ORCID Privacy Policy

This Policy was last updated 26 September 2024

Contents

1. Introduction

ORCID is a global, non-profit organization headquartered in the United States. We provide the ORCID iD, a free, unique, persistent identifier for individuals to use as they engage in research, scholarship, and innovation activities and other connected services to our community of researchers, member organizations and to the public. For more information on our services, see our About page. 

To deliver these services and to operate as an organization we need to use some information that identifies and relates to individuals, in other words, personal data. 

We endeavor to be transparent about our use of personal data. We respect people’s privacy rights and recognize that transparency is an ongoing responsibility, as well as a legal requirement in most of the countries in which we operate. Providing detailed information on how we collect and use personal data helps us demonstrate our core values: Open, Trusted and Inclusive.

This Privacy Policy (also referred to below as ‘this Policy’) is incorporated into and made part of ORCID’s Terms of Use.

1.1 About this Policy

This Policy explains how ORCID, Inc. (‘ORCID’,‘we’, ‘us’, ‘our’) collects and uses (‘processes’) personal data (or personal information as it is also sometimes called).  Throughout this Policy we refer to this type of information as ‘personal data’ or ‘your data’. We tell you how we store and share your personal data, and about your rights and choices in relation to your data. 

We process personal data in electronic, digital, and, occasionally, paper / hard copy formats. This Policy applies to our personal data processing, regardless of format. 

If you have any questions, comments, complaints or requests regarding this Policy or our data collection, processing and protection practices, please contact our Data Protection Officer at [email protected]. If you prefer, you can also write to us. Our full mailing address is in the Questions and Concerns section of this Policy.

1.2 Who should read this Policy

This Policy is for individuals whose personal data we process in order to deliver our services and meet our mission as an organization. That is:

• Individuals who have ORCID Records
• Visitors to our Websites, including those searching the ORCID Registry, individuals who are considering creating ORCID Records and individuals seeking information about ORCID
• Contacts from current or prospective ORCID Consortia and Member Organizations
• Individuals applying for or who have received grants from us
• Individuals attending or contributing to in-person or virtual events run by ORCID
• Subscribers to our mailing lists
• Contributors to our blogs, community discussions, working groups and committees
• Individuals who contact us for any reason, including to request technical support

The personal data we process will vary, depending on your relationship with ORCID. In this Policy we use the term ‘you’ to refer to all of the above but will let you know when something relates only to a specific group or groups of people

A note for ORCID employees, contractors and job applicants: We have a separate privacy notice for people who have applied to work at ORCID, who currently work, or have worked, for ORCID as an employee or contractor. However, if you are, were, or have applied to be an ORCID employee or contractor but also fall into one or more of the categories above, this Policy will apply to you as well, to the extent your personal data is collected and/or processed for one of the above purposes.

2. ORCID terms

We use the following ORCID words and phrases throughout this Policy:

• ORCID Record or Record: The composite data set other than system data (e.g., user ID, password, log files), including the ORCID ID, pertaining to a specific individual and stored in the ORCID Registry
• Websites: Websites at the orcid.org domain
• ORCID Registry or Registry: Our open access registry of researcher identifiers 
• ORCID Consortium: A group of Member Organizations that work together to accelerate integration of ORCID services and resources in a national or regional context
• Member Organization: An organization that has entered into a membership agreement with ORCID
• Record Holder: the individual who owns an ORCID Record
• Record Data: The data in a specific ORCID Record
• ORCID Member Portal: A system used by ORCID Member Organizations to manage their membership information, and provides other functionality such as the ability to request permission from Record Holders to add affiliations to their Records. The Member Portal is not part of the ORCID Registry, and access is only for administrators at Member Organizations who have been invited to use it
• ORCID Account or Account: An account created by a Record Holder as part of the ORCID iD registration process
• Trusted Individual: An individual to whom a Record Holder has given the authority to manage their ORCID Record on their behalf, including setting privacy settings, naming Trusted Organizations, and editing and depositing data
• Trusted Organization: An ORCID Member Organization to which the Record Holder has given the right to view, edit, and/or deposit specific data (Trusted Party Data) in their ORCID Record
• Only Me Data: Data from an ORCID Record that the Record Holder has given a visibility setting of “visible by only me”. Also referred to as “private data” (see more information about ORCID Privacy Settings)
• Trusted Party Data: Record Data that the Record Holder has given a visibility setting of “visible by trusted parties”. Also referred to as “limited access data” (see more information about ORCID Privacy Settings)
• Everyone Data: Record Data that the Record Holder has given a visibility setting of “visible by everyone”. Also referred to as “public data” (see more information about ORCID Privacy Settings).
• Public Data File: A downloadable copy released to the public at least annually of all publicly available information (Everyone Data) for all active ORCID Records within the ORCID Registry at the time of creation

