Weizmann Institute of Science Privacy and Data Protection Policy
Last Updated: July 23, 2019
Weizmann Institute of Science ("Weizmann", or the "Institute") respects the privacy of its students, staff, candidates, partners, suppliers, users, visitors, research subjects and volunteers, website users and visitors, application users, applicants for jobs, studentships and research positions, and others (together “Data Subjects”, or “Users”), and is committed to protecting the personal information of its Users in accordance with any applicable law, including the Israeli Protection of Privacy Law and Regulations, and the EU’s General Data Protection Regulation (“GDPR”) (together "Data Protection Law") where they apply.
Weizmann is a scientific research institution and an accredited Institute of higher education, and engages in educational and research activities. Weizmann interacts with Users, including both in person, online, on campus or remotely, through service providers or directly (the "Activities").
Weizmann is transparent about its practices regarding the information it may collect and use when Users take part in the Activities, apply for a position, are employed by Weizmann, visit the Weizmann campus, or its websites, use Weizmann’s mobile applications, or otherwise engage with it, and describe Weizmann’s practices in this policy.
This policy (the "Data Protection Policy") explains the types of information Weizmann may collect from Users or that Users may provide in connection with the Activities, either directly or from third parties, and Weizmann’s practices for collecting, using, maintaining and processing information, including through its various websites and applications. This Data Protection Policy also serves as notification to our Data Subjects of their rights under relevant Data Protection Law.
Users who wish to take part in the Activities may be asked to provide Weizmann, either directly or through third parties, such as their employer, their university, school, testing and evaluation services, with certain information including Personal Data as defined in section 1 hereunder and as further detailed in this Data Protection Policy.
Please read the following carefully to understand Weizmann’s practices regarding Personal Data and how Weizmann treats it.
For the purposes of European Economic Area data protection law, if applicable, Weizmann will usually be a data controller (the "Controller"); in some cases, Weizmann affiliated institutions may receive support, including computing services, and in such cases, Weizmann may be a data processor.
Categories of information and data Weizmann may collect from Users.
Data Weizmann collects about Users through their participation in the Activities
One type of data is non-identifiable and anonymous information ("Non-personal Data"). Weizmann also collects several categories of Personal Data, including sensitive Personal Data (as detailed and defined in the Data Protection Law) ("Personal Data"). Personal Data, which is being gathered, may include:
- any details which are personally identifiable provided consciously or unconsciously, voluntarily or inadvertently by Users through their participation in the Activities. This may include name (first and last), ID number, email address, phone numbers, picture, postal address, birth-date, gender, position and organization name, bank account and other such payment details, billing address, Weizmann application account username and password and usage details, and other information Users may choose to provide to Weizmann
- data provided in the context of scientific research, such as: biomedical data including images, biological specimens, biomedical histories etc.
- data provided in the context of online learning, such as: student credentials, grades, communications via learning management system with instructors, online and device identifiers and so on.
- Some oriented learning programs managed by, or in collaboration with, Weizmann include programs and scholarships for students from particular socio-economic or geographical background, and may include data pertaining to these characteristics (for example, a given country, welfare support and so on).
Additionally, Weizmann in some instances obtains location data related to the geographic location of a laptop, mobile device or other digital device on which the Weizmann website or application is used.
Weizmann, through its campus security service and through automated means, records images of persons and vehicles, vehicle registration details, and other Personal Data of visitors on Weizmann campus. Weizmann uses this information to facilitate its legitimate interest to ensure the safety and security of Weizmann’s Users and premises.
A User does not have any legal obligation to provide any information to Weizmann however, Weizmann requires certain information in order to enable the Activities. If a User chooses not to provide Weizmann with certain information Weizmann may not be able to provide the User with access to some or all of the Activities.
Weizmann also collects Personal Data through the use of CCTV cameras and site access cards which automatically collect information about those present in the Weizmann facilities. This consists of video images in the public spaces on campus, as well as records of entrances and exits of the Weizmann buildings and floors. Weizmann may not be aware of the nature of the information collected through the Activities (for example, through CCTV), and such information may include sensitive Personal Data, but Weizmann does not knowingly collect such sensitive data.
Weizmann also collects data relating to employees, such data being governed also by a separate notice.
Weizmann also collects data relating to employment applicants and student candidates. This includes CVs and the data contained therein, notes on meetings, technology-based and interviewer-based evaluations and testing, reports, references, interviewer impressions, as well as data made publicly available or available on social networks. Weizmann collects such data based on the intention of the candidate to enter into an engagement with Weizmann.
