20200429_Research Data & the GDPR: How Open is Open? (updated version)

OpenAIRE
OpenAIREOpenAIRE
Open Science & GDPR
Basic Concepts and Cases
Dr. Prodromos Tsiavos
ARC/ ΟpenAIRE
https://www.athena-innovation.gr/ptsiavos@imis.athena-innovation.gr
Open Science and GDPR
1. What is GDPR
2. Key DP structure
3. The setting
4. How is scientific research defined
5. Purpose
6. Legal Basis
7. Exercising data subject rights
8. Cases
What is GDPR?
Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of
such data, and repealing Directive 95/46/EC (General Data Protection
Regulation)
1
Key DP structure
Personal Data
Type of processing
Purpose
Legal Basis
Be careful with
special categories
(sensitive) of
personal data
Make sure that the
legal basis covers
purpose and
personal data
2
The setting
Research within an RPO: check legal and ethics framework
EU or other collaborative projects:
Ethics and Data Protection Requirements
National Law
3rd countries
Call conditions
Tenders
Are you a data processor or (co)controller)?
Who is the DPO?
Have you passed from an Ethics Committee?
3
How is scientific research defined
Sources:
- Recitals: 26, 33, 50, 52, 53, 62, 65, 113, 156, 157, 159, 160, 161, 162
- Relevant articles: 5(1)(b), (e), 89 (1), (2), (3), 9(j), 14(5)(b), 17(3)(d), 21(6), 89
Most important article:
- Art. 89
4
Defining Scientific Research I: Definitions
• It falls under the broader public interest legal basis
• Could be a form of further processing
• Need to be subject to appropriate safeguards
• Technical and organizational measures are in place
• Focus on data minimization
• Means: pseudonymization (without affecting research objectives)
Defining Scientific Research II: Special Categories
• It falls under the broader public interest legal basis
• In relation to special categories of data (art.9), the processing:
• shall be proportionate to the aim pursued
• needs to respect the right to data protection
• needs to provide suitable and specific measures to safeguard the
fundamental rights and interests of the data subject
The purpose
Possible purposes:
Overall: scientific research (art. 89 GDPR)
Specific type of research
Further use/ exploitation
What happens when the purpose changes over time?
Legal basis?
Am I covered by the legal basis?
5
Legal Basis
Mostly forms of public interest (regular research)
Contract (tender)
Consent (specific research)
6
• Vital Interest
• Public Interest
• Legal Obligation
• Contract
• Consent
• Legitimate Interest
No discretion
discretion
Decision: both parties
Decision: data controller
Trace the life cycle
Follow the data
Different types of data processing may have different purposes and legal bases
Always stay within the legal basis
Data management plan
(processing/ purposes/ legal basis)
Data collection
- From the data
subject
- From 3rd party
- From publicly
available sources
Data Management
- Read
- Write (update/
improve/ enrich)
- Preservation
- Erasure
- Access
Data Sharing
- 3rd Parties
- Data processor
- Further use
- Subject
- Publishing
Purpose Α
Legal Basis Α
Purpose C
Legal Basis C
Purpose D
Legal Basis D
Purpose Β
Legal basis Β
Exercising data subject rights
Limitation of rights of the data subject (arts. 14(5)/17(3)/ 21(6) GDPR))
Scientific research/ statistical purposes/ archiving
Public interest
Technical and organizational measures (mostly pseudonymization)
Condition: “it is likely to render impossible or seriously impair the achievement of
the objectives of that processing”
Notices (proactive data subject information)
7
Limitations to data subject’s rights:
(I) information
• Information to be provided where personal data have not been obtained
from the data subject (art. 14(5)(b)
• Researchers are exempt when:
• The provision of such information proves impossible or would involve a
disproportionate effort
• Such obligations would render impossible or seriously impair
achievement of the objectives of scientific research
• The controller takes appropriate measures to protect the data subject’s
legitimate interests
Limitations to data subject’s rights:
(II) erasure
• Right to erasure (‘right to be forgotten’) (art. 17(3)(d)
• Researchers are exempt when:
• Such obligations would render impossible or seriously impair
achievement of the objectives of scientific research
Limitations to data subject’s rights:
(III) objection
• Right to object (art. 21(6)
• Researchers are exempt when:
• the processing is necessary for the performance of a task carried out
