Everyone and thank you for your interest in our webinar. I would just like to introduce to those who are not that familiar with OpenAIRE what OpenAIRE is. OpenAIRE's mission is to shift scholarly communication towards openness and transparency, and thus facilitate innovative ways to communicate and monitor research. To do so, we work with a variety of stakeholders, like policy makers, librarians, researchers, support staff, and obviously researchers. And we also provide a variety of resources targeting these stakeholders, such as webinars, guides. In particular, for researchers, we have an extensive number of resources targeting different aspects, such as issues related to compliance with Horizon mandates, making their research data, how to make them comply with FAIR principles, and other issues. Here, you can see under the support section of OpenAIRE the different resources that we have developed over the years. In addition, you can also browse through the different OpenAIRE services that we provide for researchers, among other stakeholders. And I would also like to point out that OpenAIRE has a network of national open access desks that we call NOADs. So there is a NOAD in each country. So if you're a researcher and you have a question that is related to open access and open science related issues, you can also reach out to your NOAD and ask for their support. And also, this is a webinar that takes place in the context of the policy and legal task force that has been developed within OpenAIRE. The policy aspect mainly targets policymakers and aims at assisting them in developing and adopting open science policies. But in terms of the legal part, we have also developed a number of resources to support researchers. And this is why we have decided to organize this webinar. So just to introduce our speakers.
So the first speaker is Thomas Margoni, who is a senior lecturer in intellectual property and internet law and co-director of CREATE at the School of Law at the University of Glasgow, where he also convenes the LLM program in intellectual property and digital economy. Thomas' research focuses on the relationship between law and new technologies, with particular focus on the role of the internet as the new medium to access, create, and disseminate knowledge in the information society. Our second speaker is Prodromos Tsiavos, who is the head of the digital development of the Onassis Cultural Center and is also a senior research fellow at the Media Institute in London. Currently, Prodromos is advising Athena Research Center on legal and ethical aspects of data science. And he has also worked in a variety of national and European institutions, such as the National Hellenic Research Foundation, the European Commission, the Special Secretary for Digital Convergence, among others. And our third speaker is Jacques Flores, who is an information and research data management specialist. He comes from a neuroscience research background. And his role is to support researchers and students throughout the various stages of the research workflow, from data collection, storage management and analysis to data sharing and accessibility. Jacques is also a certified information privacy professional, which allows him to help researchers who handle personal data as part of their research. So that's it from my side. So I will now give the floor to our first speaker, Thomas Margoni. Thank you very much.
Thank you very much for the invitation, for having me, and for the very flattering intro. Let me share my presentation with you. OK, so hopefully you are all seeing my full screen slides by now. Again, thank you very much. It's great to see so much interest in our legal and policy webinars. I like to think that you're genuinely interested in the legal aspect connected with science.
It's not that you are so terribly bored to stay home that even a legal seminar may be interesting. But we'll try to do our best to meet your expectations. So as Marina and when before mentioned, I will start by offering you a brief overview of how copyright law treats data. This means that my presentation will focus mostly on aspects connected with ownership and will focus mostly on what we call non-personal data, whereas Prodromos' and Jacques' presentations will focus mostly on personal data. So this is the first big distinction that we need to make and that lawyers make when we discuss data. And it's important to keep this in mind because for researchers, for non-lawyers, often data are data that needs to be used or reused or shared or analyzed. And the way in which the law classifies this data shouldn't represent an obstacle, which unfortunately most of the time it is. So I will offer you a brief overview of, as I said, the concept of data ownership. Again, this focuses mostly on non-personal data, so on data that does not identify individuals. And the main big question here is whether this data is owned by anyone. So from a copyright point of view, the traditional answer would be no. Data as such is not protected. The specific wording of international and national copyright instruments usually replicates more or less what is reported in this slide. That is to say, ideas, procedures, methods of operation, mathematical concepts, et cetera, are not protected by copyright. What copyright protects are only original expressions, intellectual creations, we could say. And as a consequence of this, factual information and data as such fail to qualify for copyright protection. This does not mean, however, that there is no protection whatsoever from, we could say, a property or quasi-property point of view. There are other areas of law that may offer some sort of protection.
And this could be trade secrets, contracts, data protection, which we will see in the second part, public sector information, et cetera. However, these forms of protection or regulation do not commonly meet the higher standards of copyright. And this may be a technical distinction, but it's very important because it means that the kind of protection and the kind of remedies that the law offers in these cases are much more limited in comparison to what would be the case if, again, data as such, think of factual information, was protected by copyright. What about databases? Because we know that I just told you that data as such is not protected. This may be surprising; in fact, usually when I give live presentations and I see the faces of the audience, this generates sentiments that go from surprise to outrage. Because, after all, you as a researcher probably spent a considerable amount of time collecting this data. And it's yours because not only the effort that you put in collecting them, but also because the way in which you did that reflects somehow the kind of a scientist or researcher that you are. A different researcher would have collected something different. So let's have a deeper, quick look into this aspect and pay some attention to the concept of databases. Because databases, not data, but databases, which receive a quite detailed definition by the law, may be protected by copyright. But only the selection or arrangement or better, only if the selection or arrangement of the content of the database is original, then that selection or arrangement can be protected. This means that the structure of the database is protected by copyright, not the content. So if we have a database of items that are in themselves protected by copyright, think of a database of journal articles, then both the selection, if original, and the content, the journal articles, are protected by copyright.
