Privacy Policy
‘This privacy policy is currently being updated to comply with the GDPR and applicable regulations. The final version will be published soon. If you have any questions, please contact dpo@emfl.eu.’
📜 Legal Information
Responsible Entity: European Magnetic Field Laboratory – AISBL
Address: Rue du Trône 98, 1050 Ixelles, Brussels, Belgium
Phone: +31 2 43 65 30 05
Publication Director: JOCHEN WOSNITZA
Editorial Director: JOCHEN WOSNITZA
Hosting Provider: CNRS LNCMI, Grenoble, France (acting as a data processor under a GDPR-compliant agreement). All data is hosted within the European Union (France) and is subject to the same GDPR protections. For more information, please refer to the CNRS Data Protection Policy.
Host Contact: webmaster@grenoble.cnrs.fr
Data Protection Officer (DPO): dpo@emfl.eu
Supervisory Authority: Belgian Data Protection Authority (APD)
🔒 Introduction
At EMFL, we are committed to protecting your privacy and ensuring the security of your personal data in compliance with the General Data Protection Regulation (GDPR) and Belgian data protection laws. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our User Portal to:
- Create and manage your account.
- Submit research proposals.
- Access our facilities.
- Manage your experiments and collaborations.
We use a dual-table system (user + user_history) to:
- Retain a complete history of your data (e.g., changes in institution, country, or name over time).
- Enable accurate statistics (e.g., number of researchers per country over 20 years).
- Prevent duplicate accounts and allow account recovery even after long inactivity.
Important Note:
- This policy applies only to user.portal.emfl.eu.
- For the public website emfl.eu, please refer to its dedicated privacy policy.
📋 Personal Data We Collect
| Category | Examples | Legal Basis |
|---|---|---|
| Identity | Name, surname, email, nationality, date of birth, gender | Contractual necessity (Art. 6.1.b GDPR) |
| Professional | Institution, department, researcher status, professional phone number | Contractual necessity / Legitimate interest |
| Personal Contact | Home address, personal phone number (for emergencies/logistics) | Contractual necessity (Art. 6.1.b GDPR) |
| Technical | Account creation date, login history, role permissions | Legitimate interest (Art. 6.1.f GDPR) |
| Research Data | Proposal titles, scientific descriptions, facility access requests | Contractual necessity (Art. 6.1.b GDPR) |
| Administrative | Travel details, accommodation needs, safety requirements, emergency contacts | Contractual necessity (Art. 6.1.b GDPR) |
| Travel Documents | Passport copies, visa information (if required for facility access) | Legal obligation (Art. 6.1.c GDPR) |
| Financial Data | IBAN, expense receipts | Legal obligation (Art. 6.1.c GDPR) |
| Usage Logs | Facility usage time, energy consumption, experiment duration | Legitimate interest (Art. 6.1.f GDPR) |
| Communication History | Internal messages, feedback, support requests | Legitimate interest (Art. 6.1.f GDPR) |
Note:
- user_history Table: We retain a complete history of your data (e.g., past institutions, names, or emails) to ensure statistical accuracy and enable account recovery.
- Sensitive Data: Travel documents and financial data are stored separately and automatically deleted after their respective retention periods (1 year for travel documents, 7 years for financial data).
🎯 Purposes of Processing and Data Retention Periods
1. User Data and History Management
To provide our services and comply with legal obligations, we retain your data as follows:
| Data Category | Retention Period | Justification | Legal Basis |
|---|---|---|---|
| user_id | Indefinite | Internal unique identifier to prevent duplicates and link data. | Legitimate interest (Art. 6.1.f GDPR) |
| First and Last Name | Indefinite | Prevent duplicates and enable account recovery. | Legitimate interest (Art. 6.1.f GDPR) |
| Email Address | Indefinite | Prevent duplicates (even if name changes) and enable account recovery. | Legitimate interest (Art. 6.1.f GDPR) |
| Institution and Country | Indefinite | Scientific context and historical statistics. | Legitimate interest (Art. 6.1.f GDPR) |
| Phone / Postal Address | Active account + 1 year of inactivity | Logistics support and emergency contacts. | Contractual necessity |
| Experiment Data (Raw) | 10 years after last activity | Operational management and funder reporting (e.g., Horizon Europe). | Contractual necessity + Legitimate interest |
| Experiment Data (Archived) | Indefinite (restricted access) | User access and scientific archives. | Legitimate interest (Art. 6.1.f GDPR) |
| Travel Documents (Passport, Visa) | 1 year after facility visit | Security compliance and access control verification. | Legal obligation (Art. 6.1.c GDPR) |
| Financial Data (IBAN, Receipts) | 7 years after last transaction | Belgian/French legal obligation (accounting). | Legal obligation (Art. 6.1.c GDPR) |
| Usage Logs | 5 years (anonymized after 1 year) | Facility management and billing. | Legitimate interest |
| Communication History | Active account + 1 year | Support continuity. | Legitimate interest |
Key Points:
- Indefinite Retention: user_id, first/last name, email, institution, and country are retained indefinitely to prevent duplicates and enable account recovery.
- Automatic Deletion: Sensitive data (travel documents, financial data) are automatically deleted after their respective retention periods.
- Partial Anonymization: After 10 years of inactivity, non-sensitive data (e.g., phone, address) are anonymized, but user_id, name, email, and institution are retained.