for reasons of public interest.
Limitations to data subject’s rights:
(IV) Member States Derogations
• Member State derogations in relation to data-subject rights:
• Right of access by the data subject (art.15)
• Right to rectification (art.16)
• Right to restriction of processing (art.18)
• Right to object (art.21)
• In terms of Open content: the re-users are covered by these exceptions only
to the degree they are also engaging in scientific research
Some cases
• Harvesting personal data from publicly available sources
• Data sharing with 3rd countries (international collaborations)
• Initial collection for legitimate interest – secondary research use –
notification process - objection process
• Balancing reuse of research data and the GDPR principles of accuracy and
data minimization
• Health data and GDPR protection
8
Cases
• Harvesting personal data from publicly available sources
• Data sharing with 3rd countries (international collaborations)
• Initial collection for legitimate interest – secondary research use –
notification process - objection process
• Balancing reuse of research data and the GDPR principles of accuracy and
data minimization
• Health data and GDPR protection
8
Cases
• Harvesting personal data from publicly available sources
• Check the original purpose of processing
• Check the original legal basis for processing
• It is a form of allowed further processing (art.5(b))
• Need to provide the following information to the data subject (art.14(1),(2)):
1. the identity and the contact details of the controller and, where applicable, of the controller's
representative
2. the contact details of the data protection officer, where applicable;
3. the purposes of the processing for which the personal data are intended as well as the legal
basis for the processing;
4. The categories of personal data concerned;
5. The recipients or categories of recipients of the personal data, if any;
6. When there is data transfer to 3rd countries, reference to the appropriate or suitable
safeguards and the means to obtain a copy of them or where they have been made available.
7. from which source the personal data originate, and if applicable, whether it came from
publicly accessible sources;
8a
Cases
• Conditions for further processing (arts.6(4)) + 13(3) + 14(4) + 89(1)):
1. Legal basis Consent; or
2. Legal obligations (by Member States); or
3. There is a new legal basis; or
4. Examine whether further processing is compatible with the purpose for which the personal
data were original collected:
1. What is the link between original and further processing
2. Context
3. If special categories exist and how they are protected
4. Consequences for the data subjects
5. Safeguards (e.g. encryption and pseudonymization)
5. When information is collected by the data-subject or third party, inform the data subject
regarding the further processing (prior to it) and any other relevant information (art.13(3) and
art.14(4))
6. Pseudonymize (if it is for research) art. 89(1)
8b
Cases
Transfers to 3rd countries
• Items:
• Conditions (contract or legal act) art.28
• Notifications and notices (data subject rights information – access ) (arts.13(1)(f), 14(1)(f),
15(1), (2))
• Keep records (art.30)
• Use of Codes of Conduct (art.40)
• Explore certification schemes, seals and marks (art.42(2))
• See entire Chapter V (arts.44-50)
• Adequacy decision
• Appropriate Safeguards
• Binding corporate rules
• Authorization by Union Law
• See EC Standard Contractual Clauses (SCC)
• Standard contractual clauses for data transfers between EU and non-EU countries.
8c
Cases
Initial collection for legitimate interest – secondary research use – notification process -
objection process
• Form of further processing
• Need to notify the data subject
• Include all notification principles of art.14
• There needs to be a clear opt-out/ objection process in the notification document:
• URL for automated opt-out
• At least email
• Always documented and confirmed
8d
Cases
Further processing and accuracy – minimization
• Adhere to all conditions of further processing
• Remain accurate through notices and notification
• Use only what is needed for the research purpose
• Erase data once the required processing is over (or retain data under archiving purposes)
8e
Cases
Health data and GDPR
- Special category of data (art.9)
- Form of Further Processing
- Emphasis on the legal basis
8f
q
a
ptsiavos@imis.athena-innovation.gr
1 of 27

