Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

20200429_Research Data & the GDPR: How Open is Open? (updated version)

Presentation by Prodromos Tsiavos (Senior Legal Advisor - ARC/ Director - Onassis Group) as delivered during the OpenAIRE Legal Policy Webinar series on April 29th 2020.
More information and recordings: https://www.openaire.eu/item/openaire-legal-policy-webinars

  • Soyez le premier à commenter

  • Soyez le premier à aimer ceci

20200429_Research Data & the GDPR: How Open is Open? (updated version)

  1. 1. Open Science & GDPR Basic Concepts and Cases Dr. Prodromos Tsiavos ARC/ ΟpenAIRE https://www.athena-innovation.gr/ptsiavos@imis.athena-innovation.gr
  2. 2. Open Science and GDPR 1. What is GDPR 2. Key DP structure 3. The setting 4. How is scientific research defined 5. Purpose 6. Legal Basis 7. Exercising data subject rights 8. Cases
  3. 3. What is GDPR? Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) 1
  4. 4. Key DP structure Personal Data Type of processing Purpose Legal Basis Be careful with special categories (sensitive) of personal data Make sure that the legal basis covers purpose and personal data 2
  5. 5. The setting Research within an RPO: check legal and ethics framework EU or other collaborative projects: Ethics and Data Protection Requirements National Law 3rd countries Call conditions Tenders Are you a data processor or (co)controller)? Who is the DPO? Have you passed from an Ethics Committee? 3
  6. 6. How is scientific research defined Sources: - Recitals: 26, 33, 50, 52, 53, 62, 65, 113, 156, 157, 159, 160, 161, 162 - Relevant articles: 5(1)(b), (e), 89 (1), (2), (3), 9(j), 14(5)(b), 17(3)(d), 21(6), 89 Most important article: - Art. 89 4
  7. 7. Defining Scientific Research I: Definitions • It falls under the broader public interest legal basis • Could be a form of further processing • Need to be subject to appropriate safeguards • Technical and organizational measures are in place • Focus on data minimization • Means: pseudonymization (without affecting research objectives)
  8. 8. Defining Scientific Research II: Special Categories • It falls under the broader public interest legal basis • In relation to special categories of data (art.9), the processing: • shall be proportionate to the aim pursued • needs to respect the right to data protection • needs to provide suitable and specific measures to safeguard the fundamental rights and interests of the data subject
  9. 9. The purpose Possible purposes: Overall: scientific research (art. 89 GDPR) Specific type of research Further use/ exploitation What happens when the purpose changes over time? Legal basis? Am I covered by the legal basis? 5
  10. 10. Legal Basis Mostly forms of public interest (regular research) Contract (tender) Consent (specific research) 6
  11. 11. • Vital Interest • Public Interest • Legal Obligation • Contract • Consent • Legitimate Interest No discretion discretion Decision: both parties Decision: data controller
  12. 12. Trace the life cycle Follow the data Different types of data processing may have different purposes and legal bases Always stay within the legal basis
  13. 13. Data management plan (processing/ purposes/ legal basis) Data collection - From the data subject - From 3rd party - From publicly available sources Data Management - Read - Write (update/ improve/ enrich) - Preservation - Erasure - Access Data Sharing - 3rd Parties - Data processor - Further use - Subject - Publishing Purpose Α Legal Basis Α Purpose C Legal Basis C Purpose D Legal Basis D Purpose Β Legal basis Β
  14. 14. Exercising data subject rights Limitation of rights of the data subject (arts. 14(5)/17(3)/ 21(6) GDPR)) Scientific research/ statistical purposes/ archiving Public interest Technical and organizational measures (mostly pseudonymization) Condition: “it is likely to render impossible or seriously impair the achievement of the objectives of that processing” Notices (proactive data subject information) 7
  15. 15. Limitations to data subject’s rights: (I) information • Information to be provided where personal data have not been obtained from the data subject (art. 14(5)(b) • Researchers are exempt when: • The provision of such information proves impossible or would involve a disproportionate effort • Such obligations would render impossible or seriously impair achievement of the objectives of scientific research • The controller takes appropriate measures to protect the data subject’s legitimate interests
  16. 16. Limitations to data subject’s rights: (II) erasure • Right to erasure (‘right to be forgotten’) (art. 17(3)(d) • Researchers are exempt when: • Such obligations would render impossible or seriously impair achievement of the objectives of scientific research
