On 25 May 2019, exactly one year after the GDPR came into force with direct effect in the EC Member States, the European Data Protection Board (EDPB) will publish its final Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679. The possibility of drawing up a Code of Conduct is specified in Article 40 of the GDPR. The Guidelines will specify the how, including how to seek approval and monitor the code’s adherence. The GDPR Code of Conduct for Health Research initiative is aiming for a sector specific code in the area of health. It shall help to demonstrate GDPR compliance and to navigate across the various national country derogations that apply for health research related data transfer.
The aim of the webinar is to present an update on the GDPR Code of Conduct for Health Research development: What has been achieved so far? What obstacles were encountered? What about the country derogations? Why is the timeline a moving target? When to expect public consultation? When will the code be finalized and operational?CORBEL (http://www.corbel-project.eu) is an initiative of eleven new biological and medical research infrastructures (BMS RIs), which together will create a platform for harmonised user access to biological and medical technologies, biological samples and data services required by cutting-edge biomedical research. CORBEL will boost the efficiency, productivity and impact of European biomedical research.
This webinar took place on 19th June 2019 and is part of the CORBEL webinar series. A recording of the webinar is available through the CORBEL website:
For previous and upcoming CORBEL webinars see:
AUDIENCE Q&A SESSION
Please write your questions in
the questions window of the
Since 2015, thirteen ESFRI Research Infrastructures from the field
of BioMedical Science (BMS RI) joined their scientific capabilities
and services to transform the understanding of biological
mechanisms and accelerate its translation into medical care.
• biobanking &
• curated databases
• marine model organisms
• systems biology
• translational research
• functional genomics
• screening & medicinal
• clinical trials
• structural biology
• biological/medical imaging• plant phenotyping
• highly pathogenic
Modern biological and biomedical research involves complex projects and a
variety of different technologies.
Some of the most important discoveries are made at the interface between
CORBEL will harmonise access and services for complex research projects
involving more than one RI that offer:
− biological and medical technologies
− biological samples and
− data services
MichaelaTh. Mayrhofer is a political scientist and historian by training. She was
educated inVienna, Louvain-la-Neuve, Essex and Paris. In 2010, she has earned her
PhD from both the Ecole des Hautes Etudes en Sciences Sociales and the University
ofVienna, which was shortlisted by the Austrian Society for Political Science for 'best
thesis 2010'. Prior to her involvement in BBMRI-ERIC, she was an investigator in
several national and international research projects focusing on the politics of
biotechnology and the life sciences, especially the governance of biobanks.
Her academic career led to various positions at the Centre de Recherche Médecine, Sciences, Santé et Société, the
University of Vienna, the Institute of Science, Technology and Society Studies at Alpen-Adria-Universität
Klagenfurt/ Vienna/Graz, the Technical University of Vienna and the Medical University of Graz. Today, she serves
as the Chief Policy and Coordination Officer of BBMRI-ERIC and coordinates the Code of Conduct for Health
TOWARDS A GDPR CODE OF CONDUCT FOR HEALTH RESEARCH:
WHERE ARE WE TODAY?
MICHAELA TH. MAYRHOFER, PHD
19. JUNE 2019, WEBINAR, CORBEL
CODE OF CONDUCT
ACCORDING TO GDPR ART. 40
40(1) The Member States, the supervisory authorities, the Board and the Commission shall
encourage the drawing up of codes of conduct intended to contribute to the proper application
of this Regulation, taking account of the specific features of the various processing sectors and
the specific needs of micro, small and medium-sized enterprises.
40(2) Associations and other bodies representing categories of controllers or processors may
prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the
application of this Regulation, such as with regard to:
*highlighs in bold me
11.06.2019 Michaela Th. Mayrhofer 9
SPECIFYING THE GDPR
WITH REGARD TO ART.40(2)
(a) fair and transparent processing;
(b) the legitimate interests pursued by controllers in specific contexts;
(c) the collection of personal data;
(d) the pseudonymisation of personal data;
(e) the information provided to the public and to data subjects;
(f) the exercise of the rights of data subjects;
(g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental
responsibility over children is to be obtained;
(h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in
(i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to
(j) the transfer of personal data to third countries or international organisations; or
(k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with
regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.
19.06.2019 Michaela Th. Mayrhofer 4
NATIONAL DATA PROTECTION AUTHORITIES
‘17 out of 24 national data protection authorities report that their resources and
manpower do not suffice to meet their obligations.’
