Before proceeding to the presentations, as Gwen said, I would like to give a short introduction on what OpenAIRE is, what we do, and the different ways in which we can support you. OpenAIRE started in 2008. At that time, it aimed mainly at supporting the open access pilot in FP7. Currently, we have a much wider vision and mission, which is to shift scholarly communication towards openness and transparency and to facilitate innovative ways to communicate and monitor research. While doing so, we work with a variety of stakeholders like policy makers, content providers, research support staff, IT experts, legal experts as well, and obviously researchers, and we provide a variety of services and tools to support all these stakeholders in their work.
So what do we support? First of all, we support the development and the adoption of open science policies. We support policy makers and institutions and funders in developing and aligning their policies with the European framework, and we have developed a number of templates and fact sheets to support you in this work. We also provide interoperability services that connect research and enable researchers, content providers, funders, and research administrators to adopt open science. We help you in reaching your metadata and also we provide statistics for repository access, and at the same time, we help researchers, funders, I'm sorry, to monitor the outputs of the research they fund. We also support researchers with their research data in complying with the FAIR principles. We have also developed services such as Amnesia to help you in anonymizing sensitive data and also the Argos tool to support automated processes for creating, managing and sharing data management plans. And obviously, we also support you in providing open access to your publications through the development of different guides, by helping you to choose a repository that better suits your needs. How do we support you also in more practical ways?
We have a help desk where you can ask us questions related to open access and open science issues, whether this has to do with compliance with the Horizon framework or more specific issues such as legal aspects, such as the ones that we will be discussing today. We have also developed FAQs where you can find answers in different And over the years, we have also developed a variety of resources such as, as I mentioned before, guides, templates to facilitate the development of open access to your publications. We also facilitate institutions and funders in adopting open science policies, fact sheets dealing with issues such as, for example, copyright issues. And also we have developed an extensive program of training, physical meetings and workshops where you are all invited to participate. And webinars focusing again on different aspects, not just those that are related to compliance with the Horizon mandate, but also tackling other aspects of open science, such as, for example, citizen science or open innovation.
A key element and a very important aspect of OpenAIRE is the network of the National Open Access Desks, usually referred to as NOADs. It's a pan-European network covering 34 countries. And its creation lies in the fact that while research is global, support is local. We have all come to realize that obviously this support needs to be tailored and take into consideration the differences between countries and also the different levels of maturity in terms of the infrastructure that exists in each country. Whether they already have policies or they might not have, the level of where in terms of open science and its different aspects. This means that there is no one-size-fits-all approach and therefore this network of National Open Access Desks is there to help all of you, whether you're a researcher, a policymaker, or a content provider, and guide you in locating the different resources and having the appropriate support.
As Gwen mentioned in the beginning, we have developed a number of different guides that are available in different countries. We encourage you to visit our portal and browse through the different materials and resources that are available. And as I mentioned before, the focus is on the different resources that are available in the OpenAIRE portal. And as I mentioned before, they focus on different aspects, not just how to comply with the Horizon, for example, mandate, but also with legal aspects, providing support in locating trustworthy repositories for your data or your publications, for example. Finally, we organize a number of webinars that are free to join. The recordings are also available on our portal. So again, we encourage you to visit the OpenAIRE website and browse through the materials that we have developed over the years.
So I will now present our three speakers. The first one is Thomas Margoni, who is a senior lecturer in intellectual property and internet law, and co-director of CREATe at the School of Law at the University of Glasgow, where he also convenes the LLM program in intellectual property and digital economy. Thomas' research focuses on the relationship between law and the new technologies, with a particular attention to the role of the internet, of the new medium to access, create, and disseminate knowledge in the information society. Our second speaker is Prodromos Tsiavos, who is the head of the digital development of the Onassis Cultural Centre in Athens, and he's also a senior research fellow at the Media Institute in London. Currently, Prodromos is advising Athena Research Centre on legal and ethical aspects of data science and is teaching legal and ethical aspects of data science at the Athens University of Economics and Business. Prodromos, Thomas, and myself are also coordinating the policy and legal task force.
And finally, Jacques Flores, who is our third speaker, is an information and research data management specialist at Utrecht University. He comes from a neuroscience research background and his role is to support researchers and students throughout the various stages of the research flow, from data collection to storage, management, and analysis to data sharing and accessibility. He's also a certified information privacy professional, which allows him to help researchers who handle personal data as part of their research. So I will now give the floor to Thomas.
