Skip to content

CSC’s EUDAT Services Personal Data Protection Measures#

This document updated 27 January 2026

1. Purpose#

This description of technical and organisational security measures (TOMs) is part of the agreement between the controller and the processor concerning personal data processing under Article 28 of the General Data Protection Regulation (EU) 2016/679. Below are the security measures implemented by CSC in EUDAT services named CDI B2SHARE, B2SHARE Premium and B2DROP Premium. These EUDAT services enable data to be shared for others to use. The data owner and controller are ultimately responsible for handling the data according to laws and other obligations.

The processor has the right to change the security measures unilaterally and without separate notice, provided the changes maintain or improve the level of protection. An individual measure may be replaced with another as long as it does not weaken data protection. CSC may update this description if the security measures are changed.

Explanations of terminology used in this description can be found in the Terminology section of CSC’s general terms of use for research and education services.

2. EUDAT Service Security Measures#

2.1. General#

  • Processing activities performed by CSC are agreed in writing.
  • Personal data processing in EUDAT B2DROP Premium and EUDAT B2SHARE Premium is agreed in service contracts, for example:
    • The customer is responsible for ensuring that the purpose, nature and scope of personal data processing, as well as the types of personal data and categories of data subjects, are described in the Description of Processing Activities.
    • The service does not process special categories of personal data or other highly sensitive data listed in Articles 9 and 10 of the GDPR.
  • In CDI B2SHARE, personal data processing is defined in the Terms of Use and Privacy Policy.
    • CDI B2SHARE Terms of Use: https://b2share.eudat.eu/terms-of-use
  • Privacy Policies for CSC-produced EUDAT services
  • Service continuity is ensured through technical and organisational means, whose timeliness and functionality are verified at least annually.
  • CSC maintains access rights for its staff based on roles. Access to data is granted only to those whose duties require it, and only to the extent necessary. Access rights are reviewed periodically.
  • Only authenticated users can access personal data, unless content has been publicly shared by the user. Users are responsible for having the right to publish any personal data they disclose.
  • Logs containing users’ personal data are created in service production.
  • Personal data logs are kept for a maximum of 5 years and older logs are deleted.
  • Data protection expertise of personnel handling personal data is maintained through mandatory and regularly renewed training.
  • CSC personnel are bound by confidentiality obligations under Section 35 of the Finnish Data Protection Act, as well as prohibition of exploitation.
  • CSC has a Data Protection Officer.
  • Data transfers across public networks are encrypted or otherwise protected.
  • Software development follows best practices.
  • Changes to production follow a defined change management process.
  • Critical documentation is kept up to date via regular reviews.
  • Vulnerability scans are performed regularly.
  • System vulnerabilities are monitored and critical fixes applied immediately once available.
  • Security incidents follow a defined handling process.
  • Service integrity and availability are monitored through controls implemented in a separate monitoring system.
  • Multi-layered security measures are used.
  • Data storage location is within the EU (Finland).

2.2. Data Reception Security Measures#

  • Content is accepted only from registered users using encrypted connections. As an exception, B2DROP users may share limited write access protected with a password.
  • In B2SHARE, descriptive metadata entered is validated against a predefined data model.

2.3. Data Storage Security Measures#

  • In B2SHARE, users can verify store file content using a checksum.
  • In B2SHARE, every metadata record has a unique identifier.
  • In B2SHARE, versioning rules ensure dataset integrity. If files of a published dataset are no longer fully available, because of e.g. intentional removal, the dataset is marked as outdated.
  • Configurations are version-controlled and databases are backed up regularly.
  • In B2SHARE, integrity deviations found in regular checks are addressed immediately.

2.4. Data Use and Processing Security Measures#

  • Each user has personal credentials, and access to the service is authenticated.
  • B2SHARE’s search, view and download features of publicly shared content are an exception, and they do not require authentication. In B2SHARE, dataset owner may temporarily share access to embargoed content for another user without authentication. In B2DROP, authenticated users may share limited access procted by password.
  • Each registered user accepts the Terms of Use which describe responsibilities and limitations.
  • API access requests are logged.
  • Access rights within the service are user-managed in means described in service documentation.
  • Users are responsible for instructing and supervising any persons they grant access to.
  • Measures taken to ensure data integrity are logged and communicated to users.

2.5. Data Distribution Security Measures#

  • Users decide on openness, sharing and usage policies of their content. The data owner and controller are responsible for processing data in accordance to legal and other responsibilities.
  • In B2SHARE, each published file has a checksum available during download.

2.6. Data Deletion Security Measures#

  • After service use ends, access to user content is blocked. If not otherwise agreed, content is permanently deleted after the service’s protection period.
    • Published datasets in B2SHARE are recommended to be transferred to ownership and responsibility of another user.
    • As an exception, public metadata of datasets published in B2SHARE is always preserved as a so called “tomb stone” landing page.
  • Users may request deletion of user account data.
    • In Premium services, account data is deleted as agreed with the customer or after the protection period.
    • In B2SHARE, account data can be deleted upon request or after the protection period.