Recommended

20200429_Data, Data Ownership and Open Science by
20200429_Data, Data Ownership and Open Science20200429_Data, Data Ownership and Open Science
20200429_Data, Data Ownership and Open ScienceOpenAIRE
710 views11 slides
20200504_Data, Data Ownership and Open Science by
20200504_Data, Data Ownership and Open Science20200504_Data, Data Ownership and Open Science
20200504_Data, Data Ownership and Open ScienceOpenAIRE
7.8K views14 slides
20200429_OpenAIRE Legal Policy Webinar: GDPR and Sharing Data by
20200429_OpenAIRE Legal Policy Webinar: GDPR and Sharing Data20200429_OpenAIRE Legal Policy Webinar: GDPR and Sharing Data
20200429_OpenAIRE Legal Policy Webinar: GDPR and Sharing DataOpenAIRE
7.9K views23 slides
20200504_OpenAIRE Legal Policy Webinar: GDPR and Sharing Data by
20200504_OpenAIRE Legal Policy Webinar: GDPR and Sharing Data20200504_OpenAIRE Legal Policy Webinar: GDPR and Sharing Data
20200504_OpenAIRE Legal Policy Webinar: GDPR and Sharing DataOpenAIRE
292 views26 slides
20200504_Research Data & the GDPR: How Open is Open? by
20200504_Research Data & the GDPR: How Open is Open?20200504_Research Data & the GDPR: How Open is Open?
20200504_Research Data & the GDPR: How Open is Open?OpenAIRE
619 views28 slides
OpenAire Sessions - Joris Deene by
OpenAire Sessions - Joris DeeneOpenAire Sessions - Joris Deene
OpenAire Sessions - Joris DeeneOpen Knowledge Belgium
468 views28 slides

