scholarly journals Biobank and Biomedical Research: Responsibilities of Controllers and Processors Under the EU General Data Protection Regulation

2021 ◽  
pp. 61-89
Author(s):  
Ana Nordberg
Keyword(s):  
Biomedical Research ◽  
Public Interest ◽  
Data Protection ◽  
Personal Data ◽  
Historical Research ◽  
General Data Protection Regulation ◽  
The Public ◽  
General Data ◽  
The Eu

AbstractBiobanks are essential infrastructures in current health and biomedical research. Advanced scientific research increasingly relies on processing and correlating large amounts of genetic, clinical and behavioural data. These data are particularly sensitive in nature and the risk of privacy invasion and misuse is high. The EU General Data Protection Regulation (GDPR) developed and increased harmonisation, resulting in a framework in which the specific duties and obligations of entities processing personal data—controllers and processors—were defined. Biobanks, in the exercise of their functions, assume the role of controllers and/or processors and as such need to comply with a number of complex rules. This chapter analyses these rules in the light of Article 89 GDPR, which creates safeguards and derogations relating to ‘processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’. It identifies key compliance challenges faced by biobanks as data controllers and processors, such as determining whether the GDPR is applicable and its intersection with other regulations; when a biobank should be considered controller and processor; and what are the main duties of biobanks as data controllers and processors and options for compliance.

scholarly journals COVID-19 Research: Navigating the European General Data Protection Regulation (Preprint)

2020 ◽  
Author(s):  
Regina Becker ◽  
Adrian Thorogood ◽  
Johan Ordish ◽  
Michael J.S. Beauvais
Keyword(s):  
Public Interest ◽  
Data Protection ◽  
Personal Data ◽  
Individual Member ◽  
Sensitive Data ◽  
General Data Protection Regulation ◽  
The Public ◽  
General Data ◽  
High Standards ◽  
National Legislatures

UNSTRUCTURED Researchers must collaborate globally to rapidly respond to the COVID-19 pandemic. In Europe, the General Data Protection Regulation (GDPR) regulates the processing of personal data, including health data of value to researchers. Even during a pandemic, research still requires a legal basis for the processing of sensitive data, additional justification for its processing, and a basis for any transfer of data outside Europe. The GDPR does provide legal grounds and derogations that can support research addressing a pandemic, if the data processing activities are proportionate to the aim pursued and accompanied by suitable safeguards. During a pandemic, a public interest basis may be more promising for research than a consent basis, given the high standards set out in the GDPR. However, the GDPR leaves many aspects of the public interest basis to be determined by individual Member States, which have not fully or uniformly made use of all options. The consequence is an inconsistent legal patchwork that displays insufficient clarity and impedes joint approaches. The COVID-19 experience provides lessons for national legislatures. Responsiveness to pandemics requires clear and harmonized laws that consider the related practical challenges and support collaborative global research in the public interest.

scholarly journals COVID-19 Research: Navigating the European General Data Protection Regulation

10.2196/19799 ◽  
2020 ◽  
Vol 22 (8) ◽  
pp. e19799 ◽  
Author(s):  
Regina Becker ◽  
Adrian Thorogood ◽  
Johan Ordish ◽  
Michael J.S. Beauvais
Keyword(s):  
Public Interest ◽  
Data Protection ◽  
Personal Data ◽  
Individual Member ◽  
Sensitive Data ◽  
General Data Protection Regulation ◽  
The Public ◽  
General Data ◽  
High Standards ◽  
National Legislatures

Researchers must collaborate globally to rapidly respond to the COVID-19 pandemic. In Europe, the General Data Protection Regulation (GDPR) regulates the processing of personal data, including health data of value to researchers. Even during a pandemic, research still requires a legal basis for the processing of sensitive data, additional justification for its processing, and a basis for any transfer of data outside Europe. The GDPR does provide legal grounds and derogations that can support research addressing a pandemic, if the data processing activities are proportionate to the aim pursued and accompanied by suitable safeguards. During a pandemic, a public interest basis may be more promising for research than a consent basis, given the high standards set out in the GDPR. However, the GDPR leaves many aspects of the public interest basis to be determined by individual Member States, which have not fully or uniformly made use of all options. The consequence is an inconsistent legal patchwork that displays insufficient clarity and impedes joint approaches. The COVID-19 experience provides lessons for national legislatures. Responsiveness to pandemics requires clear and harmonized laws that consider the related practical challenges and support collaborative global research in the public interest.