3. Our responsibilities

Our processing of personal data is subject to certain legal safeguards specified in applicable national and international data protection regulations, including but not limited to the EU and UK General Data Protection Regulation (GDPR) and US privacy laws. 

Under the GDPR, we are a ‘data controller’ for the personal data added by Record Holders, Trusted Individuals and Organizations, and for the information we process in order to operate and deliver our services as described in this Policy. We also act as a data processor when ORCID Member Organizations use our Member Portal to create and edit information about their researchers.

4. Your privacy rights and choices

4.1 Privacy choices you can make as a Record Holder

Our services are designed so that ORCID Record Holders are in control of how their Record Data appears and is shared.

If you are a Record Holder you control the visibility of most of the data items in your ORCID Record. You can revoke Trusted Individual/Organization status at any time, download your data or deactivate your Account, which will result in the deletion of almost all the data we hold about you (see Section 9 for information about the data we retain.) We describe how you can make these privacy changes in our privacy settings guidance. 

You can also adjust frequency settings for email notifications we may send you and choose whether to receive our New Features and Tips notifications—see our detailed guidance on notifications.

4.2 Privacy rights

Around the world, data protection laws and regulations have been put in place to give people specific rights in relation to their personal data. As a global organization, we extend the same general rights in relation to our use of your personal data regardless of your location. These rights are consistent with the GDPR and other current privacy laws around the world. We aim to interpret these rights broadly, however they are subject to exceptions in some jurisdictions and may not apply in all circumstances.

• Right to know and access: This right enables you to request that we confirm whether we process your personal data and receive copies of your data if so, and to request information about our collection and use of your personal data, including whether we sell or share your personal information.
• Right to request correction of personal data that we hold about you: This right enables you to have any incomplete or inaccurate information we hold about you corrected.
• Right to request erasure of your personal data (also known as the ‘right to be forgotten’): This right enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
• Right to object to processing of your personal data: This right applies where we are relying on a legitimate interest for using your data. You also have the right to object if we are processing your personal data for direct marketing purposes.
• Right to request the restriction of processing of your personal data: This right enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
• Right to data portability: This right enables you to request and obtain a copy of your personal data that you previously provided to us in a portable format. This right also gives you the right to request that ORCID transmits this data directly to another data controller.
• Right to opt out of the sale and sharing of personal data: This right enables you to opt out of the processing of your personal data for the purpose of selling or sharing your personal information for cross-context behavioral advertising. Note that we do not sell your personal information, nor do we share any data with direct marketers.
• Right to opt-out of the use of Personal Data for targeted advertising and profiling: This right enables you to opt out of the processing of your personal data for purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you. Note that we do not use your data for targeted advertising or profiling purposes.
• Right to limit use and disclosure of sensitive personal data: This right enables you to request that we limit the ways we use and disclose your sensitive personal data to uses which are necessary for us to perform our services.
• Right to non-discrimination: This right ensures you are not discriminated against in the services or quality of services you receive from us for exercising your rights. We will not discriminate against you for exercising any of your rights in this section including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services. 
• Right to appeal: This right enables you to appeal our denial of any request you make under this section. To exercise your right to appeal, please submit an appeal request by contacting our Data Protection Officer at [email protected].

4.3 How to exercise your rights

You are able to review, verify, correct and request erasure of your Record Data directly in the ORCID Registry—detailed guidance is available in our Help Center . If you want to make a request in relation to any other personal data we hold about you, please contact our Data Protection Officer at [email protected].  