Social Media: Weizmann’s website may allow Users to connect and share information with various social media platforms, such as Facebook, Google+, YouTube, LinkedIn, Instagram and Twitter. Doing so is at the discretion and responsibility of the Users. These features may require Weizmann to implement cookies, plugins, and/or APIs provided by such social media platforms to facilitate communications and features. Weizmann may share information that Users provide or that Weizmann may collect about Users of the website with these platforms, and such information becomes subject to their privacy and data policies. Weizmann encourages Users to visit the privacy policies of these platforms for further information.
In addition, by choosing to use any third-party social media platform or choosing to share content or communication with any social media platform, Users allow Weizmann to share information with the designated social media platform. Weizmann cannot control any policies or terms of such third-party platform. As a result, Weizmann cannot be responsible for any use of Users’ information or content by a third-party platform, which Users use at their own risk.
Weizmann collects Personal Data, both directly and indirectly in various ways. Data is provided to Weizmann directly by Users; the most common examples are:
- The User is a candidate or a student on one of Weizmann’s programs
- The User is a prospective employee, volunteer or otherwise serves Weizmann
- The User provided Personal Data when participating in one of Weizmann’s academic research projects
- The User registered or has attended one of the Activities
- The User signed up to one of Weizmann’s mailing lists
- The User has accessed Weizmann’s website or application
- The User has bought goods and services from Weizmann or provided them to it
Weizmann also receives Personal Data indirectly. Examples of this may include:
- Personal Data is held in collections and archives
- The User is a focus of academic research, including where a third party institution, such as a hospital or university, provides the User’s data to Weizmann.
- The User is a donor or an alumna/us of Weizmann
- Contact details of a Data Subject have been provided by a User as an emergency contact or a referee, or otherwise
- A complainant included Personal Data in their complaint correspondence
Weizmann - either independently or through the help of third-party services as detailed below - also collects Personal Data through Users’ use of Weizmann websites and applications. This may include technical information and behavioral information such as the User’s Internet protocol (IP) address used to connect a computer to the Internet, uniform resource locators (URL), operating system, type of browser, browser plug-in types and versions, screen resolution, Flash version, time zone setting, the User’s ‘click-stream’ on the website, the period of time the User visited the website, methods used to browse away from a page, and any phone number used to call Weizmann’s service numbers. Weizmann likewise may place cookies on browsing devices (see 'Cookies' section below).
Weizmann will use Personal Data to enable and improve the Activities and meet its contractual, ethical and legal obligations, including for example:
- carrying out obligations arising from any contracts entered into between Weizmann and the User or anyone on their behalf;
- administering a User account with Weizmann including to identify and authenticate access to the parts of the campus and to Activities, as well as for security purposes;
- verifying and carrying out financial transactions in relation to payments;
- notifying Users about changes to the Activities;
- contacting Users for the purpose of providing technical assistance and other related information about the Activities;
- replying to queries, troubleshooting problems, detecting and protecting against error, fraud or other criminal activity, and soliciting feedback in connection with the Activities;
- contacting to give information about events or promotions or additional Activities offered by Weizmann, including in other locations;
- tracking use of Weizmann facilities and Activities to enable Weizmann to optimize and improve the Activities;
- compliance and audit purposes, such as meeting reporting obligations, and for crime prevention and prosecution and assertion of Weizmann’s rights and those of Users and others;
Weizmann processes Personal Data based generally on one or more of the following legal bases:
- based on Weizmann’s legitimate interests, where the rights and freedoms of the Data Subjects do not override Weizmann’s interests, including Weizmann’s legitimate interest in: marketing its Activities, effectively and efficiently finding and recruiting suitable candidates and students, promoting Weizmann research and participation of trial subjects; security and operations of the Weizmann campus and facilities;
- to fulfill Weizmann’s contractual obligations, including with staff, vendors, providers, partners, affiliates and so on;
- for scientific research purposes;
- with consent.
Weizmann transfers Personal Data to:
Members of Weizmann Group: This includes any member of Weizmann group, such as its subsidiaries - whether wholly or partially owned by Weizmann and other related entities, wherever incorporated or situated, Weizmann affiliates and other related entities - both for profit and non-profits, as well as Weizmann’s joint-venture partners who support Weizmann in processing of Personal Data under this policy.
