Karim is a German team leader preparing a project. He does not need data about people for research, therefore the European data privacy legislation that protects citizens’ rights, namely the General Data Protection Regulation (GDPR), does not apply in this situation.
Alexandre is a French team leader preparing a project. For his research project, he needs data about people but not precise ones: it is sufficient for him to have individual data that do not link with anything else. Thus, he opts for anonymized data where all the personal identifiers are removed. No legal basis for such data processing is needed.
Sara and Anna are Italian co-leaders preparing a project. For their research project, they need reliable data about people, but not the link to their personal data. So, they need pseudonymised data, since personal data about people are replaced by a combination of characters and kept separately.
Monica is Sara and Anna’s colleague, and she needs to see both data about people and linkable pseudonyms and to have direct access to their personal data.
Sara, Anna, and Monica are processing data for their scientific purpose, and so they are subject to European data privacy legislation that protects citizens’ rights, namely the GDPR.
Sara, Anna, and Monica belong to a Research Center: their institution is the data controller, because it determines the purpose and means of personal data processing, while Sara, Anna, and Monica act as responsible people on behalf of their institution.
Before research can be performed, Sara, Anna, and Monica have to address the Research Ethics Committee (REC), a panel of experts and independent bodies, which shall give the approval to the purpose and source of their research project.
Sara and Anna are not receiving data from another institution, while Monica does.
Sara wants to use data that were already collected for another purpose since she wants to conduct a retrospective study. In this case, the REC will conduct a compatibility test to check if the purpose of Sara’s project is compatible with the initial purposes for which data were collected. If the Committee does not find compatibility, the processing for Sara’s project will not be allowed. If the data were initially collected on the basis of a consent form, the Committee will evaluate if it is possible to modify the informed consent and retake it from people; otherwise, Sara will have to reconsider her project and purpose. If the REC verifies that the purpose of Sara’s project is compatible with the initial purpose of collection, it will allow Sara’s project to continue.
Sara does not want to transfer data further. So, she can proceed to prepare data capture and she must show to the REC the study design, the data management plan, and the documents given to people for collecting their data. More precisely, Sara has to demonstrate that an informed consent form to participate in the study and an information sheet with the legal basis for processing data have been provided to people and have been explained to and collected from them. The Data Management plan should include activity records and all the indications about access control, log-in, backup, network security. Moreover, a Data Processing Impact Assessment (DPIA) should be done, in order to analyse, identify and minimise the data protection risks of the project. It should be presented before the REC too and, if the residual risk is low, the project is ready to be approved. If the risk is too high, the project shall be reshaped.
Differently from Sara, Anna does not want to use data that were already collected for another purpose. So, if the REC approves purposes and sources, Anna can continue with the research project preparation. She must show to the REC the study design, the data management plan, and the documents given to people for collecting their data. As for Sara, a DPIA should be done, in order to analyse, identify and minimise the data protection risks of the project. It should be presented before the REC too and, if the residual risk is low, the project is ready to be approved. If the risk is too high, the project shall be reshaped.
If Sara and Anna wanted to transfer data to a third party, they would have to apply the same procedure that Monica who is receiving data from another institution shall follow. Namely, the role of Monica’s team as a partner of another institution that is providing data shall be clearly defined. If Monica defines the purpose of data collection on her own, it is qualified as a Controller and so it shall sign a Controller-Controller Agreement or Consortium agreement with the party providing data since both the parties are controllers. If the party providing data is defining the purposes of collection, Monica’s team is a Processor and so a Data Processing Agreement regulating the relationship between the Controller and the Processor should be signed. The same will occur if Sara and Anna want to transfer data to a third party: it shall be understood if Sara’s or Anna’s teams act as a Controller or as a Processor.
If the data transfer occurs within the EU or among EEA countries or third countries or international entities for which the European Commission has enacted an adequacy decision stating that the third party in question ensures an adequate level of protection, no further authorization is needed by a supervisory authority. The transfer is performed on the basis of a contract between the Parties, a Controller-Controller Agreement or Consortium Agreement if the parties are controllers, or a Data Processing Agreement if one of the parties is a Processor.
Instead, if the transfer occurs towards or from third countries outside the EU for which there is no adequate decision, the transfer is allowed only if the controller or processor has provided appropriate safeguards and if data subjects’ rights are respected. No authorization from the competent supervisory authority is needed if safeguards are provided for by binding instrument between authorities, binding corporate rules approved by the competent supervisory authority, standard data protection clauses adopted by the Commission or by a supervisory authority and approved by the Commission, an approved code of conduct or an approved certification of GDPR compliance issued by the supervisory authority or by a national accreditation body.
Finally, authorization from the competent supervisory authority is needed in case that the appropriate safeguards are given by (non-EC standard) contractual clauses between the parties and administrative arrangements between public authorities.