You will not normally have to pay a fee to access your personal data, or to exercise any of the other rights. However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in these circumstances.

We may request information from you to help us confirm your identity and facilitate your right to access the information (or to exercise any of your other rights). This is so we can ensure that personal data is not disclosed to any person who has no right to receive it.

5. How and when we collect your data

We obtain your personal data in the following ways.

5.1 Information you provide to us

We collect information directly from you when you:

• Register with ORCID to create an Account or Record or serve as a Trusted Individual
• Apply on behalf of your organization to become a Member Organization, or act as a contact person or administrator of a Member Organization, for example when using the Member Portal
• Apply for a grant from us
• Contact our Helpdesk or any ORCID staff member directly
• Sign up to our mailing lists
• Initiate or participate in a dispute investigation, in line with our Dispute Procedures
• Respond to surveys, make or contribute to posts in any online chats, blogs or other public forums offered on the Websites or other platforms such as Slack, Trello or GitHub
• Participate in our working groups or committees
• Register to attend, speak at or otherwise contribute to an ORCID event

5.2 Information from third parties

• Trusted Organizations may add new information to your Record, and edit or delete that information, only if you give them permission to do so through an opt-in mechanism, or have previously given permission and they were the source of the data. You may provide this permission via a link from a Member service that has integrated with ORCID, via a link sent to you by a Trusted Organization, or directly in the ORCID Registry.
• Your Trusted Individuals may edit, delete and deposit information in your Record. You may specifically designate or remove Trusted Individuals in the ORCID Registry from the Trusted Parties page of your Record—see detailed guidance in our Help Center.
• A Member Organization (or agent working on its behalf) may contact us to let us know that they have information about new publications or other research activities that are related to your ORCID iD. 
• Additionally, ORCID Member Organizations may choose, as a separate data controller, to upload personal data to the ORCID Member Portal about users who are affiliated with that organization (‘Member Data’). This Member Data is stored in the Member Portal pending transfer to the Registry.
• In either case, ORCID will contact you and ask if you would like to make this Member Organization one of your Trusted Organizations in order to deposit information about these activities to your Record.
• A current or prospective Member Organization or someone applying for a grant from us may designate you as a contact person, administrator, director, officer, beneficial owner, controlling person or key staff member of the organization.
• Member Creators. Through 2015, there was an option for Member Organizations to create ORCID Records on behalf of their staff and students, including obtaining an ORCID iD, populating the record with data, and setting the initial settings for visibility & sharing. Such Members are referred to as ‘Member Creators’. This functionality is no longer provided by ORCID, however, we describe how this functionality worked at our Member Creators page.

5.3 Information collected from your use of the Websites and Registry

When you use our Websites and Registry we automatically collect information (referred to as log files or log data) about how our services are used, that could potentially identify you.

5.4 Information from cookies and other tracking technologies

We use cookies and similar tracking technologies on our Websites. Our cookie information describes tracking technologies used and how you can accept or reject them. You can view and change your settings at any time by clicking on Cookie Settings at the bottom of this and all ORCID Websites pages.

5.5 Alternate sign in accounts

When you sign in to your ORCID Record using institutional credentials or social sign-in providers (for example with Google credentials) certain information is provided by the identity provider to enable the connection and create a persistent link to your account. 

You may remove this information by deleting the alternate sign in account using the Account Settings page of your ORCID account, but otherwise it will be retained indefinitely as ‘Only Me’ Data on your account.

6. The data we use and why we use it

The types of personal data we collect and the ways we use it will vary, depending on our relationship with you and your engagement with us. 

The following sections describe our uses of personal data in different scenarios that reflect the range of services we offer. We also explain our legal grounds (known as a ‘lawful basis’) for processing your data in these scenarios.

6.1 Using our Websites and the ORCID Registry

When you access our Websites or the Registry we collect the following information: 

• Your IP address (which may reveal your approximate location)
• Details about your use of the Websites and Registry, including date & time of access and any edits made to a Record, or when you added and removed an individual or organization to or from your Trusted Individuals and Trusted Organizations lists
• Your method of accessing the Websites and the Registry
• The type and version of the internet browser you are using
• The type of device you are using (e.g. computer, smart phone, tablet) and operating system
• Your screen resolution

For further information about the usage data we collect and tracking details, see our Cookie Settings (link at the bottom of each page).