But if your database is composed by elements that are not in their own right protected by copyright, think of an Excel spreadsheet that includes temperature measurements over the past year, five times a day, then the structure might be original and thus protected. But the content is not protected. Even if the structure is protected, the content is not. And that's a first thing to keep in mind. In Europe and only in Europe, however, there is an additional right, another layer, that protects the content of the database. Not the single datum, but only a substantial amount of data. This, however, only happens if the making of the database has required a substantial investment in obtaining, verifying, or presenting the data. And in this case, the protection is offered by the sui generis database right, which you might have heard of. It's just a lighter form of copyright. It's important to keep in mind here that only obtained data, not created data, are protected. And we'll see why in a second. So we are in a situation where a database could not be protected at all. But if these three aspects are all satisfied, a single database could be protected by three different layers, two copyright and one sui generis database which needs to be properly cleared. If you are the owner, you possess three different rights. It could actually happen that there are three different owners of these three different copyrights on the same database, so things can get complicated. And if you want to reuse it, you have to ensure, or if you want to allow reuse, you have to ensure that you choose the right license, such as CC-BY-4.0, which adequately addresses all these three layers. What about a third category of data, which is data contained in a work, not in a database? So the example here would be, if you are in, say, NLP, could you extract statistical information about the English language from a Harry Potter novel or any other protected literary work?
Well, in theory, yes, under what has become famous as "the right to read is the right to mine", but in practice, no. You need a text and data mining exception. And the reason why, without entering into the details, is that temporary copies that are usually needed in order to extract information for text and data mining purposes need to be authorized. I don't want to enter into the details, but it basically has to do with how the harmonization of EU copyright law has proceeded, harmonizing broadly rights on the one hand, but not doing the same with exceptions on the other hand. And this may create a problem, because a lot of modern data analytics, as the current events show us on a daily basis in this period, require the extraction of information, of principles, data correlations from databases or from published articles, which are in themselves protected. And whereas in other countries outside the European Union, there are flexible norms, say, fair use in the US, but we could identify many countries that possess this flexibility. EU copyright law and the copyright laws of the European Union members didn't lack this flexibility. So under this point of view, we are a bit locked in the attention of authorization from whoever the copyright owner is. Very important to keep in mind is why I stress so much the importance that ideas, principles, and factual information are not protected and should not be protected by copyright or similar, right? Or in other words, why does it matter for open science? So the goal of the law in excluding ideas and facts from protection is to avoid the creation of monopolies over the information needed by everyone in order to communicate their results, in order to create new knowledge, in order to think or speak and avoid the distortion to scientific freedoms and to fundamental rights. The same is applicable to the protection of databases.
On the one hand, you don't want to protect created data because this would create single source databases, which are dangerous for the circulation of knowledge. On the other hand, the EU law, at least the underlying idea, is to offer some sort of limited reward to the makers of databases for obtaining the data. Because this would somehow justify the investment that they had to make in the obtaining of the data. So in the creation of the database, not in the creation of the data. This is a database directive, not a data directive. And this balance is very, very important in order to ensure that everyone can have access to this knowledge, to this information, but also everyone can verify, reuse, and replicate this knowledge. And we all know how important it is, the verifiability and replicability of scientific results. In this specific moment, but also in general, we all know the crisis of replicability that hard sciences are suffering. So I have a few other slides. Here I have a few examples regarding the text and data mining exceptions in the way in which they are implemented under UK law and in the way in which they have been implemented in the European Union, Copyright in the Single Market Directive, which will be implemented into the laws of European Union member states within a few months. It is a limited one. So just to be very, very brief, the idea is that not everyone can text and data mine, but only research institutions for research purposes or for non-commercial purposes. There are different combinations. I'm happy to discuss this further in the Q&A if this is of interest. As OpenAIRE, we have created a number of guides that ideally will guide you through this complexity. Some of these are taken, well, all of these are taken from the screenshot that Marina showed you at the very beginning. In particular, these three focus on the issues that I have presented today to you.
