Last updated: 5 December 2024
Summary
GBIF has legitimate interests in collecting and maintaining the information needed to provide biodiversity-related evidence that supports scientific research and policy. Beyond that, we collect the minimum amount of personal information needed to fulfill the purpose of your interactions with us. We don't sell this information to third parties, and we process it only as described in this Privacy Notice. As an EU-based body, we comply with the General Data Protection Regulation (GDPR). But regardless of where you come from, where you are or where you live, we apply the same standard of privacy protection to all our users.
This summary is no substitute for the rest of the policy notice, so please read on for the complete details.
1. Introduction
1.1. This Privacy Notice is intended to provide you with information on how the Global Biodiversity Information Facility, Universitetsparken 15, DK-2100 Copenhagen Ø, CVR no. 29087156 (hereinafter "GBIF", "we", "us", "our") process your personal data in the following situations:
- When you use the Internet services available through gbif.org and its subdomains ('our Internet services’)
- When you register yourself on our Internet services
- When you sign up for our newsletters
- When you have questions or otherwise communicate with us
- When you are the observer, collector or identifier of a species contained within a record in our database
- When you are a representative of a GBIF Network Partner or advisory committee
- When you are employed as technical and administrative personnel with a data publisher and you are responsible for the data published through GBIF
1.2. This privacy notice applies to all personal data that you provide to us or that we collect via our Internet services.
1.3. This Privacy Notice explains how and for which purposes we process your personal data. We will only process your personal data in accordance with this Privacy Notice and applicable law to which we are subject, in particular the General Data Protection Regulation (EU 2016/679) (hereinafter the "GDPR") and the Danish Data Protection Act No. 502 of 23 May 2018 supplementing the GDPR and any amendments thereto.
1.4. GBIF is data controller in relation to your personal data. You can contact us by using the contact information in §9.
2. The data we collect, the purpose and the legal basis for processing
2.1. When you use our Internet services
- We automatically collect Technical Data about you and how you use our Internet services.
- Technical Data means information collected during your visits to our Internet services, the Internet Protocol (IP) address, login data, browser type and version, device type, time zone and location setting, browser plug-in types and versions, operating system and platform
The purpose of this processing is to learn how users use our Internet services and to optimize the user experience and the functions of these Internet services. The processing is necessary to maintain our interests in improving our Internet services (article 6(1)(f) of the GDPR).
2.2. When you register yourself on our Internet services
- We collect information on your name, e-mail address, country of residence and user login when you register. If you choose to upload one or more photos to your profile we will process such photo(s). Any discussion content in the Community Forum will be processed by GBIF and will be accessible to other users on our Internet services with your user name.
The purpose of our processing is to identify users signing up for a profile on one or more of our Internet services. The processing is necessary to maintain our interests in making available our services to our users (article 6(1)(f) of the GDPR).
2.3. When you sign up for our newsletters
- We collect information on your email-address, information on the newsletters you wish to receive, your consent as well as your name, organization, country or area, if you choose to disclose it.
The purpose of our processing is to send you the newsletters. The processing is necessary to pursue our interests in sending you marketing material (article 6(1)(f) of the GDPR).
Regardless of the above we will always collect a consent from you to send newsletters pursuant to Section 10 of the Danish Marketing Practices Act.
2.4. When you have questions or otherwise communicate with us
- We collect information on your name, your email, your phone number, the company or organization you represent and your question/our correspondence.
The purpose of the processing is to respond to your questions or to communicate with you in general. The processing is necessary to pursue our interests in communicating with our network and the public in general (article 6(1)(f) of the GDPR).
2.5. When you are the observer, collector or identifier of a species contained within a record in our database
- If you are the observer or collector of a species contained within a record in our database we will publish information on your name as well as the place and date of the observation or collection event in the record. All records in our database are published through our Internet services.
- If you have confirmed the identity of a species contained within a record in our database we will publish information on your name in the record. All records in our database are published through our Internet services.