We use the above information to help us: 

• Ensure the transparency of the ORCID Registry
• Remember your settings such as language preference or interface display preferences
• Analyze trends, track user movements around the websites and to gather demographic information about our user base as a whole
• Monitor and record when and by whom Registry information has been changed
• Maintain information security and help identify patterns of abuse and block some spammers 
• Provide troubleshooting and support services

6.3 Creation, editing, management and publication of ORCID Records

To create an ORCID Record we require you to provide at least your given name and email address, as noted above. An ORCID iD will be automatically generated and associated with your Record.

You (the Record Holder or a Trusted Individual) may choose to include other additional information in the ORCID Record, such as:

• Family or last name, or other names
• Biographical information 
• Affiliations and employment
• Professional activities
• Education and qualifications
• Grants, awards and other and funding received 
• Works, including patents and publications
• Links to websites and social media accounts
• Keywords to help people identify you/your work 
• Countries where you conduct your research or where your research is focused
• Peer review activities
• Access to research resources

We will use the above information to enable you to create and populate your ORCID Record, and to:

• Help us respond to questions or disputes about your Record 
• Publish Everyone Data held within your ORCID Record in the ORCID Public Data File
• Publish Everyone Data held within your ORCID Record as a publicly accessible web page in the ORCID Registry
• Make Everyone Data held within your ORCID Record available via our APIs
• Make Trusted Party Data held within your ORCID Record available via our APIs to ORCID Members to whom you have granted permission
• Help us operate, protect, evaluate and improve our Websites and the ORCID Registry, its features, and ORCID operations generally

Instances where ORCID may modify your Record

In limited circumstances, ORCID may proactively correct data in your ORCID Record where errors are a result of system errors, changed standards specifications, or other obviously and unambiguously correctable errors not caused by you or your Trusted Individuals or Organizations. To ensure transparency of our processes, we will post information on our Websites when we make record corrections. See the Integrity section of the ORCID Trust page for more information.

ORCID reserves the right (but shall not be required) to remove or hide from the ORCID Registry and its servers any Record Data that violates the privacy, publicity or other rights of any person, is the subject of a dispute, or for any other good cause, including without limitation, in any situation in which ORCID is advised by legal counsel that the retention or public availability of such data poses a legal risk to ORCID.

Detecting misuse of our services

We may use the information we collect to train machine learning models that detect patterns of abuse in Registry usage. We use these models, as well as manual review processes, to detect and lock ORCID Records that may be in breach of our Terms of Use or otherwise contravene our policies, such as Records for business, organizations, and advertising content. 

Locked Records are not accessible by anyone other than the Record Holder, ORCID staff and our data processors. If we lock your Record, you will be notified by email. If you believe we have locked your Record erroneously, you may contact our Helpdesk so that we can review your data and if appropriate, reactivate the Record.

Lawful basis

When you (or a Trusted Individual acting on your behalf) create or update an ORCID Record we rely primarily on your consent to process the personal data contained within your Record. Where our lawful basis for processing your personal data is consent, you can withdraw your consent for processing this information at any time, by contacting [email protected].

We also have a legitimate interest in using the information you provide to help us operate, protect, evaluate and improve the provision (and, where relevant, the public availability) of the ORCID Registry.

6.4 Contacting us

If you contact us for technical or non-technical support, for advice in accessing or using ORCID services, or for any other purpose relating to our services, we will collect some or all of the following information to enable us to address your query and respond to you.

• Your name
• Your email address(es)
• Your ORCID ID
• Your place of work or affiliations
• Your country

We may request, or you may choose to provide, other information that is necessary and relevant to your enquiry. We may also associate your Account information (e.g., name, email address, and ORCID ID) with your enquiry. If you require technical support we may also combine information we collect directly from you with automatically-collected log data collected from your use of the Websites and Registry. 

If you contact us to exercise your data protection rights, for example to request a copy of your personal data, or if you are locked out of your ORCID account and wish to regain access we may also ask for proof of identity. We do not retain this information.