Thank you very much, Marina. So I cannot share my screen yet. I need to be made. Or you're still sharing your screen, Marina.
I'm still sharing my screen. I think that now I've stopped sharing my screen.
Thank you very much. Let me see if this is the right one. Yeah, perfect. So good afternoon, everyone. Thank you very much to Marina and Gwen for the nice introduction, the kind words, and especially for their effort to organize these two webinars on policy and legal aspects, which have proved to be so far very popular. So another thank you to everyone who is dedicating their time to follow this discussion, which revolves around topics that are complicated, and that are, especially for researchers, something that is not their main focus. They do research; how to deal with the results of their activity from a legal point of view is something that should be as seamless as possible for them. And I think that today's webinar is especially important because the idea is that together, so through our presentation and through hopefully the new knowledge or the better understanding that many of you have as professionals who work in the research organization framework, we will all together be able to make the life of researchers, if not easier, at least a bit more understandable from a copyright point of view. Today, my presentation will be very similar to the one I gave in my, sorry, in my previous webinar.
I have mildly adjusted it in the light of some of the feedback, so I will try to be less technical if I can. I'll probably go a bit faster on some of the more technical topics and I collected the questions that some of you sent in before the webinar and I tried to offer some answers. So maybe I'll try to focus more on these last two, three slides. And obviously, if there are more questions, I'm very happy to take them on the live chat or at the end of the three presentations.
So my focus today is on the ownership side of data. And as such, the legal area that is mostly affected by this situation is that of copyright, broadly understood. And the main question that, you know, often causes a lot of confusion is whether data is owned. We all often hear about, you know, this is my data or, well, you know, my PI said that the data I collected is his, or, you know, I want to move to a different university or, you know, I got a job, can I take my data with me. So obviously these are very intricate questions, but hopefully we'll try to make some clarity. And I think that the most important point here is to understand that copyright as such says that data cannot be owned. Ideas, procedures, methods of operation, mathematical concepts, et cetera, et cetera, are not protected by copyright. All national and international conventions are very clear on that. Only original expressions are protected. So the example is that, you know, if you want to write a tale about a doctor who goes crazy and wants to create a monster made of pieces of other humans and then the monster, you know, the monster turns out more crazy than the doctor and then there is, I don't know, an ironic view on the role of, you know, humanity in modern times, then you can do that. What you cannot do is to copy the expressive, the original expression by Mary Shelley.
So under this point of view, we can easily see that factual information and data as such, and "as such" is very important, fail to qualify for copyright protection precisely for this reason. Now, this doesn't mean that there is no legal protection whatsoever for data. We can find other areas of law that offer to a certain degree protection for data, but it's not a fully fledged, let's say, property right or a very strong right as it would have been in the case of copyright. Here we have trade secrets, much more common in the private sector rather than in universities, but they exist also in public research, contracts, data protection, as we will see later today, PSI, et cetera, et cetera. The main message here is that these tools can offer some limited protection, but you cannot really talk about data ownership usually under these tools, or not completely.
What about databases? Because this, at least from a legal point of view, is a completely different categorization. The law says that databases are protected by copyright if the selection or arrangement is original, but in this case, what is protected is the original element, so only the selection and arrangement, we could say the structure of the database, not the contained data. So for example, if we had an original database composed of copyright protected elements, let's say journal articles, then we would have a protected structure and then the elements of this database would also be protected, but not because they are data from a legal point of view, but because they are works of authorship, they are journal articles. If the contents of this database were, let's say, non-protected data such as temperature measurements, then we would have a copyright in the database structure, which however does not extend to the content of the database. So these measurements could be easily reused by anyone because this data as such is not protected.
Now in Europe, this is more or less, you know, with a good degree of, you know, with some approximation but not too much, the situation worldwide. In Europe, there is an additional layer, a form of protection for non-original databases, which extends to data in certain cases. So in this situation, we still need a database, so a methodological organization of elements that are individually accessible. But we're not looking at the structure anymore, we're looking at whether there has been a substantial investment in obtaining, verifying or presenting the data, not in creating the data, and that obviously opens a huge door in terms of what data are created and which ones are obtained. In this case, the substantial amount of the data, so not a single datum, but, you know, a substantial amount, again, how to quantify it is another big question, is protected by the SGDR, the sui generis database right; think of a lighter form of copyright. This means that we could have up to three different layers of rights protecting a database. So the copyright in the structure, the copyright in the single elements if they are protected by copyright, and this SGDR in the substantial investments that protect the fact of a substantial amount of data. This is very important because it also means that if you want to reuse that database, you need to ensure that you have an authorization that covers all these three layers. And if you are the author of the database, then it means that you need to choose the right license, so a license that will cover all three layers, and in this case, a CC BY 4.0 is a very good choice.
