Coscine (Collaborative Scientific Integration Environment) is a web-based platform for the management and storage of research data and metadata generated in the context of research projects. The service is provided by RWTH Aachen University and is designed to support researchers in maintaining good scientific practice.
The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:
Rector of RWTH Aachen University
Templergraben 55
52062 Aachen (office address)
52056 Aachen (postal address)
Telephone: +49 241 80 1
Fax: +49 241 80 92312
E-Mail: rektorat@rwth-aachen.de
Website: www.rwth-aachen.de/rektorat
Contact details for the person responsible for technical operation:
Director of the IT Center
IT Center of RWTH Aachen
Seffenter Weg 23
52074 Aachen
Telephone: +49 241 80 24680
E-Mail: servicedesk@itc.rwth-aachen.de
Website: www.itc.rwth-aachen.de
Contact details for the officially appointed data protection officers:
Data protection officers of RWTH Aachen University
Templergraben 83
52062 Aachen (office address)
52056 Aachen (postal address)
Germany
Phone: +49 241 80 94114
E-Mail: dsb@rwth-aachen.de
Website: www.rwth-aachen.de/datenschutz
State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia
Kavalleriestraße 2-4
40213 Düsseldorf
Phone: +49 211 38424-0
E-Mail: poststelle@ldi.nrw.de
Website: www.ldi.nrw.de/
First, general information on data processing is presented. The section on the provision of the web application and the creation of log files refers to data that is already collected and processed when the Coscine website is accessed without logging in. The data collected and processed when using the research platform Coscine after logging in are described next. The section on the use of cookies and local storage again concerns both logged-in and non-logged-in users. Finally, the rights of the data subject are listed and Appendix A contains a list of applications that can be linked to Coscine, including a description of the data transfer necessary for this.
RWTH Aachen processes personal data of the site’s users only to the extent necessary to provide a functional service, its content and services, or for the purpose of the application. The processing of personal data of users takes place in order to fulfill the tasks of RWTH or with the consent of the users.
Every time the Coscine website is accessed, data and information about the accessing computer system is automatically collected. The following data is collected:
The data is stored in the log files of the university’s system and deleted after seven days. This data is not stored together with other personal data of the user.
The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. e), para. 3 GDPR in conjunction with § 3 para. 1 DSG NRW.
The data is used to optimize the website and to ensure the security of the information technology systems. An evaluation of the data for marketing purposes does not take place in this context.
The data will be deleted as soon as they are no longer required for the purpose for which they were collected. Normally, this is the case after seven days at the latest. Further storage is possible. In this case, the IP addresses of the users are deleted or obfuscated so that they can no longer be attributed to the calling client.
The collection of data for the provision of the website and the storage of data in log files is essential for the operation of the website. Consequently, there is no right of objection on the part of the user.
The Coscine platform is a web-based integration platform for research-related data from various sources and is part of the research data infrastructure of RWTH Aachen University. It is provided as open source software. It can be used both via a web browser using the graphical user interface and via APIs (Application Programming Interfaces).
In accordance with § 3 para. 1 HG NRW, it is offered as a service with the aim of supporting researchers in ensuring good scientific practice. Through the time- and location-independent availability of the platform and the content stored on it, it also promotes regional, European and international cooperation, particularly in the higher education sector, and the exchange between German and foreign universities in accordance with § 3 para. 6 HG NRW.
When Coscine is used, personal data about the users is stored. According to the European General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) and the Data Protection Act of North Rhine-Westphalia (Datenschutzgesetz NRW, DSG NRW), we are obliged to explain what types of personal data are processed for what purpose, on what legal basis this is done, who has access to the data and what rights the users have with regard to the processing of the data.
The following categories of personal user data are processed in Coscine.
Authentication is necessary to control access to Coscine. This is done when logging on to the system via various single sign-on authentication services. In Coscine, a distinction is made between two access paths:
Coscine takes the information transmitted by the authentication service. Accounts with different authentication providers can be merged by users under a Coscine user ID.
To connect to external services, Coscine stores the user ID of these services. These are described in Appendix A.
The following data is stored in the Coscine user profile: first name, last name, email address, organizational and suborganizational affiliation (if applicable), and the IDs of the authentication services chosen by the user. In addition, each person with a Coscine user account receives a Coscine user ID.
The user profile includes not only the login data but also information that users can optionally add to their profiles.
