Skip to main content

Data Processing Agreement

To use the genetic scoring service you must consent to a Data Processing Agreement (DPA) after registering for the service, which grants us permission to act as a data processor. You can revoke your consent at any time on your user profile. If you do this you will not be able to submit new jobs until you reconsent to the DPA.

Data Processing Terms & Conditions

By registering an account with GeneticScores.org You accept these Data Processing Terms & Conditions.

1. Definitions

The terms below shall have the following meaning:

1.1 "Applicable Data Protection Laws" means: for EMBL, its internal data protection legal framework, as enacted, amended or re-enacted at each time; and for You and/or Your Institution (a) if You and/or Your Institution are located in the EU/EEA, the General Data Protection Regulation (Regulation (EU) 2016/679) (EU GDPR) and any national data protection legislation, as amended and in force at each time; (b) if You and/or Your Institution are located in the UK, the retained version of the General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), as amended an in force at each time; and (c) if You and/or Your Institution are located in any other jurisdiction, any data protection and/or privacy legislation applicable in such jurisdiction;

1.2 "Data" means human genetic data and linked metadata, for example sex and sample labels;

1.3 "Data Breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data and/or Data processed that is likely to have a negative impact on the rights and freedoms of Data Subjects;

1.4 "Data Controller" means the entity determining, alone or jointly with others, the purposes and means of processing;

1.5 "Data Processor" means an individual or a legal entity or similar body which processes personal data on behalf of the data controller;

1.6 "GeneticScores.org" means a service for calculating polygenic scores managed by EMBL;

1.7 "Parties" means You and/or Your Institution and Us collectively, each being a “Party”;

1.8 "Personal Data" means any information relating to an identified or identifiable individual ("Data Subject"), and include the Data, where under the Applicable Data Protection Laws the Data constitute Personal Data;

1.9 "Processing" and "process” means any operation which is performed on personal data, including the collection, storage, alteration, retrieval, making available or destruction of such data;

1.10 "Processed Data" means outputs of bioinformatic pipelines run on uploaded data in the form of reports provided by the service;

1.11 "Pseudonymised" Personal Data means Personal Data that have been processed in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person;

1.12 "Registered User/You/Your" means an individual registered user who has an Account with the Service;

1.13 "Service" means the GeneticScores.org;

1.14 "Sub-Processor" means a natural person or legal entity that Processes Personal Data on Our behalf;

1.15 "We/Us/Our" means EMBL;

1.16 "Your Institution" means the institution to which You are affiliated when depositing and/or accessing and/or processing Data.

2. Other applicable terms and conditions and policies

2.1 These Terms should be read in conjunction with the following terms and conditions and policies, as these apply:

2.1.1 the EMBL-EBI General terms of use, as updated and in force at each time, which are applicable to all online services provided by Us located at https://www.ebi.ac.uk/about/terms-of-use;

2.1.2 the Privacy Notices, as may be updated and applicable at each time, located at https://docs.geneticscores.org/dataprocessing/index.html;

2.1.3 any requirements, rules and/or policies of Our Sub-Processors that can be found at https://docs.geneticscores.org/dataprocessing/index.html.

2.2 You acknowledge that the Service is made available subject to the disclaimers of liability.

2.3 If there is any conflict or inconsistency between (i) these Terms; and (ii) the EMBL-EBI General terms of use, these Terms shall take priority in relation to their subject-matter.

2.4 If You do not agree to these Terms or any of the EMBL-EBI General terms of use, disclaimers or policies detailed in Clause 2.1 above, please do not use the Service.

2.5 By accepting these Terms, You confirm that You have authority to act on behalf of Your Institution in respect of You and/or Your Institution using the Service to process Data.

2.6 You and/or Your Institution shall be responsible for Your and/or Your Institution’s compliance with any laws, rules, regulations and other requirements that may be applicable in respect of Your and/or Your Institution’s use of the Service.

3. Processing

We shall process the Personal Data in accordance with the following provisions:

3.1 The Parties acknowledge that You and/or Your Institution are a Controller and We act as a Processor of the Personal Data submitted and processed in the Service.

3.2 The Parties shall comply with their independent obligations under the Applicable Data Protection Laws, in accordance with their respective role.

3.3 You and/or Your Institution shall be responsible for providing any required notices to Data Subjects and collecting any required consent and any ethical or other authorisation, permit or approval before submitting Data to the Service.

3.4 You shall ensure that the Personal Data uploaded to the Service have been properly pseudonymised.

3.5 We are hereby authorised to process Personal Data only for enabling You and/or Your Institution to use the Service.

3.6 We shall only process Personal Data as far as it is necessary for achieving the aforementioned purpose, in accordance with Your and/or Your Institution’s instructions. We shall not be required to comply with any instruction that violates the Applicable Data Protection Laws.

3.7 We shall not share the Personal Data with any other third-party recipient without Your prior agreement. For the avoidance of doubt, it is clarified that Our Sub-Processors do not constitute third-party recipients.

3.8 You shall be responsible for responding to any Data Subject requests. We shall not respond to Data Subjects exercising any right under Applicable Data Protection Laws but shall redirect them to You. In any event and for the avoidance of doubt, it is clarified that Data Subjects may exercise vis-à-vis Us and raise claims against Us only in accordance with the substantive and procedural requirements laid down in Our internal data protection legal framework.

3.9 You and/or Your Institution shall be responsible for ensuring that the Personal Data are kept accurate and up to date, by rectifying, updating and/or erasing Personal Data as appropriate. We shall rectify, update and/or erase the Personal Data at Your and/or Your Institution’s request, where You and/or Your Institution are unable to do so through the use of the Service.

