This privacy statement was last revised on March 3rd 2021.

What is SURF Research Access Management (SRAM)?

SURF Research Access Management (SRAM), a service provided by SURF, helps Dutch-led (international) research collaborations to (register and) manage users, groups, roles and rights and to connect to typical services for researchers, like data and compute services. SRAM saves time on creating and managing accounts in research services and enables using the valuable institutional identity/user account and other mechanisms to improve security. It prevents having to resort to more troublesome solutions, like 'zero hour contracts' (nulurencontract) etc. It builds upon standing international research practices to gain access to resources.

SRAM allows data subjects (researchers, scientists – ‘users’) to participate in Collaborative organizations (CO, also known as VOs, virtual organizations) and access external services based on the membership with the virtual organization.

What parties are involved in the service?

SURF

SURF is the SRAM operator.

Identity Provider

An organization providing data on the user’s identity in order to allow user authentication. This can be an institution, or a guest identity provider like eduID or Google.

Organization

A legal entity, mostly Dutch institutions, that is allowed to create COs in SRAM and acts as data controller for the processing activities its CO(s) conduct(s).

Service Provider

An organization that is connected to one or more COs in SRAM and that provides services to users.


All parties have their own roles and responsibilities within SRAM. This privacy statement describes how SURF processes the personal data of you – user – when you use SRAM.

SURF: role and responsibilities

SURF acts both as a data controller and as a data processor for different parts of the SRAM service. Schematically:

This distinction determines which party you can contact if you have any questions.

  • SURF as a data controller: SURF acts as a data controller for all processing activities relating to the central profiles of all users in SRAM.
    • If you have any questions relating to your profile in SRAM, you can directly contact SURF via the contact details that you will find at the end of this privacy statement.
  • SURF as a data processor: SURF acts as a data processor for the Organizations for all processing activities relating to the COs insofar as SRAM is involved. A CO is always connected to an Organization in SRAM. The Organization to which the CO is connected is the data controller regarding these processing activities. SURF is an intermediary in this process. Note that SURF's role is limited. SURF does not determine the way different institutions and organizations work together in a CO. SRAM is only a small part of all processing activities carried out by a CO. This privacy statement does not cover all processing activities performed by the CO, the transfer of your personal data to Service Providers or further processing activities performed by the Service Providers.
    • If you have any questions relating to a CO, please contact an administrator of the CO.

What processing activities do we perform?

SURF as a data controller for the Central Profiles

Users of SRAM (CO-admins, CO-members, anybody that signs in to SRAM using a federated account, either from an institution or a guest identity provider)

Purpose: For authentication to SRAM we may request personal data from someone’s home institution or a guest identity provider of their choice

Personal data: Receiving information from Identity Provider:

  • First Name
  • Surname
  • Username
  • Email address
  • Home Institution / Affiliation
  • Entitlements (like allowed to create a CO)
  • Identifiers

Legal ground: Legal contract (this also includes pre-contractual actions necessary to conclude the contract)

Who has access: A limited number of SURF employees (or processors) responsible for operating the SRAM-service

Purpose: Making, viewing and managing your central profile on SRAM

Personal data:

  • First Name
  • Surname
  • Username
  • Email address
  • Home Institution / Affiliation
  • SSH public key(s)
  • Entitlements
  • Identifiers

Legal ground: Legal contract

Who has access: A limited number of SURF employees (or processors) responsible for operating the SRAM-service

Purpose: Sending profile information to a CO, after a user accepts an invitation from a CO

Personal data:

  • First Name
  • Surname
  • Username
  • Email address
  • Home Institution / Affiliation
  • SSH public key(s)
  • Entitlements
  • Identifiers

Legal ground: Legal contract

Who has access:

  • A limited number of SURF employees (or processors) responsible for operating the SRAM-service
  • CO-admins and CO-members

Contact persons for services connected to SRAM

Purpose: Processing personal information to contact the organization for support, questions, connecting services and forwarding requests from COs to connect to their service

Personal data:

  • Name
  • Email address
  • Telephone number

Legal ground: Consent

Who has access:

  • Users of SRAM interested in the service
  • A limited number of SURF employees (or processors) responsible for operating the SRAM-service

SURF as a data processor for the COs

Users of SRAM (CO-admins, CO-members)

Purpose: Creating and managing a CO and managing the memberships of a CO

Personal data:

  • The virtual organization(s) that you have created or joined
  • Group memberships you may have in the context of your virtual organization
  • Profile information of CO-members

Legal ground: Please contact an administrator of the SRAM-CO

Who has access:

  • A limited number of SURF employees (or processors) responsible for operating the SRAM-service
  • Organisation-admins and CO-admins receive the profile information from members of the CO in order to establish the identity of the members.
  • CO-members of the specific CO can see names, email addresses and the home institution of the other members of the CO.

Purpose: Sending profile information to a Service Provider a CO has chosen to connect to

Personal data:

  • First Name
  • Surname
  • Username
  • Email address
  • Home Institution / Affiliation
  • SSH public key(s)
  • Identifiers
  • CO-membership
  • CO-group-membership

Legal ground: Please contact an administrator of the SRAM-CO

Who has access: Please contact the Service Provider for more information

Purpose: Technical logs for security reasons and support

Personal data:

  • All actions on the platform linked to specific users along with timestamps, such as CO-admin assignment, when someone became a member or admin of a CO and/or group, and who connected or disconnected a service to or from a CO.
  • For as far as SRAM is part of the authentication flow: external services that someone accessed through SRAM.
  • IP address of any actor on the platform.
  • The Identity Provider used to gain access.

Legal ground: Please contact an administrator of the SRAM-CO

Who has access: A limited number of SURF employees (or processors) responsible for operating the SRAM-service

Purpose: Provide information regarding the use of SRAM to Organizations

Personal data:

  • Which COs are connected to the Organization
  • Who are administrators of the COs
  • Who are members of a CO

Legal ground: Please contact an administrator of the SRAM-CO

Who has access: The Organization

Purpose: Anonymizing data by SURF to gain insight into the use of the service and to improve the service. After the data is anonymized, the GDPR is no longer applicable. We may use the information for the following purposes:

Personal data:

  • How many COs are created
  • How many members a CO has
  • How many users SRAM has
  • How many services are connected to a CO
  • Number of authentications via our platform
  • SRAM performance
  • Attributes from the profile
  • Logging

Legal ground: Please contact an administrator of the SRAM-CO

Who has access: n/a

Contact persons for the Organizations allowed to create COs (mostly institutions)

Purpose: To onboard and disconnect an Organization and to solve any issues with COs for which the Organization is responsible

Personal data:

  • Name
  • Email address
  • Telephone number

Legal ground: Please contact the Organization

Who has access:

  • CO-admins
  • A limited number of SURF employees (or processors) responsible for operating the SRAM-service

To whom do we transfer your data?

We only pass on the data you provided us to third parties when this is necessary to be able to provide you with the respective service. When you accept an invite from a CO-admin in SRAM, we transfer data from your central profile to the CO in SRAM, so you are able to collaborate within that CO and use the services connected to that CO. We use the following third parties to deliver the service:

  • Hosting: SURFcumulus and Amazon AWS (inside the EEA).
  • Software supplier: GÉANT, eduTEAMS (inside the EEA).

We will only supply your data to other parties with your permission, unless it is legally required of us to transfer your data. For example, the police may require us to provide data as part of a fraud investigation. SURF is then legally required to provide these data.

COs pass information through to Service Providers linked to the CO. These Service Providers can be located outside the EEA. Passing on the information from the CO to these Service Providers and further processing activities that the Service Providers perform are the responsibility of the CO. Contact a CO-admin for more information.

How long do we store your data?

