CORBEL BBMRI-ERIC Code of Conduct webinar slides

On 25 May 2019, exactly one year after the GDPR came into force with direct effect in the EC Member States, the European Data Protection Board (EDPB) will publish its final Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679. The possibility of drawing up a Code of Conduct is specified in Article 40 of the GDPR. The Guidelines will specify the how, including how to seek approval and monitor the code’s adherence. The GDPR Code of Conduct for Health Research initiative is aiming for a sector specific code in the area of health. It shall help to demonstrate GDPR compliance and to navigate across the various national country derogations that apply for health research related data transfer.

The aim of the webinar is to present an update on the GDPR Code of Conduct for Health Research development: What has been achieved so far? What obstacles were encountered? What about the country derogations? Why is the timeline a moving target? When to expect public consultation? When will the code be finalized and operational?

CORBEL is an initiative of eleven new biological and medical research infrastructures (BMS RIs), which together will create a platform for harmonised user access to biological and medical technologies, biological samples and data services required by cutting-edge biomedical research. CORBEL will boost the efficiency, productivity and impact of European biomedical research.
This webinar took place on 19th June 2019 and is part of the CORBEL webinar series. A recording of the webinar is available through the CORBEL website:

For previous and upcoming CORBEL webinars see:

CORBEL BBMRI-ERIC Code of Conduct webinar slides

  1. 1. Towards a GDPR Code of Conduct for Health Research: where are we today? PRESENTERS: Michaela Th. Mayrhofer (BBMRI-ERIC) HOST: Michelle Mendonca (EMBL-EBI) 19/06/2019 1 CORBEL Webinar Series
  2. 2. 19/06/2019 2 This webinar is being recorded
  3. 3. AUDIENCE Q&A SESSION 19/06/2019 3 Please write your questions in the questions window of the GoToWebinar application
  4. 4. BACKGROUND 4 Since 2015, thirteen ESFRI Research Infrastructures from the field of BioMedical Science (BMS RI) joined their scientific capabilities and services to transform the understanding of biological mechanisms and accelerate its translation into medical care. • biobanking & biomolecular resources • curated databases • marine model organisms • systems biology • translational research • functional genomics • screening & medicinal chemistry • microorganisms • clinical trials • structural biology • biological/medical imaging • plant phenotyping • highly pathogenic microorganisms 19/06/2019
  5. 5. CORBEL MISSION 5 Modern biological and biomedical research involves complex projects and a variety of different technologies. Some of the most important discoveries are made at the interface between different disciplines. CORBEL will harmonise access and services for complex research projects involving more than one RI that offer: − biological and medical technologies − biological samples and − data services 19/06/2019
  6. 6. TODAY’S PRESENTER 19/06/2019 6 Michaela Th. Mayrhofer is a political scientist and historian by training. She was educated in Vienna, Louvain-la-Neuve, Essex and Paris. In 2010, she earned her PhD from both the Ecole des Hautes Etudes en Sciences Sociales and the University of Vienna, which was shortlisted by the Austrian Society for Political Science for 'best thesis 2010'. Prior to her involvement in BBMRI-ERIC, she was an investigator in several national and international research projects focusing on the politics of biotechnology and the life sciences, especially the governance of biobanks. Her academic career led to various positions at the Centre de Recherche Médecine, Sciences, Santé et Société, the University of Vienna, the Institute of Science, Technology and Society Studies at Alpen-Adria-Universität Klagenfurt/Vienna/Graz, the Technical University of Vienna and the Medical University of Graz. Today, she serves as the Chief Policy and Coordination Officer of BBMRI-ERIC and coordinates the Code of Conduct for Health Research initiative.
  8. 8. 11.06.2019 Michaela Th. Mayrhofer 8
  9. 9. CODE OF CONDUCT ACCORDING TO GDPR ART. 40 40(1) The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises. 40(2) Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to: *highlights in bold mine 11.06.2019 Michaela Th. Mayrhofer 9
  10. 10. SPECIFYING THE GDPR WITH REGARD TO ART.40(2) (a) fair and transparent processing; (b) the legitimate interests pursued by controllers in specific contexts; (c) the collection of personal data; (d) the pseudonymisation of personal data; (e) the information provided to the public and to data subjects; (f) the exercise of the rights of data subjects; (g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained; (h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32; (i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects; (j) the transfer of personal data to third countries or international organisations; or (k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79. 19.06.2019 Michaela Th. Mayrhofer 4
