentiality, integrity and availability of the information.
We cannot be held accountable for activity that results from your own neglect to safeguard the security of your login credentials and equipment which results in a loss of your personal data. If you feel this is not enough, then please do not provide any personal data.
Your personal data will be protected according to the Code of Conduct for Service Providers, a common standard for the research and higher education sector to protect your privacy.
I. Contact:
For any questions or clarifications regarding the present Privacy Statement, as well as in the event of any violation related to personal data issues, "users" may contact the Competent Department of GRNET SA at the e-mail address mentioned hereinabove.
They may also contact the Data Protection Officer (DPO) of GRNET S.A., Ms. Vera Meleti, and/or the deputy DPO, Ms. Vasiliki Konstantinopoulou at the e-mail address: dpo@grnet.gr.
K. Recourse/Complaint
In the event that any Agora “user” request is not satisfied by the processor, the "user" may at any time file recourse with the Competent Supervisory Authority, namely the Data Protection Authority: https://www.dpa.gr