3.10 We shall delete or return the Personal Data, at Your choice, upon Your and/or Your Institution’s request. In any event, We will delete the Personal Data from the Service within 14 days from when the Personal Data is first uploaded to the Service. No back-ups will be kept.

3.11 You already hereby approve and acknowledge that We may engage one or more subcontractors, who may engage further subcontractors, for the purpose of carrying out the Processing (each, a “Sub-Processor”). Any such engagement does not alter the allocation of responsibility between You and/or Your Institution and Us. If any Sub-Processor is engaged by Us, We shall ensure that the Sub-Processor will be subject to data protection obligations similar or equivalent to the ones provided for herein. You can find a list of Sub-Processors we have engaged at https://docs.geneticscores.org/dataprocessing/index.html. We will keep the list of Sub-Processors updated. If You and/or Your Institution have any objections to the Sub-Processors (including their further Sub-Processors) and/or any update, you should not use the Service.

3.12 Your and/or Your Institution’s audit rights, in Your and/or Your Institution’s capacity as the Data Controller, shall not extend beyond Our obligation, without prejudice to Our privileges and immunities, to provide reasonable and appropriate information and documentation.

3.13 Taking into account (a) the purposes of the Processing, (b) the risks to the security of the Personal Data and to the rights and freedoms of Data Subjects, (c) the state of the art, and (d) the cost of implementation, We shall ensure that appropriate technical and organisational measures are implemented in order to protect the Personal Data against accidental or unauthorised destruction or accidental loss, as well as against unauthorised access, alteration or dissemination. You can find more information on the technical and organisational measures we have implemented at https://docs.geneticscores.org/security/index.html.

3.14 We shall not use, nor attempt to use the Personal Data to compromise or otherwise violate the confidentiality of any Data Subject, including their right to privacy, or to directly contact a Data Subject.

3.15 We shall not (a) seek to identify any Data Subject; or (b) analyse or make any use of the Data in such a way that has the potential to: (i) lead to the identification of any Data Subject; or (iii) compromise the anonymity or privacy of any Data Subject in any way.

3.16 If We become aware of any Data Breach, we shall (a) take measures to respond to it and mitigate its consequences, (b) notify You and/or Your Institution without undue delay and (c), comply with any other requirement under Our internal legal framework.

3.17 Nothing herein constitutes, nor may it be construed as commitment by Us to process Personal Data in accordance with any national or EU data protection legislation.

3.18 No provision hereof establishes any joint processing relationship between You and/or Your Institution and Us, neither any joint, nor any joint and several liability of You and/or Your Institution and Us towards Data Subjects.

3.19 Without prejudice to Our privileges and immunities, We shall provide, upon request, reasonable assistance to You and/or Your Institution, to allow You and/or Your Institution to comply with Your own and/or Your Institution’s obligations under the Applicable Data Protection Laws.

4. General

4.1 If You breach any of these Terms and/or any General terms of use, disclaimers or policies incorporated herein, Your access to the Service may be withdrawn with immediate effect and You may be denied further access to the Personal Data. In such case we shall delete the Personal Data immediately.

4.2 We reserve the right to update these Terms and/or any General terms of use, disclaimers or policies incorporated herein at Our complete discretion. If these Terms change, You will be required to accept the new version before logging into and using the Service. If You do not agree to these changes, You will be unable to continue to use the Service.

5. Liability and Indemnity

5.1 You and/or Your Institution agree that 1) We provide the Service as is and make no warranty, neither express nor implied, and assume no legal responsibility for the accuracy, comprehensiveness, merchantability, or fitness for any particular purpose of the Service and the Processed Data and/or that the use of the Service and/or the Processed Data will not infringe any patent, copyright, trademark or other proprietary rights of third parties; 2) to the extent permitted by law, We assume no liability for any indirect, consequential, or incidental damages or losses arising from the use of Service, and/or from the use, storage, disclosure or disposal of the Processed Data; and 3) We assume no responsibility for Your further analysis or interpretation of the Processed Data.

5.2 You and/or Your Institution agree to hold Us harmless and to defend and indemnify Us against all liabilities, demands, damages, expenses, and losses caused by You and/or Your use of the Service and/or Your and/or Your Institution’s breach of these Terms or any of the General terms of use, notices, rules, requirements or policies detailed in Clause 2.1 above, except to the extent that such damage or liability is due to Our gross negligence or wilful misconduct.

6. Governing law, dispute resolution, no waiver of EMBL’S privileges and immunities

6.1 These Terms shall be interpreted in accordance with their true meaning and effect. Without prejudice to EMBL’s status as an intergovernmental institution, reference shall be made to the substantive law of England and Wales, where: (i) A matter is not specifically covered by these Terms; or (ii) A provision is ambiguous or unclear. Such reference shall be made exclusively for the matter or provision(s) concerned, and shall in no event apply to the other provisions of these Terms.

6.2 Any dispute, controversy or claim arising under, out of or relating to these Terms, including, without limitation, formation, validity, binding effect, interpretation, performance, breach or termination, as well as non-contractual claims, shall be referred to and finally determined by arbitration in accordance with the WIPO Expedited Arbitration Rules. The place of arbitration shall be Cambridge, UK. The language to be used in the arbitral proceedings shall be English. The arbitral award shall be final and binding for You and Us.

6.3 Nothing in these Terms nor any document or activity under or in relation hereto shall be deemed or interpreted as a waiver, express or implied, of any privileges or immunities accorded to EMBL by its constituent documents or international law (see link for further information about EMBL’s status: https://www.embl.org/about/embl-legal-status/) , or as the acceptance by EMBL of the jurisdiction of (i) the courts of any country, including in case of injunctive relief sought, or (ii) any national regulatory and/or supervisory authority.

Data Processing Agreement v1.0

Last Updated 2025/02/25