As stated by the President of the French data protection Authority CNIL, Isabelle Falque-Pierrotin
to Reuters a few days prior GDPR entered into force on 25 May 2018
Quoted in derstandard.at/2000079432832/EU-Datenschuetzer-sehen-sich-fuer-neue-Aufgaben-schlecht-gewappnet
11.06.2019 11Michaela Th. Mayrhofer
CODE OF CONDUCT FOR
▪ To contribute to the proper application of the GDPR, taking into account the
speciﬁc features of processing personal data in the area of health;
▪ To clarify and specify certain rules of the GDPR for controllers who process
personal data for purposes of scientiﬁc research in the area of health;
▪ To help demonstrate compliance by controllers and processors with the
▪ To help foster transparency and trust in the use of personal data in the
area of health research.
19.06.2019 Michaela Th. Mayrhofer 6
WHY INTERESTING FOR
RESEARCH IS A HARD NUT TO CRACK
Research remains the exception
Member State derogations (no harmonization)
Research is bordeless / open science
Photo by Markus Spiske on Unsplash
19.06.2019 Michaela Th. Mayrhofer 13
▪ Lawfulness of processing (esp. Art 9.j -> 6, 89)
▪ Responsibility of controller/processor and their relationship
(esp. Art 24, 28)
• ”burden of proof” with the controller
• guiding principle = accountability
▪ Appropriate safeguards (esp. pseudonymization)
▪ Anonymization versus personal data
▪ Practical examples, references to existing guidelines
19.06.2019 Michaela Th. Mayrhofer 8
PROCESSING OF SPECIAL CATEGORIES
1. Processing of personal data revealing racial or
ethnic origin, political opinions, religious or
philosophical beliefs, or trade union membership,
and the processing of genetic data, biometric data
for the purpose of uniquely identifying a natural
person, data concerning health or data concerning a
natural person's sex life or sexual orientation shall
2. Processing forbidden, unless
a) Explicit consent
b) Obligations (e.g. employment/social security)
c) Vital interest
d) Legitimate activities (e.g. unions)
e) Made public by data subject
f) Necessary for exercise or defense of legal claims
g) Substantial public interest
h) Preventive/occupational medicine
i) Public interest/public health (quality/safety)
j) Archiving in the public interest, historical, statistical
OF PERSONAL DATA
19.06.2019 Michaela Th. Mayrhofer 9
OR STRUCTURE OF THE CODE
▪ Am I handling personal and sensitive data?
▪ What am I doing with the data exactly?
▪ What is then my role?
▪ What are my duties?
▪ What is my legal basis?
▪ How do I anonymise, pseudonymise data?
▪ What are the information obligations?
▪ What do I have to do to enable research participants to exercise their rights?
▪ What do I have to do in order to protect the privacy of the research participants?
▪ How long can I retain the data?
▪ Can I reuse the data?
▪ Who owns the data?
▪ With whom can I share my data?
▪ What about data security?
➢ Uses non-legalistic language
➢ Builds on the questions that
arise in the workflow for a
19.06.2019 Michaela Th. Mayrhofer 10
EU MEMBER STATE IMPLEMENTATION
Austria, Germany, France, Croatia, the Netherlands, Sweden and Slovakia, …
Belgium, Bulgaria, Cyprus, the Czech Republic, Greece, Hungary, Lithuania and Slovenia, ..
11.06.2019 17Michaela Th. Mayrhofer
Source: Excerpt from the GDPR expert group on implementation in
MS, Information provided by national authorities and REPs
LEVELS OF INVOLVEMENT
SECTOR: HEALTH RESEARCH
11.06.2019 Michaela Th. Mayrhofer 18
Dialogue with other
groups drafting a
code (European &
still ongoing !!!
HOW TO SUBMIT / GOVERN A CODE
MINIMUM CRITERIA WHAT THE CODE NEEDS TO CONTAIN
▪ EDPB Guidelines
✓ public consultation closed early April
✓ Final version forthcoming
▪ How is the code implemented?
▪ How is the code modiﬁed?
▪ How is adherence to the code guaranteed?
19.06.2019 Michaela Th. Mayrhofer
LIAISON WITH OTHER INITIATIVES
19.06.2019 Michaela Th. Mayrhofer
WHAT THE CODE IS(N‘T)
19.06.2019 Michaela Th. Mayrhofer
"WHAT DESTROYS FAITH IS
DON’T ASSUME ANYTHING! BE ACCOUNTABLE!
I am a Doctor!
11.06.2019 Michaela Th. Mayrhofer 23
subject to change – CODE DEVELOPMENT IS A PROCESS
• Draft code developed and presented to peers: 2019/2020
• Public consultation: 2020
• Submission to EDPB via national DPA: 2020
19.06.2019 Michaela Th. Mayrhofer 24