There is another category of data, so those data that are not contained in the database, but in a work. So the example here that, you know, most applies to maybe natural language processing, machine learning, etc., etc., is whether you can extract statistical information, say, about the English language from a Harry Potter novel.
So in theory, the answer would be yes, because this information is not protected as such, but in practice, because of how especially EU law is framed, and I will avoid entering into the details here, no, you need an authorization, and this authorization can take the form of a TDM exception, for example, so this is a statutory authorization, let's say, or a contractual authorization, let's say a license. So we are in a weird situation because, you know, modern data analytics rely heavily on extracting these unprotected elements from protected works. So under this point of view, we can reach the conclusion that even though there is no such thing as ownership in data as such, we are in a situation where, because of how copyright in works and the sui generis database right in databases work, very often you need some sort of authorization, either license or exception, even though, as we say, data as such is not owned or protected, which, as you can imagine, is the source of all your headaches when you receive this question and you don't know how to answer. It's also useful to keep in mind that these extremely complicated situations are peculiar to the EU, whereas abroad in the States, but also Canada, Singapore, Japan, you name it, not every country, but a growing number of countries, this has been solved in a much more, you know, sometimes I say pro-innovation way. And obviously this leaves the EU research and innovation sectors at a disadvantage if compared with these other countries.
So is data owned and why does it matter for open science? I think that this is a very important aspect that should be made clear, especially when you talk to researchers who say, well, you know, I spent the last three years collecting this data, how can you say they are not mine.
So the goal of the law here, by excluding protection of ideas, principles, factual information, non-original expression, etc., etc., is to avoid the creation of monopolies over the information needed by everyone to think, communicate and create new knowledge. And this is very important not only for scientific freedoms, but, you know, for us as a society in general, so for the, you know, basic fundamental rights to freedom of communication, freedom to impart and receive communication, freedom of scientific inquiry, etc., etc. And similarly, by excluding, in databases, the created data elements, the goal of the law is to avoid single-source databases, because this would create very anti-competitive situations. So the idea behind the theory of the law would be that on the one hand, these basic bricks of human knowledge, ideas and data as such, are not owned because everyone should have access to them in order to reuse them, verify them, replicate them because, you know, it shouldn't be a peculiarity of open science, verifiability and replicability. It should be, you know, what the term means, whether something is scientific or not. If something is not very characteristic, it has to be reusable, then it's simply not scientific. And, you know, in many fields of replicability. On the other hand, the law recognizes that there is an investment that people make in collecting this data. And they offer a limited reward to compensate for this investment, and this limited reward is, or should be if the copyright law followed copyright theory, you know, would be framed around the distinction between creating and obtaining data. So this is why it's so important and why it matters for open science.
Now here I brought an example that I will not discuss in detail, but it is the text and data mining exception. How it works in the UK and in Europe.
So the reference to the CDPA is the Copyright, Designs and Patents Act, UK, and the CDSM is the Copyright in the Digital Single Market Directive, the EU Directive, and you see how many limitations the text and data mining exception has to follow. So if we were in, say, again, the States, the only word in this slide would be, can I text and data mine? Yes. You see how different the approach is and you can imagine the implication for research and innovation.
So here I have some list of the guides. We don't have to go through them, but I think they are very important. And I really would like to ask you to please follow them, look at them, read them and tell us, you know, if they are useful, how useful they are. If there is anything that we do not cover, what do you need in addition? Because for us, it's extremely important to know what you do not know because, you know, I know the, not all of the answers, but I know many of the answers. So, you know, for me, in order to create a guide that covers something else, I need to know what you don't know. And, you know, the same is true for Prodromos, I'm sure. So please give us feedback. That's very important.
