Privacy Notice

Introduction

Your privacy is our priority: we (the European Charcot Foundation, ECF) believe that your privacy is important and should be protected, which is why we would like to tell you what we do for you. As part of our legal obligations in relation to the Multiple Sclerosis Data Alliance (MSDA), we collect and process a certain amount of personal data and we do everything we can to protect it. This privacy notice has been prepared in compliance with the GDPR. It defines both the personal data to be processed and the purpose and the legal and technical means of the processing.

Some definitions

The User: Any natural or legal person who wishes to subscribe to our newsletter, reaches out to the MSDA using the contact form or creates an account to access and use our MSDA Catalogue and related services or any person who enters or comes into a (contractual) relationship with us of any kind and whose data may thus be collected. This includes Metadata Providers as defined in the MSDA Terms of Use.
The Data Controller: the natural person, legal entity, government body, department or other body that establishes the purpose and means of processing personal data, alone or with others.
The Data Processor: the natural person, legal person, government body, department or other body which processes personal data at the request of the Data Controller. The Data Processor always acts in accordance with the instructions of the Data Controller and is under an obligation to ensure the security and confidentiality of the data.
Personal Data: any information relating to an identified or identifiable natural person (the data subject, here the User). An identifiable person is any natural person who can be identified directly or indirectly on the basis of an identifier such as a name, an identification number, location data, an online identifier or one or more factors characteristic of the physical, physiological, genetic, mental, economic, cultural or social entity of that natural person.
Privacy Legislation: the European Regulation of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or GDPR) and any applicable local privacy laws.

Data Controller - Data Processor(s)

The Data Controller is ECF, acting as the lead legal entity of the MSDA, an independent non-for-profit organisation, organised and existing under the laws of Belgium, having its registered office located at Vaartdijk 3, bus 2, 3018 Leuven, Belgium and with company number (RLE Leuven) 0547.995.164. You can reach out via email (info@msdataalliance.com).

The following service providers may act as a processor of your Personal Data as further defined in this notice:

BMD Software	Support the MSDA in maintaining and hosting the MSDA Catalogue and related services. The data of the MSDA Catalogue, including the data provided when registering, is stored under Amazon Web Services. In particular, it is being hosted in AWS Europe in Frankfurt, Germany.
Mailchimp	GDPR compliant customer management relation of ECF to manage the mailing list of the Newsletter and Contact Form. By subscribing to the MSDA newsletter, people acknowledge that their information will be transferred to Mailchimp for processing. More about Mailchimp's privacy practices can be found on https://mailchimp.com/legal/terms/.

General Principles of Data Processing

Lawfulness and fairness: We pay particular attention to compliance with the general principles applicable to the processing of your data and respect for your privacy. We want to guarantee that the processing will be carried out in a legal and transparent manner.

Limitation to what is necessary and accuracy: We will strictly limit ourselves to collecting data that is necessary for the purposes required. We endeavour to collect accurate data to the extent reasonably possible.

Limiting retention over time: We will limit the retention of data over time by ensuring that it is destroyed or anonymised once the processing is complete or the purposes have been achieved. The cookies installed are specifically time-limited according to their use or type.

Security of your data: We take the security of your data very seriously and do everything in our power to ensure their integrity and confidentiality.

What types of personal data do we process?

First Name
Last Name
Email address
Country
Organization
Stakeholder group you're representing

Purpose and Lawful Processing Ground

Personal Data		Purpose	Processing Ground
First Name	Catalogue / Contact Form / Newsletter	Customer Service	informed consent
Last Name	Catalogue / Contact Form / Newsletter	Customer Service	informed consent
Email Address	Catalogue / Contact Form / Newsletter	needed to: login on Catalogue / answer to people's questions, customer service / sending the newsletter	informed consent
Country	Catalogue / Newsletter	Optimising usefulness of MDSA services to stakeholders	Legitimate interest
Organization	Catalogue	Optimising usefulness of MDSA services to stakeholders	Legitimate interest
Stakeholder Group	Newsletter	Optimising usefulness of MDSA services to stakeholders	Legitimate interest

Any of the above details in relation to Metadata Providers can be used for populating the MSDA Catalogue in order to allow MSDA and its users to contact the Metadata Provider.

Your rights

We would like to make you aware of your rights regarding the protection of your personal data:

Right of access to collected data: you have the right to request a copy of the personal data we collect and information about how we use that data.
Right of correction: you have the right to ask us to correct and/or complete your personal data if it is incorrect or incomplete.
Right to be forgotten: subject to compliance with certain legal conditions, you may request the deletion of your data:
- If the data collected are no longer required to achieve the purposes and aims of the processing for which they were collected.
- If the processing was based solely on your consent without any other legal basis for the processing and you wish to withdraw your consent.
- If you want to raise a legitimate objection to the processing of your data.
- If your data have been processed unlawfully.
- If a legal obligation indicates that your personal data must be deleted.
Right to restriction of processing: you have the right to request restriction of processing in certain cases.
- You dispute the accuracy of certain data:
- The processing of your data is unlawful:
- Your personal data are required for legal proceedings.
Right to object to processing: you have the right to object to the processing of your personal data for direct marketing or profiling purposes. Your personal data will no longer be processed unless the controller has compelling legitimate grounds for the processing which outweigh the interests, rights and freedoms of the data subject.
Right to data portability: you have the right to obtain the personal data processed by us in a structured, customary and machine-readable form. In addition, you also have the right to transfer these data to another controller or to have them transferred to us if this is technically possible.
Right to withdraw your consent: You have the right to withdraw your consent at any time if your consent is the basis for lawful processing.
- This does not preclude the processing being based on criteria other than your consent, in which case the absence or otherwise of your consent would have no impact (if the processing is based on compliance with a legal obligation or the performance of a contract between the individual and us for example).
- Withdrawing your consent does not affect the legitimacy of the processing carried out when your consent was validly obtained.

In the event of a request from you, we undertake to reply within a maximum of one month. You can contact us at info@msdataalliance.com. In the event that you consider it necessary, you can file a complaint with the Data Protection Authority (see below). Filing a complaint with the Data Protection Authority has no bearing on the intervention of a civil court.

Data Transfers

The MSDA data as described herein are located in Europe, however, it is possible that data may be transferred to countries outside the European Union. As a consequence of Article 44 of the European Regulation 2016/679 of 27 April 2016 on the protection of personal data, any transfer of personal data outside the EU is only possible if an adequate level of protection is guaranteed in the country concerned. The European Commission has been mandated to carry out an assessment of the level of protection in a given country, territory, region or even international organisation. If this level of protection is considered adequate, the data can be transferred. The European Charcot Foundation guarantees that it will not process or store data in countries that do not apply an adequate level of protections or without adopting appropriate safeguards as required by Privacy Legislation.

Complaints

You can always file a complaint by sending a written request via email to info@msdataalliance.com We undertake to comply with your request within one month.

You also have the option of submitting a complaint to the supervisory authority:

Data Protection Authority
Rue de la Presse 35
1000 Brussels, Belgium
contact@apd-gba.be
http://www.gegevensbeschermingsautoriteit.be/