  17. 17. Limitations to data subject’s rights: (III) objection • Right to object (art. 21(6) • Researchers are exempt when: • the processing is necessary for the performance of a task carried out for reasons of public interest.
  18. 18. Limitations to data subject’s rights: (IV) Member States Derogations • Member State derogations in relation to data-subject rights: • Right of access by the data subject (art.15) • Right to rectification (art.16) • Right to restriction of processing (art.18) • Right to object (art.21) • In terms of Open content: the re-users are covered by these exceptions only to the degree they are also engaging in scientific research
  19. 19. Some cases • Harvesting personal data from publicly available sources • Data sharing with 3rd countries (international collaborations) • Initial collection for legitimate interest – secondary research use – notification process - objection process • Balancing reuse of research data and the GDPR principles of accuracy and data minimization • Health data and GDPR protection 8
  20. 20. Cases • Harvesting personal data from publicly available sources • Data sharing with 3rd countries (international collaborations) • Initial collection for legitimate interest – secondary research use – notification process - objection process • Balancing reuse of research data and the GDPR principles of accuracy and data minimization • Health data and GDPR protection 8
  21. 21. Cases • Harvesting personal data from publicly available sources • Check the original purpose of processing • Check the original legal basis for processing • It is a form of allowed further processing (art.5(b)) • Need to provide the following information to the data subject (art.14(1),(2)): 1. the identity and the contact details of the controller and, where applicable, of the controller's representative 2. the contact details of the data protection officer, where applicable; 3. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; 4. The categories of personal data concerned; 5. The recipients or categories of recipients of the personal data, if any; 6. When there is data transfer to 3rd countries, reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available. 7. from which source the personal data originate, and if applicable, whether it came from publicly accessible sources; 8a
  22. 22. Cases • Conditions for further processing (arts.6(4)) + 13(3) + 14(4) + 89(1)): 1. Legal basis Consent; or 2. Legal obligations (by Member States); or 3. There is a new legal basis; or 4. Examine whether further processing is compatible with the purpose for which the personal data were original collected: 1. What is the link between original and further processing 2. Context 3. If special categories exist and how they are protected 4. Consequences for the data subjects 5. Safeguards (e.g. encryption and pseudonymization) 5. When information is collected by the data-subject or third party, inform the data subject regarding the further processing (prior to it) and any other relevant information (art.13(3) and art.14(4)) 6. Pseudonymize (if it is for research) art. 89(1) 8b
  23. 23. Cases Transfers to 3rd countries • Items: • Conditions (contract or legal act) art.28 • Notifications and notices (data subject rights information – access ) (arts.13(1)(f), 14(1)(f), 15(1), (2)) • Keep records (art.30) • Use of Codes of Conduct (art.40) • Explore certification schemes, seals and marks (art.42(2)) • See entire Chapter V (arts.44-50) • Adequacy decision • Appropriate Safeguards • Binding corporate rules • Authorization by Union Law • See EC Standard Contractual Clauses (SCC) • Standard contractual clauses for data transfers between EU and non-EU countries. 8c
  24. 24. Cases Initial collection for legitimate interest – secondary research use – notification process - objection process • Form of further processing • Need to notify the data subject • Include all notification principles of art.14 • There needs to be a clear opt-out/ objection process in the notification document: • URL for automated opt-out • At least email • Always documented and confirmed 8d
  25. 25. Cases Further processing and accuracy – minimization • Adhere to all conditions of further processing • Remain accurate through notices and notification • Use only what is needed for the research purpose • Erase data once the required processing is over (or retain data under archiving purposes) 8e
  26. 26. Cases Health data and GDPR - Special category of data (art.9) - Form of Further Processing - Emphasis on the legal basis 8f
  27. 27. q a ptsiavos@imis.athena-innovation.gr

×