  • Data in the central user profile:
    • If we don't see activity on our platform for a user profile within the last 12 months, we will send out an email to the user asking whether the user wants us to delete the central user profile. If the user does not reply within 3 months and does not sign in to our service within those 3 months, SURF will delete the user profile.
    • Users can request that SURF delete their central user profile, under the GDPR Right to erasure (‘right to be forgotten’). SURF will process the request as soon as possible and delete the profile within 10 working days. Please note this does not include erasure of data in log files. Since our service plays a role in access to possible (highly) sensitive data, for information security reasons SURF will keep a minimal set of data in log files for the period specified below to allow for investigation/follow-up in case of (suspicion of) irregular data access and activity.
  • Data regarding the CO (name of the CO, groups within the CO, membership of the CO, services connected to the CO):
    • In case an organisation or CO-admin requests to delete the CO, SURF will hide the data from all users except the platform managers. SURF will verify whether deleting the CO is indeed what the organisation responsible for the CO wants, and delete the CO data within 8 weeks.
    • If we don't see any activity in relation to a CO for 12 months, SURF will send out an email to the CO-admin and/or the Organisation contact person asking whether they want us to delete the CO. If we don't get a reply within 3 months and don't see any activity regarding the CO within those 3 months, SURF will delete the CO.
  • Contact details of Organizations (for organisations that opt to use SRAM to create COs):
    • SURF stores the contact data for 18 months after the organisation has ended their contract to use SRAM, and as long as that Organisation does not request to change or delete that data, in order to be able to contact the Organization for any questions that may result from the annual review.
  • Contact details of Service Providers:
    • SURF stores the contact data for 18 months after a service is disconnected from SRAM, and as long as the service provider does not request to change or delete that data, in order to be able to contact the Service Provider for any questions that may result from the annual review.
  • Log data will be stored for 6 months. Log data includes:
    • Date/time of request to the webserver
    • Remote IP address of the client doing the request
    • Browser version of the client doing the request
    • The URL that is accessed
    • The URL the client arrived from
  • Anonymised data can be stored by SURF for any period of time.

What rights do you have in relation to your data?

SURF processes your personal data in your central profile, and you can therefore decide what is done with them. What exactly can you do with your data?

  • You may request to see your data that we are processing.
  • You may ask us to amend your data, to complete them, or to remove them if they are incorrect or not (or no longer) relevant. If SURF or the Organization still has a legal or legitimate reason to keep your data, we may not be able to comply with a request for deletion.
  • You may ask us to restrict the processing of your data.
  • You may request a digital copy of your data that we process and in some cases you have the right to transfer these data to a different service provider.
  • You may withdraw your consent to the processing of your personal data.

SURF will cooperate to ensure that you can exercise your rights regarding your central profile. SRAM offers users a profile page where you can view and amend your data, revoke your consent for the release of attributes and view the used attributes per Service Provider; in case such a page is not (yet) available, you can email sram-support@surf.nl and state your wishes. However, information that SRAM receives from an Identity Provider cannot be changed via SRAM: you should contact the source (for instance your institution) to change your data.

To exercise your rights, please see the contact details at the end of this privacy statement.

If you believe that SURF is not handling your personal data correctly, then you may file a complaint with SURF. If we are unable to resolve the issue, then you can submit a complaint to the Dutch Data Protection Authority.

Right of objection

In addition to the rights referred to above, you may also object to processing that takes place on the grounds of the legitimate interest of SURF, the Organization or a third party. This may be for reasons related to your specific situation. You can object via the contact details at the end of this privacy statement. 

GÉANT Data Protection Code of Conduct

Your personal data, for the part where it is stored in SRAM, will be protected according to the GÉANT Data Protection Code of Conduct for Service Providers [Code of Conduct], a common standard for the research and higher education sector to protect your privacy.

Changes to this privacy statement

SURF may amend this privacy statement. We therefore recommend that you review this privacy statement regularly. We will inform you about important changes.

Contact details

In case of questions regarding your central profile in SRAM, you can contact SURF directly.

In case of questions regarding processing of personal data in SRAM by a CO, you are invited to first contact an administrator of a SRAM-CO that you have been invited to. If that does not sufficiently answer your questions, you can contact SURF.

You can reach SURF via the following contact details:

SURF
Moreelsepark 48
3511 EP  Utrecht
sram-support@surf.nl

