Sharing and re-using personal data is one of the key activities within our HBM4EU project. These personal data are obviously subject to the GDPR (General Data Protection Regulation). Since the GDPR clearly impacts our work and the way in which data can be shared we are organising a number of short awareness sessions, each of them focusing on a specific topic.
These sessions will last no longer than one hour and will be given by our Data Protection Officer Koert Van Espen, who has an extensive experience in privacy and information security in research.
HBM4EU Data Protection Awareness Session 1: Anonymisation versus Pseudonymisation
Truly anonymous data is no personal data and therefore the GDPR is not applicable. However, truly anonymous data is very difficult to achieve – most likely, at most your data will be pseudonymous. In this awareness session, we will explain the differences, and some techniques to make data really anonymous.
CONTENTS
- Data minimisation principles
- Anonymisation versus pseudonymisation: consequences
- Anonymisation techniques
HBM4EU Data Protection Awareness Session 2: Data Processing Impact Assesment (DPIA) – What, When, How, and Who?
A DPIA, or Data Processing Impact Assessment, helps to identify and minimise the data protection risks and is an instrument to demonstrate GDPR compliance. However, this GDPR is pretty vague in defining when exactly such DPIA has to be made. In this awareness session, we will explain the purpose of a DPIA, draw the circumstances in which such assessment should be made, and show some useful tools to conduct this.
CONTENTS
- Purpose of a DPIA
- When should a DPIA be made?
- Necessary elements of a DPIA
- Practicalities – tools, role of DPO
- Next steps
HBM4EU Data Protection Awareness Session 3: Secondary use of data for scientific research
Research on personal (health) data is often done on data initially collected for another purpose (“secondary use”). The distinction between scientific research based on primary or secondary usage of health data is very important with respect to the legal basis for the processing, the information obligations, and the purpose limitation principle. In this awareness session, the consequences of secondary use will be explained (for instance, how to cope with the information obligations in case of “old” data).
CONTENTS
- Scientific research: clarification in the context of GDPR
- Secondary use: meaning and examples
- Legal base for processing: consent, or other?
- Transparency and information to data subjects
- Purpose limitation and presumption of compatibility
- Data subject rights
HBM4EU Data Protection Awareness Session 4: Dealing with data breaches
A data breach can have serious consequences for the data controller or processor, but also for the data subjects (affected people) and even for 3rd parties. However, it is not always very clear which incidents count as a data breach, and what exactly must be done in case such a data breach occurs. In addition, actions often must be taken within a challenging timeframe. During this awareness session, these aspects will be clarified. Moreover, it will be explained how your organisation can prepare itself to minimise the consequences.
CONTENTS
1. Incidents versus data breaches
2. Types of data breaches and obligations arising from the GDPR
3. Examples
4. Practicalities, processes, and affected roles within your organisation
For additional information you may consult the Guidelines on Examples regarding Data Breach Notification of the EDPB (European Data Protection Board)
HBM4EU Data Protection Awareness Session 5: Data subject rights and research
The GDPR stipulates quite some rights for data subjects (citizens, patients, …), such as the “right to be forgotten” and the right to object. However, these are not always absolute rights, in particular within the context of research. In this awareness session, we will dig into the details.
CONTENTS
- Overview of the data subject rights
- Research, public interest, or both?
- Restricted data subject rights in a research context
- How to deal with data subject rights in practice?
HBM4EU Webinar ‘Availability aggregated data aligned studies HBM4EU’ (08.04.2021)
Click the image to watch the webinar’s recording. You can also download the presentation PowerPoint here.
Disclaimer
The HBM4EU project was launched in 2016 with the aim of improving the collective understanding of human exposure to hazardous chemicals and developing HBM as an exposure assessment method. The project had €74m in funding and jointly implemented by 120 partners from 28 participating countries – 24 EU member states plus Norway, Switzerland, Iceland and Israel and the European Environment Agency. One of its aims was to ensure the sustainability of HBM in the EU beyond 2021. The project ended in June 2022. The website will not be updated any longer, except the page on peer reviewed publications, but will be online until 2032.
