PRIVACY NOTICE FOR OPEN INDUSTRIAL DATA
PRIVACY NOTICE FOR OPEN INDUSTRIAL DATA
This privacy notice describes how Cognite AS collects and processes personal data about the user, the data subject, when using this service. It describes what data Cognite collects and what lawful basis this is based on.
Cognite AS (hereafter Cognite) is located at Oksenøyveien 10, NO-1366 Lysaker, Norway, and can be contacted at email@example.com. Questions specifically about this privacy notice, or requests regarding data subject rights according to the General Data Protection Regulation (GDPR) should be sent to firstname.lastname@example.org.
Aker BP can be reached at Aker BP ASA, P.O Box 65, NO-1324 Lysaker, Norway, and can be contacted at email@example.com.
The purpose of the Open Industrial Data initiative is to liberate industrial data for research and educational purposes and to encourage data sharing within the industry. Cognite AS is the main data controller for the applications and platform this data is stored in, but Cognite may share usage and user data with the owner of the datasets being accessed (for Valhall this is Aker BP — for future datasets this would be the respective owners of that dataset). When sharing this data, the recipient (the owner of the dataset) is also a data controller, meaning that Cognite and the owner are joint controllers for the data being collected and processed. We urge users to contact Cognite about data subject rights, since only Cognite will have a complete overview of the data being processed across dataset owners.
The user data is collected for three main purposes:
- To better understand who is interested in the data and how they wish to use it.
- For audit and security purposes to ensure no abuse, fraud or unwanted use of the data takes place, and to ensure the performance of the platform so that it can fulfil the user’s requirements.
- To contact the user with important information about the service, such as when it will not be available, problems with the actions taken by the user, or if a service is being discontinued.
For better understanding, mainly aggregated analytics data is used, while for security purposes Cognite may access audit logs on what requests to the system were done. The legal basis for this data collection and processing is legitimate interest (GDPR article 6, 1(f)).
One exception to this is the processing related to being contacted by Cognite or the dataset provider, where the user is explicitly asked for consent for this during the account signup. If the user does not consent to this, only critical and necessary contact (as outlined above) will take place. If the user does opt-in for being contacted, the legal basis for this processing is consent (GDPR article 6, 1(a)).
What data is collected
Cognite collects the first name, last name, registered Google Account email (for authenticating the user), occupation, for what purposes the data access is being requested and whether the user agrees to being contacted. If the user is a student, their university/school is stored, while for business users the company they work for and their role in the company is stored.
In addition, Cognite will store the preferred email for contact and phone number if the user chooses to supply these optional values.
For analytical purposes Cognite collects aggregated data on usage using Google Analytics. As a technical measure to reduce the impact of this, we use the IP anonymization feature in Google Analytics.
In addition to this we store the IP address and technical request details in our audit logs for security and performance monitoring (such as which API calls were made, what user-agent, what security level etc.). This data can not be used for other purposes.
Deletion of personal data
Cognite deletes the data about the user when they request it, or latest 1 year after the user has closed their account. Audit data for security purposes is stored for up to 18 months. For security purposes, we may choose to retain the identity of an account for the same length as we keep the audit logs, but then only for the specific security purpose.
Rights of the data subject
Cognite processes the user's personal data according to the current laws and regulations. The user has the right to see what data Cognite has about them, object to processing and request corrections or deletion of this data. These requests should be sent to firstname.lastname@example.org. For complaints about processing in breach of the law, the Norwegian Data Protection Authority (Datatilsynet) should be contacted.
User data is protected by encryption during transit and at rest. Cognite uses Google Cloud services and data is stored in their European data centers. These data centers are certified according to ISO 27001.
Accessing the user data in the platform requires authentication and authorization to ensure only those who should have access can access it.
Google Cloud delivers the services the Open Industrial Data initiative is built on, and Cognite has a data processor agreement with Google specifying how any data is used. Google cannot decide to use the data on their own or in ways Cognite has not requested.