Privacy Policy

‘This privacy policy is currently being updated to comply with the GDPR and applicable regulations. The final version will be published soon. If you have any questions, please contact dpo@emfl.eu.’


🔒 Introduction

At EMFL, we are committed to protecting your privacy and ensuring the security of your personal data in compliance with the General Data Protection Regulation (GDPR) and Belgian data protection laws. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our User Portal to:

  • Create and manage your account.
  • Submit research proposals.
  • Access our facilities.
  • Manage your experiments and collaborations.

We use a dual-table system (user + user_history) to:

  • Retain a complete history of your data (e.g., changes in institution, country, or name over time).
  • Enable accurate statistics (e.g., number of researchers per country over 20 years).
  • Prevent duplicate accounts and allow account recovery even after long inactivity.

Important Note:


📋 Personal Data We Collect

Categories of Personal Data Collected
| Category | Examples | Legal Basis |
|---|---|---|
| Identity | Name, surname, email, nationality, date of birth, gender | Contractual necessity (Art. 6.1.b GDPR) |
| Professional | Institution, department, researcher status, professional phone number | Contractual necessity / Legitimate interest |
| Personal Contact | Home address, personal phone number (for emergencies/logistics) | Contractual necessity (Art. 6.1.b GDPR) |
| Technical | Account creation date, login history, role permissions | Legitimate interest (Art. 6.1.f GDPR) |
| Research Data | Proposal titles, scientific descriptions, facility access requests | Contractual necessity (Art. 6.1.b GDPR) |
| Administrative | Travel details, accommodation needs, safety requirements, emergency contacts | Contractual necessity (Art. 6.1.b GDPR) |
| Travel Documents | Passport copies, visa information (if required for facility access) | Legal obligation (Art. 6.1.c GDPR) |
| Financial Data | IBAN, expense receipts | Legal obligation (Art. 6.1.c GDPR) |
| Usage Logs | Facility usage time, energy consumption, experiment duration | Legitimate interest (Art. 6.1.f GDPR) |
| Communication History | Internal messages, feedback, support requests | Legitimate interest (Art. 6.1.f GDPR) |

Note:

  • user_history Table: We retain a complete history of your data (e.g., past institutions, names, or emails) to ensure statistical accuracy and enable account recovery.
  • Sensitive Data: Travel documents and financial data are stored separately and automatically deleted after their respective retention periods (1 year for travel documents, 7 years for financial data).

🎯 Purposes of Processing and Data Retention Periods

1. User Data and History Management

To provide our services and comply with legal obligations, we retain your data as follows:

Data Retention Periods
| Data Category | Retention Period | Justification | Legal Basis |
|---|---|---|---|
| user_id | Indefinite | Internal unique identifier to prevent duplicates and link data. | Legitimate interest (Art. 6.1.f GDPR) |
| First and Last Name | Indefinite | Prevent duplicates and enable account recovery. | Legitimate interest (Art. 6.1.f GDPR) |
| Email Address | Indefinite | Prevent duplicates (even if name changes) and enable account recovery. | Legitimate interest (Art. 6.1.f GDPR) |
| Institution and Country | Indefinite | Scientific context and historical statistics. | Legitimate interest (Art. 6.1.f GDPR) |
| Phone / Postal Address | Active account + 1 year of inactivity | Logistics support and emergency contacts. | Contractual necessity |
| Experiment Data (Raw) | 10 years after last activity | Operational management and funder reporting (e.g., Horizon Europe). | Contractual necessity + Legitimate interest |
| Experiment Data (Archived) | Indefinite (restricted access) | User access and scientific archives. | Legitimate interest (Art. 6.1.f GDPR) |
| Travel Documents (Passport, Visa) | 1 year after facility visit | Security compliance and access control verification. Legal obligation. | Legal obligation (Art. 6.1.c GDPR) |
| Financial Data (IBAN, Receipts) | 7 years after last transaction | Belgian/French legal obligation (accounting). | Legal obligation (Art. 6.1.c GDPR) |
| Usage Logs | 5 years (anonymized after 1 year) | Facility management and billing. | Legitimate interest |
| Communication History | Active account + 1 year | Support continuity. | Legitimate interest |

Key Points:

  • Indefinite Retention: user_id, first/last name, email, institution, and country are retained indefinitely to prevent duplicates and enable account recovery.
  • Automatic Deletion: Sensitive data (travel documents, financial data) are automatically deleted after their respective retention periods.
  • Partial Anonymization: After 10 years of inactivity, non-sensitive data (e.g., phone, address) are anonymized, but user_id, name, email, and institution are retained.

2. User History (user_history Table)

We maintain a complete history of your data in the user_history table to:

  • Generate accurate statistics (e.g., number of researchers per country over time).
  • Enable account recovery even after long inactivity.
  • Preserve your historical data (e.g., past institutions, names, or emails).

Example:

If you worked:

  • In the USA in 2010 (Institution: Harvard).
  • In Lebanon in 2015 (Institution: AUB).
  • In France in 2026 (Institution: CNRS).