More Related Content

What's hot

RDM & ELNs @ Edinburgh by
RDM & ELNs @ EdinburghRDM & ELNs @ Edinburgh
RDM & ELNs @ EdinburghEDINA, University of Edinburgh
756 views49 slides
Data mining by
Data miningData mining
Data miningRitesh Tiwari
544 views18 slides
Research data management : Open Research Data pilot, data management (plans),... by
Research data management : Open Research Data pilot, data management (plans),...Research data management : Open Research Data pilot, data management (plans),...
Research data management : Open Research Data pilot, data management (plans),...Leon Osinski
283 views23 slides
Data mining by
Data miningData mining
Data miningBirju Tank
762 views13 slides
DataONE Education Module 10: Legal and Policy Issues by
DataONE Education Module 10: Legal and Policy IssuesDataONE Education Module 10: Legal and Policy Issues
DataONE Education Module 10: Legal and Policy IssuesDataONE
35.6K views20 slides

What's hot(20)

Research data management : Open Research Data pilot, data management (plans),... by Leon Osinski
Research data management : Open Research Data pilot, data management (plans),...Research data management : Open Research Data pilot, data management (plans),...
Research data management : Open Research Data pilot, data management (plans),...
Leon Osinski283 views
DataONE Education Module 10: Legal and Policy Issues by DataONE
DataONE Education Module 10: Legal and Policy IssuesDataONE Education Module 10: Legal and Policy Issues
DataONE Education Module 10: Legal and Policy Issues
DataONE35.6K views
Research data management at TU Eindhoven by Leon Osinski
Research data management at TU EindhovenResearch data management at TU Eindhoven
Research data management at TU Eindhoven
Leon Osinski182 views
What funders want you to do with your data by Leon Osinski
What funders want you to do with your dataWhat funders want you to do with your data
What funders want you to do with your data
Leon Osinski116 views
Finding the Law for Sharing Data in Academia by Marlon Domingus
Finding the Law for Sharing Data in AcademiaFinding the Law for Sharing Data in Academia
Finding the Law for Sharing Data in Academia
Marlon Domingus333 views
Data sharing: How, what and why? by dancrane_open
Data sharing: How, what and why?Data sharing: How, what and why?
Data sharing: How, what and why?
dancrane_open205 views
ANDS health and medical data webinar 16 May. Storing and Publishing Health an... by ARDC
ANDS health and medical data webinar 16 May. Storing and Publishing Health an...ANDS health and medical data webinar 16 May. Storing and Publishing Health an...
ANDS health and medical data webinar 16 May. Storing and Publishing Health an...
ARDC521 views
Open Access Week 2017: Introduction to Open Data Policies in H2020 by OpenAIRE
Open Access Week 2017: Introduction to Open Data Policies in H2020Open Access Week 2017: Introduction to Open Data Policies in H2020
Open Access Week 2017: Introduction to Open Data Policies in H2020
OpenAIRE664 views
Basics of Research Data Management by OpenAIRE
Basics of Research Data ManagementBasics of Research Data Management
Basics of Research Data Management
OpenAIRE2.7K views
ANDS health and medical data webinar 23 May 2017. Ethics, Legal issues and Da... by ARDC
ANDS health and medical data webinar 23 May 2017. Ethics, Legal issues and Da...ANDS health and medical data webinar 23 May 2017. Ethics, Legal issues and Da...
ANDS health and medical data webinar 23 May 2017. Ethics, Legal issues and Da...
ARDC429 views

Similar to 20200429_Research Data & the GDPR: How Open is Open? (updated version)

VIAF GDPR by
VIAF GDPRVIAF GDPR
VIAF GDPRBiblioteca Nacional de España
1.9K views14 slides
Legal Guidelines regarding the Use of Electronic Patient Data. Do we need new... by
Legal Guidelines regarding the Use of Electronic Patient Data. Do we need new...Legal Guidelines regarding the Use of Electronic Patient Data. Do we need new...
Legal Guidelines regarding the Use of Electronic Patient Data. Do we need new...Plan de Calidad para el SNS
433 views14 slides
Browne Jacobson - Administrative and public law - October 2017 by
Browne Jacobson - Administrative and public law - October 2017Browne Jacobson - Administrative and public law - October 2017
Browne Jacobson - Administrative and public law - October 2017Browne Jacobson LLP
262 views109 slides
Engage 2018: GDPR Three Days To Go by
Engage 2018: GDPR Three Days To GoEngage 2018: GDPR Three Days To Go
Engage 2018: GDPR Three Days To Gopanagenda
3.1K views31 slides
Niall Rooney FD Event 05.09.19 by
Niall Rooney FD Event 05.09.19Niall Rooney FD Event 05.09.19
Niall Rooney FD Event 05.09.19Niall Rooney
814 views13 slides

