The privacy organization in MIRRI gets many questions these days about how we prepare for the GDPR (General Data Protection Regulation).
On this page, you can read MIRRI’s official answer to that question. The audience is any stakeholder that has basic insight in privacy
and privacy law. We will not go into details about the regulation itself.
GDPR will apply to all members of the EU and EEA from May 25th, 2018. It will replace todays legislation regarding privacy in member
countries currently subject to the EU Directive 95/46. You find many of the statutes in the GDPR in the current legislation, but the GDPR
is more detailed and precise in certain areas and takes into account the challenges in the rapid evolving digital world, giving rise to
privacy risks for data subjects. GDPR is first of all demanding due to its detailed transparency requirements. Any company as well as other
bodies that process personal data, is also to a large extent required to document the processing, ensure the lawfulness of processing,
document the existence of sufficient procedures, provide information on security measures and to ensure that sufficient data processing
agreements are in place. GDPR is important because it improves the protection of European data subjects’ rights and clarifies what companies
that process personal data must do to safeguard these rights.
MIRRI has worked hard to incorporate the right attitude and knowledge about data protection and privacy in its culture.
MIRRI cares about privacy and the topic is always on the agenda in the team meetings. The responsibility for privacy work in
MIRRI has been delegated to a Data Protection Officer (DPO) who reports directly to the CEO. This is an independent formal role
described in the GDPR. The person appointed is the main contact point for any data subject or customer in privacy matters. The DPO
facilitates the privacy work in MIRRI.
The GDPR defines two roles that are subject to different legal obligations:
The nature of MIRRI business makes us both Controller and Processor. Thus, MIRRI must comply with the legislation concerning
both of these roles. We are a Controller when we process data about our own employees and customer contacts/users. We are a Processor
when we provide cloud services (SaaS) or other hosted IT services to our customers. In addition, we are a vendor of software that customers
install and operate themselves, but this does not make MIRRI a Processor. When MIRRI act as Processor or software vendor, the customer
using the service/software is the Controller.
The next chapters will explain what MIRRI is doing to comply with the GDPR in the Controller and Processor roles.
MIRRI process data about employees and customer contacts/users. In a few occasions, we may also process data about others.
This is natural when running a software business. Our main efforts making sure we are compliant, are related to being transparent.
Enabling our employees and customer contact persons to understand why, what, when and how their personal data are processed.
Our customer contact persons will find this information in our Privacy Statement.
We are ensuring that all data protection agreements (DPA) with subcontractors are sufficient in terms of protecting the rights of data
subjects, as well as complying with provisions for transfer of data outside the EU/EEA as set out in the GDPR.
Utilizing the power of digital marketing technology is key to MIRRI going forward. This involves creation of interest profiles such
that only relevant information can be presented to stakeholders. In addition, we will increase efficiency for stakeholders wanting to
adjust their interest profiles, as well as withdrawing consent.
MIRRI provides a range of options in the cloud-based software (SaaS) to our customers, and does also provide hosting services as well as
consulting services. These occasions except for pure hire of consultants, makes MIRRI a Processor. This mean that MIRRI is responsible
for only processing the personal data as instructed by the Controllers (the customers). Since most of our software are delivered in a one to
many relation, giving the Controllers (the customers) the freedom to continuously give us instructions on how to process their personal data
is not possible. This underlines the importance of agreeing with the Controller (the customer) on what these instructions are, typically in
the Terms of Service or in a dedicated DPA.
When a customer hires a consultant from MIRRI and his/her work is supervised by the customer, MIRRI is not a Processor, and due to that
a DPA is not necessary. Depending on the nature of the assignment, it may be wise for the parties to enter into a non-disclosure agreement
As a software vendor we also take responsibility for certain things that the Controllers themselves will have difficulties controlling.
This will typically be the design of the software regarding features for correcting and erasing personal data and implementation of information
security measures to safeguard data confidentiality, integrity and availability.
Being a provider of cloud services also mean that we use a range of subcontractors to deliver the services, and we have certain transparency
obligations in this regard, as well as making sure that sufficient data processing agreements are in place. We are doing this to ensure
privacy and trust throughout the chain of companies involved in processing our customers data. MIRRI’s business is based on earning this
trust from our customers.