Again, I have a couple of minutes left. So this is a list of recent initiatives connected to the COVID pandemic. Again, open access is probably, is not recent, but it's the best approach because it means that you do not have to ask for permission on every single occasion. You have a general public license, thus a general public permission. And there are many initiatives that, you know, try to push for a similar approach, at least in connection with the current pandemic. Again, you have the links, you have the recording of the previous seminar if you want a discussion that enters a bit more in the details of these initiatives. And here, I'll try to go through very quickly. On my watch, I have one minute and 30 seconds left. So sorry if I am a bit fast, but I think it makes sense to go through some of the questions we collected.
How can I guarantee the reuse of data? The short answer is apply a CC0, because we said that data as such are not protected. With a CC0, you make sure that even if there is some form of protection, let's say, so a sui generis database right, you waive those rights. Now the long question, sorry, the long answer, you find it in the guides and it depends a little bit on that situation that I described in the case of databases where we have up to three different layers. So, you know, the short answer is CC0 is probably the best license for data because it's not a license, it's just a waiver of any eventual right that could exist. Otherwise, please consult the guides.
The open data directive and the IPR may conflict. They may, but it really depends on a number of factors. In the simplest scenario, open data requires usability, but accessibility is a matter of national law. Also, the PSI, the Open Data Directive, makes safe IP rights that belong to third parties. So that's another, you know, area of exemption. Again, it also depends how this reusability is framed under national guidelines, laws or regulation, because if there is a right, then that right probably is licensed following either a CC license or an open government license. And in that case, the third party who would like to reuse that data has to follow the license. Again, it depends what kind of rights exist in that data. So this brings us back to the first question. I won't enter into the details, but, you know, there is a situation where there is a license that is applied to data which are not protected, and what is the value of that license. If you want to know the answer, please, you know, ask me; if you don't know what I'm saying, please discard completely this issue because it's interesting, maybe more from, you know, the academic point of view.
How under, how and under which umbrella can data legally be protected.
So hopefully this is clear now, that data as such is not protected by copyright or the sui generis database right, that the structure in a database may be protected by the SGDR if there is substantial investment in obtaining, verifying or presenting but not creating. Trade secrets may protect data as such, so there's no need for a database, but only under certain conditions. Contracts may do that as well, but only between parties to that contract.
How can information be retrieved without being considered plagiarism. Well, the, you know, general answer is ideas and facts are not protected. So you can reuse them. Original expressions are, so do not copy original expressions. This is the answer from the legal point of view, but the law doesn't cover all aspects of our lives, so there are also norms that apply in a certain community. So in the scientific community, even if you copy the, say, I don't know, a novel idea by a colleague without really infringing on his copyright, the scientific norm, which comes with some sort of, you know, social remedies, is to acknowledge that idea. So you're discussing a new idea that you heard at a conference and you say, well, you know, thank you to Professor X and Y for inspiring me this idea.
Is it legal to summarize my thesis in an article that may be published in an international journal? So if it is your thesis, so the copyright belongs to you and you did not transfer it to anyone, and there is no, let's say, you know, it's already been public, you defended it, then you can do in principle whatever you want from a copyright point of view.
I'm interested in how to make researchers understand that it is important to protect results before publishing results; many of them are extremely focused on publishing the results and eventually have some problem when trying to protect them by a patent, for example.
So in the case of patents, yes, you have to, you know, if you disclose your potential invention before you file for a patent, then you destroy novelty. So you could preclude yourself that path, but that applies only to patents, and usually, hopefully, universities have technology transfer offices that are dedicated to advising people, scientists, in this area. It's also true that this applies mostly to patents because patents need to be registered, whereas copyright and the sui generis database right operate automatically, so you don't need to register copyright by the, you know, the expression is the sole fact of creation. You are protected by copyright, so in the case of copyright this form of protection is more automatic. And then it depends a lot on the strategy of universities; more and more universities are realizing that only certain patents can be properly exploited commercially, but a lot of the information and the knowledge that universities generate should not be exploited through the standard patent route. So, you know, this is perhaps more of a university strategy issue that applies specifically to the patent field. This I think is the last question. I hope I didn't rush too much through them. And thank you very much.
Thank you, Thomas. Just before proceeding to our second speaker, just to remind everyone that if you have questions for the presenters you can use the Q&A window, and for all other questions that are of a more general nature, more technical or related to the infrastructure, please use the chat window. So, Prodromos, the floor is all yours.
Thank you very much. Just give me a second to share the screen. Yes. So, it's great to be here. And similar to Thomas, I have adapted the presentation on the basis of the feedback we have received after last week's presentation. And so I hope it's going to be less technical, although it's inevitable to make reference to certain legal provisions. So, again, I'll try to...
