Research participant privacy notice
Last revised: September 2023
1. An overview of data protection
The Luxembourg Institute of Science and Technology (hereafter “LIST”, “We”) is committed to ensure the highest standards of data protection in compliance with the applicable legislation, notably with reference to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereafter “GDPR”).
The present document aims at illustrating which personal data we collect and/or process about you as a research participant in the context of research activities carried out by LIST, which are your rights in relation to said activities and how to contact us.
Please kindly note that this Privacy notice should be read in conjunction with the research project’s privacy notice or participants’ information sheet (hereafter “information sheet”), that has been provided to you in the framework of the specific research Project you take part in.
2. Scope of the notice
The present notice is directed to the participants (hereafter “participant”, “you”, “data subject”) to the research project(s) for which LIST either acts as Coordinator or partner.
3. Who are we?
LIST has its registered office at 5, Avenue des Hauts-Fourneaux L-4362 Esch-sur-Alzette, Luxembourg.
Depending on the project, LIST may either act as Data Controller (determining the means and purposes of the processing of your personal data alone) or Joint Controller (deciding these aspects alongside with other partners to the project). In few cases, LIST may qualify as Data Processor, which means that it will collect and/or process personal data on behalf of the Data Controller.
4. Which personal data do we collect about you?
The categories of personal data we collect about you may vary greatly depending on each research projects and its objectives.
In some cases, and if necessary for the research project, we may collect and/or process special categories of personal data, meaning information about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, genetic or biometric data used for identification purposes, data concerning your health or your sexual orientation. Due to the sensitive nature of these data, additional security and technical measures are put in place to make sure that data are handled in accordance with all the relevant legal requirements.
In general, information about the categories of personal data collected and/or processed in the framework of a specific research project are included in the information sheet.
5. Why do we collect your personal data?
We collect and/or process your personal data to fulfil the research objectives that are mentioned in the information sheet that has been provided to you.
Your data are exclusively processed in accordance with LIST’s internal policies and procedures on personal data and ethics. In addition to this, LIST will collect and/or use only data that are essential to perform the research tasks.
6. Which are the legal grounds on which we process your personal data?
The applicable data protection legislation establishes that personal data can only be processed if supported by a valid legal basis (which are listed and identified by art. 6 and 9 of the GDPR). The relevant legal basis for the project you are involved in is normally mentioned on the information sheet.
As a matter of principle, the following legal basis may be applicable to LIST’s research projects:
- LIST’s legitimate interest to have usable data to carry out research activities in accordance with the missions of public research centres in Luxembourg as established in the law on the organisation of the Public Research Centres; or
- Your consent, that must be collected in an explicit and active way. For example, we shall require the data subjects’ consent when children are involved in a research project or when you are subscribing to LIST’s newsletter(s); or
- In relation to special categories of personal data, we rely on the scientific research legal basis since the processing is necessary for archiving in the public interest, scientific, historical research or statistical purposes.
7. Who has access to your personal data?
We pledge to ensure that your personal data remains securely stored and only accessible to those individuals or legal entities on a justified need to know basis.
Your personal data may be shared with and/or made accessible to:
- The members of the research team;
- The partners to the research project, as identified in the information sheet;
- Public or regulatory bodies that are in charge of auditing LIST’s activities;
- LIST’s service providers, that are engaged by LIST to carry out tasks or activities on our behalf. In accordance with LIST’s internal policies and procedures, such providers are hired after completion of an internal due diligence process and upon signature of the necessary contractual documentation.
We will not transfer your personal data outside of the European Economic Area without having informed you via the information sheet and having put in place all the necessary requirements established by the applicable data protection legislation.
8. How long is your personal data kept?
LIST will only retain your personal for a period of time that is strictly necessary for the purposes for which we collect your data and to comply with a legal or regulatory obligation to which LIST is subject.
Please note, however, that in research projects our funders normally establish contractual obligations that mandate the retention of data after the project for the purposes of audits. In addition to that, we must retain research data to demonstrate we have followed good principles of research integrity even after the termination of projects, particularly because publication activities are often performed later in time.
9. Security measures
We have put in place the following security measures:
- DPO: We have appointed a DPO.
- Policies and Procedures: We have a privacy policy, as well as information security policy, and related procedures in place, which are approved by management, published, communicated to employees and subject to regular review. There is a training program in place to ensure training on GDPR and information security to all staff.
- Personnel management: LIST has implemented mandatory training to all its corporate and RDI staff on GDPR matters. In addition, all staff is under statutory and/or contractual confidentiality obligations.
- Relations with third parties: Contracts, including data processing agreements, and non-disclosure agreements are in place where appropriate.
- Project approval: projects involving personal data are submitted to the DPO team for assessment and approved by a multidisciplinary team.
- DPIA: DPIAs are performed when required with the support of the DPO team.
- DMP: many of our projects have DMPs from the outset of the project.
- Pseudonymisation and anonymisation: we have policies in place to ensure our researchers give preference to anonymous data or, if this is not an option, to only collect or use in projects the minimum amount of personal data. Pseudonymisation for use and storage is used whenever possible.
- Security of our systems: our information security team ensures encryption is used when required, that access controls are in place on our systems on a need-to-know basis, that logging is available and more generally that we use state of the art technology and measures for the security of our data and the personal data we are responsible for.
10. Your rights and how to exercise them
With regards to your personal data collected and processed by LIST, you may exercise at any time the following rights:
- Right to access: You have the right to receive confirmation about whether or not your personal data is being processed by LIST. If that is the case, you have the right to know what data is being collected and processed and to obtain of copy of it;
- Right to rectification: If the personal data we hold about you is inaccurate or incomplete, you have the right to request to have it rectified;
- Right to erasure: Subject to certain conditions specified in art. 17 of the GDPR, you have the right to have your personal data deleted by LIST;
- Right to restriction of processing: Subject to certain conditions specified in art. 18 of the GDPR, you have the right to obtain restriction of the processing of your personal data performed by LIST;
- Right to data portability: Subject to certain conditions specified in art. 20 of the GDPR, you have the right to obtain a copy of the personal data you provided to LIST in in a structured, commonly used and machine-readable format and to request the transfer of these data to another data controller;
- Right to object: You have the right to object the processing of your personal data when the conditions set out in art. 21 of the GDPR apply;
- Right to withdraw consent: If LIST is processing your personal data based on your consent, you have the right to withdraw that consent at any time. The withdrawal of such consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with the Commission Nationale pour la Protection des Données (CNPD). More information on how to lodge a complaint are available on CNPD’s website: https://cnpd.public.lu.
Please kindly note that your rights are not absolute and they may be withheld in accordance with applicable data protection laws and the peculiarities of each research project.
You may exercise any of these rights by contacting our Data Protection Officer (DPO) by filling the online form.
11. Changes to this notice
LIST may make changes to this privacy notice from time to time, to reflect our current privacy practices or to comply with changes in the applicable data protection legislation. We encourage you to regularly visit this page in order to remain informed on any update.
