Privacy Policy
1. General Information
The IODP3 Science Office on behalf of IODP3 takes the protection of personal data very seriously. IODP3 is bound to protect the privacy of everyone who uses its website and to treat any personal data provided in the strictest confidence. This data is used solely for the purposes indicated in each case and is not forwarded or sold to any third party.
The provisions of the EU General Data Protection Regulation (GDPR) have been incorporated directly into UK law as the UK GDPR. Article numbers cited herein refer to those in the EU GDPR, which are assumed to be retained in the UK GDPR. Both are referred to below as the GDPR.
2. Name and address of data controller
The data controller as defined in the GDPR is:
International Ocean Drilling Programme Science Office
University of Plymouth
Drake Circus
Plymouth
PL4 8AA
United Kingdom
Email: enquiries@iodp3.org
3. General information on data processing
3.1. Scope of personal data processing
In general, the IODP3 Science Office on behalf of IODP3 only processes personal data collected from users insofar as this is necessary to provide a functional website with the relevant content and services. As a rule, personal data provided by users is only processed with the respective user's consent. Exceptions apply in cases where the user’s prior consent cannot be obtained on factual grounds and statutory regulations permit the processing of personal data.
3.2. Legal basis for the processing of personal data
Article 6(1a) of the GDPR serves as the legal basis when the IODP3 obtains a data subject's consent to the processing of their personal data.
Article 6(1b) of the GDPR serves as the legal basis when processing personal data for the performance of a contract to which the data subject is a party. The same applies to any processing measures that are required if steps are to be taken before entering into a contract.
Article 6(1c) of the GDPR serves as the legal basis when the processing of personal data is necessary for compliance with a legal obligation to which the IODP3 is subject.
Article 6(1f) of the GDPR serves as the legal basis when processing is necessary to safeguard the legitimate interests of the IODP3 or a third party, and provided these legitimate interests are not outweighed by the data subject’s interests and fundamental rights and freedoms.
3.3. Data erasure and storage period
The data subject's personal data is erased or blocked as soon as the purpose for which it was stored ceases to apply. Personal data may also be stored if so specified by the UK GDPR, laws or other provisions to which the data controller is subject. In such instances, personal data is blocked or erased when a retention period specified in any of the above-named legislation expires, unless it has to be retained for longer in order to conclude or execute a contract.
4. Provision of website and generation of log files
4.1. Description and scope of data processing
Every time our website is accessed, our system automatically collects data and information from the accessing computer system.
The following information is stored in the web server’s log files:
- the client's IP address
- the user’s ID, if the request requires the user to register
- the date and time of the request
- the client’s specific request, including the HTTP method, HTTP protocol version, and the path of the resource requested
- the status code sent back to the client by the server
- the size of the resources requested
- the URL of the website from which the user accessed the current web page or file
- the client program identifier
This data is also stored in our system’s log files. However, it is not stored together with other personal data collected from the user.
The legal basis for the temporary storage of this data is Article 6(1f) of the GDPR.
4.2. Purpose of data processing
This data is used to optimize website use, correct errors, and safeguard the security of our information technology systems. Data collected in this context is not evaluated for marketing purposes.
The above-named purposes also constitute the IODP3’s legitimate interest in processing the data pursuant to Article 6(1f) of the GDPR.
4.3. Storage period
The data is erased as soon as it is no longer required to fulfil the purpose for which it was collected. Log files are deleted within a maximum of 7 days.
4.4. Right to object and right to erasure
The collection of data for website provision and the storage of data in log files are absolutely essential to the operation of the website. The user is therefore unable to assert any right to object in this context.
5. Use of Cookies
5.1. Description and scope of data processing
Whenever a user accesses a website, the IODP3 Science Office uses cookies to make the website more user-friendly.
IODP3's website uses HTTP cookies, but only "session cookies" issued locally by IODP3's content management system. Session cookies are very limited in scope, only used temporarily, and only to track the login status of users. Session cookies enable user-friendly navigation back and forth on IODP3's web pages. Cookies are tiny text files stored in the main memory of the user’s web browser, or on the hard disk of that user’s computer system. IODP3 does not use third-party cookies, and does not share cookie data with external companies or organisations.
5.2. Legal basis for data processing
The legal basis for the processing of personal data using cookies is Article 6(1f) of the GDPR.
5.3. Purpose of data processing
The use of technically necessary cookies is intended to simplify website usage. Some of the functions on our website cannot be provided unless cookies are enabled. In these cases, it is essential that the browser is also recognized after accessing another page.
The user data collected by these technically necessary cookies is not used to generate user profiles.
