Skip to content

EFP Privacy policy

This privacy statement provides information about the processing and the protection of your personal data.

1. Introduction

The protection of your privacy is of high importance to EuroHPC Joint Undertaking (EuroHPC JU). EuroHPC JU is committed to respecting and protecting your personal data and ensuring your privacy rights.

This Privacy statement provides detailed information on the processing of your personal data in the context of EuroHPC Federation Platform (EFP or platform), a federation platform developed by EuroHPC JU.

This processing operation is subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals regarding the processing of personal data by the Union institutions, bodies, offices, and agencies and on the free movement of such data. The information in this communication is given pursuant to Articles 14, 15 and 16 of Regulation (EU) 2018/1725.

2. Who is responsible for your data?

The relevant processing operation is under the responsibility of the Executive Director of EuroHPC JU, acting as the Data Controller. The Data Controller can be contacted via the email address: info@eurohpc-ju.europa.eu.

The EuroHPC JU has appointed a DPO. The task of the DPO is to ensure, in an independent manner, that the Union body complies with the data protection law and protects individuals' rights and freedoms by protecting effectively their personal data. For any questions related to your rights as a data subject, please contact the EuroHPC JU Data Protection Officer at:  dpo@eurohpc-ju.europa.eu.

EuroHPC JU contracted a consortium led by CSC IT Center for Science Ltd to provide a federation platform to EuroHPC JU and the users (scientific, industrial and public users) of its supercomputers and quantum computers. The federation platform and the related data bases will be owned by EuroHPC JU. The members of consortium members will act as the Processor of EuroHPC JU and will only process personal data on behalf of EuroHPC JU and on its documented instructions.

3. Description of the Processing

EFP aims to provide federated access to High Performance Computing-based infrastructures and services to a wide range of users from the research and scientific community, as well as the industry including SMEs, and the public sector, for new and emerging data and compute-intensive applications and services. Moreover, it intends to foster science and engineering applications in Europe's HPC infrastructure by providing federated and secure access to supercomputing resources. EFP will also foster the federated and secure use of supercomputers primarily for research and innovation purposes falling under public funding programmes that shall be open to users from the public and private sectors.

In order for users to get access to the EFP and the EuroHPC JU supercomputers, they will first need to be identified as eligible through a portal owned by EuroHPC JU called Peer-review portal (EPrP). A prior necessary step for the access of EFP by users is the user identification and authentication through MyAccessID provided by Geant.

Part of the information collected through the above-mentioned platforms and portals will be shared with some Hosting entities[^1] in order for them to allow the users access to their supercomputers. Hosting entities on their turn also save part of this information in the supercomputer database.

In light of the above-mentioned processing activity, personal data is processed for:

  • User identification and authentication to the EFP through MyAccessID

  • Provisioning access credentials to users 

  • Collection, storage and transmission of required personal data for the provision access to external compute systems

  • Tracking of user behavior on the system and prohibition of access if misbehavior is detected

  • Collection of statistics related the used time of the users, their geographical distribution, sectorial use and gender ratio on supercomputers and also to monitor the well being of supercomputers. The gathered data will be used to improve gender balance or encourage different sector to further use the EuroHPC JU supercomputers. It will also give an insight on what type of processors and tools are in demand by EuroHPC JU users to consider in future procurements.

In principle, EFP will collect the data directly from the users. EFP will also collect the union of users' attributes required for Hosting Entities to provision access. In case of the Principal Investigator of a project, the e-mail address is received from the EPrP-Part, while the rest of their information is collected directly from them. Finally, part of the attributes are supplied by the user selected IdP, while the rest is collected by the EFP to grant access to the platform and systems. National eDIP providers are supported and thus can supply the information as well.

The processing is necessary and lawful under:

  • Article 5(1)(a) of the Regulation (EU) 2018/1725: processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in EuroHPC JU; The applicable legislation for the processing in question is Council Regulation (EU) 2021/2085 of 19 November 2021 establishing the Joint Undertakings under Horizon Europe.

  • Article 5(1)(c) of the Regulation (EU) 2018/1725: processing necessary for the performance of a contract to which the data subject is a party, where applicable.

5. What are the categories of data subjects and which personal data do we collect?

The categories of data subjects are as follows:

  • The users of the EFP and the rest of the EuroHPC JU systems (EPrP and EuroHPC JU supercomputers)

  • Representatives of the EuroHPC JU

  • Staff at the Hosting Entities

EuroHPC JU will process the following personal data -- mandatory attributes:

  • User ID (MyAccessID unique identifier)

  • First Name and Last Name (Extracted via identity vetting)

  • Email

  • Affiliation / Organization

  • Citizenship (Extracted via identity vetting)

  • Level of Assurance

  • Country of organisation

  • Type of organisation

  • Country of residence

  • IP Address

  • Date of birth and Gender (Extracted via identity vetting)

Categories of personal data processed -- optional attributes depending on specific allocations of the user:

  • Phone number

  • All nationalities possessed by a user

  • Job title

  • Title/Salutation

  • Place of birth

As part of the EPrP application and assessment EuroHPC JU will collect information related to which supercomputer the user wants to access, why and for how long as well as further information such as affiliation, phone number etc and lists the names of other group members that would need to access the same project on the same supercomputer.

For security and export restriction purposes, user activity and logs will be collected and will share with other Hosting Entities any information concerning suspected misbehaviour, breach of terms, or actions including account suspension, banning, or termination.