→ All this information is retained in user_history for statistical purposes, with no time limit.

Note:

  • Your historical data (e.g., past institutions, names) is never deleted to ensure statistical accuracy.
  • Your sensitive data (e.g., passport, IBAN) is automatically deleted after 1-7 years.

🗃️ Data Archiving and Account Recovery

1. After 10 Years of Inactivity: Partial Anonymization + Secure Archiving

If your account is inactive for 10 years (no login or activity), we:

  • Retain indefinitely in user and user_history:
    • user_id (internal unique identifier).
    • First and last name (to prevent duplicates).
    • Email address (to prevent duplicates, even if name changes).
    • Institution and country (for historical statistics).
    • Non-sensitive experiment data (titles, dates, scientific fields).
  • Anonymize non-sensitive data (e.g., phone, address).

Why Retain Email, Name, and Institution Indefinitely?

  • Prevent Duplicates: Even if you change your name (e.g., due to marriage), your email remains unique.
  • Enable Account Recovery: You can recover your account via your email or name.
  • GDPR Compliance: Retention is justified by legitimate interest (Art. 6.1.f GDPR):
    • System security (preventing duplicates).
    • User service (account recovery).

2. Access to Archived Data (After 10 Years of Inactivity)

  • Via Your User Account:
    • An "Experiment History" section allows you to view and download your archived data.
    • Enhanced authentication (two-factor authentication) required.
  • Via Manual Request:
    • Send a request to dpo@emfl.eu with proof of identity (e.g., copy of your ID).
    • We will provide your data within 72 hours (GDPR deadline).

3. Account Reactivation

If you log in or conduct a new experiment after 10 years of inactivity:

  • Your data becomes fully accessible again.
  • The inactivity timer resets to zero.

4. Updating Your Data (e.g., Name or Email Change)

  • If your account is active, you can update your data (e.g., name, email, institution) via your personal space.
  • If your account is inactive, contact dpo@emfl.eu with proof of identity to update your data.
  • All changes are recorded in user_history to preserve your complete history.

🤝 Data Sharing

We share your data only with authorized parties as follows:

| Recipient | Data Shared | Legal Basis |
|---|---|---|
| EMFL Staff | All data necessary for managing your account and experiments. | Contractual necessity (Art. 6.1.b GDPR) |
| Local Contacts | Data related to your proposal (without sensitive information). | Legitimate interest (Art. 6.1.f GDPR) |
| Selection Committees | Anonymized proposals (without name or institution). | Legitimate interest (Art. 6.1.f GDPR) |
| Partner Institutions | Data necessary for access to their facilities (with your explicit consent). | Consent (Art. 6.1.a GDPR) |
| Subprocessors | CNRS CRIC (hosting, Grenoble, France, acting as a data processor under a GDPR-compliant agreement). No data transferred outside EU/EEA. | Contractual necessity (Art. 6.1.b GDPR) |
| ❌ Never Shared With | Marketing companies, data brokers, unauthorized third parties. | - |

Note:

Travel Documents and Financial Data: These are never shared with third parties and are automatically deleted after 1 year and 7 years, respectively.


🔒 Data Security

We implement the following measures to protect your data:

  • Encryption: All data is transmitted and stored encrypted (HTTPS, AES-256 for archives).
  • Access Control: Access limited to authorized personnel (role-based).
  • Backups: Daily backups with regular restoration tests.
  • Audits: Annual security audits (internal and external).
  • Training: All staff are trained in data protection.

Note:

Sensitive Data (Travel Documents, Financial Data): Stored in separate, encrypted tables with restricted access.



✅ Your Rights Under GDPR

You have the following rights regarding your personal data. To exercise them, contact dpo@emfl.eu or use your account settings.

Your GDPR Rights
| Right | Description | How to Exercise |
|---|---|---|
| Access | Obtain a copy of all data we hold about you. | Request via dpo@emfl.eu or your account ("My Data" section). |
| Rectification | Correct inaccurate or incomplete data. | Edit via your account or request at dpo@emfl.eu. |
| Erasure | Request deletion of your data ("right to be forgotten"). | Request at dpo@emfl.eu. Exception: Anonymized or legally required data (e.g., accounting). |
| Restriction | Limit the processing of your data. | Request at dpo@emfl.eu. |
| Objection | Object to processing based on legitimate interest. | Request at dpo@emfl.eu. |
| Portability | Receive your data in a machine-readable format. | Request at dpo@emfl.eu. |
| Withdraw Consent | Unsubscribe from newsletters or other communications. | Unsubscribe link in each email or via your account. |

Note:

Historical Data: Your historical data (e.g., past institutions, names) is retained indefinitely for statistical purposes and cannot be deleted. However, you can request the deletion of sensitive data (e.g., phone, address) at any time.

📞 Contact and Complaints

  • Data Protection Officer (DPO): dpo@emfl.eu
  • General Inquiries: info@emfl.eu
  • File a Complaint: Belgian Data Protection Authority (APD)

📅 Last Updated

This Privacy Policy was last updated on June 8, 2026.