There are a couple of other resources in the second part of the slide that you might also find useful. And then I thought to also include a couple of recent initiatives that are specifically tailored to the COVID pandemic and how they relate to IP and copyright in particular. The first, to be very honest, the first and most important is open access and open science in general, because everything that is under a CC BY 4.0, CC0, or any equivalent license can be freely copied, reused, and redistributed, and also mined. So everything on Wikipedia or on, for example, it is here, copyrightuser.org, which is a very interesting project, especially if you're based in the UK, that will guide copyright users through the rights and the exceptions of copyright law in a way that is understandable to non-lawyers. So if you don't know this resource, please check it because it is very, very well done. More specific and created specifically for the current situation is the Open COVID Pledge. The underlying idea is to make our intellectual property available free of charge for use in ending the pandemic. It takes the form of two specific licenses, one that covers the copyright and the patents of the entity adopting the license, the second one only the patents. And it's very important to know that very big companies have adopted this license in order to offer free access to their IP, we would say. A similar statement has been made by the Wellcome Trust about sharing data and findings relevant to the coronavirus outbreak. It should be clear at this point that all these initiatives have to somehow come from the right holder. Copyright works in a way that is automatic. So you are automatically the copyright owner, and automatically all rights are reserved. And this is how copyright works. So it's very important to, on the one hand, choose the right licenses because otherwise everything cannot be reused.
That's one of the main obstacles that copyright creates in our digital and interconnected world nowadays. So a fourth and last link is to a pledge that a number of us copyright scholars have made to the WIPO because we need to build more flexibilities in the current copyright system. Flexibilities could take the name of free uses, of exceptions, of other types of uses that do not require a prior authorization because this is one of the locking factors that slows down research in many fields. And this happens in the EU much more than in other countries. So it's also a matter of EU competitiveness in this field. I hope to have met the expectations in terms of time and interest. I thank you very much, and I'm very happy to take questions at the end of the webinar. Thank you.
Thank you very much, Thomas. I think that we can now proceed with our second speaker. So Prodromo, the floor is all yours. And just as a reminder, you can write your questions at the Q&A box.
Thank you very much, Marina. And I'm really glad to be here and be able to actually give this presentation. This is in relation to general data protection directive and how it is applicable in the open science context. And the idea is to actually give you an overview of what the general data protection directive regulation is, talk a bit about how data protection structure works, legally speaking, provide you with a bit of the setting in a research organization, and then focus on specifically how scientific research is defined within the GDPR context, and then focusing on some very specific issues, the issue of processing purpose, legal basis, the limitations in the exercising of the data subject rights as a result of the scientific research provisions in GDPR and finding some cases that came from questions. And I will also answer one of the questions that has been posed in relation to GDPR and its retroactive application.
This presentation actually builds on a previous presentation which we did in the context of these webinars, the how open is open, but it contains much more information and we will go through the slides without going in all detail, but you can find the presentation available and you will be able to use it also as a key kind of guide in relation to open science and GDPR. I always start with this going back to the title of GDPR. The whole idea of the regulation is to actually enhance the free movement of data within the context of the digital single market and it's important to understand that because just because there are personal data in a specific data set, it doesn't mean that you are not allowed to use such data sets. This is also reflected in the way in which any data protection scenario works. So you have the range of personal data which are to be processed and probably contained in your data sets and then you define the way in which the data, the special data are to be processed, the purpose of the processing and finally the legal basis for such processing. Here we have to pay particular attention to the legal basis because we need to provide specific legal basis when we have special categories of data, what we used to call in the past sensitive personal data and at the same time, we need to make sure that the legal basis covers your work and then this is really important because as we will see the life cycle of the data set, this is something which is in the life cycle of the data set, this is something which may change. So the purpose of processing and the type of processing may be changing as the time passes. Let me go to the next slides. A setting and we've covered that in the previous time, we spoke about GDPR, there are different ways in which personal data are processed within a research performing organization.
It's important as a checklist to make sure that you've seen as you've gone through your ethics framework, if you have one in your organization, but it's also important to see within which context this thing happens. So whether this is in the context of an EU or collaborative project and there it is important to see which are the ethics and data protection requirements from the grant, your national law and I will return to that because we have variations in the way that GDPR is applied in relation to the data subject rights depending on national implementations. Another important, which we will cover in the cases, another important aspect is whether the data are somehow transferred to third countries or are obtained by third countries and there you need to adhere to specific rules. And finally, you need to see which are the conditions of the call to which you're answering because they may be providing additional ethical requirements. A tender in the European context is very different from a grant, which means you're probably going to be most probably the controller or co-controller if it's a consortium of the data set is very different from when you have a grant where you operate as the data controller. Here as data, sorry, in the tender you are a processor or a co-processor. If it is a grant, then you become a controller because in the tender you're probably processing on behalf of the European Commission. Again, in a collaborative project, you need to see who is going to operate as the data protection officer for the consortium not just for the research performing organization and if there are multiple laboratories in your university or in your institution. Also, how have you structured the DPO? What is the DPO structure within your ecosystem? And finally, if there is an ethics committee, whether you have passed through such a committee. Now, how is scientific research defined?
