Data Protection Obligations when Submitting to GHGA
Introduction
Alongside the signing of a Data Processing Contract (or the DKFZ Internal Terms of Use), there are additional data protection obligations that Data Submitters should be aware of before they submit data to GHGA.
The difference between a Data Controller and a Data Submitter
The GDPR defines a Data Controller as the party which "determines the purposes and means of the processing of personal data". Within the context of GHGA, we also use the term Data Submitter to mean the person or institution that submits Research Data to the GHGA Data Portal. In many cases the Data Controller and the Data Submitter are the same, but this is not always true; it is therefore important for the Data Submitter to check who the Data Controller is for the data they wish to submit. In this guide we use the term Data Controller, as it is the Data Controller who is required to sign the GHGA Data Processing Contract.
Legal Basis
When a study is submitted to GHGA, GHGA Central (the DKFZ) acts as a Data Processor for the submitted Research Data and Personal Metadata, with the GHGA Data Hubs acting as sub-processors to GHGA Central. The Research Data Controller (RDC) is responsible for defining the legal bases under which the transfer to GHGA can take place.
In general, the Research Data and Personal Metadata submitted to GHGA are classified as personal data according to Art. 4 GDPR, and because they include omics data and, potentially, data related to the health of the Data Subject, they also fall within the special categories of personal data according to Art. 9 GDPR. As such, when submitting to GHGA, a Research Data Controller (RDC) must ensure that there is a legal basis for processing under both Art. 6 (1) GDPR and Art. 9 (2) GDPR.
A majority of studies submitted to GHGA rely on consent as the legal basis under both Art. 6 (1) and Art. 9 (2) GDPR, but the Research Data Controller (RDC) is free to choose whichever legal bases they wish to rely on for their submission. Through the Data Processing Contract (DPC), the Research Data Controller (RDC) is obliged to confirm that they have valid legal bases for the processing and could demonstrate this if requested to do so. The contract does not, however, restrict which legal bases GHGA Central considers acceptable or appropriate.
For submissions from the DKFZ, the DKFZ is the Research Data Controller (RDC) for the submitted Research Data and Personal Metadata, but the Principal Investigator / Division Head is responsible for checking and confirming that there are suitable legal bases for the data to be shared via GHGA.
Records of Processing Activity (RoPAs)
When personal data is processed, and certain conditions are met, Art. 30 GDPR requires Data Processors and Data Controllers to keep a record of the processing that they perform.
This requirement does not apply to institutions which employ fewer than 250 people unless one of the following applies:
- the processing being carried out is likely to result in a risk to the rights and freedoms of the Data Subjects,
- the processing is not occasional, or
- the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
As the Research Data and Personal Metadata submitted to GHGA include special categories of personal data, Data Controllers should record the processing in a RoPA at their institution. Most institutions will have a standardised approach for how processing activities are recorded. If a RoPA is already in place, it is important to check that it describes the submission of data to GHGA and its future sharing with Data Requesters, and, where applicable, the decision-making process of the responsible Data Access Committee (DAC) at the institution.
PIs or Division Heads at the DKFZ should contact datenschutz@dkfz-heidelberg.de if they are unsure if a new RoPA is required, or an existing RoPA requires updating.
Data Protection Impact Assessments (DPIAs)
When data processing is likely to result in a high risk to the rights and freedoms of the Data Subjects, Data Controllers are required to perform a Data Protection Impact Assessment (Art. 35 GDPR). A DPIA is used to identify what risks might emerge, their likelihood, and the severity of their impact, so that appropriate safeguards to reduce those risks can be implemented.
Due to the sensitive nature of both omics data and data related to health, it may be necessary for Data Controllers wishing to submit Research Data and Personal Metadata to GHGA to perform a DPIA. The Data Protection Officer at the institution of the Research Data Controller (RDC) will be able to advise whether a DPIA is required. If a DPIA has already been performed, you should check that the proposed submission to GHGA and the risks associated with sharing the data with Data Requesters have been considered.
To help Data Controllers with this task, GHGA has performed a Risk Assessment to identify the risks that could emerge once the data are submitted. The Risk Assessment and the associated report can be made available to the Research Data Controller (RDC) upon request via the GHGA Helpdesk, so that they can be integrated into their own DPIA.
PIs and Division Heads at the DKFZ should contact datenschutz@dkfz-heidelberg.de if they are unsure if a DPIA is required, or an existing DPIA requires updating.