scholarly journals The EU General Data Protection Regulation (GDPR)

2020 ◽  
Keyword(s):  
Data Protection ◽  
Personal Data ◽  
Privacy Regulation ◽  
General Data Protection Regulation ◽  
Data Protection Directive ◽  
Ongoing Work ◽  
Protection Legislation ◽  
Recent Reform ◽  
General Data ◽  
The Eu

This new book provides an article-by-article commentary on the new EU General Data Protection Regulation. Adopted in April 2016 and applicable from May 2018, the GDPR is the centrepiece of the recent reform of the EU regulatory framework for protection of personal data. It replaces the 1995 EU Data Protection Directive and has become the most significant piece of data protection legislation anywhere in the world. This book is edited by three leading authorities and written by a team of expert specialists in the field from around the EU and representing different sectors (including academia, the EU institutions, data protection authorities, and the private sector), thus providing a pan-European analysis of the GDPR. It examines each article of the GDPR in sequential order and explains how its provisions work, thus allowing the reader to easily and quickly elucidate the meaning of individual articles. An introductory chapter provides an overview of the background to the GDPR and its place in the greater structure of EU law and human rights law. Account is also taken of closely linked legal instruments, such as the Directive on Data Protection and Law Enforcement that was adopted concurrently with the GDPR, and of the ongoing work on the proposed new E-Privacy Regulation.

scholarly journals The GDPR as Global Data Protection Regulation?

AJIL Unbound ◽  
2020 ◽  
Vol 114 ◽  
pp. 5-9 ◽  
Author(s):  
Cedric Ryngaert ◽  
Mistale Taylor
Keyword(s):  
International Law ◽  
Data Protection ◽  
Personal Data ◽  
Fundamental Rights ◽  
General Data Protection Regulation ◽  
Data Protection Directive ◽  
Protection Legislation ◽  
General Data ◽  
Global Data ◽  
The Eu

The deterritorialization of the Internet and international communications technology has given rise to acute jurisdictional questions regarding who may regulate online activities. In the absence of a global regulator, states act unilaterally, applying their own laws to transborder activities. The EU's “extraterritorial” application of its data protection legislation—initially the Data Protection Directive (DPD) and, since 2018, the General Data Protection Regulation (GDPR)—is a case in point. The GDPR applies to “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services . . . to such data subjects in the Union; or (b) the monitoring of their behaviour . . . within the Union.” It also conditions data transfers outside the EU on third states having adequate (meaning essentially equivalent) data protection standards. This essay outlines forms of extraterritoriality evident in EU data protection law, which could be legitimized by certain fundamental rights obligations. It then looks at how the EU balances data protection with third states’ countervailing interests. This approach can involve burdens not only for third states or corporations, but also for the EU political branches themselves. EU law viewed through the lens of public international law shows how local regulation is going global, despite its goal of protecting only EU data subjects.

International Organizations and the EU General Data Protection Regulation

2019 ◽  
Vol 16 (1) ◽  
pp. 158-191 ◽  
Author(s):  
Christopher Kuner
Keyword(s):  
International Law ◽  
International Organizations ◽  
Data Protection ◽  
Personal Data ◽  
Eu Law ◽  
Protection Measures ◽  
General Data Protection Regulation ◽  
General Data ◽  
High Level ◽  
The Eu

The importance of personal data processing for international organizations (‘IOs’) demonstrates the need for them to implement data protection in their work. The EU General Data Protection Regulation (‘GDPR’) will be influential around the world, and will impact IOs as well. Its application to them should be determined under relevant principles of EU law and public international law, and it should be interpreted consistently with the international obligations of the EU and its Member States. However, IOs should implement data protection measures regardless of whether the GDPR applies to them in a legal sense. There is a need for EU law and international law to take each other better into account, so that IOs can enjoy their privileges and immunities also with regard to EU law and avoid conflicts with international law, while still providing a high level of data protection in their operations.

scholarly journals La responsabilidad proactiva de las Administraciones Públicas en la protección de datos personales.

