20200504_Research Data & the GDPR: How Open is Open?

Presentation by Prodromos Tsiavos (Senior Legal Advisor - ARC/ Director - Onassis Group) as delivered during the OpenAIRE Legal Policy Webinar series on May 4th 2020.
More information and recordings: https://www.openaire.eu/item/openaire-legal-policy-webinars

  1. Open Science & GDPR: Basic Concepts and Cases. Dr. Prodromos Tsiavos, Senior Legal & Policy Adviser, ARC / OpenAIRE. https://www.athena-innovation.gr/ ptsiavos@athenarc.gr
  2. Open Science and GDPR (agenda): 1. What is the GDPR; 2. Key data protection structure; 3. The setting; 4. How scientific research is defined; 5. Purpose; 6. Legal basis; 7. Exercising data subject rights; 8. Cases.
  3. What is the GDPR? Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  4. Key data protection structure: personal data, type of processing, purpose, legal basis. Be careful with special categories (sensitive) of personal data. Make sure that the legal basis covers both the purpose and the personal data being processed.
  5. The setting. Research within a research performing organisation (RPO): check the legal and ethics framework. In EU or other collaborative projects, check the work packages (WPs) for who is processing what and why: ethics and data protection requirements apply at the point/WP of processing. Also consider national law, third countries, call conditions (e.g. an ethics report or DPIA) and tenders. Are you a data processor or a (co-)controller? Who is the DPO in the project (check the Consortium Agreement and the Grant Agreement)?
  6. How scientific research is defined. Sources: Recitals 26, 33, 50, 52, 53, 62, 65, 113, 156, 157, 159, 160, 161, 162; relevant articles 5(1)(b), 5(1)(e), 89(1), (2), (3), 9(2)(j), 14(5)(b), 17(3)(d), 21(6). Most important article: art. 89.
  7. Defining scientific research I: definitions
     • It falls under the broader public interest legal basis (though this is not the only possible legal basis)
     • It could be a form of further processing (e.g. when obtaining data from a public source or from the government)
     • It needs to be subject to appropriate safeguards
     • Technical and organisational measures must be in place
     • Focus on data minimisation (use only the data that is necessary)
     • Means: pseudonymisation (provided it does not defeat the research objectives)
  8. Defining scientific research II: special categories
     • In relation to special categories of data (art. 9), the processing:
     • shall be proportionate to the aim pursued
     • needs to respect the essence of the right to data protection
     • needs to provide suitable and specific measures to safeguard the fundamental rights and interests of the data subject
  9. The purpose. Possible purposes: overall, scientific research (art. 89 GDPR); a specific type of research; further use/exploitation. What happens when the purpose changes over time? Does the legal basis change with it (e.g. from public task to consent: collection by a public hospital, secondary use by researchers)? Am I still covered by the legal basis?
  10. Legal basis. Mostly forms of public interest (needs to be specifically documented per institution and per research project); contract (tender); consent (for a specific research purpose). The basis could change from collection, to retention, to sharing. There always needs to be one covering the purpose of the processing.
  11. Legal bases by degree of controller discretion (diagram on the slide): vital interest, public interest and legal obligation (no discretion); contract and consent (discretion; decision taken by both parties); legitimate interest (discretion; decision taken by the data controller).
  12. Trace the life cycle. Follow the data (use the DMP as your backbone). Different types of data processing may have different purposes and legal bases. Always stay within the legal basis.
  13. Data management plan (processing / purposes / legal basis)
     • Data collection: from the data subject; from a third party; from publicly available sources
     • Data management: read; write (update / improve / enrich); preservation; erasure; access
     • Data sharing: third parties; data processor; further use; the subject; publishing
     Worked mapping on the slide (purpose, controller, legal basis): Purpose A, Public Hospital, Public Interest A; Purpose B, Research Performing Organisation, Public Interest B; Purpose C, Research Performing Organisation, Legal Obligation; Purpose D, Research Performing Organisation, Consent.
  14. Exercising data subject rights. Limitation of the rights of the data subject (arts. 14(5), 17(3), 21(6) GDPR) for scientific research / statistical purposes / archiving in the public interest, subject to technical and organisational measures (mostly pseudonymisation). Condition: the exercise of the right "is likely to render impossible or seriously impair the achievement of the objectives of that processing". Use notices (proactive data subject information).
  15. Limitations to data subject rights (I): information
     • Information to be provided where personal data have not been obtained from the data subject (art. 14(5)(b))
     • Researchers are exempt when:
     • the provision of such information proves impossible or would involve a disproportionate effort
     • such obligations would render impossible or seriously impair the achievement of the objectives of the scientific research
     • the controller takes appropriate measures to protect the data subject's legitimate interests
  16. Limitations to data subject rights (II): erasure
     • Right to erasure ("right to be forgotten") (art. 17(3)(d))
     • Researchers are exempt when such obligations would render impossible or seriously impair the achievement of the objectives of the scientific research
  17. Limitations to data subject rights (III): objection
     • Right to object (art. 21(6))
     • Researchers are exempt when the processing is necessary for the performance of a task carried out for reasons of public interest
  18. Limitations to data subject rights (IV): Member State derogations
     • Member State derogations (art. 89(2)) in relation to data subject rights:
     • right of access by the data subject (art. 15)
     • right to rectification (art. 16)
     • right to restriction of processing (art. 18)
     • right to object (art. 21)
  19. Cases
     • Harvesting personal data from publicly available sources
     • Data sharing with third countries (international collaborations): model licences
     • Initial collection under legitimate interest, secondary research use, notification process, objection process
     • Balancing reuse of research data against the GDPR principles of accuracy and data minimisation
     • Health data and GDPR protection
     • Data sharing codes of conduct
     • GDPR application for small projects
  20. Cases: harvesting personal data from publicly available sources
     • Check the original purpose of processing
     • Check the original legal basis for processing
     • It is a form of permitted further processing (art. 5(1)(b))
     • Need to provide the following information to the data subject (art. 14(1), (2)):
       1. the identity and contact details of the controller and, where applicable, of the controller's representative;
       2. the contact details of the data protection officer, where applicable;
       3. the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;
       4. the categories of personal data concerned;
       5. the recipients or categories of recipients of the personal data, if any;
       6. where there is a data transfer to a third country, reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available;
       7. the source from which the personal data originate and, if applicable, whether they came from publicly accessible sources.
  21. Cases: conditions for further processing (arts. 6(4), 13(3), 14(4) and 89(1))
     1. Consent as the legal basis; or
     2. a legal obligation (under Union or Member State law); or
     3. there is a new legal basis; or
     4. examine whether the further processing is compatible with the purpose for which the personal data were originally collected:
        1. what is the link between the original and the further processing;
        2. the context of collection;
        3. whether special categories are involved and how they are protected;
        4. the consequences for the data subjects;
        5. the safeguards in place (e.g. encryption and pseudonymisation).
     5. Whether the data were collected from the data subject or from a third party, inform the data subject about the further processing, before it starts, together with any other relevant information (art. 13(3) and art. 14(4)).
     6. Pseudonymise if the further processing is for research (art. 89(1)).
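Pseudonymisation is the safeguard the deck points to for art. 89(1) (slides 7, 14 and 21). What follows is an added illustration, not part of the presentation and not the speaker's material: it pseudonymises a constructed set of hospital records with a keyed HMAC so that the research copy carries no direct identifiers while the controller keeps a separate linkage table (the "additional information" that art. 4(5) requires to be held separately), handles an art. 17 erasure through that table, and shows why an unkeyed hash of a short identifier is not adequate pseudonymisation. The field names, the sample records, the key-handling layout and the helper names are assumptions of the example.

```python
"""Pseudonymisation for secondary research use (illustrative, added example).

Assumed layout: the controller (e.g. the hospital) holds the secret key and the
linkage table; the research performing organisation receives only the
research set. A keyed HMAC is used so that the same person maps to the same
pseudonym across visits (longitudinal linkage still works) while nobody
without the key can recompute or reverse the pseudonym.
"""
import hashlib
import hmac
import secrets

# Constructed sample data: hypothetical records, not real people.
HOSPITAL_RECORDS = [
    {"national_id": "AB123456", "name": "Alice Example", "email": "alice@example.org",
     "birth_year": 1980, "diagnosis_code": "E11", "visit_year": 2019},
    {"national_id": "CD234567", "name": "Bob Example", "email": "bob@example.org",
     "birth_year": 1975, "diagnosis_code": "I10", "visit_year": 2019},
    {"national_id": "EF345678", "name": "Carol Example", "email": "carol@example.org",
     "birth_year": 1990, "diagnosis_code": "E11", "visit_year": 2020},
    {"national_id": "AB123456", "name": "Alice Example", "email": "alice@example.org",
     "birth_year": 1980, "diagnosis_code": "E11", "visit_year": 2020},
]

# Fields that identify a person directly and must never reach the research set.
DIRECT_IDENTIFIERS = ("national_id", "name", "email")
# Data minimisation: only the fields the research purpose actually needs.
RESEARCH_FIELDS = ("birth_year", "diagnosis_code", "visit_year")


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed pseudonym of a direct identifier (HMAC-SHA256, truncated)."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:24]


def pseudonymise(records, key: bytes, research_fields=RESEARCH_FIELDS):
    """Return (research_set, linkage_table).

    research_set: records with direct identifiers replaced by a pseudonym.
    linkage_table: pseudonym -> original identifier, kept by the controller
    and stored separately from the research set.
    """
    research_set = []
    linkage_table = {}
    for rec in records:
        p = pseudonym(key, rec["national_id"])
        linkage_table[p] = rec["national_id"]
        research_set.append({"pseudonym": p, **{f: rec[f] for f in research_fields}})
    return research_set, linkage_table


def contains_direct_identifiers(records) -> bool:
    """Check to run before any research copy leaves the controller."""
    return any(f in rec for rec in records for f in DIRECT_IDENTIFIERS)


def erase_subject(research_set, linkage_table, key: bytes, identifier: str):
    """Handle an erasure request (art. 17) via the controller-held key.

    Removes the subject's rows from the research set and drops the linkage
    entry; returns the reduced research set (linkage_table is updated in place).
    """
    p = pseudonym(key, identifier)
    linkage_table.pop(p, None)
    return [r for r in research_set if r["pseudonym"] != p]


def unkeyed_hash_is_guessable(identifier: str, candidate_ids) -> bool:
    """Why a plain hash is not enough: identifiers with a small value space
    can be recovered by hashing every candidate and comparing."""
    target = hashlib.sha256(identifier.encode("utf-8")).hexdigest()
    return any(hashlib.sha256(c.encode("utf-8")).hexdigest() == target
               for c in candidate_ids)


def keyed_hash_is_guessable(key: bytes, identifier: str, candidate_ids,
                            attacker_keys) -> bool:
    """The same guessing attack against the keyed pseudonym: without the
    controller's key the attacker also has to guess the key."""
    target = pseudonym(key, identifier)
    return any(pseudonym(k, c) == target for k in attacker_keys for c in candidate_ids)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the controller only
    research_set, linkage_table = pseudonymise(HOSPITAL_RECORDS, key)
    assert not contains_direct_identifiers(research_set)
    for row in research_set:
        print(row)
    research_set = erase_subject(research_set, linkage_table, key, "AB123456")
    print(len(research_set), "rows remain after erasure")
```

The research organisation never receives the key or the linkage table, so for it the data are pseudonymised; for the controller, which can relink them, they remain personal data and all the obligations above still apply. Rotating the key or destroying the linkage table at the end of the project is what turns the research copy into data the controller itself can no longer attribute to a person.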
  22. Cases: transfers to third countries
     • Conditions (contract or other legal act) for processors (art. 28)
     • Notifications and notices (data subject information and access rights: arts. 13(1)(f), 14(1)(f), 15(1), (2))
     • Keep records of processing (art. 30)
     • Use of codes of conduct (art. 40)
     • Explore certification schemes, seals and marks (art. 42(2))
     • See the whole of Chapter V (arts. 44-50): adequacy decision; appropriate safeguards; binding corporate rules; authorisation by Union law
     • See the European Commission Standard Contractual Clauses (SCC): standard contractual clauses for data transfers between EU and non-EU countries
  23. Cases: initial collection under legitimate interest, secondary research use, notification process, objection process
     • A form of further processing
     • Need to notify the data subject, including all the notification elements of art. 14
     • There needs to be a clear opt-out / objection process in the notification document: a URL for automated opt-out, or at least an email address; every objection documented and confirmed
  24. Cases: further processing, accuracy and minimisation
     • Adhere to all conditions of further processing
     • Remain accurate through notices and notifications
     • Use only what is needed for the research purpose
     • Erase data once the required processing is over (or retain them for archiving purposes under art. 89)
  25. Cases: health data and the GDPR
     • Special category of data (art. 9)
     • A form of further processing
     • Emphasis on the legal basis
  26. Cases: data sharing codes of conduct
     • ICO (UK): https://ico.org.uk/media/for-organisations/documents/1068/data_sharing_code_of_practice.pdf
     • OECD: http://www.oecd.org/gov/ethics/ethicscodesandcodesofconductinoecdcountries.htm
  27. Cases: personal data in small projects (the "Excel spreadsheet" case)
     • Specify your research purpose and define the data range
     • Specify and document the legal basis
     • Manage and document consent
     • Use the DMP as your backbone
     • Consult your Ethics Committee and DPO
  28. Q & A. ptsiavos@athenarc.gr