Similar to 20200429_Research Data & the GDPR: How Open is Open? (updated version)(20)

Legal Guidelines regarding the Use of Electronic Patient Data. Do we need new... by Plan de Calidad para el SNS
Legal Guidelines regarding the Use of Electronic Patient Data. Do we need new...Legal Guidelines regarding the Use of Electronic Patient Data. Do we need new...
Legal Guidelines regarding the Use of Electronic Patient Data. Do we need new...
Browne Jacobson - Administrative and public law - October 2017 by Browne Jacobson LLP
Browne Jacobson - Administrative and public law - October 2017Browne Jacobson - Administrative and public law - October 2017
Browne Jacobson - Administrative and public law - October 2017
Engage 2018: GDPR Three Days To Go by panagenda
Engage 2018: GDPR Three Days To GoEngage 2018: GDPR Three Days To Go
Engage 2018: GDPR Three Days To Go
panagenda3.1K views
Niall Rooney FD Event 05.09.19 by Niall Rooney
Niall Rooney FD Event 05.09.19Niall Rooney FD Event 05.09.19
Niall Rooney FD Event 05.09.19
Niall Rooney814 views
Data Protection (Download for slideshow) by Andrew Sharpe
Data Protection (Download for slideshow)Data Protection (Download for slideshow)
Data Protection (Download for slideshow)
Andrew Sharpe3.2K views
The Policy Framework: GDPR and all that by EUDAT
The Policy Framework: GDPR and all thatThe Policy Framework: GDPR and all that
The Policy Framework: GDPR and all that
EUDAT104 views
Adjusting to the GDPR: The Impact on Data Scientists and Behavioral Researchers by Travis Greene
Adjusting to the GDPR: The Impact on Data Scientists and Behavioral ResearchersAdjusting to the GDPR: The Impact on Data Scientists and Behavioral Researchers
Adjusting to the GDPR: The Impact on Data Scientists and Behavioral Researchers
Travis Greene228 views
GDPR - New European Union Legislation by Tekwill
GDPR - New European Union LegislationGDPR - New European Union Legislation
GDPR - New European Union Legislation
Tekwill54 views
GDPR for public sector DPO's seminar, April 2018, Manchester by Browne Jacobson LLP
GDPR for public sector DPO's seminar, April 2018, ManchesterGDPR for public sector DPO's seminar, April 2018, Manchester
GDPR for public sector DPO's seminar, April 2018, Manchester
GDPR for public sector DPO's, April 2018, Nottingham by Browne Jacobson LLP
GDPR for public sector DPO's, April 2018, NottinghamGDPR for public sector DPO's, April 2018, Nottingham
GDPR for public sector DPO's, April 2018, Nottingham
Data Protection Seminar_GDPR_ISOLAS_26-06-17 by Michael Adamberry
Data Protection Seminar_GDPR_ISOLAS_26-06-17Data Protection Seminar_GDPR_ISOLAS_26-06-17
Data Protection Seminar_GDPR_ISOLAS_26-06-17
Michael Adamberry136 views
Personal data: Legal Issues in Research Data Collection and Sharing by EUDAT ... by EUDAT
Personal data: Legal Issues in Research Data Collection and Sharing by EUDAT ...Personal data: Legal Issues in Research Data Collection and Sharing by EUDAT ...
Personal data: Legal Issues in Research Data Collection and Sharing by EUDAT ...
EUDAT1.5K views
GDPR – what does it mean for charities and what you need to consider - Iain P... by m-hance
GDPR – what does it mean for charities and what you need to consider - Iain P...GDPR – what does it mean for charities and what you need to consider - Iain P...
GDPR – what does it mean for charities and what you need to consider - Iain P...
m-hance271 views

More from OpenAIRE

10th OpenAIRE Content Providers Community Call by
10th OpenAIRE Content Providers Community Call10th OpenAIRE Content Providers Community Call
10th OpenAIRE Content Providers Community CallOpenAIRE
1.5K views36 slides
9th Content Providers Community Call\ by
9th Content Providers Community Call\9th Content Providers Community Call\
9th Content Providers Community Call\OpenAIRE
536 views14 slides
OpenAIRE in the European Open Science Cloud (EOSC) by
OpenAIRE in the European Open Science Cloud (EOSC)OpenAIRE in the European Open Science Cloud (EOSC)
OpenAIRE in the European Open Science Cloud (EOSC)OpenAIRE
495 views22 slides
8th Content Providers Community Call by
8th Content Providers Community Call8th Content Providers Community Call
8th Content Providers Community CallOpenAIRE
735 views16 slides
7th Content Providers Community Call by
7th Content Providers Community Call7th Content Providers Community Call
7th Content Providers Community CallOpenAIRE
847 views37 slides
OpenAIRE PROVIDE Dashboard for Turkish repository managers by
OpenAIRE PROVIDE Dashboard for Turkish repository managersOpenAIRE PROVIDE Dashboard for Turkish repository managers
OpenAIRE PROVIDE Dashboard for Turkish repository managersOpenAIRE
727 views18 slides