The information provided by users in their user profile is used to display the information in Coscine for other users, as well as to contact them via email. If a user enters an email address, it is verified via a confirmation email. If users choose their organization, organizational unit, discipline or title freely, these are not validated. The control over this freely selectable information lies with the users.
Usage data is created by users’ activity in the system. For each action within Coscine, the system automatically logs the following data:
Research data comes in many forms and can consist of (interim) results of research activities, measurement data, surveys, source research, but also code, text and multimedia data. The defining characteristic of this data is that it was collected, generated or otherwise obtained in the context of and for the purpose of scientific activity.
The associated metadata contain structured information about research data. They are linked to the research data described.
Metadata fields for describing projects and resources are predefined by the system. Metadata for describing data within resources can be extensive and depend on the metadata profile selected by the users. Depending on the data format, metadata can also be extracted automatically from the research data. For example, additional information stored in image data (EXIF data) can be saved as metadata in Coscine.
Coscine stores research data in the directly connected Research Data Storage (RDS) or DataStorage.nrw. If necessary, multiple versions are stored. In addition, Coscine links to and integrates other third-party data storage systems and stores the necessary references (e.g. URLs, PIDs, file names). Coscine also stores metadata for research data stored in third-party systems.
The responsibility for personal research data and associated metadata remains with the users who submit them to Coscine. The provider of Coscine does not independently process the research data and associated metadata beyond the measures mentioned for storage and operational security. Coscine accesses research data and associated metadata exclusively on behalf of the users. Optional functions for the automated extraction of metadata from stored files must be explicitly activated by users and can be deactivated at any time. Control over all actions - writing, reading and deleting - lies entirely with the users.
Provenance data refers to the traceability of changes to research data. To ensure good scientific practice, changes to research data and associated metadata must be documented during the research process.
When users create, modify, download, or delete data, an association is created between the user and the processed data.
The following data is stored for these user actions:
The processing of the data is necessary to support users in maintaining good scientific practice in accordance with the Coscine rules of use. The processing of the data is based on Art. 6 para. 1 lit. a) and b) GDPR.
The processing of personal data in Coscine is carried out in accordance with Art. 5 para. 1 lit. b) and c) GDPR for a specific purpose and under the condition of data minimization.
Login data, user profile data, research data and associated metadata, usage data and provenance data are processed to support good scientific practice, along with the necessary research data management. The usage data is also used for the purpose of administering, developing and maintaining the system, for technical controlling, for troubleshooting in the event of technical problems or for clarifying security incidents.
The data can also be processed without consent for archiving purposes in the public interest, scientific or historical research purposes and statistical purposes based on Art. 6 para. 1 lit. e), para. 3 GDPR in conjunction with Art. 89 GDPR in conjunction with § 17 para. 1 DSG NRW, if the processing is necessary for these purposes and the interests of the data subject do not outweigh them. RWTH Aachen provides appropriate and specific measures to safeguard the interests of the data subject in accordance with § 17 para. 2 DSG NRW. The data will be anonymized in accordance with § 17 para. 3 DSG NRW as soon as this is possible according to the research or statistical purpose. The data will be deleted as soon as the research or statistical purpose allows it.
Access to personal data depends on the respective role in the system.
In the context of a project, user profile data of all project members (persons with the roles guest, member and owner) are visible to all other project members.
To add members to projects, project owners can search for first and last names as well as email addresses of existing platform users in the user administration. The search requires at least three letters to match before search results are displayed and returns a maximum of 10 results.
Details can be found in the rights and roles concept, which can be viewed on our documentation pages ("Project-related - Documentation | Coscine").
In order to support good scientific practice, only users themselves have the option of viewing and downloading the provenance data concerning them in full.
Art. 5 para. 1 lit. e) GDPR requires that a storage period be specified for the processed personal data, linked to the fulfillment of the respective purpose, after which the data must be deleted.
The data required for authentication is deleted when you log out, at the end of the Coscine session, after 24 hours of inactivity or when you close the browser session.
User profile data is stored in Coscine until it is deleted. The prerequisite for deletion is that users are not members of a project. The system deletes profile data if users are not members of a project and the last login was one year ago.
Usage data is deleted after 14 days.
Research data in the Research Data Storage (RDS) storage system or DataStorage.nrw and associated metadata stored in Coscine, as well as references to research data, may be retained for 10 years after the end of the project to which they are assigned. Users have the option of deleting data earlier on their own initiative.