2020 ◽  
pp. 138-153
Author(s):  
Aritz ROMEO RUIZ
Keyword(s):  
Public Administration ◽  
Data Protection ◽  
Main Idea ◽  
Personal Data ◽  
Practical Implementation ◽  
Organizational Changes ◽  
General Data Protection Regulation ◽  
The Public ◽  
General Terms ◽  
General Data

Laburpena: Lan honen helburua da administrazio publikoak datu pertsonalen tratamenduan duen erantzukizun proaktiboaren printzipioaren analisia eskaintzea, eta ikuspegi juridikoa ematea praktikan errazago aplikatzeko. Lana lau ataletan egituratuta dago. Lehenengoan, datu pertsonalen babesa arautzen duen esparru berriaren aurkezpen orokorra egiten da; hau da, Datuak Babesteko Erregelamendu Orokorrak (EB) ezartzen duen araudi berria aurkezten da. Bigarren atala erantzukizun proaktiboari buruzkoa da, administrazio publikoek datu pertsonalak tratatzeko oinarrizko printzipio gisa. Hirugarrenak proposatzen ditu administrazio publikoek praktikan erantzukizun proaktiboaren printzipioa betetzeko kontuan har ditzaketen hainbat neurri. Azkenik, laugarren atalak gogoeta egiten du antolamendu-aldaketak egiteko beharrari buruz, Erregelamendu Orokorraren printzipioak betetzen dituztela ziurtatzeko eta herritarrek eskubideak balia ditzaten ziurtatzeko; horrez gain, aipamen berezia egiten dio datuak babesteko ordezkariaren figurari. Ondorioztatzen den ideia nagusia da garrantzitsua dela administrazio publikoek datuak babesteko politika bat diseinatzea, lehenetsita aplikatuko dena, eta ez bakarrik erantzukizun politikoak dituztenei, baizik eta sektore publikoan lan egiten duten pertsona guztiei eragingo diena. Resumen: El presente trabajo tiene como objetivo ofrecer un análisis del principio de responsabilidad proactiva en el tratamiento de datos personales por parte de la administración pública, y pretende aportar una visión jurídica para facilitar su aplicación en la práctica. El trabajo está estructurado en cuatro apartados. En el primero de ellos se presenta, en términos generales, el nuevo marco regulador de la protección de datos personales, que es consecuencia del Reglamento (UE) General de Protección de Datos. El segundo apartado está dedicado a la responsabilidad proactiva como principio básico del tratamiento de datos personales por las administraciones públicas. El tercero propone una serie de medidas que las administraciones públicas pueden tener en cuenta para cumplir con el principio de responsabilidad proactiva en la práctica. Finalmente, el apartado cuarto aporta una reflexión sobre la necesidad de introducir cambios organizacionales para asegurar el cumplimiento de los principios del Reglamento General de Protección de datos y del ejercicio de derechos por la ciudadanía, con una especial mención a la figura del delegado o delegada de protección de datos. La principal idea que se concluye es la importancia de que las administraciones públicas diseñen una política de protección de datos que se aplique por defecto, e implique, no sólo a quienes ejercen responsabilidades políticas, sino a todas las personas que trabajan en el sector público. Abstract: The present work aims to offer an analysis of the principle of proactive responsibility in the treatment of personal data by the public administration, and aims to provide a legal vision to facilitate its practical implementation. The work is structured in four sections. The first of these presents, in general terms, the new regulatory framework for the protection of personal data, which is a consequence of the General Data Protection Regulation (EU). The second section is dedicated to proactive responsibility as a basic principle of the processing of personal data by public administrations. The third proposes a series of measures that public administrations can take into account to comply with the principle of proactive responsibility in practice. Finally, the fourth section provides a reflection on the need to introduce organizational changes to ensure compliance with the principles of the General Data Protection Regulation and the exercise of rights by citizens, with special reference to the figure of the Data Protection Officer. The main idea that is concluded is the importance for public administrations to design a data protection policy that is applied by default, and involves not only those who exercise political responsibilities, but also all those who work in the public sector.

scholarly journals Apply or not to apply?

