personal data: legal issues in research data collection and sharing by eudat

Exp

on

en

tia

l gro

wth

Legal Issues in Research Data Collection and Sharing: Personal Data

www.eudat.eu1

Exp

on

en

tia

l gro

wth

Part of an EUDAT series on Legal Issues www.eudat.eu

Content generated by

Pawel Kamocki, IDS Mannheim

V1.0 – June 2014

Table of ContentsI. Personal Data

What is personal data?What is processing?What are special categories of personal data?When is processing of personal data lawful?What is consent?

www.eudat.eu2

II. Personal Data - New regulationIII. About EUDAT

What is consent?What are the obligations of the data controller?What are the rights of the data subject?Are there any exceptions?

I. Personal Data

• Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

• National implementations

www.eudat.eu 3

• National implementations

• General Data Protection Regulation 2014?

I. Personal Data• What is personal data?• What is processing?• What are special categories of personal data?• When is processing of personal data lawful?• What is consent?

www.eudat.eu 4

• What is consent?• What are the obligations of the data

controller?• What are the rights of the data subject?• Are there any exceptions?

I. Personal Data• What is personal data?

• any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to

www.eudat.eu 5

by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

• to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used (recital 26)


• What is processing?• any operation or set of operations which is performed upon

personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,

www.eudat.eu 6

retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction = everything


• What is processing?

• What are special categories of personal data?• personal data revealing racial or ethnic origin,

political opinions, religious or philosophical beliefs, trade-union membership, and the

www.eudat.eu 7

beliefs, trade-union membership, and the processing of data concerning health or sex life.

• processing prohibited unless the data subject has given explicit consent or makes the data manifestly public.



• What are special categories of personal data?

• When is processing of personal data lawful?• the data subject has unambiguously given his consent• necessary for the performance of a contract to which the

www.eudat.eu 8

• necessary for the performance of a contract to which the data subject is party

• necessary for the compliance with a legal obligation to which the data controller is subject




• When is processing of personal data lawful?

• What is consent?• any freely given specific and informed

(a) the identity of the controller and of his

representative, if any;

(b) the purposes of the processing for

which the data are intended;

www.eudat.eu 9

• any freely given specific and informedindication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed

• writing recommended (if not obligatory)

• the consent for processing of special categories of personal data must be explicit

which the data are intended;

(c) any further information such as

- the recipients or categories of recipients

of the data,

- whether replies to the questions are

obligatory or voluntary, as well as the

possible consequences of failure to reply,

- the existence of the right of access to and

the right to rectify the data concerning him

in so far as such further information is

necessary, having regard to the specific

circumstances in which the data are

collected, to guarantee fair processing in

respect of the data subject.





• What is consent?

• What are the obligations of the data controller?

Data economy

Data security

www.eudat.eu 10

• data economy: adequate, relevant and not excessive data collected for specified, explicit and legitimate purposes and no further processed in a way incompatible with those purposes; data which is no longer necessary should at least be anonymized

• data security: must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access







• What are the rights of the data subject?

www.eudat.eu 11

• What are the rights of the data subject?• information• access to data (rectification, erasure, blocking of

unlawfully processed, inaccurate or incomplete data)• objection (to processing for direct marketing purposes)








www.eudat.eu 12


• Are there any exceptions?• the doctrine of compatible purposes (historical, statistical or scientific -

if Member States provide appropriate safeguards) (see: Opinion 03/2013 on purpose limitation)

• vary across jurisdictions• anonymized / pseudonymized data (see: Opinion 05/2014 on Anonymisation

Techniques)

II. Personal Data - New Regulation• Research exception in art. 83

1. In accordance with the rules set out in this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if:

(a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject;

(b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information under the highest technical standards, and all necessary measures are taken to prevent unwarranted re-identification of the data subjects.

www.eudat.eu 13

• Exception for archive services in art. 83a• New, stricter definition of personal data:

• To determine whether a person is identifiable, account should be taken of all the means reasonably likely to be used either by the controller or by any other person to identify or single out the individual directly or indirectly. To ascertain whether means are reasonable likely to be used to identify the individual, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration both available technology at the time of the processing and technological development.

measures are taken to prevent unwarranted re-identification of the data subjects.

III. About EUDAT

a pan-European initiative building a sustainable cross-disciplinary and cross-national data infrastructure providing a set of shared services for accessing and preserving research data

EUDAT is...

www.eudat.eu

supporting multiple research communities by working closely with them to deliver these technical services as part of the EUDAT Collaborative Data Infrastructure (CDI)

III. About EUDATA truly pan-European Infrastructure

Research CommunitiesNational Data CentresTechnology Providers

Offering permanence,

www.eudat.eu

general data centrescommunity centres representing all the associatedcommunity data centres

Offering permanence, persistence, reliability and

long term solutions

III. About EUDATThe EUDAT services suite

www.eudat.eu

Contact us for more information [email protected]

www.eudat.eu 17

The author wishes to acknowledge the many valuable suggestions made by:

Marc Stauch, Ville Oksanen & Adam Carter

Content generated by

Pawel Kamocki, IDS Mannheim, [email protected]

Contact us for more information [email protected]

personal data: legal issues in research data collection and sharing by eudat

Data & Analytics