1. EMBL was established in 1974 as an intergovernmental institution by way of an international treaty now signed by its 26 member states. Like most other International Organisations (e.g. the United Nations, CERN) EMBL enjoys certain privileges and immunities (i.e. exemptions from the applicability of national law) and also may self-regulate its activities (i.e. establish its own institutional legal framework) within the framework of its founding act of 1973, general principles of public international law and conventions signed with its host countries.
2. Mindful of its public mandate and the sensitivity of the data it handles, EMBL has always ensured a high level of data protection in its activities. With the entry into force of the EU General Data Protection Regulation (GDPR) in May 2018, data protection in Europe has evolved – and EMBL has kept pace. Taking advantage of the express reference that the GDPR, for the first time, is making to international organisations, EMBL has self-regulated this area to clarify its status in the framework of the GDPR. By this communication, EMBL wishes to share with the scientific community the motivation for, and results of, its efforts in this respect.
II. EMBL´s data protection framework
3. Accordingly, EMBL has in the past regulated its research-related personal data processing activities relating to the use of human biological material. Expanding thereon, EMBL adopted, in 2018, a broader framework, namely the EMBL Internal Policy No 68 on General Data Protection. Adapted to the needs of international scientific research, it reflects the principles of European data protection law while remaining within the boundaries of EMBL’s international legal status.
4. In particular, as regards substantive provisions, the framework defines commonly used terms such as ‘personal data’, ‘processing’, ‘data controller’. It lays down the principle of data quality, according to which controllers must have a legal basis for processing personal data, render the processing transparent, specify the purpose of processing and observe that purpose, minimise the data processed, keep data accurate and up-to-date, ensure security and be able to readily demonstrate their compliance. Data transfers to outsiders are made conditional upon data subjects being protected by the data recipient. Lastly, the fundamental freedom of scientific research is safeguarded through an overarching exception, aligned with the GDPR exceptions for scientific research.
5. As regards formal provisions, the framework requires from controllers to keep records, instruct staff reporting to them, carry out impact assessments and respond to data subjects’ requests for information, correction, erasure, etc.
6. As regards institutional provisions, the framework establishes, firstly, the position of a Data protection officer (DPO). The DPO is independent and reports to the EMBL Director General, advises controllers, processors and data subjects, monitors compliance, and acts as liaison between EMBL and its supervisory authority. The latter, called Data Protection Committee, is equally independent, hears complaints and has investigative and corrective powers. Moreover, the Director General may impose sanctions on controllers, and the Staff Association receives reports from the DPO, and may question the same, on the processing of staff-related data.
III. Information for collaborators
7. EMBL places great value in maintaining collaboration with researchers who are subject to the GDPR. For that reason, it is of utmost importance for EMBL to handle data received from those collaborators in a secure and responsible manner. To achieve this, EMBL engaged in extensive consultations with stakeholders.
8. EMBL deems its updated framework on data protection to be ‘adequate’ in the sense of GDPR. As in the past, EMBL welcomes controllers and processors who are subject to the GDPR to validly rely on the derogation of ‘important reasons of public interest’ under Article 49(1)(d) of the GDPR and under its predecessor, Article 26(1)(d) of Directive 95/46/EC, for transferring personal data to EMBL. Data entrusted to EMBL will be subject to adequate technical and organisational security measures. EMBL recalls specifically the mandate of EMBL to conduct world-class basic research and to enable international co-operation, as laid down in its founding act of 1973, ratified by 20 of the 28 member states of the European Union; and the mandate of the European Union under Article 179(2) of the Treaty on the Functioning of the European Union to encourage research centres and universities in their research activities of high quality and to support their free cross-border cooperation as important reasons of public interest.
9. The vast majority of inbound data transfers to EMBL will benefit from this derogation, while sectoral transfers, for example in cases where EMBL hosts scientific conferences, is recruiting staff, etc. may be subject to other derogations, notably explicit consent, or because they are necessary for the performance of a contract or the implementation of pre-contractual measures.
10. The European Data Protection Board has issued its Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 which also confirm the applicability of Article 49(1)(d) of GDPR (important reasons of public interest) where data transfers are made in relation to objectives and international cooperation under international treaties and conventions.
IV. EMBL – EU Relations
11. Under Article 50 of the GDPR, EMBL has also engaged and will continue to engage with the European Commission on the role of International Organisations under GDPR in general, and the alignment between EMBL‘s self-regulatory framework and GDPR.
V. Questions or Complaints
12. Any questions regarding matters of data protection at EMBL should please be addressed to EMBL’s Data Protection Officer via email at: firstname.lastname@example.org
13. Complaints by data subjects should please be addressed to EMBL’s supervisory authority, the Data Protection Committee. Pending its final composition, these should also be addressed to EMBL’s Data Protection Officer.