This is quite crucial for us because most of the work we do would be qualified as scientific research. The most important article is Article 89 which provides the main framework but there are multiple other recitals and articles within the GDPR which may be useful to you and we'll go through them quickly today. Scientific research normally falls under what we would call the broader public interest legal basis. So it is a legal basis for processing lawfully personal data which very much is in the family of what we would call public interest reasons which means that in principle and as a starting point you will not need to obtain consent although you will need to inform your data subject. And I understand this is not what is going to happen in most of the cases because you will need to obtain consent either because you're going to be in practice using some kind of processing some kind of special category of data or because you are going to be you will have to go through an ethics committee and this requires consent but public interest is the main legal basis. Very frequently again because we don't obtain data only from the field but we obtain them from third sources scientific research processing special data within the context of scientific research may amount to what we call further processing or this is how it is defined in GDPR but we also call it reuse or further use or repurposing of the personal data. Whatever you do with personal data which are in the context of scientific research GDPR allows you to do quite a few things. However, you always have to have technical and organizational measures in place. These are two, the law gives us two examples the regulation gives us two examples. Data minimization and it tells us that this could be done through pseudonymization but in any case this can be done and has to be done only to the extent that it doesn't affect your research objectives.
So if your research requires you to know who the data subject is or the publication of it requires that then you may not have to go through a pseudonymization stage. In terms of special categories of personal data again they fall within the broader legal basis of public interest but there you need to make sure that you have three more elements. The category or the processing of such data has to be proportionate to the aim pursued which means that if again it goes back to what you can do with this data do you really need them to be as personal data and do you really need to publish them as personal data? Of course you the overall need to protect the rights to data protection you cannot totally eradicate and you need to protect the rights of the data subject and finally you need to actually again provide suitable and specific measures to safeguard such rights. Again you need to have organizational technical measures in place. So this is something which I think is the most important question so which are such measures and how can we apply them? Now moving from what is scientific data to the purpose what we call processing purpose. Again here the purpose is, broadly speaking, scientific research what you do but you need to further specify it in terms of the type of research you're doing and whether you are going to allow further use and exploitation and I will return to these points when we speak about specific cases. However what is important to understand here is that you may start with at the collection stage with purpose A but as you move on and you engage in different types of processing the legal basis may change as well. So what is the legal basis?
We said several times about the public interest but we may have other I give you two examples here if you're operating as a processor not as a controller in the case of a tender or another contract with a private entity then it could be the contract that is the legal basis and in specific types of research and as I said before for reasons of passing through ethics committees you're very frequently going to use consent as well. Now here if we see the different types in the left column of legal basis you will see that public interest is what is mostly quoted. However it could be legal obligations so it could be that you're a public RPO and you have to conduct a certain type of research. It could be public interest of different kinds if you're working on behalf of a public authority particularly for instance in the context of COVID-19 and Jacques is going to tell us more about that but it could be also that you're contractually bound and you operate in relation to let's say pharma or it could be that you have obtained consent for all sorts of reasons. Legitimate interest which is also one of the questions I have received. I think it is the one for research which is the least possible to use. First of all because you cannot have legitimate interest when you actually have as your legal basis public interest or legal obligations and finally because there is no reason why you should go for these kinds of legal justification when you have much more powerful tools at your disposal. As I said before it's important to trace the life cycle of the data and see how the legal basis and purposes change. For instance, I may want to conduct a statistical research in order to develop some to write a paper on epidemiology.
So that was my purpose and it's legal basis A but as these data are to be preserved it could be that I preserve them not just because I did these research but because this was a European project so I may need to preserve them for reasons of auditing or it could be that I need to update them for reasons of let's say corporate policy or I need to update them for legal reasons in my own jurisdiction. It means that the writing, let's say the updating or the preservation of the data is done on a different legal basis. Finally, it could be that I share this data again for different reasons. It could be because of COVID-19 that I need to share the data further because of a legal obligation if such obligation exists. So what I want to say is that every time you're examining a processing type and whether you want to assess whether you are compliant with the GDPR don't do it in abstract but try to see the processes that the data are subjected to in the course of their life cycle. Now what is important also here is to understand that the general data protection regulation provides a lot of exceptions in relation to how the data subject could perform her rights. And let me go through them more specifically. The first thing is that the right of the data subject to be informed is limited to the extent that these three conditions are satisfied: the provision of that information makes the research impossible or it would involve disproportionate effort it is the latter normally but increasingly you need to justify why this is the case because if you have had technical and organizational measures in place it is very unlikely that you won't be able to provide the information of data subject with barriers.