Occasionally, we may use information you have provided to liaise with Member Organizations or ORCID Consortium representatives, in order to help us resolve the matter you have contacted us about or otherwise improve our services. 

Lawful basis

When you contact us for these purposes, we and you have a legitimate interest (and, for personal data-related requests, a possible legal obligation) in ensuring that we have adequate information to be able to support you and to resolve any issues. We also have a legitimate interest in being able to identify potential wider issues or concerns, in order to maintain and improve our services.

6.5 Subscribing to our optional mailing lists

In addition to our routine service messages, we offer electronic mailing lists, such as our blog update and member newsletter, to help our community keep up to date with ORCID services, news and events. To administer these mailing lists we require your name and email address.

Lawful basis

When you register for one of our optional mailing lists we rely on your consent to process the personal data you provide for this purpose, and to send any messages that constitute direct marketing.

You can withdraw your consent at any time by clicking the Unsubscribe link in any emails we send you. Withdrawing your consent will mean we will stop sending you emails from this mailing list. You can also withdraw your consent by contacting [email protected].

6.6 Acting as a contact or administrator of ORCID Consortia and Member Organizations

We process a limited amount of personal data about people who represent and act on behalf of current or prospective Member Organizations or Consortia. If you are designated as a contact person by your organization, we ask for your name, email address and phone number. To use the ORCID Member Portal we ask for your given name, family name and email address. You may choose to provide additional information in the course of your working with us in these roles. When you engage with us in this way, we may also link to other information already held about you. 

Lawful basis

When you act in such a role, we require limited information about you to perform our contract with the organization you are representing. We also have a legitimate interest in using your data to communicate with you, to help us develop and manage the relationship between ORCID and its Consortia and Member Organizations.

6.7 Applying for a grant from ORCID

ORCID offers grant programs that require the submission of a limited amount of personal data from the person making the application or registration. These are:

• Applying for a grant from our Global Participation Fund (GPF)
• Being designated as a director, officer, beneficial owner, controlling person or key staff member of a grantee organization
• Responding to our grant questionnaires and agreements

The types of data we request are listed on each submission form. You may choose to provide additional information in the course of the application or registration process.

Lawful basis

When you act in such a role we, and the organization on whose behalf you are acting, have a legitimate interest in using limited information about you to help us evaluate and respond to your application and to develop and manage the relationship between the organizations.

6.8 Registering for, attending or speaking at an ORCID-hosted event or webinar

We host webinars, events, and meetings to provide updates on ORCID, to explore topics of interest and promote our services, and to help us better understand the needs of our community.

Attending an event or webinar

If you attend an ORCID-hosted event we will ask you to register and provide your name, email address, location, role and organization. If the event is in-person we may also ask you to share any dietary requirements, restrictions or allergies. In the registration form, you will be given a link to this Policy and any other relevant information about our use of your data.   

Our online events are usually recorded, and if this is the case you will be informed when recording has begun and may leave the event if you object. We may use AI technologies to automatically generate captions and transcripts for our events, and to translate these into other languages. Before and during the event you may also have the opportunity to submit questions or provide your views and opinions. We will also ask you to provide feedback on the event.

Speaking and presenting at an event or webinar

If you speak or present at an ORCID-hosted event we will also collect information about you:

• Your name and contact information 
• Your employer
• Your photograph and short biography (if provided)
• Any personal data within your presentation and associated materials
• We may also collect information provided by attendees who evaluated the event

Lawful basis

Whether you are an attendee or a presenter, we will ask for your consent to use your data when you engage with us in these ways. We also have a legitimate interest in using your personal data to help us organize the event, facilitate your participation, to encourage engagement with the ORCID community and to improve our services and attendee experience. If you share any health-related information with us (for example, if you tell us about allergies you may have) we will ask for your explicit consent to use this information in our event planning.

6.9 Engaging with us and the ORCID community

ORCID benefits greatly from community involvement and you can choose to engage with us in a number of ways. You can contribute to our chat rooms, user groups and other online forums, respond to our surveys and questionnaires, participate in our Working Groups or become a friend of ORCID or apply to or become a board or committee member. Organizational members can also contribute to our blogs.

