Privacy and Data Protection Policy
Last Updated: September 29, 2020
Davidson Institute of Science Education at the Weizmann Institute of Science (“Davidson”, “we” and its cognates) is the educational arm of the Weizmann Institute of Science, a scientific research institution and an accredited institute of higher education, and engages in educational and research activities (“Weizmann”), and reference to Davidson in this policy may include Weizmann. Davidson respects the privacy of its website users and visitors (together “Data Subjects”, or “Users”), and is committed to protecting the personal information of its Users in accordance with the Israeli Protection of Privacy Law and Regulations of the EU’s General Data Protection Regulation (“GDPR”) (“Data Protection Law”) where it applies.
Davidson interacts with Users, including both online or remotely, through its websites and services (the “Activities”).
Davidson is transparent about its practices regarding the information it may collect and use when Users take part in the Activities, or otherwise engage with it, and describes Davidson’s practices in this policy.
This policy (the “Data Protection Policy”) explains the types of information Davidson may collect from Users or that Users may provide in connection with the Activities, either directly or from third parties, and Davidson’s practices for collecting, using, maintaining and processing information through its various websites and applications. This Data Protection Policy also serves as notification to our Data Subjects of their rights under relevant Data Protection Law.
For the purposes of European Economic Area data protection law, Davidson will usually be a data controller (the “Controller”).
1. WHICH INFORMATION DOES DAVIDSON COLLECT?
Categories of information and data Davidson collects from Users.
Data Davidson collects about Users through their participation in the Activities
One type of data is non-identifiable and anonymous information (“Non-personal Data”). Davidson also collects several categories of Personal Data. This may include name (first and last), ID number, email address, phone numbers, picture, postal address, birth-date, gender, position and organization name, bank account and other such payment details, billing address, username and password and usage details, and other information Users may choose to provide to us (“Personal Data”). Personal data also includes data provided in the context of online learning, such as: student credentials, grades, communications via learning management system with instructors, system usage, online and device identifiers, associated geographical data of devices used to access the services and so on.
A User does not have any legal obligation to provide any information. However, Davidson requires certain information in order to enable the Activities. If a User chooses not to provide Davidson with certain information Davidson may not be able to provide the User with access to some or all of the Activities.
Davidson is not responsible for any use of Users’ information or content by a third-party platform, which Users use at their own risk.
2. HOW DAVIDSON COLLECTS PERSONAL DATA ON USERS
Davidson collects Personal Data, both directly and indirectly in various ways. Davidson collects Personal Data through Users’ use of our websites and applications. This may include technical information and behavioral information such as the User’s Internet protocol (IP) address used to connect a computer to the Internet, uniform resource locators (URL), operating system, type of browser, browser plug-in types and versions, screen resolution, Flash version, time zone setting, the User’s ‘click-stream’ on the website, the period of time the User visited the website, methods used to browse away from a page, and any phone number used to call our service numbers. Davidson likewise may place cookies on browsing devices (see 'Cookies' section below).
Additionally, Data is provided to Davidson directly by Users; the most common examples are if the User registered or has attended our Activities, purchased services, or signed up to our mailing lists.
3. WHAT ARE THE PURPOSES OF PERSONAL DATA DAVIDSON COLLECTS?
We will use Personal Data to enable and improve the Activities and meet our contractual and legal obligations, including for example processing which is necessary for the performance of a contract to which the User is a party or in order to take steps at the User’s request prior to entering into a contract (GDPR Article 6(1)(b)), such as:
● carrying out obligations arising from any contracts entered into between Davidson and the User or anyone on their behalf;
● providing you with the information that you request from Davidson;
● verifying and carrying out financial transactions in relation to payments;
● sharing relevant information with vendors and partners;
Processing which is necessary for compliance with a legal obligation to which Davidson is subject (GDPR Article 6(1)(c)), such as:
● providing information to any official or authorized entity, in cases where we are under a legal obligation to do so;
● compliance and audit purposes, such as meeting reporting obligations, and for crime prevention and prosecution and assertion of our rights and those of Users, staff and students and others;
Processing is necessary for the purposes of the legitimate interests pursued by Davidson or by a third party (GDPR Article 6(1)(f)) of most effectively marketing and providing Activities in a secure and safe environment, such as:
● administering a User account, including to identify and authenticate access to Activities, as well as for security purposes;
● notifying Users about changes to the Activities;
● contacting Users for the purpose of providing technical assistance and other related information about the Activities;
● replying to queries, troubleshooting problems, detecting and protecting against error, fraud or other criminal activity, and soliciting feedback in connection with the Activities; contacting Users to give information about events or promotions or additional Activities offered by Davidson, including in other locations;
● tracking use of our facilities and Activities to enable us to optimize and improve the Activities;
● soliciting feedback in connection with your use of the Activities;
● marketing our services and Activities;
● security and operations of our facilities.
