Data Protection Notice for Reviewers

We, the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation), take the protection of your personal data and its confidential treatment extremely seriously. Therefore, we wish to inform you about the processing of your personal data in connection with the review process and the rights to which you are entitled. Please also consult our additional data protection information which may be relevant to you in other roles (in particular data protection information for research funding). The processing of your personal data takes place exclusively within the framework of the applicable statutory provisions of data protection laws, in particular the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

I. Who is responsible for the data processing and who is the data protection officer?

1. The controller for the processing of your personal data is:

2. Joint controllership

In certain funding programmes in which the DFG cooperates with other research funding organisations in Germany and abroad, the DFG is jointly responsible with other organisations for the processing of your personal data. The DFG has concluded a joint controller agreement with these organisations. This is relevant to you if you are involved in such funding programmes as a reviewer. You can find a list of the relevant funding programmes with information concerning the joint controller organisations (including their contact details), as well as information on the essential content of the joint controller agreements here:

3. You can contact our data protection officer as follows:

II. What is the subject matter of data protection?

The subject matter of data protection is personal data. This is all information which relates to an identified or identifiable natural person (so-called data subject). For example, this includes information such as name, postal address, email address or telephone number.

III. What personal data relating to me will be processed?

Within the framework of the review process and the associated activities, we only process the personal data relating to you which is relevant. Specifically, this may include:

  • Business or private contact information, including your name, title, address, email address and telephone number
  • General external and private data concerning your person (gender, date of birth, nationality etc.)
  • Data concerning previous reviews at the DFG
  • Data concerning whereabouts and times (participation in meetings, participation in events, hotel reservations etc.)
  • General categorising and assigning data (reference numbers, personal ID, relation to a further process / proposal etc.)
  • Payment details (IBAN, bank, invoice data etc.)
  • Competence data (information concerning knowledge and capabilities, certificates, vocational training completed etc.)
  • Declarations (consent, agreement, other declarations relating to a matter which have been submitted etc.)
  • Content-related data (for example evaluation of a proposal, assignment to a subject / topic, summaries, possible instances of bias, other content-related matters – countries, key words etc.)
  • Investigations and so-called measures in accordance with the DFG Rules of Procedure for Dealing with Scientific Misconduct which are issued by the Joint Committee in cases where scientific misconduct has been established
  • Special categories of data, for example health information, periods of maternity leave or data concerning family obligations (see Section IV.)

IV. What are the purposes of the processing of my personal data and on what legal basis does this take place?

Below, we wish to provide you with an overview of the purposes and legal basis of the processing of your personal data.

Description

In order to be able to approach and engage suitable persons for the review process, we process the information in our database of applicants and funded persons, as well as other publicly accessible information (for example on websites of researchers).

Legal basis

Entering into a contractual relationship (point (b) of Article 6 Paragraph 1 GDPR)

Description

In order to evaluate funding proposals, you will be requested to draw up written reviews and participate in the review meetings. During this process personal information will be stored, for example your communication address.

Personal information from the review process will be made accessible to the DFG statutory bodies. In the case of consortium proposals, the spokespersons of the consortium also receive information on the composition of the review group in advance of the review meeting in order to rule out any conflicts of interest and for the purpose of organising on-site reviews. In this respect, the review takes place – as a rule – in a joint meeting with the applicants and members of the review group as well as any rapporteurs involved.

Applicants will be informed about the contents of the review without mentioning the name of the reviewer.

Legal basis

Carrying out the review task (point (b) of Article 6 Paragraph 1 GDPR)

Description

The purpose of the elan account is to communicate with the DFG Head Office.

The setting up of the account is necessary for all persons who use elan.

Legal basis

Communication, provision of the review documents, secure transfer of documents and reports (carrying out of the review task, point (b) of Article 6 Paragraph 1 GDPR)

Description

Should costs be incurred in the course of the review process (for example travel expenses, reimbursement of expenses), we process data in order to reimburse these.

Legal basis

Carrying out the review task (point (b) of Article 6 Paragraph 1 GDPR).

Consent (point (a) of Article 9 Paragraph 2 GDPR), insofar as higher costs are claimed due to health restrictions and the evidence required for this is processed.

Description

When a proposal which is intended to be funded with another (funding) organisation is reviewed (for example within the framework of a call with other funding organisations), personal data is processed in order to carry out the necessary agreement with other funding organisations in the individual case.

The names of the reviewers will be processed for the purpose of investigating the choice of reviewers or any potential conflict of interest, as well as the contents of the review for deciding on a proposal.

Legal basis

Carrying out the review process (point (b) of Article 6 Paragraph 1 GDPR)

Description

Primarily in the case of written reviews, the participating reviewers will be informed of the content of the co-reviews without naming the reviewer, in order to ensure transparency as to the results of the review process and to contribute to the further development of quality criteria and the formation of standards in DFG reviews.

The members of the review boards of the DFG also receive information concerning the reviewers who are used.