The purpose of the processing is to assist researchers in evaluating the fitness-for-use of data accessed through GBIF as well as to acknowledge the named individuals for their recording, collection or expertise. Processing is necessary to pursue our and the public's interests to share the data for research purposes (article 6(1)(f) of the GDPR).
2.6. When you are a representative of a formal GBIF Participant, advisory committee, or GBIF-funded project
- We publish your professional contact information (name, title, work address, email, phone number) and name of your organization or institution through our Internet services.
The purpose of our processing is to allow researchers and other professionals to share information in the GBIF network, as well as to enable feedback from users to data publishers in relation to suspected errors or further information about the data. Processing is necessary to pursue our interest in encouraging professional activities in the GBIF network (article 6(1)(f) of the GDPR).
2.7. When you are employed as technical and administrative personnel with a data publisher and you are responsible for the data published through GBIF
- We publish your professional contact information (name, title, work address, e-mail, phone number) and name of your organization or institution through our Internet services.
The purpose of our processing is to allow researchers and other professionals to share information in the GBIF network, as well as to enable feedback from users to data publishers in relation to suspected errors or further information about the data. Processing is necessary to pursue our interest in encouraging professional activities in the GBIF network (article 6(1)(f) of the GDPR).
- We collect your name and professional email to send you announcements and information on GBIF’s services to data publishers.
The purpose of our processing is to send you the service announcements. The processing is necessary to pursue our interests in communicating with institutions that publish data through our Internet services (article 6(1)(f) of the GDPR).
2.8. When you serve as a volunteer or receive an award, training certificate or other professional recognition from GBIF
- We publish your name, email and ORCID iD (where available) along with your professional or educational affiliation, expertise, languages and country of residence.
The purpose of our processing is to credit your contributions to the community, to encourage and broker professional connections and to estimate the value of your unpaid services to the GBIF network's operations. The processing is necessary to pursue our interest in encouraging professional activities in the GBIF network (article 6(1)(f) of the GDPR).
To the extent that we refer to our legitimate interest as the legal basis for the processing of personal data specified above we have conducted a balancing test for those interests to ensure that our interest is not overridden by your interests or fundamental rights and freedoms. Please contact us by using the email provided in §9 below if you wish to receive more information on the balancing test.
3. How is your personal data collected
3.1. In most cases we receive the personal data directly from you. We will, however, also in same cases receive your data from third parties as further described below:
3.2. As you interact with our Internet services, we may automatically collect Technical Data about your equipment, browsing actions and patterns.
3.3. For data we publish in the records in our database we have collected such data from our network of data publishers around the world such as governmental agencies, museums, universities and non-governmental organizations.
3.4. For contact information published through our Internet services we will either have collected such data directly from you or from your employer or the organisation or institution you represent.
4. Disclosure of your personal data
4.1. Our primary Internet services are hosted at and by our data processor the University of Copenhagen. We have entered into a GDPR-compliant data protection agreement with the University of Copenhagen to ensure that they only process data in accordance with our instructions and for our purposes.
4.2. While we ourselves do not collect personal data from third-party services that process data on our behalf, our use and integration of such services means that your personal data may also be shared with these third parties such as IT service and hosting providers, consultants and sms service providers. We enter into GDPR-compliant data protection agreements to ensure that such data processors are only allowed to process data in accordance with our instructions and for our purposes, as explained in this notice, with each of the following service providers.
4.3. Where required by law, third-party service providers may also disclose your personal data to public authorities.
5. Transfer of your personal data to third countries
5.1. We rely on several third-party service providers established outside the European Union and make permissible transfer of personal data under the following safeguards.