More from OpenAIRE(20)

10th OpenAIRE Content Providers Community Call by OpenAIRE
10th OpenAIRE Content Providers Community Call10th OpenAIRE Content Providers Community Call
10th OpenAIRE Content Providers Community Call
OpenAIRE1.5K views
9th Content Providers Community Call\ by OpenAIRE
9th Content Providers Community Call\9th Content Providers Community Call\
9th Content Providers Community Call\
OpenAIRE536 views
OpenAIRE in the European Open Science Cloud (EOSC) by OpenAIRE
OpenAIRE in the European Open Science Cloud (EOSC)OpenAIRE in the European Open Science Cloud (EOSC)
OpenAIRE in the European Open Science Cloud (EOSC)
OpenAIRE495 views
8th Content Providers Community Call by OpenAIRE
8th Content Providers Community Call8th Content Providers Community Call
8th Content Providers Community Call
OpenAIRE735 views
7th Content Providers Community Call by OpenAIRE
7th Content Providers Community Call7th Content Providers Community Call
7th Content Providers Community Call
OpenAIRE847 views
OpenAIRE PROVIDE Dashboard for Turkish repository managers by OpenAIRE
OpenAIRE PROVIDE Dashboard for Turkish repository managersOpenAIRE PROVIDE Dashboard for Turkish repository managers
OpenAIRE PROVIDE Dashboard for Turkish repository managers
OpenAIRE727 views
What will it cost to manage and share my data? by OpenAIRE
What will it cost to manage and share my data?What will it cost to manage and share my data?
What will it cost to manage and share my data?
OpenAIRE9.1K views
Open Research Gateway for the ELIXIR-GR Infrastructure (Part 3) by OpenAIRE
Open Research Gateway for the ELIXIR-GR Infrastructure (Part 3)Open Research Gateway for the ELIXIR-GR Infrastructure (Part 3)
Open Research Gateway for the ELIXIR-GR Infrastructure (Part 3)
OpenAIRE479 views
Open Research Gateway for the ELIXIR-GR Infrastructure (Part 2) by OpenAIRE
Open Research Gateway for the ELIXIR-GR Infrastructure (Part 2)Open Research Gateway for the ELIXIR-GR Infrastructure (Part 2)
Open Research Gateway for the ELIXIR-GR Infrastructure (Part 2)
OpenAIRE447 views
Open Research Gateway for the ELIXIR-GR Infrastructure (Part 1) by OpenAIRE
Open Research Gateway for the ELIXIR-GR Infrastructure (Part 1)Open Research Gateway for the ELIXIR-GR Infrastructure (Part 1)
Open Research Gateway for the ELIXIR-GR Infrastructure (Part 1)
OpenAIRE452 views
6th Content Providers Community Call by OpenAIRE
6th Content Providers Community Call6th Content Providers Community Call
6th Content Providers Community Call
OpenAIRE589 views
COVID-19: Activities, tools, best practice and contact points in Greece by OpenAIRE
 COVID-19: Activities, tools, best practice and contact points in Greece COVID-19: Activities, tools, best practice and contact points in Greece
COVID-19: Activities, tools, best practice and contact points in Greece
OpenAIRE1.2K views
5th Content Providers Community Call by OpenAIRE
5th Content Providers Community Call5th Content Providers Community Call
5th Content Providers Community Call
OpenAIRE639 views
4th Content Providers Community Call by OpenAIRE
4th Content Providers Community Call4th Content Providers Community Call
4th Content Providers Community Call
OpenAIRE428 views
3rd Content Providers Community Call by OpenAIRE
3rd Content Providers Community Call3rd Content Providers Community Call
3rd Content Providers Community Call
OpenAIRE601 views
2nd Content Providers Community Call by OpenAIRE
2nd Content Providers Community Call2nd Content Providers Community Call
2nd Content Providers Community Call
OpenAIRE349 views
1st Content Providers Community Call by OpenAIRE
1st Content Providers Community Call1st Content Providers Community Call
1st Content Providers Community Call
OpenAIRE319 views
20200130_Mannocci_OpenAIRE_ResearchGraph by OpenAIRE
20200130_Mannocci_OpenAIRE_ResearchGraph20200130_Mannocci_OpenAIRE_ResearchGraph
20200130_Mannocci_OpenAIRE_ResearchGraph
OpenAIRE267 views
IPR and Exploitation by OpenAIRE
IPR and Exploitation IPR and Exploitation
IPR and Exploitation
OpenAIRE504 views
Eosc_OpenAIRE_onboarding_v2 by OpenAIRE
Eosc_OpenAIRE_onboarding_v2Eosc_OpenAIRE_onboarding_v2
Eosc_OpenAIRE_onboarding_v2
OpenAIRE164 views