The second thing is because that would impair the achievements of the objectives of scientific research again here you have to make a very powerful argument how you will do that and again I think it's very difficult to actually satisfy these conditions and at the same time be compliant to your ethics framework especially the ones we've seen in different universities and sets from organizations. And finally in all cases even if you don't provide this information you would still have to make sure that the legitimate interests of the data subject are somehow protected. So it means that there needs to be a lot of emphasis on the protection of the data subject. In terms of the right to be forgotten the right of erasure the only way in which you can retain this data is if the erasure of the data would actually totally impair the research. So you need to make sure that there is reason why this data need to be out there. And finally similarly the objection is when the object again here it would be a balancing exercise whoever is to actually understand make an assessment as to whether you should allow the data subject to object or not really you need to have it very clear that there is a bigger research interest and on that basis actually to disallow the data subject to object to the processing of the data. Finally what is interesting and this is where you need to check your national legislation is that in terms of access by the data subject rectification restriction of processing and again the right to object there will always be the possibility for the member states to introduce further derogations. So they could provide their own rules in relation to these four categories of exercising the data subject rights. So as strongly as you actually go and put out your national installations in relation to that.
What is important is that when we have reuse of personal data in the research context this new reuse has to be satisfying a certain range of provisions and we will see that just now. So here I made a collection of questions you have asked and we'll go very quickly through them. The first one is the case when you actually have a special data for publicly available resources and in this case whatever you do you have to check always. You start with how did the original owner of the source obtain the, what was the purpose of the processing of the personal data processing and what was the original legal basis. So you need to have this information because you are only able to further process if you know those two things and we'll see that in the next slides. In addition to that, you have to go back to the data subject and notify her about all the seven elements that you see here. Now, more specifically, if you want to repurpose to reuse the data there are two scenarios. You are further processing data which has been obtained for let's say reason A and now you're doing it for research, scientific research objectives. And the second case is that they have been obtained for research scientific research purposes and they are being used for another purpose. In the former case, you're in a rather fortunate position because you actually the regulation provides you with as we saw a lot of reasons why you could process them. But in all cases, unless there is consent of the data subjects or a legal obligation or another new legal basis, then you need to actually check five things. What is the link between the original and the further processing? What is the context of the processing? If there are special categories, whether you have one of the 10 legal bases which are necessary for processing special categories of data, what are the consequences of the data subjects and what kind of safeguards have you obtained?
As you can see these five things are quite, I mean, there are potentially possible for you if you actually use someone else's personal data, but if you release openly a data resource that contains personal data, I think it becomes much more burdensome for the commercial, especially, reuser to actually reuse the data unless they obtain a new consent, there is a legal obligation or there is a fresh legal basis. And finally, there are, there is, you need always to provide the information to the data subject. Always remember that it has been asked in quite a few times and if it is possible to pseudonymize. Third countries: if you are in a consortium with an organization or you are working with an organization that is in the third country, we have a whole chapter, Chapter 5 in GDPR that talks about it. What is really helpful there is if there is some kind of certification, scheme or seal in the country where the data are going in the third country. And in that particular case, this would help you a lot because it gives you an understanding of the level of protection for this particular organization. But most importantly, we need to go back to the contract and we also need to see how this, if there is an adequacy decision from the Commission in relation to that particular jurisdiction where you have an agreement with and that would help you to also assess how this is being done. But what is very important here is the contract and basically whatever obligations you have your partner in the third country should also have. I would definitely suggest you to check the EC standard contractual clauses for data transfers between EU and non-EU countries which could give you more detailed examples of how a contract of that kind would look like.
Another question: if someone collected for legitimate interest, as I said before, a rather weak legal basis and you wanted to do a secondary research use, you definitely need to notify and the objection process, you need to notify in accordance to the elements found in Article 14. We talked about them before but you need to certainly provide an opt-out process. We always suggest that people that actually reuse such data, they present an email to the possible data subjects and make sure they have a form or a very simple way in which they can withdraw consent or object, actually withdraw consent object to the secondary use. Further processing and accuracy minimization, I think the question is to what extent are these two compatible or openness compatible with that? I think they totally are. You need, whenever you do a further processing you have additional conditions, you should certainly be accurate and this is something you also in a sense preserve through the notices you send the data subject, you need to minimize and you could do that both through minimization of the necessary fields. So it has to be set and be linked to the purpose of your research and if there's any way in which you can pseudonymize or anonymize the better it is. Health data in GDPR, a huge issue. And I think Jacques is going to talk more about this one. It's always, they're always special categories of data. They constitute a form of further processing in quite a few cases. Again here, we need to give particular emphasis on what your legal basis is. Final question that was asked about what happens if I want to reuse a set of data that was collected before the introduction of the General Data Protection Regulation, the answer is actually quite straightforward. What you're doing is further processing. Now you're under the GDPR regime. 
You have to go all through these processes through all these conditions and steps I mentioned before which you have to do with making sure you notify the data subjects and also making sure that you try to establish a link between what you do and what it has been done in the original stage of collection of the data. And unless you manage to obtain new legal basis or you obtain consent or you have a legal obligation. Thank you very much.