Processing may also be undertaken with the consent of a User or other individual about their own Personal Data (GDPR Article 6(1)(a)).
4. SHARING DATA WITH THIRD PARTIES
Davidson may transfer Personal Data to:
Members of Weizmann Group: This includes any member of Weizmann group, such as its subsidiaries - whether wholly or partially owned by Weizmann and other related entities, wherever incorporated or situated, Weizmann affiliates and other related entities - both for profit and non-profits, as well as Weizmann’s joint-venture partners who support Weizmann in processing of Personal Data under this policy.
Third Parties. Davidson may transfer Personal Data to third parties in a variety of circumstances, and endeavors to ensure that these third parties process Personal Data only to the extent necessary to perform their functions, and to have a contract in place with them to govern their processing on our behalf. These third parties may include business partners, suppliers, affiliates and other related entities, agents and/or sub-contractors for the performance of any contract Davidson enters into with Users. They may assist us in providing the Activities, processing transactions, fulfilling requests for information, receiving and sending communications, analyzing data, providing IT and other support services or in other tasks, from time to time. These third parties also include analytics and search engine providers that assist Davidson in the improvement and optimization of its website and marketing.
Likewise, Davidson may transfer Personal Data to third parties if it is under a duty to disclose or share Users’ Personal Data in order to comply with any legal or audit or compliance obligation, in the course of any legal or regulatory proceeding or investigation, or in order to enforce or apply Davidson’s agreements; or to protect the rights, property, or safety of Users, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction and to prevent cybercrime.
For avoidance of doubt, Davidson may transfer and disclose Non-Personal Data to third parties at its own discretion.
5. WHERE DO WE STORE YOUR DATA?
Your Personal Data is stored in computers, local servers, and Weizmann’s data-centers, or in cloud-based computing services, such as Amazon Web Services, as well as on paper and other hard media stored at Davidson.
6. INTERNATIONAL DATA TRANSFERS
We may transfer your Personal Data outside of the EEA and Israel, in order to:
- Store or backup the information;
- Enable Davidson to provide Users with the Activities and fulfil its contracts;
- Fulfill any legal, audit or compliance obligations which require Weizmann to make that transfer;
- Facilitate the operation of Davidson’s Activities, where it is in its legitimate interests and we have concluded these are not overridden by Users’ rights;
- To serve Davidson’s Users; and
- To operate Davidson and Weizmann’s affiliates and other related entities, in an efficient and optimal manner.
7. DATA RETENTION
Davidson will retain Personal Data to perform the Activities, to comply with its legal obligations, to resolve disputes and to enforce agreements, to meet any audit, compliance, research and other legitimate best-practices. If it is determined that access to such data is no longer expected to be needed, it may be encrypted and archived, deleted or anonymized.
Unstructured data, such as emails, may be retained indefinitely.
Where interactions with Davidson include any unacceptable behavior, by phone, online or in person, which puts our staff or other people at risk or otherwise requires special attention, we will store a record of those interactions and share that information with relevant staff to avoid that risk in future, and as necessary may share it with authorities or other parties. This is in pursuit of our obligations to ensure safety in connection with our Activities. Users may have a right to object to the collection and storage of this data, and Weizmann may refuse such request.
Where data is deemed to be of potentially historical interest, it may be retained indefinitely in an archive and processed as such.