5.4. Storage period, right to object and right to erasure
Cookies are stored on the user's computer, from where they are sent to our website. This means that users have full control over the use of cookies. Users can deactivate or restrict the transmission of cookies by changing their web browser settings. Any cookies already stored can be deleted at any time. This can also be effected automatically. If cookies are deactivated for our website, it may no longer be possible to use all the website’s functions in full.
6. Rights of the data subject
Whenever personal data is processed, the data subject as defined in the GDPR has the following rights vis-à-vis the data controller:
6.1. Right to information
Data subjects (users) can request the data controller on behalf of IODP3 to confirm whether or not the IODP3 is processing their personal data.
If this is the case, data subjects are entitled to request the following information from the data controller on behalf of IODP3:
- the purposes for which the personal data is being processed;
- the recipient or category of recipient to whom their personal data has been or is to be disclosed;
- the period for which their personal data will be stored, or, if no specific information can be provided, the criteria used to determine that period;
- the existence of a right to request the controller to rectify or erase their personal data, to restrict the controller’s processing of their personal data, or to object to such processing;
- the existence of a right to complain to a supervisory authority;
- where the personal data is not collected from the data subject, any available information as to its source.
6.2. Right to rectification
Data subjects have the right to request the data controller, acting on behalf of IODP3, to rectify and/or complete their personal data insofar as the personal data being processed is incorrect or incomplete. In such cases, the data controller, acting on behalf of IODP3, must rectify the data immediately.
6.3. Right to restriction of processing
Data subjects are entitled to request restrictions on the processing of their personal data in the following circumstances:
- if the accuracy of the personal data is contested by the data subject for a period enabling the data controller to verify the accuracy of the personal data;
- if the data controller no longer needs the personal data for the purposes for which it was processed but it is still required by the data subject for the establishment, exercise, or defence of legal claims;
- if the data subject has objected to the processing of their data pursuant to Article 21(1) GDPR and it has not yet been established whether the legitimate grounds of the IODP3 override those of the data subject.
If the processing of the data subject’s personal data has been restricted, this data may – with the exception of storage – only be processed with the data subject’s consent, or to establish, exercise, or defend legal claims, or to protect the rights of another natural or legal person, or for reasons of important public interest within the UK, EU or an EU member state.
A data subject who has obtained restriction of processing under the conditions specified above must be informed by the data controller, acting on behalf of IODP3, before the restriction of processing is lifted.
6.4. Right to erasure
6.4.1. Erasure obligation
The data subject may request the controller to erase their personal data without delay, in which case the controller is obliged to erase the data without delay where one of the following grounds applies:
- The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
- The data subject withdraws the consent on which the processing is based pursuant to Article 6(1a) or Article 9(2a) of the GDPR, and there are no other legal grounds for the processing.
- The data subject objects to the processing of their data pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing of their data pursuant to Article 21(2) of the GDPR.
- The user's personal data was processed unlawfully.
- The personal data has to be erased for compliance with a legal obligation in UK, EU or member state law to which the controller is subject.
6.4.2. Information to third parties
If the data controller, acting on behalf of IODP3, has made the data subject’s personal data public and is obliged pursuant to Article 17(1) of the GDPR to erase it, the controller, taking account of the technology available and the cost of implementation, must take reasonable steps, including technical measures, to inform controllers who are processing the personal data that the data subject has requested the erasure of any links to, or copy or replication of, their personal data.
6.4.3. Exceptions
No right of erasure exists if the data has to be processed
- to exercise a right to freedom of speech and information;
- for compliance with a legal obligation according to which processing is required by UK, EU or member state law to which the controller is subject, or for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health pursuant to Article 9(2h), Article 9(2i) and Article 9(3) of the GDPR;
- for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of the processing; or
- for the establishment, exercise, or defence of legal claims.
6.5. Right to notification
If the data subject exercises their right to rectification or erasure of personal data or restriction of processing, the controller is obliged to communicate this to all recipients to whom the personal data has been disclosed unless this proves impossible or involves disproportionate effort.
The data controller, acting on behalf of IODP3, is obliged to inform the data subject about these recipients if so requested.
6.6. Right to object
The data subject has the right to object at any time, on grounds relating to their particular situation, to any processing of their personal data effected on the basis of Article 6(1e) or Article 6(1f) of the GDPR.
If this right is exercised, the data controller, acting on behalf of IODP3, will cease processing this personal data unless they can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or if the data has to be processed for the establishment, exercise, or defence of legal claims.
6.7. Right to revoke the declaration of consent provided in compliance with data protection legislation
The data subject has the right to withdraw their consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing effected on the basis of the data subject’s consent before its withdrawal.
6.8. Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, the data subject has the right to lodge a complaint with a supervisory authority, in particular in the state of their habitual residence, place of work, or place of the alleged violation, if the data subject considers that the processing of their personal data violates the GDPR.