Recently uploaded

2. Natural Sciences and Technology Author Siyavula.pdf by
2. Natural Sciences and Technology Author Siyavula.pdf2. Natural Sciences and Technology Author Siyavula.pdf
2. Natural Sciences and Technology Author Siyavula.pdfssuser821efa
13 views232 slides
Determination of color fastness to rubbing(wet and dry condition) by crockmeter. by
Determination of color fastness to rubbing(wet and dry condition) by crockmeter.Determination of color fastness to rubbing(wet and dry condition) by crockmeter.
Determination of color fastness to rubbing(wet and dry condition) by crockmeter.ShadmanSakib63
8 views6 slides
Small ruminant keepers’ knowledge, attitudes and practices towards peste des ... by
Small ruminant keepers’ knowledge, attitudes and practices towards peste des ...Small ruminant keepers’ knowledge, attitudes and practices towards peste des ...
Small ruminant keepers’ knowledge, attitudes and practices towards peste des ...ILRI
7 views6 slides
Evaluation and Standardization of the Marketed Polyherbal drug Patanjali Divy... by
Evaluation and Standardization of the Marketed Polyherbal drug Patanjali Divy...Evaluation and Standardization of the Marketed Polyherbal drug Patanjali Divy...
Evaluation and Standardization of the Marketed Polyherbal drug Patanjali Divy...Anmol Vishnu Gupta
8 views10 slides
IMMUNODIAGNOSTICS KITS.pdf by
IMMUNODIAGNOSTICS KITS.pdfIMMUNODIAGNOSTICS KITS.pdf
IMMUNODIAGNOSTICS KITS.pdfvetrivel303632
31 views10 slides
Bacterial Reproduction.pdf by
Bacterial Reproduction.pdfBacterial Reproduction.pdf
Bacterial Reproduction.pdfNandadulalSannigrahi
37 views32 slides

Recently uploaded(20)

2. Natural Sciences and Technology Author Siyavula.pdf by ssuser821efa
2. Natural Sciences and Technology Author Siyavula.pdf2. Natural Sciences and Technology Author Siyavula.pdf
2. Natural Sciences and Technology Author Siyavula.pdf
ssuser821efa13 views
Determination of color fastness to rubbing(wet and dry condition) by crockmeter. by ShadmanSakib63
Determination of color fastness to rubbing(wet and dry condition) by crockmeter.Determination of color fastness to rubbing(wet and dry condition) by crockmeter.
Determination of color fastness to rubbing(wet and dry condition) by crockmeter.
ShadmanSakib638 views
Small ruminant keepers’ knowledge, attitudes and practices towards peste des ... by ILRI
Small ruminant keepers’ knowledge, attitudes and practices towards peste des ...Small ruminant keepers’ knowledge, attitudes and practices towards peste des ...
Small ruminant keepers’ knowledge, attitudes and practices towards peste des ...
ILRI7 views
Evaluation and Standardization of the Marketed Polyherbal drug Patanjali Divy... by Anmol Vishnu Gupta
Evaluation and Standardization of the Marketed Polyherbal drug Patanjali Divy...Evaluation and Standardization of the Marketed Polyherbal drug Patanjali Divy...
Evaluation and Standardization of the Marketed Polyherbal drug Patanjali Divy...
Small ruminant keepers’ knowledge, attitudes and practices towards peste des ... by ILRI
Small ruminant keepers’ knowledge, attitudes and practices towards peste des ...Small ruminant keepers’ knowledge, attitudes and practices towards peste des ...
Small ruminant keepers’ knowledge, attitudes and practices towards peste des ...
ILRI10 views
Presentation on experimental laboratory animal- Hamster by Kanika13641
Presentation on experimental laboratory animal- HamsterPresentation on experimental laboratory animal- Hamster
Presentation on experimental laboratory animal- Hamster
Kanika136416 views
ELECTRON TRANSPORT CHAIN by DEEKSHA RANI
ELECTRON TRANSPORT CHAINELECTRON TRANSPORT CHAIN
ELECTRON TRANSPORT CHAIN
DEEKSHA RANI18 views
Ellagic Acid and Its Metabolites as Potent and Selective Allosteric Inhibitor... by Trustlife
Ellagic Acid and Its Metabolites as Potent and Selective Allosteric Inhibitor...Ellagic Acid and Its Metabolites as Potent and Selective Allosteric Inhibitor...
Ellagic Acid and Its Metabolites as Potent and Selective Allosteric Inhibitor...
Trustlife184 views
Oral_Presentation_by_Fatma (2).pdf by fatmaalmrzqi
Oral_Presentation_by_Fatma (2).pdfOral_Presentation_by_Fatma (2).pdf
Oral_Presentation_by_Fatma (2).pdf
fatmaalmrzqi8 views
XUE: Molecular Inventory in the Inner Region of an Extremely Irradiated Proto... by Sérgio Sacani
XUE: Molecular Inventory in the Inner Region of an Extremely Irradiated Proto...XUE: Molecular Inventory in the Inner Region of an Extremely Irradiated Proto...
XUE: Molecular Inventory in the Inner Region of an Extremely Irradiated Proto...
Sérgio Sacani787 views
Study on Drug Drug Interaction Through Prescription Analysis of Type II Diabe... by Anmol Vishnu Gupta
Study on Drug Drug Interaction Through Prescription Analysis of Type II Diabe...Study on Drug Drug Interaction Through Prescription Analysis of Type II Diabe...
Study on Drug Drug Interaction Through Prescription Analysis of Type II Diabe...
Exploring the nature and synchronicity of early cluster formation in the Larg... by Sérgio Sacani
Exploring the nature and synchronicity of early cluster formation in the Larg...Exploring the nature and synchronicity of early cluster formation in the Larg...
Exploring the nature and synchronicity of early cluster formation in the Larg...
Sérgio Sacani1.5K views
Factors affecting fluorescence and phosphorescence.pptx by SamarthGiri1
Factors affecting fluorescence and phosphorescence.pptxFactors affecting fluorescence and phosphorescence.pptx
Factors affecting fluorescence and phosphorescence.pptx
SamarthGiri19 views
RADIATION PHYSICS.pptx by drpriyanka8
RADIATION PHYSICS.pptxRADIATION PHYSICS.pptx
RADIATION PHYSICS.pptx
drpriyanka815 views