Thank you, Prodromos, for the presentation. I think that we can now continue with Jacques.

Wonderful, can you all hear me well?

Yes.

All right, I'll just share my screen now. Well, hello everyone. My name is Jacques Flores. As Marina already introduced me, I work for Utah University Library and I'm a research data management consultant. So I deal a lot with research data management but over the last few years, given the importance of it, I've dealt quite a lot in the GDPR and how it affects researchers. And what I'll talk about today is a lot of the things that Prodromos has introduced, just a little bit how we applied at Utah University and how it's been affecting us so far. So legal basis, this was already kind of covered in depth but so we mentioned informed consent, legitimate interest of the controller and public interest. So one thing that I wanted to mention and mention about informed consent is that yes, it can be a legal basis but one of the reasons why it's always there even if it's not a legal basis, it's also because it meets our legal ethical obligation as a researcher, right? So it's something that must always be there regardless. When we talk about legitimate interest of the controller, we have recommended it a few times when getting data from social media. So basically what this information was meant for the public domain, it's one of the cases in which we could use this legal basis. Lastly, public interest. 
So Prodromos spoke quite a lot about this and how we are a public institution at the university and I know a few universities, many actually that do use this as their kind of default legal basis. At Utah University, we actually use informed consent as a legal basis, mostly because of the ethical aspect of it but depending also in the type of work that you're doing. So for example, the EDPB just considered any research from COVID-19 as recognized as a public, important public interest and as such it would apply as a legal basis for any research surrounding it. A main reason why us at Utah University sometimes don't use public interest as a legal basis is because it has to be proven that it is necessary for the public interest. Now in many cases this is obvious but we are still somewhat doubtful as to whether this will always apply just because we are a public institution. And I think as more information comes about in the future then we'll be able to maybe move more towards public interest and feeling more safe in using it as a legal basis. Now when we're talking about informed consent there are four things of course that are quite important, freely given, specific, informed, unambiguous. Now all of these are equally important but one of them which sometimes goes, it's you know we don't understand exactly how much information we need to give or what exactly does it mean to be informed. So actually Prodromos already covered this, already showed a little bit about this but here's just some information that really needs to be there to make sure that you're being compliant. So I skimmed a little bit over legal basis. What I wanna focus on more so is purpose limitation. This is the second principle of the GDPR and it really applies about how can I share or reuse data compliantly. So the GDPR really distinguishes between two types of data use and that is the first type. 
So this is the primary use which is where I'm actually directly collecting this data and then it's for scientific studies for example, right? This is the initial data collection but then we also have data that has already been collected for perhaps another purpose in this case could be medical conditions and so on that it is then reused for another purpose. This is a secondary use of the data, right? So this goes into the further processing that was already introduced. Now why is this important? Well, the GDPR allows for the secondary use of data so further processing if it is for research purposes only. Now of course I'm paraphrasing a little bit here but what it really means is that even though we collected initially this data for a particular purpose, if we want to reuse it then so long as this reuse is for research then there are derogations in the laws that allow us to do this. Of course, if we want to do this, we do need to abide by certain technical and organizational measures to ensure that we're protecting the privacy of our data subjects and what these technical and organizational measures are and what they need to be will also depend on the data itself amongst other things. Now some of these could be minimization, encryption, pseudonymization, abstractor, access control all of these contribute also the platform that you're using, all of these contribute towards making sure that you can reuse this research data. Also having the right documentation and the transfer agreement, the list goes on on how many things you can apply to it to make sure that you can do it. Now I wanted to exemplify some of what this exactly means because sometimes it's a bit confusing. So when we talk about further processing for research purposes and we say that this is considered to be a compatible purpose, we mean the following. So let's say I collected initially data for epidemiological research and then I want to reuse this for epidemiological research. 
So long as I have all the right safeguards, the GDPR says I am allowed to do this without let's say having to ask for re-consent. Now let's say I want to use this epidemiological research for something different, it's in a sense it's not that compatible with epidemiological research but it is still research. The GDPR is worded such that you would also be able to do this as long as the proper safeguards and so on are in place. Now what we have some problems is that let's say I collected something for hormone research and then I want to reuse this for gender studies. Now these are both research. You could find ways in which the GDPR says this is okay so long as you have the right safeguards and so on. But what we found is that this doesn't necessarily mean that it is ethical. I mean some people for whatever reasons they may have even though their data was additionally collected for a particular purpose, even if that second purpose is still research, if their data is being used for something that they don't agree with or something they don't stand for, we should be careful with that and that's exactly where the ethical committee comes in at our university to make sure that these things are being looked after since sometimes legal things may be unethical. Now all that being said, so there are ways to facilitate the reuse of research within the GDPR. This further processing clause is the derogation for research. But even though you may not need re-consent in order to reuse this research, you still need to inform them. Now, Prodromos mentioned that there are some derogations so if it involves a disproportionate effort to comply, then you can get away with perhaps not informing these individuals. Of course, it falls upon you to show this as a controller of this data that you've made the reasonable efforts and that you actually can prove that it's too much of an effort, which can sometimes be a little bit difficult. 
Let's say if a data set has no contact information and you've heavily pseudonymized it, the risks to the individuals are quite low and so on, then you can maybe say you do not need to inform these individuals that you will be reusing their data. Now, on to sharing personal data. So let's say you actually want to proceed and share this data. There are ways in which you can formulate an informed consent form to be able to facilitate this. Now, like I said, at Utah University, we use informed consent forms as our legal basis. And some of the things that we always recommend researchers is to tell the data subjects from the get go that there is a chance that you will be sharing this data for whatever reasons, right? Be precise and inform them as to the need that this happens in research because not all of them are aware that this is a possibility and allow them to say no if they don't want to. The next thing is to be transparent about what you will make available. Now, not all information is meant to be available to others. Not everything needs to be. So be granular: if you're going to give information about let's say impulsivity test scores, weight, age and gender data, tell them that is what is going to be made available and their names and perhaps other things that you are also collecting will not be for privacy reasons. Moreover than that, it also goes into making sure that you let them know what you're gonna put in place, what privacy measures you're gonna use to make sure that you're protecting their privacy, right? So maybe instead of just saying impulsivity test scores, tell them that it's gonna be pseudonymized, tell them that their weight and age are gonna be aggregated, that all of these things are being done to take care of them. Now, this is more also from an ethical point of view to make sure that you are letting them know exactly how you're protecting them and let them feel at ease in consenting to do so. 
Now, more importantly is something that we see a lot are informed consent forms that are done in such a way that they actually prevent you from sharing the data. And this is probably more important than the dos in some ways. But one of them is to always avoid terms such as "fully anonymous". Well, why? Because it's actually very difficult to make data truly anonymous according to the GDPR. Their definition is very strict such that chances are that your data under the GDPR is recognized as pseudonymous. And if you promise to share anonymized data and it's not fully anonymous, well, you can no longer do it since you actually made a promise about it. So it's better to be real and say, we will pseudonymize your data and share this than to just sell them the story that's just simply not true. Also avoid promises that you're going to destroy the data. If the data is destroyed, you can't possibly share it. And this is something that we see a lot is in a way done so as to convince the researchers the data subjects that their data is well taken care of that the privacy is gonna be protected. But oftentimes you actually want to share this data. If you are going to destroy the data for whatever reason, be specific about it. Now I know that when we have interviews, for example, we always say make the transcript and after the transcript has been pseudonymized properly, you can delete the audio file. Now of course you got to do this properly, but this is some of the ways that you can go about it. Now we also have to avoid promises that the data will only be accessed by the research team. I find this in a lot of informed consent forms. Why? Because it sounds nice. But if we're sharing this data, we're not going to keep this promise just as simple as that. Now how to share this data? Well oftentimes it's much better to actually share the metadata about the project and the data only be made available under restricted access. 
So that when people request the data from you, the requesters have to sign a data transfer agreement and then go over what particular things can be done or not done with this data as they become controllers. This not only protects your data subjects, it protects you as a controller and makes sure that things are going smoothly, right? It's part of the technical and organizational measures that you take to protect this data. Now the basic takeaway message that I usually give researchers is that the GDPR asks you to be transparent. Transparency is key on how you're using this data and for what purposes. And also that it's okay to work with personal data, even sensitive data within the GDPR, right? There are derogations, there are ways that make it easier to work with personal data if you're a researcher, if your purpose is research and to simply make sure that you understand what measures you're taking and that you're showing this to your data subjects. That is all I wanted to show about today but I'm happy to now give the room away for the questions.