A completely anonymized and minimal metadata record, a so-called tombstone, remains of deleted projects and resources. This includes:
Provenance data of users are anonymized when the user profile is deleted and deleted when the associated project is deleted.
Personal data will not be passed on to third parties or used for purposes other than those stated here, subject to legal provisions.
Data transfer for the purpose of connecting to third-party systems is explicitly only initiated and authorized directly by the users. Third-party applications connected via the Coscine API can only receive the data that is also available via the web interface. Before being put into operation, these applications must be separately considered in terms of data protection.
Coscine does not transfer data to third countries. However, users have the option of linking external systems (e.g. cloud storage) to Coscine in order to use functions of these systems in the context of Coscine. It cannot be ruled out that such applications are operated in third countries. In this case, users must explicitly authorize the transfer of data to the external system. Depending on the external system, only the necessary data is transferred (e.g. login or authorization data). Which data is transferred differs depending on the application. A list of applications and the data transferred can be found in Appendix A.
In accordance with Art. 32 of the GDPR, various measures are taken to ensure the integrity and confidentiality of personal data in Coscine. Access to personal data within the application is controlled by user ID and password, as well as a second factor if necessary. Access to the server is restricted to specific workstations by both user control and firewall rules. Communication between the application and the servers is encrypted and transmitted via a secure connection (HTTPS) to prevent unauthorized data processing. All measures are described in detail in a separate document. They are taken in accordance with Art. 32 GDPR.
Coscine uses cookies and local storage. These are data that are stored by the internet browser on the user’s computer system. Cookies and local storage contain characteristic strings (tokens) that enable the browser to be clearly identified when the website is accessed again. Cookies are sent from the internet browser to the Coscine server each time the page is accessed. Information in local storage is only processed locally by the user’s internet browser when needed.
The following information is stored and transmitted:
Cookies identify logged-in users via an anonymous ID and store the login for the current session in Coscine. This must be allowed so that the login and access authorizations can be passed from the authentication service to Coscine and retained within Coscine during the session. The cookie is automatically deleted as soon as the user logs off from the system or closes the web browser.
The following cookies are set.
LocalStorage stores user preferences in the internet browser. Third parties cannot access data in LocalStorage. This data is not passed on to third parties. Settings that users have made in the Coscine web interface and information about access authorizations in the current session are stored in LocalStorage. The personal tokens in the local storage are deleted from the user’s computer system as soon as the user logs off from the system.
The following tokens are used.
The legal basis for the processing of personal data using cookies is Art. 6 para. 1 lit. e), para. 3 GDPR in conjunction with § 3 para. 1 HG NRW.
Cookies and LocalStorage are stored on the user’s computer and transmitted from there to the site. Therefore, users have full control over the use of cookies and LocalStorage. By changing the settings in the internet browser, users can deactivate or restrict the transmission of cookies. Data that has already been stored can be deleted at any time. This can also be done automatically. If cookies and LocalStorage are deactivated in Coscine, it is possible that not all system functions can be used to their full extent.
If personal data of users is processed, these users are data subjects within the meaning of the GDPR and they have the following rights vis-à-vis the controller:
a) If personal data is processed, the data subjects have the right to obtain information about the data stored about them (Art. 15 GDPR).
b) If incorrect personal data is processed, the data subjects have the right to request its correction (Art. 16 GDPR).
c) If the legal requirements are met, the data subjects may request the deletion or restriction of the processing and object to the processing (Art. 17, 18, 21 GDPR).
d) If the data subjects have consented to the data processing or a contract for data processing exists and the data processing is carried out using automated procedures, the data subjects may have a right to data portability (Art. 20 GDPR).
e) If the legal basis is consent, this can be withdrawn at any time with effect for the future. The lawfulness of the data processing carried out on the basis of the consent until the withdrawal remains unaffected.
Should the data subjects make use of the aforementioned rights, the controller will check whether the legal requirements for this have been met. Furthermore, there is a right of appeal to the data protection supervisory authority https://www.ldi.nrw.de/.
List of applications that can be linked to Coscine and a description of the data transfer to the application that is necessary for this.
Organization’s headquarters: Germany. Unique login data for Sciebo.
Organization’s headquarters: European Union. Unique login data for EUDAT.
Organization’s headquarters: USA. Unique login data for Gitlab.
Organization’s headquarters: USA
Organization’s headquarters: USA. Unique login data for Amazon S3.