Third Parties. Weizmann transfers Personal Data to third parties – including subsidiaries and related entities – in a variety of circumstances. Weizmann endeavors to ensure that these third parties process Personal Data only to the extent necessary to perform their functions, and to have a contract in place with them to govern their processing on Weizmann’s behalf. These third parties may include academic collaborators, grantors and other supporters, research partners, associations for friends of Weizmann, business partners, suppliers, affiliates and other related entities, agents and/or sub-contractors for the performance of any contract Weizmann enters into with Users. They may assist us in providing the Activities, processing transactions, fulfilling requests for information, receiving and sending communications, analyzing data, providing IT and other support services or in other tasks, from time to time. These third parties may also include analytics and search engine providers that assist Weizmann in the improvement and optimization of its website, application, and marketing.
Some parties collaborating with Weizmann may require for their data security and management to know the identity of anyone who accesses the areas in which they and Weizmann collaborate, for example, the identity of vendors (such as delivery services, catering, IT support, contractors, cleaning etc), researchers, students, and staff who are on site.
Weizmann periodically adds and removes third party providers. At present, its third party providers to whom Weizmann may transfer personal data include also: learning management services; education management and delivery platforms; enterprise resource planning software and associated services; campus security and administration providers; job candidate data processors; employee pension right processing; conference call and meeting service providers; website analytics services; marketing and newsletter services; standard business service providers, such as lawyers, accountants etc.
In addition, Weizmann may disclose Users’ Personal Data to third parties in connection with sale of assets, technology licensing, and commercial partnerships, as well as any form of corporate transaction. Likewise, Weizmann may transfer Personal Data to third parties if it is under a duty to disclose or share Users’ Personal Data in order to comply with any legal or audit or compliance obligation, in the course of any legal or regulatory proceeding or investigation, or in order to enforce or apply Weizmann’s agreements; or to protect the rights, property, or safety of Users, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction and to prevent cybercrime.
For avoidance of doubt, Weizmann may transfer and disclose Non-Personal Data to third parties at its own discretion.
Weizmann and / or its researches may keep Personal Data in computers, local servers, and Weizmann’s data-centers, or in cloud based computing services, such as OneDrive, Google Drive, Box, Dropbox etc.
Weizmann may transfer your Personal Data outside of the EEA and Israel, in order to:
- Store or backup the information;
- Enable Weizmann to provide Users with the Activities and fulfil its contracts;
- Fulfill any legal, audit or compliance obligations which require Weizmann to make that transfer;
- Facilitate the operation of Weizmann’s Activities, where it is in its legitimate interests and Weizmann has concluded these are not overridden by Users’ rights;
- To serve Weizmann Users; and
- To operate Weizmann’s subsidiaries, affiliates and other related entities, in an efficient and optimal manner.
Weizmann will retain Personal Data to perform the Activities to comply with its legal obligations, to resolve disputes and to enforce agreements, to meet any audit, compliance, research and other legitimate best-practices. If it is determined that access to such data is no longer expected to be needed, it may be encrypted and archived, deleted or anonymized. Scientific data may be stored indefinitely, on account of possible future secondary-research on such data.
Where interactions with Weizmann include any unacceptable behavior, by phone, online or in person, which puts Weizmann’s staff or other people at risk or otherwise requires special attention, Weizmann will store a record of those interactions and share that information with relevant staff to avoid that risk in future, and as necessary may share it with authorities or other parties. This is in pursuit of Weizmann’s obligations to ensure safety on Weizmann’s campus and in connection with its Activities. Users may have a right to object to the collection and storage of this data, and Weizmann may refuse such request.
Different cookies are kept for different periods. Session cookies are used to keep track of Users’ activities online in a given browsing session; these cookies generally expire when the browser is closed but may be retained for a period on the User’s device. Permanent cookies remain in operation even when the User has closed the browser; they are used to remember the User’s login details and password. Third-party cookies are installed by third parties with the aim of collecting certain information to research behavior, demographics. Third party cookies on Weizmann’s site include, for example, Google Analytics. Likewise, pixels from Facebook and others enable integration of third party service providers (e.g. Facebook, Twitter) on Weizmann’s site. Third party cookies will be retained according to the terms of those third parties, and Users can control those cookies in their browser settings.
Most browsers will allow Users to erase cookies from their computer’s hard drive, block acceptance of cookies, or receive a warning before a cookie is stored. However, if a User blocks or erases cookies their online experience on Weizmann’s website or other Activities will be limited.