In each case, the personal data you choose to provide can vary, but we will generally collect your email address, name, your role and place of work or affiliation. We may also link the information you share with us to other information we already hold about you. Otherwise, you are in control over how much or how little personal data you choose to share. 

You should be aware that any information you provide in forums or similar areas may be read, collected, and used by others who access them, and that some are publicly available and/or may be delivered by third party platform providers, such as Slack, Google and GitHub. These companies provide their own privacy information, which we advise you to read. See detailed information on the data processors we use.

Lawful basis

When you engage with us in these ways, wherever possible we will seek your consent to use your personal data. We also have a legitimate interest in using your personal data to help us facilitate this engagement, to communicate with you, to encourage involvement within the ORCID community and to improve our services and user experience. 

7. Sharing your personal data

The circumstances in which Record Data and other personal data provided to us may be shared or made publicly available are set out in this section of the Policy, and in the Data storage and international transfers section below. 

We do not otherwise share your personal data. We never sell your personal data, and we do not share it with marketers or advertisers.

7.1 Publishing and distribution of ORCID Record Data

In addition to ORCID’s commitment to giving Record Holders control over their ORCID Records, we seek to support open access to ORCID information for the research community. ORCID shares with the public free of charge Everyone Data through the Registry web pages and APIs for viewing and use. Access to and use of this data is governed by our Terms of Use and membership agreements.

Annually, ORCID also releases a Public Data File, containing all Everyone Data from active ORCID Records within the ORCID Registry at the time of creation. The public has free access to the Public Data File for viewing and re-use. We share the Public Data File to ensure that all scholarly communication stakeholders, including organizations that are not ORCID Members, have broad access to what has become a vital part of the scholarly communication infrastructure. Additionally, this serves as a method to allow ORCID data to be archived in the public interest and for scientific and historical research purposes.

The Public Data File is released under a CC0 1.0 Public Domain Dedication developed by Creative Commons, in which ORCID waives all copyright and related rights it owns in the Public Data File to the extent permitted by law. Accordingly, ORCID does not impose restrictions or conditions (including those contained in our Terms of Use and membership agreements) on use of the Public Data File, but we have published recommended community norms in our Public Data File Use Policy. 

We may also share aggregated, or summarized, usage data and Record data, which may contain ORCID IDs, with our Members or others in the research community or publish information based on aggregated usage data so Members and others can understand how the ORCID Registry is being used. 

ORCID does not undertake the responsibility to police third party uses of data, and does not otherwise limit commercial use of Everyone Data by third parties or of Trusted Party Data by entities to which you (or a Trusted Individual) gives access and cannot control actual use despite these terms and suggestions. If you are a Record Holder you can block commercial re-use of your data by setting the visibility of it to Trusted Parties and by controlling to whom you grant permissions as a Trusted Organization.

7.2 Sharing data with Trusted Organizations and Trusted Individuals

Your designated Trusted Individuals have access to all of your Record Data (other than your password and Account access security information) including your Trusted Party and Only Me Data. They can add, edit and delete information on your behalf.

Your designated Trusted Organizations are able to access your Everyone Data and Trusted Party Data. Your Trusted Organizations can also access any data that you have authorized them to deposit to your Record, even if this data has a visibility setting of Only Me. Trusted Organizations cannot see Only Me data that they have not deposited.

As noted in 6.4, if you contact us, we may occasionally share information you have provided to liaise with other Member Organizations or consortia representatives, in order to help us resolve the matter you have contacted us about or otherwise improve our services.

7.3 Disputes

If there is a dispute regarding data in your Record, or if you raise a dispute as a claimant, we may share your name and email address with your permission with the other party to the dispute and / or a third party mediator, so that the dispute may be resolved according to our Dispute Procedure. The visible deposit history (i.e., what data was deposited in your record and by whom) may also be used for this purpose and we may ask you to provide additional evidence to support the factual accuracy of the data in your Record.

7.4 Legal reasons for sharing personal data

We may share your data if we need to defend against legal claims or in bankruptcy proceedings, or to meet any applicable law, regulation, legal process or other legal obligation. Additionally, we may share your data if we believe it is necessary to detect, investigate, and help prevent fraud or security issues with our services, or to protect the rights or safety of ORCID, our users, staff or others.