  11. 11. NATIONAL DATA PROTECTION AUTHORITIES ‘17 out of 24 national data protection authorities report that their resources and manpower do not suffice to meet their obligations.’ As stated by the President of the French data protection authority CNIL, Isabelle Falque-Pierrotin, to Reuters a few days before the GDPR entered into force on 25 May 2018 Quoted in 11.06.2019 11 Michaela Th. Mayrhofer
  12. 12. CODE OF CONDUCT FOR HEALTH RESEARCH AIMS ▪ To contribute to the proper application of the GDPR, taking into account the specific features of processing personal data in the area of health; ▪ To clarify and specify certain rules of the GDPR for controllers who process personal data for purposes of scientific research in the area of health; ▪ To help demonstrate compliance by controllers and processors with the regulation; ▪ To help foster transparency and trust in the use of personal data in the area of health research. 19.06.2019 Michaela Th. Mayrhofer 6
  13. 13. WHY INTERESTING FOR RESEARCH SECTOR? RESEARCH IS A HARD NUT TO CRACK Research remains the exception Member State derogations (no harmonization) Research is borderless / open science Photo by Markus Spiske on Unsplash 19.06.2019 Michaela Th. Mayrhofer 13
  14. 14. FOCUS AREAS ▪ Lawfulness of processing (esp. Art 9.j -> 6, 89) ▪ Responsibility of controller/processor and their relationship (esp. Art 24, 28) • “burden of proof” with the controller • guiding principle = accountability ▪ Appropriate safeguards (esp. pseudonymization) ▪ Anonymization versus personal data ▪ Practical examples, references to existing guidelines 19.06.2019 Michaela Th. Mayrhofer 8
  15. 15. PROCESSING OF SPECIAL CATEGORIES Article 9. 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. 2. Processing forbidden, unless a) Explicit consent b) Obligations (e.g. employment/social security) c) Vital interest d) Legitimate activities (e.g. unions) e) Made public by data subject f) Necessary for exercise or defense of legal claims g) Substantial public interest h) Preventive/occupational medicine i) Public interest/public health (quality/safety) j) Archiving in the public interest, historical, statistical research OF PERSONAL DATA 19.06.2019 Michaela Th. Mayrhofer 9
  16. 16. KEY QUESTIONS OR STRUCTURE OF THE CODE ▪ Am I handling personal and sensitive data? ▪ What am I doing with the data exactly? ▪ What is then my role? ▪ What are my duties? ▪ What is my legal basis? ▪ How do I anonymise, pseudonymise data? ▪ What are the information obligations? ▪ What do I have to do to enable research participants to exercise their rights? ▪ What do I have to do in order to protect the privacy of the research participants? ▪ How long can I retain the data? ▪ Can I reuse the data? ▪ Who owns the data? ▪ With whom can I share my data? ▪ What about data security? ➢ Uses non-legalistic language ➢ Builds on the questions that arise in the workflow for a researcher/data controller (FAQ style) 1. Question 1.1 Rule/Recommendation 1.2 Explanation 1.3 Example 19.06.2019 Michaela Th. Mayrhofer 10
  17. 17. EU MEMBER STATE IMPLEMENTATION STATUS READY: Austria, Germany, France, Croatia, the Netherlands, Sweden and Slovakia, … NOT READY: Belgium, Bulgaria, Cyprus, the Czech Republic, Greece, Hungary, Lithuania and Slovenia, … 11.06.2019 17 Michaela Th. Mayrhofer Source: Excerpt from the GDPR expert group on implementation in MS, Information provided by national authorities and REPs
  18. 18. LEVELS OF INVOLVEMENT SECTOR: HEALTH RESEARCH * 350+ 11.06.2019 Michaela Th. Mayrhofer 18 Dialogue with other groups drafting a code (European & nationally) still ongoing !!!
  19. 19. EXAMPLE: CONSENT 11.06.2019 Michaela Th. Mayrhofer 19
  20. 20. HOW TO SUBMIT / GOVERN A CODE MINIMUM CRITERIA WHAT THE CODE NEEDS TO CONTAIN ▪ EDPB Guidelines ▪ conduct-and-monitoring-bodies-under_en ✓ public consultation closed early April ✓ Final version forthcoming In practice: ▪ How is the code implemented? ▪ How is the code modified? ▪ How is adherence to the code guaranteed? 19.06.2019 Michaela Th. Mayrhofer
  21. 21. LIAISON WITH OTHER INITIATIVES • Sectoral • National • Other 19.06.2019 Michaela Th. Mayrhofer
  22. 22. WHAT THE CODE IS(N’T) 19.06.2019 Michaela Th. Mayrhofer
  23. 23. “WHAT DESTROYS FAITH IS INVOKING IT.” DON’T ASSUME ANYTHING! BE ACCOUNTABLE! Trust me, I am a Doctor! of Philosophy. 11.06.2019 Michaela Th. Mayrhofer 23
  24. 24. TIMELINE REALITY CHECK subject to change – CODE DEVELOPMENT IS A PROCESS • Draft code developed and presented to peers: 2019/2020 • Public consultation: 2020 • Submission to EDPB via national DPA: 2020 19.06.2019 Michaela Th. Mayrhofer 24
  25. 25. THANK YOU! Activities supported by: 19.06.2019 Michaela Th. Mayrhofer
  26. 26. QUESTIONS? GET IN TOUCH! @BBMRIERIC BBMRI-ERIC Michaela Th. Mayrhofer, PhD | Chief Coordination & Policy Officer @mtmayrhofer | 19.06.2019 Michaela Th. Mayrhofer
  27. 27. UPCOMING WEBINARS 19/06/2019 Registration and details