Thank you, Jacques. So just before proceeding to the Q&A session, I would like to ask when to share the link to the survey.

Thank you, Marina. It should be in the chat.

Okay, great. Our presenters are very fast and most of the questions have been answered but nonetheless there are a couple that are still open. So the first one from Rosalie that has, it's basically two questions. So when the controller is not a public institution but rather a higher education organization governed by private laws such as a foundation engaging in scientific research, then legal grounds for data processing might be either consent or legitimate interest as opposed to public interest. How do you feel this impacts the opportunities and challenges of what type of research may fall within this scope?

Well, I think I covered that one a little bit because at Utah University we use consent as a legal basis and not public interest. 
And I don't think it's hindered us much thus far. Sometimes it is difficult because you cannot obtain consent and this is when it does become a little bit more difficult and very case specific.

And then the second part is about requesting for informed consent from research participants and the level of detail that should be provided in the information letter to explain how data are processed, which third parties will have access to the data and which technical and organizational measures the researcher is taking to protect the data. I think again that Jacques mentioned at least like in terms of the last part of the question but I don't know whether you would like to add something.

Yeah, sure. So there always has to be a balance because there's a lot of detail that you do have to provide. I mean, it's even said sometimes all the rights of the data subjects must be in there, which quite honestly is just not a practical use. So you really have to evaluate what do you think is important for your data subjects for them to know. So for example, the right to withdraw consent or to object, these might be very important things that should be in information whereas perhaps the right to data portability when it comes to research data is not something that should be mentioned it would actually just make your consent ambiguous or at least difficult to understand. Now something that can be done within the GDPR is to layer information. So whereas the most important things can be done succinctly in one or two pages extra information can always be provided through links or external means so that if the data subject requires more information from their own end, they are able to obtain it and then you provide this information in a layered fashion.

Thank you, Jacques. And so the second question from Claudio for being exempt, how can we demonstrate that there is a disproportionate effort on provisioning such information?

