Team Making sure accelopment Switzerland provides researchers with the right tools, environment and support to complete their projects successfully is what motivates me.
Liam Colman
ICT Support

Privacy Policy

Preamble



With the following privacy policy, we would like to inform you which types of your personal data (hereinafter also abbreviated as “data”) we process for which purposes and in which scope. The privacy statement applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online services”).

The terms used are not gender-specific.

Last Update: 13. December 2021

accelopment Schweiz AG



Dr Jeanette Müller
Seefeldstrasse 198
8008 Zurich, Switzerland

Email: info@accelopment.com
Phone: +41 44 455 66 00
Fax: +41 44 455 66 09

VAT no.: CHE-114.132.648
Commercial Reg. No.: CHE-114.132.648

accelopment Deutschland GmbH



Dr Jeanette Müller
Langer Anger 7-9
69115 Heidelberg, Deutschland

Email: info@accelopment.com

VAT no.: 32019/05854
Commercial Reg. No.: HRB 737473

Controller / Data Protection Officer



Liam Colman / accelopment Schweiz AG
Seefeldstrasse 198
8008 Zurich, Switzerland

Authorised Representatives: Dr Jeanette Müller
E-mail address: info@accelopment.com

Legal Notice: https://accelopment.com/legal-notice/
Contact information of the data protection officer: lcolman@accelopment.com

What is the GDPR?



The General Data Protection Regulation is a European Union law that was implemented May 25, 2018 and requires organizations to safeguard personal data and uphold the privacy rights of anyone in EU territory. The regulation includes seven principles of data protection that must be implemented and eight privacy rights that must be facilitated. It also empowers member state-level data protection authorities to enforce the GDPR with sanctions and fines. The GDPR replaced the 1995 Data Protection Directive, which created a country-by-country patchwork of data protection laws. The GDPR, passed in European Parliament by overwhelming majority, unifies the EU under a single data protection regime.

Who must comply with the GDPR?



Any organization that processes the personal data of people in the EU must comply with the GDPR. “Processing” is a broad term that covers just about anything you can do with data: collection, storage, transmission, analysis, etc. “Personal data” is any information that relates to a person, such as names, email addresses, IP addresses, eye color, political affiliation, and so on. Even if an organization is not connected to the EU itself, if it processes the personal data of people in the EU (via tracking on its website, for instance), it must comply. The GDPR is also not limited to for-profit companies.

How we comply with the GDPR?



accelopment must comply with the GDPR by implementing technical and operational safeguards to protect the personal data that accelopment controls. The first step is to conduct a GDPR assessment to determine what personal data accelopment controls, where it is located and how it is secured. accelopment must also comply with the data protection principles set out in the GDPR, such as obtaining consent and ensuring data portability. accelopment must also appoint a data protection officer and update the privacy notice, among other organisational measures.

What is a Data Protection Officer?



A Data Protection Officer (DPO) is an employee within your organization who is responsible for understanding the GDPR and ensuring your organization’s compliance. The DPO is the main point of contact for the data protection authority. Typically, the DPO has knowledge of both information technology and law.

Does the GDPR require encryption?



The GDPR requires organizations to implement “appropriate technical and organizational measures” to secure personal data and provides a short list of options for doing so, including encryption. In many cases, encryption is the most feasible method of securing personal data. For instance, if you regularly send emails within your organization that contain personal information, it may be more efficient to use an encrypted email service than to anonymize the information each time.

What is new about the General Data Protection Regulation?



New obligations

These include stricter requirements for obtaining valid consent for data collection, data breach notification, the obligation to appoint a local representative in the EU to act as a contact point for EU citizens and EU authorities, and the obligation to appoint a data protection officer. The new obligation for companies to notify EU supervisory authorities (and in certain circumstances the data subjects themselves) within 72 hours of becoming aware of a personal data breach is a serious new obligation that will need to be negotiated in data processing contracts.

New procedures

These include the increasing importance of data protection impact assessments, internal record-keeping and accountability, the implementation of sound information security measures, the anonymisation and pseudonymisation of data, and the incorporation of ‘privacy by design’ principles into an organisation’s core activities. A significant part of the negotiation of a data processing agreement is likely to concern data security standards and whether these standards are “adequate” in relation to the risks of the processing.

New or extended rights for data subjects

These include the right to erasure (commonly known as the right to be forgotten), the right to data portability, the right to object to profiling and the right to restriction of processing. These new rights require that organisations have the necessary technical and administrative systems and protocols in place to enforce the rights within the timeframe and in the manner prescribed by the General Data Protection Regulation. Controllers (i.e., organisations that determine the purposes and means of processing) are therefore likely to require a much higher level of support and cooperation on data processing contracts to fully comply with data subjects’ requests and other administrative requirements.

What does the GDPR mean for you as an accelopment customer?



Compliance with the GDPR is the joint responsibility of the data controller and the data processor. If the GDPR applies to you, accelopment processes data on your behalf and according to your instructions, making us the data processor and you the data controller.

How do we ensure data security?



Internally, we use Microsoft 365, along with the Office 365 product family and SharePoint. Storage for these services is provided by Microsoft’s datacenters located in Germany. Data stored in Microsoft datacenters is encrypted. The encryption process encodes our data (referred to as plaintext) into ciphertext. Unlike plaintext, ciphertext can’t be used by people or computers unless and until the ciphertext is decrypted. Decryption requires an encryption key that only authorized users have.

Local applications are kept up to date through automatic updates, and a state-of-the-art antivirus/firewall application ensure our systems can’t be abused by bad actors.

Access to accelCLOUD is protected by Transport Layer Security (TLS), ensuring the connection between our web server and the user is properly encrypted and kept private. Data stored in the accelCLOUD is stored on redundant hard drives and is backed up on a nightly basis.

How do we process data during proposal preparation and in running EU projects?



In the process of preparing a grant proposal or when we support administration and dissemination tasks in running EU projects, our data processing is two-folded:

1) We collect and store data on members of the project consortium on our servers. This information is communicated directly to us in writing and may include names, positions, emails and telephone numbers as well as project partner profiles. The information is stored for the duration of the contractual agreement. For proposal writing this means until a project has been either funded or rejected. For a running EU project this means 5 years after the last payment of balance.

2) We collect and store data on scientific content on behalf of the project consortium on our server. This may include descriptions of science, its impact and how the project is implemented. This latter type of data does not include any personal data or information that can lead back to the identification of any person.

How is data processed on accelCLOUD?



accelCLOUD is a secure online document management platform provided by accelopment.

The platform provides our clients with a password-protected online folder structure to share documents between partners in projects. The accelCLOUD also provides a calendar for easier coordination between project partners. If a client or project consortium wishes to use accelCLOUD, the following use terms apply:

1) we assume the role of administrator of the system. This includes creating a restricted-access folder structure exclusively for the use of the project partners. It also includes granting access rights to project partners through personalised accounts. To fulfil these tasks to the satisfaction of all parties, accelopment relies fully on the truthful and accurate information communicated to us by the project coordinator and project partners. We do not take any responsibility for inaccurate or outdated access rights, as well as structural errors occurring as a result of inaccurate, outdated or misinterpreted information sent to us from project partners.

2) we act as the data processor in accelCLOUD for the project coordinator and project partners. This means that accelopment does not take responsibility for the data which partners upload to accelCLOUD. The structure of accelCLOUD provides a safety feature allowing only for partners to delete or modify their own information, which they have uploaded themselves. Only system administrators (accelopment staff) hold the access rights to delete or modify data which has been uploaded by any partner.

3) Users of accelCLOUD may at any time ask us to delete all personal data available on accelCLOUD (Right to be forgotten).