Presentation by Prodromos Tsiavos (Senior Legal Advisor - ARC/ Director - Onassis Group) as delivered during the OpenAIRE Legal Policy Webinar series on May 4th 2020. More information and recordings: https://www.openaire.eu/item/openaire-legal-policy-webinars

1. Open Science & GDPR
Basic Concepts and Cases
Dr. Prodromos Tsiavos
Senior Legal & Policy Adviser
ARC/ ΟpenAIRE
https://www.athena-innovation.gr/ptsiavos@athenarc.gr

2. Open Science and GDPR
1. What is GDPR
2. Key DP structure
3. The setting
4. How is scientific research defined
5. Purpose
6. Legal Basis
7. Exercising data subject rights
8. Cases

3. What is GDPR?
Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of
such data, and repealing Directive 95/46/EC (General Data Protection
Regulation)
1

4. Key DP structure
Personal Data
Type of processing
Purpose
Legal Basis
Be careful with
special categories
(sensitive) of
personal data
Make sure that the
legal basis covers
purpose and
personal data
2

5. The setting
Research within an RPO: check legal and ethics framework
EU or other collaborative projects - check WPs re who is processing what and
why:
Ethics and Data Protection Requirements (at the point/ WP of processing)
National Law
3rd countries
Call conditions (e.g. ethics report/ DPIA)
Tenders
Are you a data processor or (co)controller)?
Who is the DPO in a project (check the Consortium and Grant Agreement)?
3

6. How is scientific research defined
Sources:
- Recitals: 26, 33, 50, 52, 53, 62, 65, 113, 156, 157, 159, 160, 161, 162
- Relevant articles: 5(1)(b), (e), 89 (1), (2), (3), 9(j), 14(5)(b), 17(3)(d), 21(6).
Most important article:
- Art. 89
4

7. Defining Scientific Research I: Definitions
• It falls under the broader public interest legal basis (though this is not the
only possible legal basis)
• Could be a form of further processing (e.g. when obtaining data from a
public source or e.g. the government)
• Need to be subjected to appropriate safeguards
• Technical and organizational measures are in place
• Focus on data minimization (use only necessary data)
• Means: pseudonymization (without affecting research objectives)

8. Defining Scientific Research II: Special Categories
• In relation to special categories of data (art.9), the processing:
• shall be proportionate to the aim pursued
• needs to respect the right to data protection
• needs to provide suitable and specific measures to safeguard the
fundamental rights and interests of the data subject

9. The purpose
Possible purposes:
Overall: scientific research (art. 89 GDPR)
Specific type of research
Further use/ exploitation
What happens when the purpose changes over time?
Legal basis? [e.g. from public task to consent / collection by a public hospital – secondary use
by researchers)
Am I covered by the legal basis?
5

10. Legal Basis
Mostly forms of public interest (needs to be specifically documented per
institution and research project)
Contract (tender)
Consent (specific research)
Could change from collection, to retaining to sharing. There always needs to be
one covering the purpose of processing.
6

11. • Vital Interest
• Public Interest
• Legal Obligation
• Contract
• Consent
• Legitimate Interest
No discretion
discretion
Decision: both parties
Decision: data controller

12. Trace the life cycle
Follow the data (use the DMP as your backbone)
Different types of data processing may have different purposes and legal bases
Always stay within the legal basis

13. Data management plan
(processing/ purposes/ legal basis)
Data collection
- From the data
subject
- From 3rd party
- From publicly
available sources
Data Management
- Read
- Write (update/
improve/ enrich)
- Preservation
- Erasure
- Access
Data Sharing
- 3rd Parties
- Data processor
- Further use
- Subject
- Publishing
Purpose Α
Public Hospital
Public Interest A
Purpose C
Research Performing
Organisation
Legal Obligation
Purpose D
Research Performing
Organisation
Consent
Purpose Β
Research Performing
Organisation
Public Interest B

14. Exercising data subject rights
Limitation of rights of the data subject (arts. 14(5)/17(3)/ 21(6) GDPR))
Scientific research/ statistical purposes/ archiving
Public interest
Technical and organizational measures (mostly pseudonymization)
Condition: “it is likely to render impossible or seriously impair the achievement of
the objectives of that processing”
Notices (proactive data subject information)
7

15. Limitations to data subject’s rights:
(I) information
• Information to be provided where personal data have not been obtained
from the data subject (art. 14(5)(b)
• Researchers are exempt when:
• The provision of such information proves impossible or would involve a
disproportionate effort
• Such obligations would render impossible or seriously impair
achievement of the objectives of scientific research
• The controller takes appropriate measures to protect the data subject’s
legitimate interests

16. Limitations to data subject’s rights:
(II) erasure
• Right to erasure (‘right to be forgotten’) (art. 17(3)(d)
• Researchers are exempt when:
• Such obligations would render impossible or seriously impair
achievement of the objectives of scientific research

17. Limitations to data subject’s rights:
(III) objection
• Right to object (art. 21(6)
• Researchers are exempt when:
• the processing is necessary for the performance of a task carried out
for reasons of public interest.