Legal basis

Safeguarding legitimate interests (point (f) of Article 6 Paragraph 1 GDPR)

Description

Personal data is processed in connection with the carrying out of procedures in accordance with the Rules of Procedure for Dealing with Scientific Misconduct. This also includes disclosure to the institution where the data subject is employed (see Section VIII. “Who has access to my personal data and which recipients obtain it?”). As reviewers are also obliged to comply with the standards of good scientific practice within the framework of the review process, relevant procedures are also conceivable in connection with review activities.

Legal basis

Consent (point (a) of Article 6 Paragraph 1 GDPR), unless the data processing is covered by one of the following legal bases:

Carrying out the review task (point (b) of Article 6 Paragraph 1 GDPR)

Safeguarding legitimate interests (point (f) of Article 6 Paragraph 1 GDPR)

Description

In order to safeguard the interest of the public in relation to the use of public funds, the DFG reports on the research it funds.

Information which is obtained through questionnaires and the processing of proposals serve as the basis for DFG publications concerning its funding programmes (for example statistical evaluations of DFG funding activities and studies on the effects of DFG funding).

In order to assess and further develop the funding instruments of the DFG (evaluation), questionnaires and scientific investigations are also carried out, which may use personal data.

Legal basis

Fulfilment of a legal obligation (point (c) of Article 6 Paragraph 1 GDPR)

Safeguarding legitimate interests (point (f) of Article 6 Paragraph 1 GDPR)

Description

Data is processed in order to respond to research-related queries from third parties (for example other funding organisations or other academic institutions). This applies, for example, to queries relating to reviewers, scientific experts, potential prize winners or other awards.

Legal basis

Safeguarding legitimate interests (point (f) of Article 6 Paragraph 1 GDPR)

Description

The DFG processes reviewers’ data in order to organise review meetings. In order to enable meeting participants to exchange information (e.g. in the run-up to or after the meetings) or to network with each other, the DFG provides the participating reviewers or review board members with lists of personal data.

Legal basis

Safeguarding legitimate interests (point (f) of Article 6 Paragraph 1 GDPR)

Description

The DFG processes your personal data in the context of reviewing any allegations of discrimination that may be received against the DFG with regard to the formal correctness of the application processing procedure. The allegations of applicants are typically directed against what they consider to be inadmissible discriminatory statements in the written reviews prepared.

Legal basis

Carrying out the review task (point (b) of Article 6 Paragraph 1 GDPR).

Exercise of legitimate interests (point (f) of Article 6 Paragraph 1 GDPR, in particular following § 12 General Equality Treatment Act (AGG) and in accordance with the DFG’s internal guidelines, in particular the regulations for written review).

V. Will my personal data also be collected from third parties?

We primarily process the personal data which we obtain from you directly in connection with research funding. In addition, the DFG also processes personal data which is provided to us by the applicants or applicant institutions and their representatives concerning project participants.

In a few cases, we also obtain your personal data from third parties, for example:

  • From your employer or research institution, for example the university
  • From third parties, for example other reviewers
  • From organisations in Germany and abroad with which the DFG cooperates within the framework of the research funding
  • Via public sources, for example websites or publication databases

If necessary, we will provide you with more precise information about the above in separate form.

VI. Does automated decision-making or profiling take place?

We do not use automated decision-making or profiling in accordance with Article 22 GDPR.

VII. Am I required to provide my personal data?

We would kindly request your understanding that in the course of the review process, you are required to provide the personal data which is necessary for the clear identification of your person, the preparation and carrying out of the review process and the fulfilment of the associated contractual or statutory obligations, or which we are legally obliged to process. Without this data, we may not be able to use you as a reviewer. In order to be able to identify and support the best proposals out of a large number of submissions, the DFG is dependent on the assistance of volunteer reviewers.

VIII. Who has access to my personal data and which recipients obtain it?

Within the DFG, only employees of the DFG Head Office and the committee members who require access to your personal data in order to carry out their functions or tasks have access to it.

We only pass your personal data on to external recipients if a legal basis exists for this or if you have given your consent to such. No data is shared with third parties solely for their commercial purposes. External recipients may be:

  • Consortia spokespersons: In connection with the programmes for the funding of consortia, i.e. larger-scale cooperations consisting of several projects, the applying consortia have a spokesperson who acts as the consortium contact and coordinates the application and implementation of the project. The DFG provides these spokespersons with information on the members of the review group in advance of the review meeting in order to rule out any conflicts of interest and for the purpose of organising on-site reviews. In this respect, the review takes place – as a rule – in a joint meeting with the applicants and members of the review group as well as any rapporteurs involved. The DFG also passes on information and appraisals from the review process to these spokespersons – without naming the reviewers.
  • Higher education administrations: In the case of programmes where applications are submitted by the higher education administration, the DFG passes on information and appraisals from the review process to these higher education administrations – without naming the reviewers.
  • Other participants in the decision-making process for funding proposals: The applicants and co-reviewers are informed about the contents of the review process – without naming the reviewers. Participating reviewers or review board members receive lists with personal data prior to or after a review meeting for the purpose of academic exchange or networking.
  • Partner organisations: Within the framework of calls with other funding agencies, the DFG pass on personal data to the partner organisation for the purpose of investigating the choice of reviewers or any potential conflict of interest. The partner organisation will also be informed about the contents of the review as part of the decision-making process about a proposal.
  • Bodies who are joint controllers with us: When we carry out research in cooperation with other organisations, these may be joint controllers with us concerning the data processing (for example joint processing/administration of proposals with German or foreign funding organisations in the case of multilateral measures). The necessary data will then be exchanged with these organisations.
  • Service providers: We use service providers who are responsible for supplying services in the area of information provision, the creation of statistics and evaluative studies, or the maintenance of our IT systems. These service providers work for us as processors or are themselves responsible for data processing; they are carefully selected by us and are regularly audited in order to ensure that your personal data remains protected. The service providers may only process your personal data for the purposes stated by us. This is also ensured by means of contract.
  • Public bodies: In individual cases, we may be required to provide personal data to authorities and state institutions such as public prosecutor's offices, courts, financial authorities, the Federal Audit Office or the federal and state ministries with jurisdiction over the DFG.
  • Universities / research or research funding organisations, other academic institutions, for example foundations or ministries:
    • In order to respond to research-related queries, data is passed on to individual institutions in individual cases.
    • Following the conclusion of investigations into allegations of scientific misconduct, personal data is disclosed if there is a legitimate interest and in accordance with the Rules of Procedure for Dealing with Scientific Misconduct. This applies in particular to the institution / employer for which you work.

IX. Will my personal data be transferred to third countries?

Within the framework of the research funding, your personal data may be transferred to bodies whose headquarters or data processing location is not in a Member State of the European Union or another Member State of the European Economic Area. In such a case, prior to the transfer, we ensure that either an adequate level of data protection exists (for example by means of an adequacy decision of the European Commission, suitable guarantees, such as the agreement of so-called EU standard data protection clauses of the European Commission with the recipient) or you have given your express consent, with the exception of exemption cases which are permitted by law.

Furthermore, transfers to third countries may take place if the review takes place within the framework of a funding programme where cooperation takes place with organisations in third countries, for example because the research funding which has been applied for is intended to take place with researchers from third countries. In such cases, the transfer is justified by the regulation set out in point (b) or (c) of Article 49 Paragraph 1 GDPR.

X. For how long will my data be stored?

We will erase the data once it is no longer necessary for the purposes pursued by us and provided that no other legal requirements, in particular statutory or contractual retention periods, apply.

XI. What are my rights as a data subject?

You are entitled to the following rights in connection with the processing of your personal data:

1. Right of access

You have the right to receive confirmation from us as to whether we process personal data relating to you or not. Should this be the case, you have the right to receive information concerning your personal data and to receive further details concerning the processing.

2. Right to rectification

You have the right to request the rectification of incorrect personal data relating to you and to have incomplete personal data completed.

3. Right to erasure (“right to be forgotten”)

Under certain circumstances, you have the right to request that we erase your personal data. For example, this right exists if the personal data is no longer necessary for the purposes for which it was collected or otherwise processed or if the personal data was processed unlawfully.

4. Restriction of processing

Under certain circumstances, you have the right to request that the processing of your personal data be restricted. In such a case, we will only store such personal data in relation to which you have given your consent or processing is permitted by the GDPR. For example, you may have a right to restrict processing if you have disputed the correctness of your personal data.

5. Data portability

Should you have provided us with personal data under a contract or with your consent, then provided that the statutory requirements are met, you can request to receive the data which you have provided in a structured, commonly used and machine-readable format or request that we transfer this data to another controller.

6. Withdrawal of consent

Should you have given us your consent to the processing of your personal data, you can withdraw this at any time with effect for the future. The lawfulness of the processing of your personal data prior to the withdrawal remains unaffected by this.

7. Objection against processing on the basis of a “legitimate interest”

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (f) of Article 6 Paragraph 1 GDPR (data processing in accordance with a balancing of interests). Should you raise an objection, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which outweigh your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.

8. Right to complain to the supervisory authority

You also have the right to lodge a complaint with the responsible supervisory authority, should you consider that the processing of your data breaches applicable laws. For this purpose, you can contact the data protection authority which is responsible for your place of residence, place of employment or the location of the alleged breach or the data protection authority which has jurisdiction over us. The supervisory authority of the German Federal State in which you reside or work or where an alleged breach which forms the subject of the complaint has taken place holds jurisdiction.

XII. Who can I contact if I have any questions or wish to assert my rights as a data subject?

Should you have any questions concerning the processing of your personal data or should you wish to assert your rights as a data subject which are set out in Number XI. 1-7, you can contact us free of charge. Please use the contact details under Number I., 1. To withdraw your consent, you can also use the contact channel which you selected when submitting the declaration of consent.