Actual Provisions and Rules


1.1 Principles
  • Requirement to establish a legal basis
    • Every processing requires a legal basis under the GDPR; in case of sensitive data such as health, genetic, religion or ethnic origin, an additional legitimation is needed, which can be based on consent or the Luxembourgish data protection law
    • A careful analysis for each processing is needed, for which specific purposes it takes place and what the most appropriate legal basis is for the processing in the context of that purpose. A purpose is typically a research project (not “research” in general). Also storing data for future research projects is a potential (separate) purpose.
    • Several purposes can coincide where data are, e.g., stored in the same place for different projects. In this case, different legal bases may apply at the same time to the processing.
    • The “processing” for a research project comprises all data operations from the data collection and storage to the (necessary) sharing with other entities, the data analysis, the publication (where this implies personal data), specific archiving for reproducibility reasons and the re-running of the data analysis for reproducibility or the disclosure to demonstrate reproducibility.

  • Choosing the most appropriate legal basis
    • The typical legal bases to decide between are consent, a task in the public interest and legitimate interest.
    • There is no “default option”: the choice should be determined by what is best suited to the intended research. A case-by-case analysis is needed.
    • The legal basis has to be established before the data is collected (either from the data subject or another source) and communicated to the data subject (or where applicable to the collaborator who provides the data). Where there’s no direct information of the data subject, the project and legal basis needs at least to be published on the webpage of the institution (see transparency).
    • The legal basis is to be documented, alongside a justification, in advance of the start of a research project
1.2 Consent
  • When to use it
    • There is no ethics requirement or legal obligation to choose consent as a legal basis when another legal basis is equally suited.
    • Leading questions:
      • Can a dataset be deleted from the project / database at any time if the data subject withdraws consent?
      • Can the data be anonymised at the latest at the time of publication, so that the data that needs to be stored for reproducibility reasons is actually anonymous? Note: anonymisation means that the link to the data subject needs to be irreversibly destroyed; this may require more effort than deleting the direct identifiers and the pseudonymisation table. Details under link to anonymisation
      • Is there no dependency between the data subject and the PI or his institution and / or the person recruiting the data subject? A dependency (real or perceived) will exist where a PI asks his team members to participate or a doctor / hospital recruits among their own patients
      • ONLY if all these questions can be answered with “yes”, consent is a suitable legal basis

  • What is to be considered for implementation
    • The GDPR consent needs to include at minimum the following information: the controller’s identity, the purpose(s) of the processing, the type of data that will be collected, the right to withdraw the consent, information about any potential automated decision making and any data sharing with parties outside the EEA.
    • The elements of the informed consent to the research under ethics regime (“ethics consent”) should be kept separated from the GDPR consent to the processing
    • When several purposes are pursued – different projects, or using data for future, not yet defined projects – these purposes need to be consented separately
    • Where broad consent is to be obtained for entire research areas, it is still necessary to consent such research area(s) separately from the research project / research question that was driving the collection (where applicable)
    • Where data is planned to be made accessible to other scientists for research (e.g. by depositing in a data repository), this should also be consented separately
    • The DPO should be consulted on the consent form
    • [Example / template to be provided in the annex.]
1.3 Task in the public interest
  • When to use it?
    • The “task in the public interest” can be relied on when this task can be derived from a mission of the institution that is established by a law or a regulation
      • The LIX and the UL have research as part of their mission through the law that establishes them
      • All institutions covered by the Act of 8 March 2018 on hospital establishments and hospital planning can receive such research mission in the field of health through an authorisation by the Health Ministry. The same applies to the competence networks established on the basis of this law.
      • The STATEC receives by the Law of July 10, 2011 on the organization of the National Institute of Statistics and Economic Studies a mandate to carry out scientific research in the field of the modelling of economic, demographic, social and environmental facts
    • Where research support measures are pursued (e.g. operation of a biobank for research) such task has to be specified in a law or regulation as well to be able to rely on public interest. A research mission is not sufficient to establish a legal mandate for research support beyond the own organisation.
    • Where research support is established as a task in the public interest, the services must be in principle available to all stakeholders that fall under the eligibility criteria for the service

  • What is to be considered for implementation?
    • Where such mission to perform research can be derived from a law or a regulation, for each research project a “necessity test” needs to be performed with a positive outcome on the questions
      • Is the research question within the scope of the research mission of the institutions?
        • For LIX, the healthcare institutions and STATEC the scope of research is defined in the law
        • The UL has an open research mission; here additional criteria outside the law may have to be applied such as public funding or the demonstration that the research aims at knowledge for the benefit of the society in parts or as a whole
      • Is it necessary to process personal data to answer the research question?
      • Is only the data needed being collected and/or used and not any additional data?
      • Is the data used for research project only and not also for other purposes?
    • In addition, the research must comply with the requirements of scientific research. This includes that the project must follow good scientific practice, in particular:
      • Build on state-of-the-art research methodologies of the field
      • Be in accordance with research ethics
      • Aim at knowledge generation and therefore at publication of the results
    • The result of the analysis to justify public interest should be documented
      • Demonstration how the research fits into the mission of the institution or what the public benefit of the research is (UL)
      • Peer-review of the project plan by external reviewer as part of research funding or at minimum through other scientists outside the project
    • If the data comprises genetic or biometric data, data on health, ethnic origin, religion (data listed in GDPR Art. 9(1)), the measures required in the Luxembourgish data protection law from Art. 65 should be implemented or any deviation to be justified in writing.
    • Consultation of the DPO or the data steward on the entire documentation
1.4 Legitimate interest
  • When to use it?
    • To be used where the scientific research pursued does not fit with the research mission of the institution as given by law
    • Often suitable for research support (services)

  • What is to be considered for implementation?
    • For research, the necessity test and the requirement for good scientific practice apply:
      • Is it necessary to process personal data to answer the research question?
      • Is only the data needed being collected and/or used and not any additional data?
      • Is the data used for research project only and not also for other purposes?
      • A balancing test is required in addition to consider:
        • Balance the research interest against a potential impact on the data subject;
        • The balancing should be positive if all the following apply:
          • The data subjects agree to the data processing (e.g. as part of the ethics consent) or a clear communication with an opt-out procedure was provided
          • An ethics approval was obtained
          • Only data needed for the project or research support are collected
          • Sufficient technical and organisational measures have been established to protect the data
    • The result of the analysis should be documented
    • On the full documentation (necessity test, balancing test) the DPO or data steward should be consulted
    • If the data comprises genetic or biometric data, data on health, ethnic origin, religion (data listed in GDPR Art. 9(1)), the measures required in the Luxembourgish data protection law from Art. 65 should be implemented or any deviation to be justified in writing.
1.5 Choice of legal basis where data is obtained from a collaborator
  • Consent as legal basis
    • Only possible where your institution was explicitly covered in the consent form
    • Where a collaborator insists on consent to be used as legal basis also for you / your institute’s processing
      • Proof needs to be provided by the collaborator that the institution is sufficiently (explicitly) covered by the consent
      • The DPO should be involved in such check
    • Where data are used in a project alongside other data not collected under consent, be aware that several legal bases may apply in parallel to each other

  • Public interest or legitimate interest as legal basis
1.6 Choice of legal basis that is already "in-house"
  • Dependence on legal basis of collection: consent
    • Where data was collected under consent: this legal basis will drive the future use
    • It is important that such secondary use (e.g. in a new project or to be deposited in a repository) is consented to by all data subjects whose data is included

  • Dependence on project: other legal basis of collection
    • Where data was collected on another legal basis than consent (e.g. public interest, legitimate interest), the project and an analysis as described above will determine the most suitable legal basis.


2. Fairness of processing

2.1 Measure involving the data subject
  • “Ethical” consent (based on recognised ethical standards)
    • Will be obtained wherever possible, independent of legal basis
    • Where no consent is possible (e.g. incapacitated subjects; danger of research bias), other measures will be taken in accordance with recognised ethical standards

  • Transparency
    • Information provision about the purpose of the research and the scope of processing in advance of data collection, where collection is from the data subject
    • In particular, in case of changes to the provided information:
      update required before the new situation is pursued
    • For more information on how: see Transparency of processing
    • Where contact information is missing and cannot be reasonably recovered, publication on website and in places where the data subject is likely to find this information
    • Where information is collected in public places: advance notices should be given onsite well in advance as well as in relevant media

  • Data subjects’ rights
    • Allow exercising of rights as easily and as comprehensively as possible
    • Reliable ways of authentication to be foreseen
    • React on requests as fast as possible
      (foresee upfront technical and organisational measures)
    • DPO is involved in feedback provision
2.2 Measures in particular involving minors
  • Provision of age appropriate information
  • Informed (ethics) consent of parents or legal representative will be obtained; (and re-obtained in case of change of legal representative)
  • Assent = agreement of child to data processing for research
    • Will be obtained in addition at least from 8 years old onwards, and also earlier where appropriate. Reason: the child must understand the concept of data and privacy at minimum

  • “Coming of age”: from 16 years onwards
    • Re-contact for confirmation / consent where electronic contact (data) is maintained;
    • Provision of general information and contacts to exercise consent otherwise: right to object rather than formally consenting
    • Justification for chosen age limit: age defined in GDPR to be able to give consent in the context of online services
2.3 Measures involving other vulnerable subjects (relevant groups to be specified)
  • Mentally ill / demented patients / difficulties accessing information
    • Examples
      • Alzheimer patients
      • Psychiatric patients with strong personality disorder, e.g. schizophrenia
    • Specific measures & safeguards
      • Information provision and discussion of research at the level of their capacity to understand
      • Use media to provide best understanding
        (e.g. where written content will not be efficient, cartoons could be envisaged)
      • Informed (ethics) consent from legal representative or proxy
      • Explicit objections will be accepted even if the legal representative has given consent, except where the research will be of vital interest to the data subject

  • Traumatised / unconscious subjects or otherwise unable to give consent
    • Example: sepsis research
      • Sepsis patients get into hospital under shock, high mortality, pathobiology still not understood
      • Standard healthcare does not include molecular diagnostics
      • Additional parameter may be taken immediately to better understand the underlying biology (e.g. metabolic and circulatory parameters play a role)
    • Specific measures & safeguards
      • No information provision / consent may be possible prior to data processing
      • Legal representative or proxy will be informed and asked for permission
      • Where a legally authorised representative or proxy is not available for timely enrolment, researchers may obtain the permission of a representative who is socially accepted but not formally recognised before the law (and outside the research), e.g. an independent physician in the case of a patient
      • The person will be given all relevant information as soon as they regain capacity;
      • (Ethics) consent to remain in the research project will be obtained as soon as possible.
      • Public information on website, in newspapers, doctor’s practices & hospitals

  • Disadvantaged people
    • Examples
      • People in hierarchical relationship, economically disadvantaged people, asylum seekers, elderly
    • Information provision adapted to their needs
    • Safeguards to promote voluntary decision-making to participate in research
2.4 Measures in case of indirect data collection (e.g. from the internet, bystanders, other controllers)
  • Examples:
    • internet, bystanders, other controllers, monitoring devices such as CCTV cameras

  • Data received from another controller (e.g. other researcher)
    • Researcher will make sure that data collection was fair and
      sharing for the envisaged purpose is in line with expectations of data subject;
    • Where data collection was not fair, the data will not be used
    • Where data sharing for envisaged purpose is not covered by information
      (and consent) of data subject, the necessary information will be provided before the data is transferred / processed (through provider or other means)

  • In all other cases
    • If contact data is available, information about research / data processing will be provided directly to the data subjects before starting the data collection
    • Without contact data: information provision where information is likely to be found, at minimum at research institution’s webpage.
      In minimum case: Justification why other channels would be less effective
    • Examples for missing contact data
      • Data received is pseudonymised without access to key, monitoring in public spaces, data from internet (manifestly made public by data subject without contact data)
2.5 Other measures by the controller
  • Justification of scope of data used, e.g. by analysis plan
  • Peer-review of research plan, at minimum by colleagues to ensure scientific value of research
  • Ethics reviews to ensure societal value of research and fairness of approach
  • Adherence to consent obtained / information provided where possible
  • Technical and organisational safeguards to ensure that data is always used for the foreseen purposes only
    • Avoid accidental or deliberate misuse of data;
      • Includes default measures and an assessment of the nature, scope, context and purposes of processing for appropriateness of the standard measures
        -> Identify whether a higher protection level is required.
      • In case of a higher protection level / sensitivity of data or processing
        -> A DPIA will be done (see also guidance on when a DPIA is necessary)
  • Measures to ensure integrity and confidentiality of data
  • Pseudonymisation or anonymisation as early as possible; (see pseudonymisation / anonymisation)
2.6 Measures in case of external recipients (independent controllers, joint controllers, processors)
  • Before data is transferred to third parties (includes access)
    • Definition of purposes of transfer and subsequent data processing / use
    • Check that transfer and purpose for transfer is compliant with provided information and ethics / GDPR consent
    • Limitation of processing by third party to the defined purpose
    • Assurance that third party has organisational and technical safeguards in place to avoid misuse of data

  • Assured adherence of third party to requirements through written and signed agreement
    • At minimum between the researchers
    • Ideally legally binding between institutions
    • The DPO is consulted about the agreement

  • Processor involvement
    • Where data is disclosed to a Processor, a formal agreement with defined clauses according to Art. 28 GDPR is signed between the institutions
    • The DPO is consulted about the agreement


3. Purpose limitation

3.1 Single purpose (connect with ethics and/or GDPR consent)
3.2 Staged purposes (connect with ethics and/or GDPR consent)
3.3 Broad purpose (connect with ethics and/or GDPR consent)
3.4 Further processing


4. Storage limitation / Data retention

4.1 Absolute time frames
  • Where data needs to be kept only for a limited time, these limits have to be documented and told to the data subject
  • Documentation periods have to be considered
  • Decide and communicate upfront if data is to be deleted or (where possible) anonymised
  • Where data is kept only for a limited time, it cannot be used beyond this time frame unless anonymised
4.2 Open time frames (criteria to keep; safeguards)
  • Dependence on milestone
    • Duration may not be clear as it depends on achievement
      Example: publication of research and/or end of archiving obligations following publication
    • Clearly define milestone
    • Define mechanisms to check achievement or achievability of milestone
    • Communicate milestone to data subject

  • Open retention for future research purposes
    • Allow (theoretically) indefinite retention time for scientific research
    • Define criteria to review continued usefulness of data for research
    • Define mechanisms to review criteria
    • Define safeguards

  • Criteria for Open Retention for Research
    • Prerequisite
      • There is in-house knowledge (metadata) about the data to enable its future use
    • Documentation
      • Documentation of the data (FAIR data) must be available to give auditable proof that enough knowledge exists about the data to use it in future research projects
    • Further Conditions
      • Data have not been made obsolete by new technologies or new findings
      • Data cannot be easily recovered (availability, cost, distortion of data)

  • Examples for open retention criteria
    • Data cannot be easily recovered
      • Data represent an important “picture of the time” (such as a socioeconomic cross-section or environmental conditions, which cannot be obtained retrospectively)
      • Data represent status of health/disease of a certain person at a certain time,
      • Data generation is costly (e.g. molecular data)
      • Data re-generation could lead to a different outcome
    • Data can be recovered
      • Data is available in a central repository; in this case, there is no need for a local copy with open retention time

  • Other aspects for open retention for research purposes
    • It is not required that the data is in permanent use;
    • If data is not in use, it should be encrypted.
    • The link to the data subject can be kept provided there are technical and organisational safeguards in place to protect the privacy of the data subject and that there is a justification to keep the pseudonymisation table (e.g. potential future data linkage; longitudinal data; possibility to keep the link to the data subject)
      See pseudonymisation [link]: there, best practice for key management and criteria for the involvement of a trusted third party (TTP) will be given.
    • The potential future use should be reviewed every 5 years
    • The approach needs to be communicated to the data subject (where the data subject is given the right to object to this open research use)
    • The approach including the data subject information needs to be covered by an initial ethics approval.


5. Data minimisation

5.1 Data minimisation principle at the collection of data
5.2 Data minimisation principle at the use of data


6. Transparency of processing towards the data subject

6.1 Information provision directly to the data subject (according to Art. 13)
  • Principles to consider
    • Written information always provided beforehand if possible
      • Written can also be cartoons
      • Media can be adapted to best accessible means for research participant
      • Information in language of research participant
    • Where such information provision is not possible beforehand: see also fairness of processing add link
    • Leading principle: data subject should never be surprised by the way the data is being processed
    • Information needs to be precise, understandable and target-specific towards the data subjects;
    • Data protection information should be grouped and not distributed over a research information sheet mixed with other information (on the research or as required by ethics)
    • Archive information sheet(s) / documents
    • In case of evolution of information provided during the research
      • Do transparent and documented versioning
      • Document which data subjects have been informed based on which version
    • Provide data subjects with a paper and/or electronic copy if possible (either directly or through download)

  • Timing of information provision
    • Before starting the collection with at least 24 hours between the information provision and the beginning of the collection (where the nature of the research allows this)

  • Providing contact details
    • Contacts to be specified
      • Name and contact details of the organisation
      • Name and contact details of the legal representative of the organisation
      • Contact details for questions of the data subjects and for exercising data subjects’ rights
      • Contact details of the data protection officer
      • Recommended: Explanation that the provided contact will be the contact for all subsequent data use, also if data is shared with collaborators. Any subsequent user can be reached through this organisation as long as data remains pseudonymised (i.e. the link to the identity is not destroyed).
    • Important considerations for contact details
      • Possibility to contact should not depend on individual person(s) [only]. Researchers need to be prepared that such contact person can change and data subjects should still be able to reach someone. The same is true for other contact data such as DPO.
      • Provide “generic” contact addresses such as function@institution.lu rather than Firstname.Lastname@institution.lu

  • Explaining the purpose of the processing / research
    • Where data is collected for a specific project
      • Specific project has to be described independent of potential future research
      • Respective recipients where possible must be named
      • Future research should be described as an additional purpose and categories of recipients named
    • Broad or multiple purposes
      • Where data is collected for multiple purposes (e.g. healthcare applications as well as research; different research areas), these need to be specified separately.
      • Where data is collected for a broad purpose upfront (e.g. health research in an epidemiological project; biobanking), such purposes should be described in a concrete way in line with the idea of “certain areas of research”, i.e. specify research sectors such as “health research” or “socio-economic research” and explain why no narrower focus can be defined, also for the initial research.
      • Where a broader research use (e.g. research in the public interest) is envisaged, a clear reference to a source providing additional and up-to-date information on the use of data needs to be provided to the data subject to allow information on the subsequent concrete purposes of the data use at any time.
      • A country-wide website on data use will be established, where such information on data use can be found by the data subjects.
    • Changes of the purpose / further processing
      (e.g. new research previously not communicated and not covered by a broad consent previously informed about)
      • Add all associated changes, e.g. new types of recipients, changes in rights, etc.
      • To be provided to data subject at least 4 weeks before starting the new research
      • In case of continued contact / existing contact data: directly to data subject
      • Where no contact to the data subject exists: via the webpage and places where people are likely to look, e.g. newspapers, as well as in the future Luxembourg Research Information Portal
        In this case, more time may be required; please check with your DPO on what is appropriate in the specific case.
      • In particular important: referring to the right to object to this processing.
      • Where data was based on consent, new legal basis should be public interest;
        (Background: statements that further processing under consent need new consent)
      • Explanation to be provided what this public interest constitutes and that ethics approval has been obtained.

  • Lawful basis of the processing
    • The legal basis under Art. 6 needs to be specified
    • The consequences of the choice of legal basis should be explained to the data subject
    • Where a different basis to GDPR consent is chosen, the difference between ethics consent and GDPR consent has to be made clear
    • If legitimate interest is the legal basis, the specific interest in question must be identified to the data subject
    • Different types of processing may come under different legal bases – all need to be considered and communicated upfront
      Examples
      • Industry collaborations may be processed under legitimate interest
      • Where research processing is under GDPR consent, subsequent archiving should be under public interest
      • Clinical trials will have safety and quality aspects under “legal obligation” (Clinical Trial Regulation) while the research itself is usually under public interest, legitimate interest or (in rare cases) under GDPR consent
    • Comment: Example clauses will be given in annex

  • Information on recipients
    • Recipients are any (legal or natural) persons to whom data are disclosed, i.e. made available for processing
    • All recipients that are known to receive the data in a foreseeable timeframe should be mentioned by name
    • For broader purposes than a defined project and also future use, categories of recipients should be named;
      These should be characterised
      • By activity type (e.g. not-for-profit research organisation; industry)
      • By location (within the country? Within the EU? Globally?)
      And justified for their likely / potential need.
      Warning: Any unnecessary restriction should be avoided in order to prevent limited usability for research in the future; however, categories still need to be specific (i.e. be clear, make sense and be justifiable).

    • Where categories of recipients are mentioned:
      Keep track of the individual recipients during the lifetime of the data to be able to inform in case of information requests of the data subject (see Art. 15 below)

  • Special information requirements for recipients outside the European Economic Area (EEA)
    • EEA – GDPR is directly applicable: no additional information needed
      • EU countries
      • Norway, Iceland, Liechtenstein
    • For any recipient country outside the EEA or any international organisation
      • If an adequacy decision is in place for the respective country: state this and that it means a level of protection comparable to the GDPR
      • Where no adequacy decision is in place and safeguards are chosen according to Article 46 or 47, or the second subparagraph of Article 49(1):
        Reference to the respective Article and explanation of the safeguard
    • Where the transfer is based on consent:
      • Information needs to be provided about the risk;
        such information should mention that in the recipient country:
        • There might not be a supervisory authority
        • Data processing principles might not be provided for
        • Data subject’s rights might not be provided for
    • Where agreements are part of the safeguards, information should also be provided that a contract was concluded to ensure the data subjects’ rights as far as possible. Further information should be given on whether and how this contract can be viewed.
    • Information should be made available (directly or via link) on the level of protection and risk of the data subject based on the DPIA made for the transfer
    • Always involve your DPO if data is transmitted or accessed by an organisation outside the EEA

  • Information on the retention time
    • Where data is kept only for a defined period, such period should be named
    • Retention periods specified should not only cover the duration of research but also subsequent archiving periods of data as required by scientific journals for reproducibility
    • Where no defined retention period can be given, information on criteria and how they are tracked should be provided
    • The potential long-term retention (e.g. over decades; or even longer) should be openly addressed
    • More detailed information: See section on retention
    • Information should be provided as to what happens at the end of the retention period: destruction or anonymisation of the data
      Comment: for anonymisation instead of erasure, see the following information

  • Information on data subjects’ rights
    • Information on rights should be specific
      • Applicable rights depend on choice of legal basis
        (Comment: List will be provided in the Annex of the CoC)
      • Rights should not only be listed but also explained
    • Mechanisms to exercise rights must be explained and robust contact information and/or tools provided that allow the data subjects to identify themselves and easily communicate their aims
    • Possible derogation from rights must be mentioned
      • Most rights can be suspended under certain conditions
        If this is to be expected for the intended research, the information is to be provided already with the first / initial information
    • Anonymisation
      • If it is planned to anonymise the data at some point, the information should be provided that after the anonymisation, the rights can no longer be exercised

  • Information on profiling and automated decision making
    • Information on automated decision making and profiling is obligatory and a new obligation under the GDPR
    • A great deal of research computation falls under the definition of profiling
    • 2 scenarios
      A. Computational analysis may have direct consequences for the data subject
      - Example incidental findings: profiling, not automated decision making
      - Example pre-research: selection for a research study or clinical trial based on features -> profiling, potentially also automated decision making but without legal or significant consequences for the data subject.
      B. Computational analysis for knowledge gain only, but new features are associated with the data subject (e.g. biomarker studies)
    • Information in case A
      • Explain that computational methods are applied to their data, how data is being analysed (e.g. using machine learning algorithms to detect relevant features; use statistical methods to group people etc.) as a basis for contacting them
      • Explain the potential findings with relevance for them, what the consequences are and how / why they are contacted about them (relevant e.g. for “pre-research”)
    • Information in case B
      • Explain that computational methods are applied to their data, how data is being analysed (see above); potentially giving examples
      • Explain that the aim is to find and understand features of diseases, not people

  • Additional information to be provided
    • Information on risks and safeguards taken to protect the rights and freedom of the data subjects should always be given in the information sheet:
      • Explaining potential risks due to the processing
      • Explaining the most relevant safeguards in the research
    • Comment: the information about the potential risks and the relevant safeguards in plain language will replace making any DPIAs or parts thereof available.
6.2 Information provision in case of indirect collection (Art. 14)
  • Applicability
    • Only relevant where data is not obtained directly from data subject
      • Where initial / all data is obtained from other controllers, the internet etc.
      • Where additional data on top of already existing data collected from the data subject is obtained from other sources, such as public registries, healthcare providers or biosamples

  • Timing of information provision
    • As early as possible
    • Where initial data collection is done from data subject: at the time of first information
    • Where additional collection was unforeseen:
      • At minimum 4 weeks before obtaining data in case of direct contact with data subject
      • At a time frame to be defined jointly with the DPO and the REC Chair before obtaining data in case of public information (and justification of period to be provided) and after an Ethics approval has been obtained / updated
    • Where initial collection from other sources: within 4 weeks after obtaining the data
      • And at minimum 4 weeks before research commences in case of direct contact data
      • And at a time frame to be defined jointly with the DPO and the REC Chair before starting the research in case of public information provision (and justification of period to be provided) and after an Ethics approval has been obtained / updated

  • Potential derogations from information obligation
    • Impossible to contact data subjects
      • No contact data available (e.g. information from the internet)
      • Pseudonymised data where the controller does not have access to the key
    • Disproportionate effort
      • Familial information (except in case of genetic family studies)
      • Addresses out of date – measures to be taken are to be defined jointly with DPO
      • Only postal address for a large study – the number of subjects that justifies a disproportionate effort is to be defined jointly with DPO
    • Where information would impair or make impossible the research
      • Information may cause people to modify (including deletion of) their data
    • Safeguards to be implemented
      • Involve DPO
      • Make information public on website and relevant public places / platforms
      • Inform retrospectively as soon as obstacles are overcome
      • Give higher protection level to prevent misuse
        (e.g. access restriction; encryption; data access committee for the use of the data)
        • Make data protection impact assessment with focus on
          • Intrusiveness of the processing
          • Appropriateness of safeguards

  • Information on data sources
    • If possible, name the specific sources from which data will be / was obtained
    • Where sources cannot be exactly specified: give the kind of resource (e.g. health records) and the type of provider (e.g. doctor; diagnostics companies; hospitals)

  • Information on the categories of data obtained
    • Raise awareness of which kind of data will be drawn from these external sources: data subjects should not be surprised!
    • Describe as precisely as possible which data you (intend to) collect
    • In case of biosamples, “molecular data” can be used as a category but needs to be explained. It does not need to be specific, but explanations are to be provided of what kind of data this is.

  • All information as described above for Art. 13 requirements
6.3 Information provision on information request (according to Art. 15)
  • Applicability
    • On the specific request of the data subject

  • Timing
    • Within 4 weeks after receiving the request

  • Potential derogations from information obligation
    • If this right impairs the research
      Example: double blind clinical trials – participants are not allowed to know if they take a drug or a placebo
    • If the right leads to disproportionate efforts for the research performed (“too expensive” alone is not enough)
      Example could be: Information provision requires dedicated consulting as an accompanying measure, such as in case of genetic data; to be reviewed and decided jointly with DPO
    • General derogation but relevant for research: if the right of access adversely affects the rights and freedoms of others; e.g. where information on family members is implied
    • In all cases where this right is not complied with, a DPIA is needed jointly with the DPO

  • Same information rights as under Art. 13 and Art. 14
    • Article 13 information (link)
    • Article 14 information (link)

  • Additional information rights
    • Specific information on recipients (not only categories)
    • Specific information on naming other countries (cross-border processing / third countries)
    • Access to / a copy of the personal data if this does not affect the rights and freedom of other data subjects
    • Explanations on the risk assessments made to guard the rights and freedom of the data subjects
6.4 Other information obligations
  • Where data subjects exercise their rights according to Arts. 16-21
    • Information on action should be given within 4 weeks
    • Where request cannot be complied with or action is delayed:
      Information and justification of this fact within 4 weeks
    • Communication to be aligned with DPO

6.5 Future aspect: Luxembourgish Research Information Portal
  • Transparency tool
    • Online information for data subjects in research studies

  • Midterm
    • Generic information on all research projects (aim, partners) plus relevant changes should be easily accessible
    • Information on safeguards

  • Longterm
    • Data subjects can exercise their rights through the portal
    • The information provision in the Portal will be mandatory for all researchers if the institution has decided to participate in this Portal


7. Exercising the data subject’s rights (including subsequent controllers’ notification)

7.1 Principal applicability
  • The applicable rights depend on the legal basis for the processing
  • The following rights apply in principle
    • Right to transparency (Arts 13,14,15): always
    • Right to informational self-determination: different rights apply
      • Withdrawal of consent: if based on Art. 6(1)(a) and/or 9(2)(a) Consent
      • Objection to the processing: if based on Art. 6(1)(e) public interest or (f) legitimate interest
      • Right to be forgotten: in all the above cases
      • Restriction of processing (i.e. keep the data but not work on them):
        can apply under all legal bases, but is subject to certain processing conditions
      • Not being subject to automated decision making: always
    • Rectification: always
    • Portability: if based on Art. 6(1)(a) and/or 9(2)(a) Consent
7.2 Obligation of researchers: Communication aspects
  • Inform before commencing the processing about the rights of the data subject, how to exercise the rights and in particular where rights (foreseeably) may not be granted (example: erasure from archives)
  • Foresee and communicate to data subjects adequate communication channels (secure, easy to exercise, possibility to identify)
    • Foresee means and mechanisms for identification e.g.
      • Personal contact F2F where data subjects identify themselves by means such as passport / ID card or similar
      • 2-way communication channels to re-confirm in case of remote contact
      • Electronic means: 2-factor-authentication with strong authentication
    • Possibility to bridge between person and pseudonym
      • Procedures in place to link data and person without revealing the person’s identity on side of the researchers / research database
      • Where no identity information is kept but pseudonym created, explore possibilities to provide link through re-creation of pseudonym
        (e.g. hashes of identity data should create the same pseudonym if these data are provided by the data subject)
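One way to implement the pseudonym re-creation described above, as an added example that is not part of the original CoC: identity attributes are canonicalised and fed through a keyed hash (HMAC-SHA256) rather than a plain hash, because identity data has low entropy and an unkeyed hash could be reversed by enumeration. The key, the field list and the sample records are assumptions constructed for the example; in practice the key would sit with the trusted third party that operates the pseudonymisation.

```python
import hashlib
import hmac
import unicodedata

# Constructed demo key; in a real deployment the key is held by the trusted
# third party and is never available to the research database.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Assumed attribute set used to build the pseudonym (hypothetical choice).
IDENTITY_FIELDS = ("given_name", "family_name", "date_of_birth")


def normalise(value: str) -> str:
    """Canonicalise one identity attribute so that formatting differences
    (case, accents, surrounding whitespace) still yield the same pseudonym
    when the data subject re-supplies their data later."""
    value = unicodedata.normalize("NFKD", value)
    value = "".join(ch for ch in value if not unicodedata.combining(ch))
    return " ".join(value.casefold().split())


def make_pseudonym(identity: dict, key: bytes) -> str:
    """Derive a deterministic pseudonym from identity attributes.

    HMAC with a secret key is used instead of a bare SHA-256 so that someone
    holding only the pseudonymised dataset cannot confirm guesses of
    (name, date of birth) combinations without the key."""
    canonical = "\x1f".join(normalise(identity[f]) for f in IDENTITY_FIELDS)
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def locate_record(identity: dict, key: bytes, records: dict):
    """Re-create the pseudonym from identity data provided by the data
    subject and look it up in the pseudonymised research data.
    Returns None when no record matches, i.e. the request cannot be linked."""
    return records.get(make_pseudonym(identity, key))


# Constructed sample: the data subject as enrolled ...
SUBJECT = {"given_name": "Élise", "family_name": "Muller",
           "date_of_birth": "1980-03-04"}
# ... and a pseudonymised research dataset keyed only by pseudonym.
RECORDS = {
    make_pseudonym(SUBJECT, DEMO_KEY): {"cohort": "A", "visits": 3},
}


if __name__ == "__main__":
    # Data subject later identifies themselves with slightly different formatting.
    resupplied = {"given_name": " elise ", "family_name": "MULLER",
                  "date_of_birth": "1980-03-04"}
    print("match:", locate_record(resupplied, DEMO_KEY, RECORDS))
    # A different person (other date of birth) does not map to the record.
    other = dict(SUBJECT, date_of_birth="1980-03-05")
    print("no match:", locate_record(other, DEMO_KEY, RECORDS))
```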
  • Comply with requirements detailed under “Transparency” (link)
    • In particular: inform about outcome of request (implementation or explanation why request cannot be implemented) including possibility to launch a complaint
7.3 Obligation of researchers: Procedural aspects
  • Comply with the expressed wishes of data subjects where possible
  • Have policies established on implementing the data subjects’ requests (e.g. involvement of DPO strongly recommended), including communication policy for informing data subjects on actions taken
  • Store data and all copies in a way that processing restrictions, erasure or rectification requests can be exercised
  • Foresee possibilities to notify subsequent recipients (joint controllers, processors, third parties) of requests under informational self-determination; this could include:
    • Keep documentation of data shares and relevant contacts (including pseudonym matching table);
    • Foreseeing the reach-through in contracts (where applicable)
    • If it is impossible to directly notify all recipients (e.g. because data have been made public), measures such as publication of information on a website and in relevant places should be taken
  • Foresee documentation of the requests and the answers provided
7.4 When a derogation can apply
  • If there is no possibility to identify the data subject
    • Data has been anonymised
    • Pseudonymised data is without matching table (deleted or never set up)
      • No mechanism to link identity to pseudonym exists
      • No possibility that data subject provides additional data that allows mapping back of data subject
  • Where researchers can provide evidence that the exercise of a right impairs or makes impossible the research
    (Arts. 14, 15, 16, 17, 18, 21 as well as withdrawal of consent)
    • Includes archiving obligations of already achieved research results
    • Research purposes must be proportionate in comparison to the effect on the data subject’s rights and freedom
    • Includes that the research aims at a public interest outcome (health, environment, socio-economic well-being of the population), in particular for Art. 21
  • Additional reasons for derogation:
    • Disproportionate effort (Art. 14); e.g. where efforts so high that a research project cannot be finished with the available resources
    • If the exercise impacts the rights and the freedom of other persons (Access (Art. 15); portability (Art. 20))
    • If the processing is necessary for the performance of a task in the public interest (Art. 20)
7.5 How to implement a derogation
  • Consider in the project planning the impact of exercising the data subjects rights
  • Identify where the rights will seriously impair the research at any stage
  • A necessity and a proportionality test have to be performed together with the DPO
  • Where known from beginning that a derogation will be needed:
    inform data subjects in initial information
  • Where the derogation applies only in specific case (unforeseen):
    • explain to data subject within 4 weeks (maximum) that no action is taken,
    • the reasons for it,
    • the additional safeguards taken (where applicable)
    • the effect for / applicability to future research (if appropriate) and
    • the right to make a complaint to the CNPD
  • In all cases: the reasons for rejecting the request need to be documented
  • A Data protection impact assessment needs to be performed
    • Focussed on the derogation;
    • Assessment of the impact on the data subject;
    • Assessment if additional safeguards are required (as described in LU DP Act Art. 65)
      (justification needed if any of them is not implemented)
7.6 Withdrawal of GDPR consent
  • Applies where legal basis for processing is consent
  • When consent is withdrawn, the processing needs to be terminated
  • This will be applicable to active and future research
  • Data should be deleted from active datasets
  • Where there is a high interest to keep data for future research
    • Anonymisation can be considered to continue the processing:
      • Where data subjects agree to this approach
      • Where effective anonymisation is possible
      • Where a policy for anonymisation is in place (see anonymisation section / link)
    • Where withdrawal of consent will jeopardise the entire research project and anonymisation of data is impossible, a swap of the legal basis may be possible
      • Requires strong argumentation (to be established jointly with DPO)
      • Requires measures as described under Derogation of Data Subjects Rights
      • Requires change of legal basis (e.g. to public interest or legitimate interest – conditions: see section on legal basis)
  • Where holding of data is needed for reproducibility of research results
    • Where necessary: swap legal basis to public interest or legitimate interest
    • Information of data subject about this archiving and the purpose limitation for it
    • Measures as described under Derogation of Data Subjects’ Rights
7.7 Objection to the processing
  • Applies where the legal basis is public interest or legitimate interest
  • Applies when data subjects withdraw consent to the research or object to new / additional / part of the processing
  • For withdrawal of consent to research: similar situation as under withdrawal of consent as legal basis
    • Delete the dataset from active research
    • If anonymisation is possible: processing can be continued after anonymisation
  • Objecting to new processing or part of the processing – data cannot be included in that research
    • Keep the dataset separate from the data in the respective research
    • Alternative: set a flag in the database which precludes the use of the dataset in the respective research
  • Legal basis legitimate interest:
    • Request needs to be complied with as described above unless compelling interests of research in the interest of society are established (to be done jointly with DPO)
    • Archiving for reproducibility of already performed research without further use is possible (safeguards in place)
  • Legal basis public interest research:
    • Current research to which the data subject objected can be continued if removal of data seriously impairs the project and/or if finalisation of ongoing research was communicated in information sheet
    • Data should be excluded from future research to which the data subject objected unless the removal renders an entire data collection aimed for future use dysfunctional and the interest of society in the research outweighs the interest of the data subject (to be established with DPO)
  • Potential reasons to argue for continued processing for research
    • Cohort becomes no longer representative
    • Loss of statistical significance
    • Relevant building block of research gets lost e.g. in family study
  • In all cases of continued processing: rules for derogation will apply
7.8 Restriction of processing
  • The processing may be restricted following a request for rectification of data or the objection to the research or parts of the research
  • Where processing is restricted: active processing for the (respective) research needs to be stopped. This means the dataset needs to be removed from the respective active databases or flagged in a way that prevents its use for respective research
  • Where such suspended processing is only temporary (e.g. until need for rectification is clarified) and such suspension jeopardises the research, processing can be continued
  • Rules of derogation from data subjects’ rights will then apply
7.9 Request to delete
  • Often a request following withdrawal of consent or objection
  • The researcher must delete the respective dataset
  • A policy with clear internal procedures for deletion must be in place
    • More: see deletion of data link – the policy needs to cover effective erasure (sanitising) of all data entries from active storage media; effective erasure from back-ups or effective measures to ensure no-restoration / delete after restoration from back-up
  • Anonymisation instead of deletion can be pursued
    • If this was agreed upfront before the collection (information sheet) or if agreed with data subject following the delete request
    • If data can effectively be anonymised
    • If a policy for anonymisation is in place (see anonymisation)
  • Erasure may be precluded where
    • The request is based on withdrawal of consent or objection to the processing and the erasure will seriously impair or make impossible the research
    • The request is based on the assumption that data are no longer needed and the researcher is able to demonstrate the continued need and usefulness of data for research
    • And in all cases: rules for derogation are applied
7.10 Request for rectification
  • Correct and complete data is in the interest of the researcher
  • In the interest of both, research and the data subject, data should be corrected or completed following the request of the data subject
  • Adaptations should be done in all copies of the data where possible
  • Researchers may not comply with the request of the data subject
    • In data archives for data that have already been used to obtain results and documentation is required of how the result was achieved;
    • Where data are correct in the context in which they were obtained e.g. :
      • Where data reflect status at the time
      • Where the retrospective recollection of the data subject on the data may be wrong
      • Where a request for rectification may be due to a changed opinion
      • Where new technologies (e.g. genomic sequencing) lead to different / better results, data may still be kept with a quality / error bar annotation and do not have to be replaced (Example: genomic sequencing – modern technologies have fewer “read errors” of the DNA)
    • Where a completion is asked of data which are not needed to be complete for the research
7.11 Request for access / information

See under Art. 15 / Transparency (link)

7.12 Request for data portability
  • Only applies in case of consent (and where data are stored electronically);
  • Only covers data collected (directly from data subject or from devices), not derived data (results from research).
  • Not relevant for data obtained from third parties;
  • Largely overlaps for research with right to access (receive a copy); here: have a copy sent to someone else
  • Can be relevant for making data more widely available
  • Transmit or make available for download; in future – make available in Luxembourg participant portal
  • Provide an interoperable format: commonly used open formats (e.g. XML, JSON, CSV,…) along with useful metadata
  • Where data affects the rights and the freedom of others, they should not be made available. Example: information on family members


8. International context

8.1 Scenarios
8.2 Safeguards or other measures


9. Data sharing

9.1 Project partners
9.2 Independent controllers
9.3 Processors


10. Publication of data

10.1 Scenarios
10.2 Safeguards depending on the type / criticality of data


11. Responsibility and liability


12. Accountability

12.1 Record keeping of processing
12.2 Documentation of responsibility


13. Processing of identified data

13.1 Communication data
13.2 Research data


14. De-identification

14.1 Parameters to be removed or aggregation of dates etc. to achieve de-identification
14.2 Checks to be performed


15. Pseudonymisation

15.1 How to pseudonymise (non-speaking; possible technical solutions & their limitation?)
15.2 When to use / prefer an external versus internal trusted third party
15.3 Secondary pseudonymisation
15.4 De-pseudonymisation


16. Anonymisation

16.1 Conditions for data to be classified as anonymised
16.2 When to anonymise
16.3 How to anonymise
16.4 Continued anonymisation (checks for status of anonymisation measures, frequency)


17. Deletion


18. Accuracy

18.1 Criteria where accuracy of data is critical for the data subject
18.2 Safeguards


19. Integrity and confidentiality

19.1 Technical Safeguards according to classifications and types of processing
19.2 Organisational safeguards


20. Data breach

20.1 What constitutes a data breach
20.2 Criteria when to notify the data protection authority
20.3 Criteria when to contact data subjects
20.4 Actions to be taken in case of own data breach
20.5 Actions to be taken in case of data breach by collaboration partners


21. DPIA

21.1 Criteria when to perform a DPIA
21.2 Procedure how to perform the DPIA
21.3 Minimum content of DPIA
21.4 Impact assessment criteria (high versus low impact)
21.5 Risk assessment criteria (high versus low likelihood)


22. Acting as a processor in scientific research