General Data Protection Regulation – GDPR

What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR), which is enforced starting May 25th 2018, creates consistent data protection rules across Europe. It applies to organizations that are based in the EU and to global organizations that process personal data about individuals in the EU.

While many of the principles are similar to prior EU data protection rules, the GDPR has a wider scope, more prescriptive standards, and substantial fines.

What is labfolder’s position on the GDPR?

Data protection is built into labfolder’s product and company culture. We comply with current EU data protection law, and have completed GDPR compliance preparations. labfolder is committed to keeping its Privacy Policy, which explains how we process people’s personal data, up to date and continuously accessible to all. We will also continue to provide people with control over how their data is used.

Information for Organizations

Organizations that use labfolder’s software to manage their research data can continue to use labfolder’s platform in the same way they do today. Each company is responsible for ensuring its own compliance with the GDPR, just as it is responsible for compliance with other laws that apply to it.

Key Legal Bases

Under GDPR, there are a number of grounds to legitimize the processing of personal data. Below, we’ve outlined the most relevant legal bases under the GDPR.

Contractual Necessity

  • Data processed must be necessary for the Service and defined in the contract with the individual

Consent

  • Requires a freely given, specific, informed and unambiguous consent by clear affirmative action
  • People have a right to withdraw consent, which must be brought to their attention
  • Must be from a person over the age of consent specified in that Member State, otherwise given by or authorised by a parent / guardian
  • Explicit consent is required for some processing (e.g., special categories of personal data)

Legitimate Interests

  • Applies if a business or a third party has legitimate interests which are not overridden by individuals’ rights or interests
  • Processing must be paused if an objection is raised by an individual

Is labfolder a Data Controller or a Data Processor?

It depends on the circumstance. Here are the most common use cases that apply to labfolder:

    1. When you visit our website, get in touch with labfolder or create a labfolder account, labfolder acts as the data controller. The data processor varies depending on
    2. When your organization uses labfolder’s Cloud version of our electronic lab notebook, labfolder is the data processor and the organization is the data controller. For some data points (usage information) labfolder may also be considered the data controller.
    3. When your organization uses labfolder’s Server version of our electronic lab notebook, labfolder is neither the controller nor the processor.

Data Controller

You are the data controller when you decide the ‘purposes’ and ‘means’ of any processing of personal data.

  • Similar to what’s already in place for data protection law today, data controllers will have to adopt compliance measures that cover how data is collected, what it is being used for and how long it is being retained, and that ensure people have a right to access the data held about them.

Data Processor

You are the data processor when you process personal data on behalf of a data controller. Certain obligations now apply directly to data processors, and controllers must bind them to certain contractual commitments to ensure data is processed safely and legally.

When labfolder is processing data as a data processor acting on your behalf, your organization needs to have its own legal basis to process and share the data with us.

Services as data processor

Where labfolder provides services to our EU partners as a data processor on their behalf, we’ll ensure that we comply with the specific requirements for data processors. This means that, as relevant, we’ll refresh any necessary contractual obligations to align with the GDPR.
Where we appoint parties to act as data processor on our behalf, we’ll also ensure that we have appropriate terms in place to comply with our requirements under GDPR and safeguard our data.
Where we act as a data processor on an organization’s behalf, we will be relying on our customer’s legal basis as data controller for our processing of such data.