Users' requests and information may be shared with the Hosting Entities when required for the purpose of diagnosing or resolving technical issues.

EuroHPC JU will also collect statistics related the used time of the users, their geographical distribution, sectorial use and gender ratio on supercomputers and to monitor the well being of supercomputers. The gathered data will be used to improve gender balance or encourage different sector to further use the EuroHPC JU supercomputers. It will also give an insight on what type of processors and tools are in demand by EuroHPC JU users to consider in future procurements.

6. Automated decision-making including profiling

In principle, the processing activity described in this privacy notice does not involve any automated decision-making, including profiling, within the meaning of Article 24 of Regulation (EU) 2018/1725 by EuroHPC JU. If required, EuroHPC JU will only use automated means to make any decision if the law allows it, or if you have given your consent separately, or if it's necessary for the execution of the terms of the contract, such as monitoring that the usage does not violate the terms given.

7. Who has access to your personal data and to whom is it disclosed?

Personal data is made accessible only on a need-to-know basis to EuroHPC JU staff members and the external providers helping with the support and operation of the EFP and the access to the EuroHPC JU portals and tools.

More specifically, the recipients of personal data can be:

  • The EFP Consortium members[^2] led by CSC IT Center for Science Ltd for the provision of support and the operation of EFP.

  • The Hosting Entities of EuroHPC JU for provisioning the users and providing access to EuroHPC JU supercomputers and systems.

8. How long do we retain your personal data?

Personal data is stored for the duration of your usage of the EFP service. In addition to that, personal data is stored for 5 years from 31.12.2029 on the EFP's servers. Once the retention period for personal data has expired and there are no longer grounds for processing them within the limits permitted by data protection legislation, the personal data will be deleted.

9. How do we protect and safeguard your personal data?

Personal data processed within the EFP is accessible only to authorised individuals acting on behalf of the EFP Consortium, strictly in accordance with their roles and responsibilities. Access is limited through appropriate controls, including user authentication via unique usernames and passwords. Where external service providers are engaged, the EFP Consortium ensures that appropriate data protection obligations are in place in compliance with Regulation (EU) 2018/1725.

10. Transfer to a third country or international organisation

Personal data will be processed only within Europe and the European Economic Area (EEA). No international data transfers will take place.

11. What are your rights and how to exercise them?

As 'data subject' you have, under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, specific rights. In particular:

  • You have the right to request access to all personal data processed by us pertaining to you.

  • You have the right to rectification, i.e., to ask that any personal data pertaining to you that are inaccurate, be corrected.

  • You have the right to withdraw your consent for processing of your personal data where applicable.

  • You have the right to erasure, i.e., to request that personal data pertaining to you be deleted if these data are no longer required in the light of the purposes outlined above in Heading 4.

  • You have the right to restriction instead of deletion, i.e., to request that we limit the processing of your personal data.

  • you have the right not to be subject to a decision based solely on automated processing of data, including profiling, if such decision has legal effect on you, except for certain situations, such as entering a contract (as required by articles 14-16 & 24 of EUDPR).

  • You have the right to data portability, i.e., to receive from us in a structured, commonly used, and machine-readable format all personal data you have provided to us if the processing is based on your consent or a contract with you and the processing is carried out by automated means.

Information on action taken on the data subject's request to exercise her/his rights shall be provided without undue delay and in any case within one month of receipt of the request.  

In case of complex or voluminous requests, this period may be extended by another two months, in which case the the data subject will be informed accordingly.  

If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to send your request to the EuroHPC JU by post in a sealed envelope to the following address 12E rue Guillaume Kroll, L-1882, Luxembourg, Office Drosbach Building (DRB) - Wing E -- 1st floor or by e-mail to dpo@eurohpc-ju.europa.eu. Your request should contain a detailed, accurate description of the personal data you want access to.

If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to send your request to EFP Consortium processing of personal data to helpdesk@my-eurohpc.eu. EuroHPC JU has mandated the EFP Consortium to handle such requests and queries on its behalf.

For register-related matters, you can also contact the data protection officers of the EFP Consortium members via helpdesk@my-eurohpc.eu.

The European Data Protection Supervisor (EDPS)

If you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the EuroHPC JU, as a data subject, you have a right to recourse to the European Data Protection Supervisor (EDPS) at any time by e-mail to edps@edps.europa.eu or a letter to the EDPS postal address marked for the attention of the EDPS DPO:

European Data Protection Supervisor Rue Wiertz 60 B-1047 Brussels BELGIUM

For more information on the EDPS, please consult their website: https://www.edps.europa.eu

[^1]: The Hosting entities are the following: IZUM - Slovenia, IT4I- Czechia, LuxProvide - Luxembourg, Discoverer - Bulgaria, FCT- Portugal, CSC- Finland, Cineca - Italy, BSC- Spain, JSC - Germany, GENCI - France, GRNET - Greece, NAISS - Sweden, HLRS- Germany, ACA - Austria, PCSS- Poland, DKF- Hungary, ICHEC- Ireland, SURF -The Netherlands, CESGA - Spain, ICI-Romania, Cyfronet-Poland, Lithuanian center, LRZ- Germany.

[^2]: GÉANT Vereniging, VSB -- Technical University of Ostrava, IT4Innovations National Supercomputing Center, University of Tartu , Universiteit Gent, NORDUnet A/S