To the extent possible in the relevant situation, we will promptly provide information about any such disclosures to the relevant Record Holders.

If ORCID is involved in a merger, acquisition, joint venture or dissolution, we will give Record Holders notice (by posting on the ORCID Website) and the option to opt-out of the transfer, before Trusted Party and Only Me Data is transferred or becomes subject to a different privacy policy.

7.5 Data Processors

Your data will be shared with third party organizations who are engaged by ORCID to provide specific services involving the processing of personal data. These organizations are our data processors. They act on our behalf and under our instructions. 

The type(s) and amount of your data that we share with these data processors will depend on your relationship with us and use of our services. 

We have contracts in place with these data processors and they cannot do anything with your personal data unless we have instructed them to do so, or unless required by law. Our data processors for the Registry are listed here and the data processors used in the delivery of our Member Portal are listed here. To help you identify which data processors may handle your personal data, we have listed the service(s) provided by each.

8 Data storage and international transfers

ORCID’s headquarters are in the United States and this is our primary location for handling and storing your data. We have employees located in a number of countries and use a range of third party data processors who also may process personal data in different nations. As such, when you use our services we may store and otherwise process your personal data on servers located outside of the country where you originally deposited the data.

By using our Websites, Registry, mailing lists and online chat and forums, registering for ORCID events, participating in ORCID committees and other groups, applying for a grant, permitting the deposit and/or publication of personal data in the Registry, or otherwise giving us your personal data, you acknowledge that:

• Your personal data may be transferred to our facilities and those of the third parties with whom we share it as described in this Policy, and 
• Any claims of any kind that you have regarding this Policy and our processing of your personal data shall be resolved in accordance with the procedures set out in the Questions and Concerns section of this Policy.

We recognise that different countries have varying data protection laws and standards, some of which apply directly to some of our activities. We will only transfer data to countries where we are satisfied that adequate levels of protection are in place to protect that information.

8.1 Data transfers where the EU / UK GDPR applies

Where the EU or UK GDPR directly applies to personal data to be transferred to the US or another country we will ensure any potential risks have been adequately assessed and that: 

• The destination country has been deemed to provide an adequate level of protection for personal data; or,
• The transfer is subject to appropriate safeguards, specifically that standard data protection clauses (Standard Contractual Clauses, or SCCs) have been incorporated into an agreement between ORCID and the other organization; or,
• In exceptional circumstances only, one or more of the derogations set out in the GDPR can be applied. 

If you would like to know more about international data transfers affecting your personal data, please contact our Data Protection Officer at [email protected].

8.2 ORCID and the Data Privacy Framework (DPF) Program

As a non-profit organization that is not subject to the jurisdiction of the US Federal Trade Commission (FTC), ORCID is not eligible to participate in the EU–US Data Privacy Framework (DPF) Program, which was established in 2023 to provide US organizations with approved mechanisms for personal data transfers to the United States from the EU / EEA, the UK, and Switzerland. Instead, where appropriate, we use the above-mentioned SCCs as an appropriate safeguard for the transfer of personal data to the United States. 

Although we cannot formally self-certify to the DPF, each year our data protection practices are independently assessed against the EU–US Data Privacy Framework requirements. We have taken this additional verification step to demonstrate our commitment to your privacy rights. To view our current verification status you may click on the “Verified International Privacy” Seal below. (Please note, depending on your browser settings, the seal may not be visible. In this case, please click on the “TRUSTe” link instead).

8.3 Government data requests

If we are required by law, or we are served with a warrant, court order, or subpoena, we may provide your data, including Trusted and Only Me Data to regulators, enforcement agents, courts and/or other government entities. To protect the privacy interests of our users, ORCID will provide only such data as we deem necessary and lawful in the situation. To the extent allowed, we will promptly provide information about any government data requests received and accounts affected to the relevant Record Holders.

9. How long we keep your data

If you are a Record Holder, we will retain your Record Data until and unless you deactivate your Record, or as needed to provide you services, including reactivation of your Account, and to help ORCID analyze data for our own operations. 

