Skip to content

Overview

The data providers remain at all times responsible for the data that will be hosted on the ELIXIR Luxembourg platform and for the validity of the data provision (data protection, ethics, etc.).

By default, the ELIXIR Luxembourg Hosting and Processing Agreement is concluded for 10 years, to allow for re-use of data in research and dissemination of results.

The services of ELIXIR Luxembourg are provided in principle free of charge and supported by Government of the Grand Duchy of Luxembourg and the University of Luxembourg.

Data submission journey

  • Pre-Submission Inquiry – Initiate contact and provide basic information about your dataset and intended use.
  • Legal Framework – Review and prepare the necessary legal documents, including the Hosting and Processing Agreement and Data Use Agreement.
  • Metadata Collection – Complete the Data Information Sheet and provide comprehensive metadata describing your dataset.
  • Data Upload – Transfer your dataset securely to ELIXIR Luxembourg using approved channels.
  • Quality Control – Ensure your data meets quality, integrity, and compliance standards.
  • Publication and Overview – Finalize dataset publication and review how your data will be presented in the ELIXIR Luxembourg Data Catalogue.
  • Renewal & Closure – Manage ongoing data stewardship, renew hosting agreements, or close out your submission.

Data access levels

Data can be hosted on our platform under open or controlled access level:

  • Open access - any registered ELIXIR Luxembourg user can access data in an unrestricted manner. This option is only possible for anonymised data.
  • Controlled access - the data provider must establish a data access policy that is used by the Data Access Committee to handle access requests from users. Data providers can choose which type of access level to use when preparing the data transfer to ELIXIR Luxembourg. The data users can access controlled data after signing the ELIXIR Luxembourg Data Use Agreement, guaranteeing that they respect the described data access policy (or use conditions).

For more information, see Data access levels.

GDPR Roles and Responsibilities

ELIXIR Luxembourg operates in compliance with the General Data Protection Regulation (GDPR). The following roles are defined in the context of data submission and hosting:

  • Data Controller: The data provider (institution or individual submitting the data) acts as the Data Controller, determining the purposes and means of processing personal data.
  • Data Processor: ELIXIR Luxembourg acts as the Data Processor, processing data on behalf of the Data Controller according to documented instructions and agreements.
  • Data Subject: Individuals whose personal data is included in the submitted datasets.

Quick overview of data submission process

Data submission flow

1. Pre-Submission Inquiry

Before submitting data, providers must complete a pre-Submission inquiry form to provide initial information about the dataset and intended use.

1.1. Define list of assets to sustain

List all datasets, files, and related resources you intend to submit for hosting.

1.2 Define embargo period

Specify if an embargo period is required before the data becomes available to users.

1.3. Define access level

Choose the appropriate access level for your data:

  • Open access: For fully anonymised datasets, available to all registered ELIXIR Luxembourg users.
  • Controlled access: For personal or sensitive data, requiring approval and compliance with a Data Access Policy.

For more details, see Data Access Level.

1.4 Build data access commitee and access policy

Establish the Data Access Committee (DAC) in one of the following forms:

  • Provider-led: All members designated by the data provider.
  • Joint committee: Includes ELIXIR Luxembourg experts, with provider veto rights.

For more information, refer to the Data Access Committee Models.

2. Provide detailed metadata

Submitters must provide a data information sheet detailing dataset characteristics, provenance, and any relevant metadata. See Metadata collection for more details.

3. Sign Terms of Service

Submitters and users must agree to the Hosting and Processing Agreement, which outline general conditions for accessing and using the platform.

4. Data upload

See Data upload for more detail. If data meets quality criteria, it is advertised in ELIXIR Luxembourg Data Catalogue and users can request access.

GDPR Roles and Responsibilities

ELIXIR Luxembourg operates in compliance with the General Data Protection Regulation (GDPR). The following roles are defined in the context of data submission and hosting:

  • Data Controller: The data provider (institution or individual submitting the data) acts as the Data Controller, determining the purposes and means of processing personal data.
  • Data Processor: ELIXIR Luxembourg acts as the Data Processor, processing data on behalf of the Data Controller according to documented instructions and agreements.
  • Data Subject: Individuals whose personal data is included in the submitted datasets.

Responsibilities of the Data Controller

  • Ensure that data collection and submission are lawful, fair, and transparent.
  • Obtain all necessary consents from data subjects, including informed consent for research use and data sharing.
  • Provide accurate and complete metadata and documentation.
  • Define the Data Access Policy, including use conditions and restrictions.
  • Respond to data subject requests (e.g., access, rectification, erasure).

Responsibilities of ELIXIR Luxembourg (Data Processor)

  • Process data only as instructed by the Data Controller and in accordance with the Data Use Agreement and Terms of Service.
  • Implement appropriate technical and organisational measures to ensure data security.
  • Assist the Data Controller in fulfilling GDPR obligations, such as responding to data subject requests and reporting data breaches.
  • Ensure that data is stored and processed in a GDPR-compliant manner.

Data Protection and Security

  • All data transfers are conducted via secure channels.
  • All personal data processed is de-identified (pseudonymised).
  • Access to controlled datasets is restricted to authorised users who have signed the Data Use Agreement and Data User Responsibility Acknowledgement.

Data Retention and Deletion

  • Data is retained for the duration specified in the Hosting and Processing Agreement (typically 10 years).
  • At the end of the retention period or upon request, data can be securely deleted, confirmed by submitting a Confirmation of Data Deletion Form)

Compliance and Audit

  • ELIXIR Luxembourg may conduct periodic audits to ensure compliance with GDPR and other applicable regulations.
  • Data providers are responsible for maintaining records of processing activities and demonstrating compliance.