Mindful of its public mandate and the sensitivity of the data it handles, EMBL has always ensured a high level of data protection in its activities. With the advent of the EU General Data Protection Regulation (GDPR) from May 2018, data protection in Europe is evolving – and EMBL keeps pace. Taking advantage of the express reference that the GDPR, for the first time, makes to international organisations, EMBL has self-regulated this area to clarify its status in the framework of the GDPR. By this communication, EMBL wishes to share with the scientific community the motivation for, and results of, its efforts in this respect.
EMBL was established in 1974 as an intergovernmental institution by way of an international treaty now signed by its 24 member states. Like most other International Organisations (e.g. the United Nations, CERN) EMBL enjoys certain privileges and immunities (i.e. exemptions from the applicability of national law) and also may self-regulate its activities (i.e. establish its own institutional legal framework) within the framework of its founding act of 1973, general principles of public international law and conventions signed with its host countries.
Accordingly, EMBL has in the past regulated its research-related personal data processing activities relating to the use of human biological material. Expanding thereon, EMBL adopted, in 2018, a broader framework, namely the EMBL Internal Policy No 68 on general data protection. Adapted to the needs of international scientific research, it reflects the principles of European data protection law while remaining within the boundaries of EMBL’s international legal status.
In particular, as regards substantive provisions, the framework defines commonly used terms such as ‘personal data’, ‘processing’, ‘data controller’. It lays down the principle of data quality, according to which controllers must have a legal basis for processing personal data, render the processing transparent, specify the purpose of processing and observe that purpose, minimise the data processed, keep data accurate and up-to-date, ensure security and be able to readily demonstrate their compliance. Data transfers to outsiders are made conditional upon data subjects being protected by the data recipient. Lastly, the fundamental freedom of scientific research is safeguarded through an overarching exception.
As regards formal provisions, the framework requires controllers to keep records, instruct staff reporting to them, carry out impact assessments and respond to data subjects’ requests for information, correction, erasure, etc.
As regards institutional provisions, the framework establishes, firstly, the position of a data protection officer (DPO). The DPO is independent and reports to the Director-General, advises controllers, processors and data subjects, monitors compliance, and acts as liaison between EMBL and its supervisory authority. The latter, called the Data Protection Committee, is equally independent, hears complaints and has investigative and corrective powers. Moreover, the Director-General may impose sanctions on controllers, and the Staff Association receives reports from the DPO, and may question the same, on the processing of staff-related data.
EMBL places great value on maintaining collaboration with researchers who are subject to the GDPR. For that reason, it is of utmost importance for EMBL to handle data received from those collaborators in a secure and responsible manner. To achieve this, EMBL engaged in extensive consultations with stakeholders.
EMBL deems its updated framework on data protection to be ‘adequate’ in the sense of GDPR. As in the past, EMBL welcomes controllers and processors who are subject to the GDPR to validly rely on the derogation of ‘important reasons of public interest’ under Article 49(1)(d) of the GDPR and under its predecessor, Article 26(1)(d) of Directive 95/46/EC, for transferring personal data to EMBL. Data entrusted to EMBL will be subject to adequate technical and organisational security measures. EMBL recalls specifically the mandate of EMBL to conduct world-class basic research and to enable international co-operation, as laid down in its founding act of 1973, ratified by 20 of the 28 member states of the European Union; and the mandate of the European Union under Article 179(2) of the Treaty on the Functioning of the European Union to encourage research centres and universities in their research activities of high quality and to support their free cross-border cooperation as important reasons of public interest.
Under Art. 50 GDPR, EMBL will also engage with the European Commission on the role of International Organisations under the GDPR in general, and the GDPR-adequacy of EMBL’s self-regulatory framework in particular.
Where GDPR insiders require additional assurances beyond this, EMBL will engage with competent national supervisory authorities to agree on tailor-made variations to the EC’s Standard Contractual Clauses for international data transfers, in order to make them suitable for data transfers to International Organisations.
Pending the outcome of this engagement, and in the event where GDPR insiders do need to rely on the existing Standard Contractual Clauses, EMBL is prepared to accept these on an interim basis, without prejudice to EMBL’s international status.