Our main efforts making sure that we are compliant as Processor, are around these initiatives:
Further, we have published the Trust Center on MIRRI.org. This page provides customers information needed to document their processing
activities as a Controller. In summary, this information seeks to outline the privacy skills and abilities of our cloud services and software
products. The aim with this information is to enable Controllers (our customers) to fulfill their duties according to GDPR to safeguard privacy
when using a Processor (MIRRI) to process personal data on their behalf.
On request, a customer may also access more detailed privacy information particularly concerning security measures applied and agreements
with subcontractors. Such requests may be subject to fees and non-disclosure agreements.
MIRRI believes that awareness and competence among all our employees will have significant impact on our ability to comply with the GDPR
and safeguard privacy for customers and MIRRI. In order to increase awareness and understanding, we have developed courses for privacy that
will be mandatory for all MIRRI employees to complete in 2018. These courses will also be included in the onboarding process for new
If you are looking for general information regarding processing of personal data in MIRRI, visit MIRRI.org and read our
If you represent a customer being a Controller and need more information regarding data protection around software products/services, you
can visit our Trust Center.
If you have questions directly related to a data protection agreement with MIRRI, you should reach out to your primary business contact in
All other inquiries should be sent to firstname.lastname@example.org. We will respond to such inquiries as soon as possible and make priorities based on
urgency in terms of risk for data subjects.
Hannut, May 23rd, 2019
If you would like to know more about cookies and how they work, please visit www.allaboutcookies.org.
1. Table-columns-strains_2: contains the list of columns that must be displayed (when changed by the end-user) when searching Strains_2 table views (this is there to keep the preferences of the end-users; It will not be present if the end-user has not changed this option).
2. Queries-layout-strains_2: contains the list of queries that have been done by the end-user when searching Strains_2 table views (this is there to keep the preferences of the end-users; It will not be present if the end-user has not changed this option).
3. Table-columns- strains_3: contains the list of columns that must be displayed (when changed by the end-user) when searching strains_3 table views (this is there to keep the preferences of the end-users; It will not be present if the end-user has not changed this option).
4. Queries-layout- strains_3: contains the list of queries that have been done by the end-user when searching strains_3 table views (this is there to keep the preferences of the end-users; It will not be present if the end-user has not changed this option).
5. Table-columns-Open%20collection: contains the list of columns that must be displayed (when changed by the end-user) when searching 20collection table views (this is there to keep the preferences of the end-users; It will not be present if the end-user has not changed this option).
6. Queries-layout- 20collection: contains the list of queries that have been done by the end-user when searching 20collection table views (this is there to keep the preferences of the end-users; It will not be present if the end-user has not changed this option).
7. List-display: keeps the end-user preference in terms of display format (either results in grid or results looking like a Google format) (this is there to keep the preferences of the end-users; It will not be present if the end-user has not changed this option).
8. SearchState: this keeps the information about the last query and the page number where the end-user was the last time he/she did a query.
9. ASP.NET_SessionId: this is an automatic cookie that keeps the unique session ID number to be used on the server side. This is deleted when session is finished/expired.
10. last-query-layout-Open%20collection and similar, contain the last query done by the end-user on the Open%20collection table view. This is used when first reloading the page. It is replaced each time there is a query done.
11. _utma, _utmb, _utmc, _utmd, etc are Google analytics cookies to analyze web traffic (see https://helpful.knobs-dials.com/index.php/Utma,_utmb,_utmz_cookies).
Cookies mentioned in the last point are Google analytics cookies that are IP anonymized which means that we cannot trace single users. See below for more information.
No other cookies than the ones mentioned above are used on our websites.
Google cookies and technologies
Google Analytics: These cookies allow us to see information on user website activities including, but not limited to page views, source and time spent on a website. The information is depersonalized and is displayed as numbers, meaning it cannot be traced back to individuals. This will help to protect your privacy. Using Google Analytics, we can see what content is popular on our websites.
You can prevent the information generated by the Google cookie about your use of our Sites from being collected and processed by Google in the future by downloading and installing Google Analytics Opt-out Browser Add-on for your current web browser. This Add-on is available at http://tools.google.com/dlpage/gaoptout.