Third-party service | Location | Safeguard frameworks |
---|---|---|
Box | United States | Standard Contractual Clauses |
Civilized Discourse Construction Kit | United States | Standard Contractual Clauses |
Fluxx | United States | EU Model Clauses |
GitHub | United States | Standard Contractual Clauses |
Google Cloud | United States | Standard Contractual Clauses |
MailChimp | United States | Standard Contractual Clauses |
Microsoft | United States | EU Model Clauses |
ORCID | United States | Standard Contractual Clauses |
Vimeo | United States | Standard Contractual Clauses |
Zapier | United States | Standard Contractual Clauses |
ZenHub | Canada | Standard Contractual Clauses |
Zoom Video Communications | United States | Standard Contractual Clauses |
For further information, including obtaining a copy of the documents used to protect your information, please contact us at info@gbif.org.
6. Your rights
6.1. Under certain circumstances, you have one or more of the following rights:
6.1.1. You have the right to request access to your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
6.1.2. You have the right to request correction of your personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
6.1.3. You may have the right to request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. To the extent that continued processing of your personal data necessary, for example in order for us to comply with our legal obligations or for legal requirements to be established, enforced or defended, we are not required to delete your personal data.
6.1.4. You have the right to object to our processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
6.1.5. You may have the right to request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
6.1.6. You may have the right to request the transfer of your personal data to another party (also known as data portability).
6.1.7. In cases where we process your data based on your consent, you are entitled to withdraw it at any time. If you wish to withdraw your consent, please contact us by using the contact information in section 9.
6.1.8. If you have unresolved concerns, you also have the right to complain to the Danish Data Protection Agency or to the data protection authorities in the country where you live or work, or where you consider a breach of data protection law has occurred. The contact information for the Danish Data Protection Agency are Borgergade 28, 5, 1300 København K, email address dt@datatilsynet.dk or telephone number +45 33 19 32 00.
7. Data retention
7.1. Your personal data is kept for as long as it is necessary to meet the purposes described in this Privacy Notice.
7.2. When you use our Internet services the collected information is deleted after thirty (30) days.
7.3. If you register for a user profile through our Internet services, we will delete it only upon request. We generally do not delete user profiles, discussion content in the Community Forum or information associated with data downloads that are assigned persistent identifiers, in order to preserve information relevant to research and policy purposes in ours and the public’s interest (article 6(1)(f) of the GDPR).
7.4. When you withdraw your marketing consent for a newsletter that you subscribed to, we will automatically delete the collected information within thirty (30) days. Please note that we will store information documenting your withdrawal of consent for a period of two years after such withdrawal.
7.5. When you inquire about or apply for a staff position for which we are recruiting, we will retain personal data for twelve (12) months (view full details on data handling and processing).
7.6. When you have questions or otherwise communicate with us, the collected information will be deleted after five years.
7.7. When we publish data in our database, please be advised that we generally do not delete such data except upon request of the data publisher.
7.8. When we publish your contact information through our Internet services, we may preserve this information even if you no longer represent the relevant institution or organization in our network, to maintain the institutional service history or data provenance for research purposes in our and the public's interests (article 6(1)(f) of the GDPR).
7.9. As an exception, we will not delete your personal data where we still have a legitimate interest to use your personal data.
8. Data security
8.1. We have put in place appropriate security measures to prevent your personal data from being lost, used or accessed in an unauthorized way, altered or disclosed.
8.2. In addition, we have limited access to your personal data to employees and contractors who have a relevant and reasonably required need to access your personal information to perform their work have access to them and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
9. Contact information
9.1. GBIF is data controller for the personal data, which are collected about you.
9.2. If you have any questions regarding this Privacy Notice or request to exercise your rights please use the contact information set out below.
Global Biodiversity Information Facility
Universitetsparken 15
DK-2100 Copenhagen Ø
CVR no. 29087156Phone number: +45 35 32 14 70
Email address: info@gbif.org
10. Changes to this privacy notices
10.1. GBIF have the right to update and change this Privacy Notice from time to time. Any changes to this Privacy Notice will be made available at https://www.gbif.org.