18. Limitations to data subject’s rights:
(IV) Member States Derogations
• Member State derogations in relation to data-subject rights:
• Right of access by the data subject (art.15)
• Right to rectification (art.16)
• Right to restriction of processing (art.18)
• Right to object (art.21)

19. Cases
• Harvesting personal data from publicly available sources
• Data sharing with 3rd countries (international collaborations) – model
licences
• Initial collection for legitimate interest – secondary research use –
notification process - objection process
• Balancing reuse of research data and the GDPR principles of accuracy and
data minimization
• Health data and GDPR protection
• Data Sharing Codes of Conduct
• GDPR application for small projects
8

20. Cases
• Harvesting personal data from publicly available sources
• Check the original purpose of processing
• Check the original legal basis for processing
• It is a form of allowed further processing (art.5(b))
• Need to provide the following information to the data subject (art.14(1),(2)):
1. the identity and the contact details of the controller and, where applicable, of the controller's
representative
2. the contact details of the data protection officer, where applicable;
3. the purposes of the processing for which the personal data are intended as well as the legal
basis for the processing;
4. The categories of personal data concerned;
5. The recipients or categories of recipients of the personal data, if any;
6. When there is data transfer to 3rd countries, reference to the appropriate or suitable
safeguards and the means to obtain a copy of them or where they have been made available.
7. from which source the personal data originate, and if applicable, whether it came from
publicly accessible sources;
8a

21. Cases
• Conditions for further processing (arts.6(4)) + 13(3) + 14(4) + 89(1)):
1. Legal basis Consent; or
2. Legal obligations (by Member States); or
3. There is a new legal basis; or
4. Examine whether further processing is compatible with the purpose for which the personal
data were original collected:
1. What is the link between original and further processing
2. Context
3. If special categories exist and how they are protected
4. Consequences for the data subjects
5. Safeguards (e.g. encryption and pseudonymization)
5. When information is collected by the data-subject or third party, inform the data subject
regarding the further processing (prior to it) and any other relevant information (art.13(3) and
art.14(4))
6. Pseudonymize (if it is for research) art. 89(1)
8b

22. Cases
Transfers to 3rd countries
• Items:
• Conditions (contract or legal act) art.28
• Notifications and notices (data subject rights information – access ) (arts.13(1)(f), 14(1)(f),
15(1), (2))
• Keep records (art.30)
• Use of Codes of Conduct (art.40)
• Explore certification schemes, seals and marks (art.42(2))
• See entire Chapter V (arts.44-50)
• Adequacy decision
• Appropriate Safeguards
• Binding corporate rules
• Authorization by Union Law
• See EC Standard Contractual Clauses (SCC)
• Standard contractual clauses for data transfers between EU and non-EU countries.
8c

23. Cases
Initial collection for legitimate interest – secondary research use – notification process -
objection process
• Form of further processing
• Need to notify the data subject
• Include all notification principles of art.14
• There needs to be a clear opt-out/ objection process in the notification document:
• URL for automated opt-out
• At least email
• Always documented and confirmed
8d

24. Cases
Further processing and accuracy – minimization
• Adhere to all conditions of further processing
• Remain accurate through notices and notification
• Use only what is needed for the research purpose
• Erase data once the required processing is over (or retain data under archiving purposes)
8e

25. Cases
Health data and GDPR
- Special category of data (art.9)
- Form of Further Processing
- Emphasis on the legal basis
8f

26. Cases
Data Sharing CoCs
- ICO (UK)
[https://ico.org.uk/media/for-
organisations/documents/1068/data_sharing_code_of_practice.pdf]
- OECD
[http://www.oecd.org/gov/ethics/ethicscodesandcodesofconductinoecdcountries.htm]
8g

27. Cases
Personal data for small projects (excel rules…)
- Specify your research purpose and define data range
- Specify and document legal basis
- Manage and document consent
- Use DMP as your backbone
- Consult with your Ethics Committee and DPO
8h

28. q
a
ptsiavos@athenarc.gr