So from my end, I'm not entirely certain. 
So you have to demonstrate that you've attempted to you have to show that you cannot do so and it cannot be let's say as simple as I don't want to do it or I think it'll take too much time it really has to be something that is preventing you from doing it. Now I know from some cases that have happened not related to research that even contacting so much as I don't know how many millions of subscribers for particular, for information and so on was not sufficient to say that it's disproportionate. Now, of course, this would be a case by case basis how it applied to a particular research case. Yeah, I'm afraid it would really involve some thinking and documentation writing things down and make sure that you've evaluated all the possible options. Beyond that, I'm afraid I can't be of help.

If I may add something here just to add to what Jacques has just said it does help to actually you certainly cannot be totally unjustified in why you're actually not providing this information. On the other hand, you need to have some kind of cost analysis and then this is the classic guideline that is given throughout GDPR and you also need to have a baseline of effort. So this is the kind of person time that is required in order to address this question. This is for the size of my organization or operations this would be disproportionate but I don't think there's a single answer to this. And very briefly, in relation to the two previous ones I think consent is something which we're very likely to see in a research organization for all the reasons that also Jacques mentioned before. I think legitimate interest has to be very thoroughly justified in order to be used as a legal basis for research. And unless there's a specific case where this is something which is expected by the data subject I wouldn't say that's necessarily the optimum legal basis. Thank you. 
We also have another question: when research is done under a tender and not a grant is it acceptable for the legal basis for processing personal data to be fulfilling contractual obligations?

Jacques, can I take this one or do you want to take this one?

Go ahead.

Yeah, I think this is the classic this is the starting point. A tender normally you would be a processor and not a controller and you have to see what the terms of the tender were and what the terms in the contract are. So this is the basic the starting point in terms of your legal position. However, it depends really on what exactly you're doing. So it could be that you're not necessarily operating as a processor or it could be that you want to expand the ways in which you're going to be using the personal data. So it is highly contextual. I would say the contract as a legal basis would be certainly the starting point and I would investigate other legal bases if required.

And also just to highlight as it has already been pointed out by Thomas and Prodromos that you can also consult our guides on different related obviously issues and that provide answers to some of the issues that we have already discussed. I don't know whether Prodromos or Thomas would like also to add anything also based on the answers that they have already provided to the questions.

Marina, I think if we're exactly on time I don't think this has ever happened. But I think unless any of the presenters have anything to add to all of this.

Oh, so there is a question about... So there is a question about... Yadranca? Has there been an answer? It's an open question. Can the author of the publicly available and published document ask whether it is to be removed from the library catalog or anything?

I think that depends a lot on the repository or the library catalog. So it's... I don't see this as a GDPR question but more as the whatever platform that you're using to deposit your data. 
Well, they're the ones that allow you to either change the metadata or not. In most cases, a lot of repositories, at least the ones we work with, metadata can always be what's called edited whereas the data itself has to remain or be versioned. I don't know if that answers your question entirely.

And also if I recall there was one question about Dataverse and whether this can be used to store sensitive personal information. It was in the registration forms.

Yes. So the Dataverse, first of all, depends on which instance you use. So, you know, there's Dataverse Harvard, there's DataverseNL and this will depend on your particular institution. Now, whether you can store the data there or not, that depends also on the processing agreement that you have with whomever is running your Dataverse. So if it's the actual university, it shouldn't be an issue. If it's in the case for the Netherlands we have DANS running that Dataverse. We have a processor agreement that looks at exactly how the data is being handled. Now, whether you can actually share the data, so that has nothing to do with Dataverse in itself. But again, whether the promise that you made with your data subjects, the legal basis and so on.

Okay, thank you. Thank you very much. What I would suggest is that we close now this webinar and if any other questions, specific questions for one of the presenters you still have after this webinar, please. You can always email them to us and we will make sure that they will get to the presenter. So if that's okay with you as well, Jacques and Prodromos and Thomas. Apart from that, I only have to, the only thing that remains for me is to thank our presenters for giving this very, I think it's a very challenging subject. And I think you've done a wonderful job in trying to explain it in, let me call it, human language. Thank you also for the examples. And I hope for all of the few participants that it was useful for you. 
Please fill in the survey also if you have any comments or questions. It's very useful for us to collect this feedback. And then the final thing that I want to say is that on Monday afternoon at the same time we will repeat this webinar, there will be more, we will aim that a little bit more for research administration, but in practice there will be a lot of overlap. So there's no need for you to attend twice, but if you have any colleagues who might be interested, who didn't manage to join or for some reason couldn't make it, feel free to pass it on. It's still possible to register for that webinar via the same form as you did for this one. I think I will close now here and you can stay tuned for the recordings which will be added to the webinar page. Like I said at the beginning, I will not send an email about this. And also Prodromos I think has a slightly updated presentation so I will make sure the version on the webinar portal is also the most recent one. So thank you very much again. Thank you for attending. Thank you to the presenters and hope to see you soon for another webinar.