Does ORCID provide any supplemental measures in the transfer of personal data from the EU to the US?
Yes, in addition to the safeguards discussed above, ORCID incorporates the following supplementary measures to address data protection.
Data Subject Control. Users are provided with a high amount of transparency and control related to the information shared with ORCID and other users or member organizations. ORCID has taken actions to minimize the amount of personal data needed to establish an ORCID record, requiring only a first name and email address. In addition, ORCID makes it clear that its tools and services provide users with control over registration, what is connected to an iD, and who can access user information.
Third-Party Processor Agreements. ORCID enters into agreements with its processors that incorporate data privacy and security provisions. Prior to entering into agreements with processors, ORCID conducts due diligence that addresses privacy and security components. To conduct this due diligence, ORCID first determines whether or not the third-party provider will have access to and/or receive copies of any Personal Data. If the answer is yes, then ORCID moves forward with negotiating a data processing agreement that aligns with the requirements of the GDPR and any other applicable data protection requirements.
Data Encryption. ORCID implements reasonable encryption measures for all data at rest and in transit. Further, all back-ups are encrypted.
Technical and Organizational Measures. ORCID implements a variety of security controls to support the secure management of its databases and infrastructure. These security controls include security patch management; system access monitoring; audit logging; access control; and change control mechanisms. Additionally, ORCID maintains an incident response plan as well as a disaster and data recovery process.