2. User History (user_history Table)
We maintain a complete history of your data in the user_history table to:
- Generate accurate statistics (e.g., number of researchers per country over time).
- Enable account recovery even after long inactivity.
- Preserve your historical data (e.g., past institutions, names, or emails).
Example:
If you worked:
- In the USA in 2010 (Institution: Harvard).
- In Lebanon in 2015 (Institution: AUB).
- In France in 2026 (Institution: CNRS).
→ All this information is retained in user_history for statistical purposes, with no time limit.
Note:
- Your historical data (e.g., past institutions, names) is never deleted to ensure statistical accuracy.
- Your sensitive data (e.g., passport, IBAN) is automatically deleted after 1-7 years.
🗃️ Data Archiving and Account Recovery
1. After 10 Years of Inactivity: Partial Anonymization + Secure Archiving
If your account is inactive for 10 years (no login or activity), we:
- Anonymize non-sensitive data (e.g., phone, address).
- Retain indefinitely in user and user_history:
  - user_id (internal unique identifier).
  - First and last name (to prevent duplicates).
  - Email address (to prevent duplicates, even if name changes).
  - Institution and country (for historical statistics).
  - Non-sensitive experiment data (titles, dates, scientific fields).
- Prevent Duplicates: Even if you change your name (e.g., due to marriage), your email remains unique.
- Enable Account Recovery: You can recover your account via your email or name.
- GDPR Compliance: Retention is justified by legitimate interest (Art. 6.1.f GDPR):
  - System security (preventing duplicates).
  - User service (account recovery).
2. Access to Archived Data (After 10 Years of Inactivity)
- Via Your User Account:
  - An "Experiment History" section allows you to view and download your archived data.
  - Enhanced authentication (two-factor authentication) is required.
- Via Manual Request:
  - Send a request to dpo@emfl.eu with proof of identity (e.g., copy of your ID).
  - We will provide your data within 72 hours (GDPR deadline).
3. Account Reactivation
If you log in or conduct a new experiment after 10 years of inactivity:
- Your data becomes fully accessible again.
- The inactivity timer resets to zero.
4. Updating Your Data (e.g., Name or Email Change)
- If your account is active, you can update your data (e.g., name, email, institution) via your personal space.
- If your account is inactive, contact dpo@emfl.eu with proof of identity to update your data.
- All changes are recorded in user_history to preserve your complete history.
🤝 Data Sharing
| Recipient | Data Shared | Legal Basis |
|---|---|---|
| EMFL Staff | All data necessary for managing your account and experiments. | Contractual necessity (Art. 6.1.b GDPR) |
| Local Contacts | Data related to your proposal (without sensitive information). | Legitimate interest (Art. 6.1.f GDPR) |
| Selection Committees | Anonymized proposals (without name or institution). | Legitimate interest (Art. 6.1.f GDPR) |
| Partner Institutions | Data necessary for access to their facilities (with your explicit consent). | Consent (Art. 6.1.a GDPR) |
| Subprocessors | CNRS CRIC (hosting, Grenoble, France, acting as a data processor under a GDPR-compliant agreement). No data transferred outside EU/EEA. | Contractual necessity (Art. 6.1.b GDPR) |
| ❌ Never Shared With | Marketing companies, data brokers, unauthorized third parties. | - |
Note:
Travel Documents and Financial Data: These are never shared with third parties and are automatically deleted after 1 year and 7 years, respectively.
🔒 Data Security
We implement the following measures to protect your data:
- Encryption: All data is transmitted and stored encrypted (HTTPS, AES-256 for archives).
- Access Control: Access limited to authorized personnel (role-based).
- Backups: Daily backups with regular restoration tests.
- Audits: Annual security audits (internal and external).
- Training: All staff are trained in data protection.
Note:
Sensitive Data (Travel Documents, Financial Data): Stored in separate, encrypted tables with restricted access.
✅ Your Rights Under GDPR
You have the following rights regarding your personal data. To exercise them, contact dpo@emfl.eu or use your account settings.
| Right | Description | How to Exercise |
|---|---|---|
| Access | Obtain a copy of all data we hold about you. | Request via dpo@emfl.eu or your account ("My Data" section). |
| Rectification | Correct inaccurate or incomplete data. | Edit via your account or request at dpo@emfl.eu. |
| Erasure | Request deletion of your data ("right to be forgotten"). | Request at dpo@emfl.eu. Exception: Anonymized or legally required data (e.g., accounting). |
| Restriction | Limit the processing of your data. | Request at dpo@emfl.eu. |
| Objection | Object to processing based on legitimate interest. | Request at dpo@emfl.eu. |
| Portability | Receive your data in a machine-readable format. | Request at dpo@emfl.eu. |
| Withdraw Consent | Unsubscribe from newsletters or other communications. | Unsubscribe link in each email or via your account. |
Note:
Historical Data: Your historical data (e.g., past institutions, names) is retained indefinitely for statistical purposes and cannot be deleted. However, you can request the deletion of sensitive data (e.g., phone, address) at any time.
📞 Contact and Complaints
- Data Protection Officer (DPO): dpo@emfl.eu
- General Inquiries: info@emfl.eu
- File a Complaint: Belgian Data Protection Authority (APD)
📅 Last Updated
This Privacy Policy was last updated on June 8, 2026.