2020 ◽  
Vol 4 (2) ◽  
pp. 81-94
Author(s):  
Matúš Mesarčík
Keyword(s):  
Data Protection ◽  
Personal Data ◽  
The European Union ◽  
Privacy Regulation ◽  
New Era ◽  
General Data Protection Regulation ◽  
Consumer Privacy ◽  
Privacy Act ◽  
General Data ◽  
The Eu

A new era of data protection laws arises after the adoption of the General Data Protection Regulation (GDPR) in the European Union. One of the newly adopted regulations of processing of personal data is Californian Consumer Privacy Act commonly referred to as CCPA. The article aims to fill the gap considering a deep analysis of the territorial scope of both acts and practical consequences of the application. The article starts with a brief overview of privacy regulation in the EU and USA. Introduction to GDPR and CCPA follows focusing on the territorial scope of respective legislation. Three scenarios of applicability are derived in the following part including practical examples.

scholarly journals Personal Data Protection in Russia

2020 ◽  
pp. 95-113
Author(s):  
Alexander Gurkov
Keyword(s):  
Data Protection ◽  
Personal Data ◽  
Legal Framework ◽  
Fundamental Rights ◽  
Special Role ◽  
State Control ◽  
General Data Protection Regulation ◽  
Personal Data Protection ◽  
General Data

AbstractThis chapter considers the legal framework of data protection in Russia. The adoption of the Yarovaya laws, data localization requirement, and enactment of sovereign Runet regulations allowing for isolation of the internet in Russia paint a grim representation of state control over data flows in Russia. Upon closer examination, it can be seen that the development of data protection in Russia follows many of the steps taken at the EU level, although some EU measures violated fundamental rights and were invalidated. Specific rules in this sphere in Russia are similar to the European General Data Protection Regulation. This chapter shows the special role of Roskomnadzor in forming data protection regulations by construing vaguely defined rules of legislation.

Article 25 Data protection by design and by default

2020 ◽  
Author(s):  
Lee A. Bygrave
Keyword(s):  
Public Interest ◽  
Data Protection ◽  
Codes Of Conduct ◽  
Personal Data ◽  
Historical Research ◽  
Individual Decision Making ◽  
The Public ◽  
Definition Of ◽  
Article 5 ◽  
Data Subject

Article 4(5) (Definition of ‘pseudonymisation’) (see too recital 28); Article 5(2) (Accountability) (see too recital 11); Article 6(4)(e) (Compatibility); Article 22 (Automated individual decision-making, including profiling) (see too recital 71); Article 24 (Responsibility of controllers); Article 28 (Processors) (see too recital 81); Article 32 (Security of processing) (see too recital 83); Article 34(3)(a) (Communication of personal data breach to data subject) (see too recitals 87–88); Article 35 (Data protection impact assessment) (see too recital 84); Article 40 (Codes of conduct); Article 83(2)(d) and 83(4) (Fines); Article 89(1) (Safeguards relating to processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes).

scholarly journals The EU’s General Data Protection Regulation (GDPR) in a Research Context

2018 ◽  
pp. 55-71 ◽  
Author(s):  
Christopher F. Mondschein ◽  
Cosimo Monda
Keyword(s):  
Data Protection ◽  
Regulatory Mechanism ◽  
Personal Data ◽  
General Data Protection Regulation ◽  
Secondary Use ◽  
Research Context ◽  
Specific Focus ◽  
General Data ◽  
The Eu

AbstractThis chapter introduces the rational and regulatory mechanism underlying the EU data protection framework with specific focus on the EU’s General Data Protection Regulation (GDPR). It outlines the applicability of the research exemption included in the GDPR and discusses further or secondary use of personal data for research purposes.

Sign in / Sign up

Export Citation Format

Share Document