8. WEBSITE DATA COLLECTION AND COOKIES
Different cookies are kept for different periods. Session cookies are used to keep track of Users’ activities online in a given browsing session; these cookies generally expire when the browser is closed but may be retained for a period on the User’s device. Permanent cookies remain in operation even when the User has closed the browser; they are used to remember the User’s login details and password. Third-party cookies are installed by third parties with the aim of collecting certain information to research behavior and demographics. Third-party cookies on Davidson’s site include, for example, Google Analytics. Third-party cookies will be retained according to the terms of those third parties, and Users can control those cookies in their browser settings.
Most browsers will allow Users to erase cookies from their computer’s hard drive, block acceptance of cookies, or receive a warning before a cookie is stored. However, if a User blocks or erases cookies their online experience on Davidson’s website or other Activities will be limited.
How to disable cookies: The effect of disabling cookies depends on which cookies a User disables but, in general, the website and some Activities delivered through it may not operate properly, may not recognize the device, may not remember the User’s preferences and so on, if cookies are disabled or removed. However, allowing or disabling cookies is the User’s choice and in their control. If a User wants to disable cookies on Davidson’s site, he/she needs to change the browser settings to reject cookies. How this can be done will depend on the browser used, and details are available on the support site of all major browsers.
In addition, Davidson has implemented a cookie management tool on its websites, which enables the User to determine which cookies may and may not be placed on their devices, and it is for Users to control which cookies they agree to, and which they reject, through their browsers or through the cookie management tool.
Davidson’s websites and its researchers’ websites may, from time to time, contain links to external sites and services. Davidson is not responsible for the operation, data management, privacy policies, content nor for any aspect of such sites and services.
9. SECURITY AND STORAGE OF INFORMATION
Davidson takes great care and expends very substantial resources in maintaining the security of the Personal Data it processes. Likewise, Davidson takes steps to ensure its networks, websites and applications are safe. Note however, that no data security measures are perfect or impenetrable, and Davidson cannot guarantee that unauthorized access, leaks, viruses and other data security breaches will never occur.
Davidson takes steps to limit access to Personal Data, and to maintain its integrity and availability and takes steps to ensure that its staff who have access to Personal Data are under a duty of confidentiality.
Davidson shall act in accordance with its policies to promptly notify the relevant authorities and data subjects in the event that any Personal Data processed by Davidson is breached, all in accordance with applicable law and on the instructions of qualified authority. Davidson shall promptly take reasonable remedial measures.
10. DATA SUBJECT RIGHTS
Applicable Data Protection Law may grant data subjects certain rights, including, depending on the circumstances and the relevant legislation: rights to data portability, rights to access data, rectify data, object to processing, withdrawal of consent and erase data. It is clarified for the removal of doubt, that where Personal Data is provided through a third party, such data subject rights will have to be effected through that third party. In addition, data subject rights cannot be exercised in a manner inconsistent with the rights of Davidson employees and staff, with Davidson proprietary and other rights, and third party rights. As such, reviews, internal notes and assessments, documents and notes including proprietary information or forms of intellectual property, and experimental data, cannot be accessed, erased, or rectified. In addition, these rights may not be exercisable where they relate to data that is not in a structured form, for example emails, or where other exemptions apply.
If, for any reason, a data subject wishes to modify, delete or retrieve their Personal Data, they should contact Weizmann’s Data Protection Officer and team (DPO[at]weizmann.ac.il). Note that Davidson will have to undertake a process to identify a data subject exercising their rights. Davidson may keep details of such rights exercised for its own compliance and audit requirements.
Davidson aims to process data limited to the needs and purposes for which it is gathered. Davidson only collects data in connection with a specific legitimate purpose and only processes data in accordance with this Data Protection Policy.
12. CHANGES TO THIS DATA PROTECTION POLICY
The terms of this Data Protection Policy will govern the use of the Activities, websites and application, and any information collected in connection with them. We may amend or update this Data Protection Policy from time to time. The most current version of this Data Protection Policy will be available at: [https://davidson.weizmann.ac.il/de/privacy-policy]. Any changes to this Data Protection Policy are effective as of the stated “Last Revised” date and continued access to the Activities will constitute active acceptance of, and agreement to have Davidson act in accordance with, the changes to the Data Protection Policy.
If you have any questions or comments concerning this Data Protection Policy, you are welcome to send an email to our Data Protection Officer, at DPO[@]weizmann.ac.il.