If you deactivate your Record, we will delete all of your Record Data other than your ORCID iD and a cryptographically hashed form of your email address(es). We retain your ORCID iD, marked as deactivated and with no personal data attached, to ensure your former identifier is not reassigned to someone else. We maintain a non-reversible, cryptographically hashed form of your email address, to allow you to re-claim your identifier in the future if you choose to do so. This also enables us to fulfill any legal obligation to keep a record of your request to be removed from our system. (Note that some residual copies of data may take a period of time before they are deleted from our active servers and may remain in our backup systems and log files.)

Record Data that has been published in the Public Data File (see 7.1) is retained permanently and cannot be deleted. 

For all other uses of personal data as described in this Policy, we retain information in line with our Document Retention Policy, and for no longer than necessary for the purpose(s) for which we process the data.  When personal data is no longer required we ensure it is securely deleted from our systems and from the systems of our data processors, in line with our agreements with them.

We will otherwise retain and use your information as long as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

For further information on our records retention, please contact our Data Protection Officer at [email protected].

10. Automated decision making and profiling

As noted in section 6.3 of this Policy, we use the information we collect about ORCID Records to train machine learning models that detect patterns of abuse in Registry usage and this may result in ORCID Records being locked. While this activity constitutes automated processing, we will always manually review any locked records upon request. If you think a Record has been wrongly locked please contact our Helpdesk.

11. Sensitive personal data

Aside from the allergy (and potentially dietary) information mentioned in section 6.8, ORCID does not require nor intentionally collect or process sensitive personal data, that is, the ‘special categories’ of data listed in the GDPR, criminal offense or convictions data.

Any disclosure of sensitive personal data by those attending in-person events is purely optional and based on your consent, which you can withdraw at any time by contacting our Data Protection Officer at [email protected].

12. Children

ORCID provides general audience Websites and does not offer services directed to children. Should a child whom we know to be under 16 send personal data to us, we will delete that information immediately. 

If you are under 16 years old, please do not share any personal data with us, even if prompted by the Websites to do so. If you think you have provided personal data to us, please ask your parent(s) or guardian(s) to notify our Helpdesk and we will delete all such information about you.

13. Confidentiality and security of your data

We are committed to protecting the confidentiality of the personal data we process and use a range of technical and organizational measures to ensure its security. We have published separate information outlining some of the security measures we take. If you would like to know more, or have any questions about security on our Websites, please contact our Helpdesk.

14. Questions and Concerns

If you have any questions, comments, complaints or requests regarding this Policy or our data protection practices, please contact our Data Protection Officer by email in the first instance at [email protected]. You can also write to us, addressing your letter to the Data Protection Officer, ORCID Inc., 10411 Motor City Drive, Suite 750, Bethesda MD 20817, USA.

14.1 Escalation process

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our US-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

If you are not able to resolve your concerns through ORCID’s internal mechanism or escalation process, arbitration as described below will be your final and exclusive recourse for dispute resolution, unless otherwise provided by local data protection law, in which case you may also have recourse through your data protection authority.

15. Other terms

15.1 Governing law

This Policy is governed by and any disputes shall be resolved under the laws of the State of New York (United States), without giving effect to its conflict of laws principles.

15.2 Translations

Translations of this policy are provided on our website only for the convenience of users. In case of any divergence in the interpretation of this policy, the English version shall prevail.

16. Changes to this Policy

We may change our Policy from time to time, to reflect changes in our practices or to comply with changes in applicable law or regulatory requirements. 

We will post any changes to this Policy on this page and encourage you to check this page regularly to keep informed. If you would like to view our previous Privacy Policies, you can contact our Data Protection Officer at [email protected]. 

If, in our discretion, we think that any changes are significant, we will take additional steps to inform you where reasonably possible (for example, by posting a notice of changes on our Websites and/or Registry homepage and/or by sending you an email to inform of such changes) and, where required by applicable law, to obtain your consent.

17. Additional privacy information

Links to other websites and services: Our Websites and Registry may contain links to and from sites maintained by third parties. This Policy does not cover your activities on those sites, any information you may provide to those sites, or information that may be collected about you by those sites. We recommend you read the privacy notices or policies of these sites.