General Data Protection Regulation
The General Data Protection Regulation (GDPR) regulates the collection and processing of personal data from individuals living in the European Union. Its provisions have far-reaching impact on researchers and their organisations.
Why does the GDPR matter?
The General Data Protection Regulation, adopted in 2016, applies to any type of scientific research that uses personal data, such as studies in (bio)medicine, the social sciences, and the arts and humanities. It affects EU researchers who need to be able to collect, process, and re-process personal data and collaborate internationally. It also affects research funding and performing organisations that want to establish international collaborations with other organisations.
The challenges for research organisations
Unfortunately, the GDPR legislation creates numerous challenges for research:
- Fragmented legal landscape due to incoherence in national rules complicates cross-border collaboration
- Provisions on joint or separate controllership leave room for interpretation and makes it difficult for research organisations and their partners to identify the correct approach
- Explanations on the correct legal form to use for agreements are often not applicable for public organisations
- Many ‘tools’ such as Standard Contractual Clauses (SCCs) or adequacy decisions are not applicable to public organisations
- Non-EU partners are reluctant to sign agreements on data protection due to lack of knowledge of the rules and implications
First steps towards solutions
Since the adoption of the legislation and the identification of the problems, Science Europe is pleased to report some remedial measures have been introduced:
- The European Data Protection Board (EDPB) Guidelines address a number of the challenges such as definition of joint or separate controllership
- A recent European Commission report reviews the implementation of the GDPR and foresees that the institution takes action to address a number of challenges such as updating the SCCs.
In its response to the European Data Protection Board (EDPB) Science Europe welcomes the detailed guidance on identifying whether controllership is joint or separate within a given collaboration and identifying an appropriate legal form to establish an agreement. However further clarification through the EDPB Guidelines would be helpful for public research organisations.
Joint Statement on Implementing the General Data Protection Regulation to Maintain a Competitive Environment for Research in Europe: Position of Research and Patient Organisations
This joint statement on the implementation of the Data Protection Regulation (DPR), facilitated by Science Europe and Wellcome and released by the wider research community, highlights the crucial role Member States must now play in its implementation by reviewing and amending their current laws to enable research to take place.