How to disable cookies: The effect of disabling cookies depends on which cookies a User disables but, in general, the website and some Activities delivered through it may not operate properly, may not recognize the device, may not remember the User’s preferences and so on, if cookies are disabled or removed. However, allowing or disabling cookies is the User’s choice and in their control. If a User wants to disable cookies on Weizmann’s site, he/she needs to change the browser settings to reject cookies. How can this be done will depend on the browser used, and details are available on the support site of all major browsers.
Weizmann’s websites and its researchers’ websites may, from time to time, contain links to external sites and services. Weizmann is not responsible for the operation, data management, privacy policies, content nor for any aspect of such sites and services.
Weizmann takes great care and expends very substantial resources in maintaining the security of the Personal Data it processes. Likewise, Weizmann takes steps to ensure its websites and applications are safe. Note however, that no data security measures are perfect or impenetrable, and Weizmann cannot guarantee that unauthorized access, leaks, viruses and other data security breaches will never occur.
Weizmann takes steps to limit access to Personal Data, and to maintain its integrity and availability and takes steps to ensure that its staff who have access to Personal Data are under a duty of confidentiality.
Weizmann shall act in accordance with its policies to promptly notify the relevant authorities and data subjects in the event that any Personal Data processed by Weizmann is lost, stolen, or where there has been any unauthorized access to it, all in accordance with applicable law and on the instructions of qualified authority. Weizmann shall promptly take reasonable remedial measures.
Data Protection Law may grant the respective data subjects certain rights. These rights may include, depending on the circumstances and the relevant legislation, rights to data portability, rights to access data, rectify data, object to processing, withdrawal of consent and erase data. It is clarified for the removal of doubt, that where Personal Data is provided through a third party, such data subject rights will have to be effected through that third party. Likewise, where Personal Data have been included in academic research material, it may no longer be feasible for such data to be accessed, erased, rectified etc. In addition, data subject rights cannot be exercised in a manner inconsistent with the rights of Weizmann employees and staff, with Weizmann proprietary and other rights, and third party rights. As such, job references, reviews, internal notes and assessments, documents and notes including proprietary information or forms of intellectual property, and experimental data, cannot be accessed, erased, or rectified. In addition, these rights may not be exercisable where they relate to data that is not in a structured form, for example emails, or where other exemptions apply.
If, for any reason, a data subject wishes to modify, delete or retrieve their Personal Data, they may do so by contacting Weizmann. Note that Weizmann may have to undertake a process to identify a data subject exercising their rights. Weizmann may keep details of such rights exercised for its own compliance and audit requirements.
Weizmann aims to process data limited to the needs and purposes for which it is gathered. Weizmann only collects data in connection with a specific legitimate purpose and only processes data in accordance with this Data Protection Policy.
Weizmann enables Activities specifically for children, such as on-site and online science experiential learning, and other such activities. In all cases, Weizmann endeavors to secure Personal Data of participants from or with the approval of their parents-guardians either directly or through the participants’ schools or other institutions. Where children participate in Weizmann programs through their schools, it is the school’s responsibility to secure parental consent, and exercise of any data subject rights is through the school. In addition, Weizmann may collect data regarding children in connection with scientific research. Except with respect to such Activities, we do not knowingly collect or solicit information or data from children under the age of 16 or knowingly allow children under the age of 16 to register for Weizmann Activities. Unless Users participate in such Activities specifically intended for children, as above, and if they are under 16 years of age, they should not register or attempt to register for any of the Weizmann Activities or send any information about themselves to Weizmann; and if Weizmann learns that it has collected or have been sent Personal Data or from a child under the age of 16, Weizmann may delete that Personal Data without any liability to Weizmann. If a person believes that Weizmann might have collected or been sent information from a minor under the age of 16 except as described above, please contact us at: DPO@weizmann.ac.il.
The terms of this Data Protection Policy will govern the use of the Activities, websites and application, and any information collected in connection with them. Weizmann may amend or update this Data Protection Policy from time to time. The most current version of Data Protection Policy. Any changes to this Data Protection Policy are effective as of the stated "Last Revised" date and continued access to the Activities will constitute active acceptance of, and agreement to be bound by, the changes to the Data Protection Policy.
If you have any questions or comments concerning this Data Protection Policy, you are welcome to send an email to Weizmann’s Data Protection Officer, or contact Weizmann by other means, and Weizmann will make an effort to reply within a reasonable timeframe.