20200429_Research Data & the GDPR: How Open is Open? (updated version)

  • 1. Open Science & GDPR Basic Concepts and Cases Dr. Prodromos Tsiavos ARC/ ΟpenAIRE https://www.athena-innovation.gr/ptsiavos@imis.athena-innovation.gr
  • 2. Open Science and GDPR 1. What is GDPR 2. Key DP structure 3. The setting 4. How is scientific research defined 5. Purpose 6. Legal Basis 7. Exercising data subject rights 8. Cases
  • 3. What is GDPR? Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) 1
  • 4. Key DP structure Personal Data Type of processing Purpose Legal Basis Be careful with special categories (sensitive) of personal data Make sure that the legal basis covers purpose and personal data 2
  • 5. The setting Research within an RPO: check legal and ethics framework EU or other collaborative projects: Ethics and Data Protection Requirements National Law 3rd countries Call conditions Tenders Are you a data processor or (co)controller)? Who is the DPO? Have you passed from an Ethics Committee? 3
  • 6. How is scientific research defined Sources: - Recitals: 26, 33, 50, 52, 53, 62, 65, 113, 156, 157, 159, 160, 161, 162 - Relevant articles: 5(1)(b), (e), 89 (1), (2), (3), 9(j), 14(5)(b), 17(3)(d), 21(6), 89 Most important article: - Art. 89 4
  • 7. Defining Scientific Research I: Definitions • It falls under the broader public interest legal basis • Could be a form of further processing • Need to be subject to appropriate safeguards • Technical and organizational measures are in place • Focus on data minimization • Means: pseudonymization (without affecting research objectives)
  • 8. Defining Scientific Research II: Special Categories • It falls under the broader public interest legal basis • In relation to special categories of data (art.9), the processing: • shall be proportionate to the aim pursued • needs to respect the right to data protection • needs to provide suitable and specific measures to safeguard the fundamental rights and interests of the data subject
  • 9. The purpose Possible purposes: Overall: scientific research (art. 89 GDPR) Specific type of research Further use/ exploitation What happens when the purpose changes over time? Legal basis? Am I covered by the legal basis? 5
  • 10. Legal Basis Mostly forms of public interest (regular research) Contract (tender) Consent (specific research) 6
  • 11. • Vital Interest • Public Interest • Legal Obligation • Contract • Consent • Legitimate Interest No discretion discretion Decision: both parties Decision: data controller
  • 12. Trace the life cycle Follow the data Different types of data processing may have different purposes and legal bases Always stay within the legal basis
  • 13. Data management plan (processing/ purposes/ legal basis) Data collection - From the data subject - From 3rd party - From publicly available sources Data Management - Read - Write (update/ improve/ enrich) - Preservation - Erasure - Access Data Sharing - 3rd Parties - Data processor - Further use - Subject - Publishing Purpose Α Legal Basis Α Purpose C Legal Basis C Purpose D Legal Basis D Purpose Β Legal basis Β
  • 14. Exercising data subject rights Limitation of rights of the data subject (arts. 14(5)/17(3)/ 21(6) GDPR)) Scientific research/ statistical purposes/ archiving Public interest Technical and organizational measures (mostly pseudonymization) Condition: “it is likely to render impossible or seriously impair the achievement of the objectives of that processing” Notices (proactive data subject information) 7
  • 15. Limitations to data subject’s rights: (I) information • Information to be provided where personal data have not been obtained from the data subject (art. 14(5)(b) • Researchers are exempt when: • The provision of such information proves impossible or would involve a disproportionate effort • Such obligations would render impossible or seriously impair achievement of the objectives of scientific research • The controller takes appropriate measures to protect the data subject’s legitimate interests
  • 16. Limitations to data subject’s rights: (II) erasure • Right to erasure (‘right to be forgotten’) (art. 17(3)(d) • Researchers are exempt when: • Such obligations would render impossible or seriously impair achievement of the objectives of scientific research
  • 17. Limitations to data subject’s rights: (III) objection • Right to object (art. 21(6) • Researchers are exempt when: • the processing is necessary for the performance of a task carried out for reasons of public interest.
  • 18. Limitations to data subject’s rights: (IV) Member States Derogations • Member State derogations in relation to data-subject rights: • Right of access by the data subject (art.15) • Right to rectification (art.16) • Right to restriction of processing (art.18) • Right to object (art.21) • In terms of Open content: the re-users are covered by these exceptions only to the degree they are also engaging in scientific research
  • 19. Some cases • Harvesting personal data from publicly available sources • Data sharing with 3rd countries (international collaborations) • Initial collection for legitimate interest – secondary research use – notification process - objection process • Balancing reuse of research data and the GDPR principles of accuracy and data minimization • Health data and GDPR protection 8
  • 20. Cases • Harvesting personal data from publicly available sources • Data sharing with 3rd countries (international collaborations) • Initial collection for legitimate interest – secondary research use – notification process - objection process • Balancing reuse of research data and the GDPR principles of accuracy and data minimization • Health data and GDPR protection 8
  • 21. Cases • Harvesting personal data from publicly available sources • Check the original purpose of processing • Check the original legal basis for processing • It is a form of allowed further processing (art.5(b)) • Need to provide the following information to the data subject (art.14(1),(2)): 1. the identity and the contact details of the controller and, where applicable, of the controller's representative 2. the contact details of the data protection officer, where applicable; 3. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; 4. The categories of personal data concerned; 5. The recipients or categories of recipients of the personal data, if any; 6. When there is data transfer to 3rd countries, reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available. 7. from which source the personal data originate, and if applicable, whether it came from publicly accessible sources; 8a
  • 22. Cases • Conditions for further processing (arts.6(4)) + 13(3) + 14(4) + 89(1)): 1. Legal basis Consent; or 2. Legal obligations (by Member States); or 3. There is a new legal basis; or 4. Examine whether further processing is compatible with the purpose for which the personal data were original collected: 1. What is the link between original and further processing 2. Context 3. If special categories exist and how they are protected 4. Consequences for the data subjects 5. Safeguards (e.g. encryption and pseudonymization) 5. When information is collected by the data-subject or third party, inform the data subject regarding the further processing (prior to it) and any other relevant information (art.13(3) and art.14(4)) 6. Pseudonymize (if it is for research) art. 89(1) 8b
  • 23. Cases Transfers to 3rd countries • Items: • Conditions (contract or legal act) art.28 • Notifications and notices (data subject rights information – access ) (arts.13(1)(f), 14(1)(f), 15(1), (2)) • Keep records (art.30) • Use of Codes of Conduct (art.40) • Explore certification schemes, seals and marks (art.42(2)) • See entire Chapter V (arts.44-50) • Adequacy decision • Appropriate Safeguards • Binding corporate rules • Authorization by Union Law • See EC Standard Contractual Clauses (SCC) • Standard contractual clauses for data transfers between EU and non-EU countries. 8c
  • 24. Cases Initial collection for legitimate interest – secondary research use – notification process - objection process • Form of further processing • Need to notify the data subject • Include all notification principles of art.14 • There needs to be a clear opt-out/ objection process in the notification document: • URL for automated opt-out • At least email • Always documented and confirmed 8d
  • 25. Cases Further processing and accuracy – minimization • Adhere to all conditions of further processing • Remain accurate through notices and notification • Use only what is needed for the research purpose • Erase data once the required processing is over (or retain data under archiving purposes) 8e
  • 26. Cases Health data and GDPR - Special category of data (art.9) - Form of Further Processing - Emphasis on the legal basis 8f