Sorry, I'm interrupting.
You have your vision as in presenting mode, in presenter mode instead of...
For some reason in one second, let me just try. Let's just stop sharing and perhaps I'll try, because I have two monitors, this perhaps for some reason. That is the case. Let me try again. Let me know. Oops, sorry. Some reason it doesn't work. Give me a second. Try again. All right.
So, trying to give at the beginning the outset of the GDPR, which I think is quite essential to understand why it is important to actually both adhere to GDPR but also see it as basically a set of instructions rather than impediments. So, the key items about how do we go about when we have a data set which contains personal data, a bit of a setting in relation to what constitutes scientific research, and also defining the scientific research in the context of GDPR. So, the first thing is about the purpose processing, the legal basis, and the data subject rights, and then I tried similarly to Thomas to collect questions we have received over the past couple of days and try to address them within the context of our presentation.
So, the first point which is for me quite important is to appreciate that the general data protection regulation is mostly a piece of regulation which is about indicating how we are to share our data. It is not just about protecting natural persons from the processing of personal data, but also about the free movement of such data. And this is a very important thing because when we actually have any data sets, we need to be able to actually identify the different range of data that we have to deal with. What is the kind of processing we would like to do. Very, very important. What is the purpose of the processing, and scientific research is a very broad purpose and we need to be more specific about it because that directly links to the legal basis.
And here we need to be particularly careful with the case of sensitive personal data, the special categories of personal data, precisely because they require extra protection and extra care from our side and this is translated in very specific steps. And of course, making sure that whatever we do in terms of the processing and the purpose we have is covered by the legal basis, you know, we return to this later.
The setting with which we work is normally within a research performing organization and this practically means we need to adhere to two sets of rules. The first thing is the general data protection regulation as it is, as it has been exercised within our jurisdiction. And that is quite important in relation to the, particularly the rights of the data subject. Now we return to this point later. And secondly, in relation to the ethics framework that we have in our research performing organization. The reason why this is so important is that it's very frequent that the ethics framework provides additional obligations. We will say it quite a few times, but it could be that we could use as a legal basis the public task, but we end up with consent, precisely because we need to do so, due to the ethics framework we have in our institution.
The second thing is the EU or other collaborative projects. And this is a classic question: what happens when I have a collaborative project, let's say a consortium responding to an EU call, and there are some personal data involved. And here, there is of course no answer that actually covers all cases, but we would generally suggest that we actually check the work packages and see where exactly the data process, the data, personal data are processed, are they processed by a single partner, by multiple partners; in the CA and the work packages, the consortium agreement of the work packages, we would actually let us know about that. We would tell us about that.
And at the same time, it is important to understand why we are processing this data. So for instance, in almost all European projects we will have dissemination packages, it will certainly have different databases in relation to people or institutions we would like to contact. When we have this list of people, which are natural persons, we have to make sure we do that according to the general data protection regulation, and here, the legal basis is not going to be the scientific; here, the legal basis would most probably be legal interest or consent or some other justification we have as to how the data have been obtained. If the data have been obtained by multiple sources, we have to make sure there is a legal basis, both of how they have been collected and how they have reached us.
The second area where we see a lot of personal data processing is the actual data. And here, the purpose is purely scientific, but we have to see how they have been collected. For instance, directly from the data subject or from a third source, and why are we doing that. In that case, we have to see how we are compliant with ethics and data protection requirements, which again they have to, at the point of processing in the work of the data and the records where the data are being processed. Again, we may have collaborative projects which happen within a single jurisdiction or in multiple jurisdictions, or as we will see at the end, in relation to other institutions and entities in third countries, that is non-EU countries. We need to make sure that these institutions have an adequate framework of data protection as we do. That is mostly going to be expressed in the contracts between these third parties and us, either when we work as a processor or as a controller, or as co-controllers. In most of the cases, we are going to be operating as co-controllers and we need to make sure all necessary measures are in place and they have to be expressed in the contractual agreements.
There has been a question as to whether there are model such agreements. Indeed, there are and we are going to speak about them at the end, but we would always suggest that you get advice from the legal department as to how for them, because it's very different. Also, the call may have additions in relation to developing an ethics report and the data protection impact assessment or other additional requirements that stem from the call itself for the project. When we have a tender and it's not a simple call, the tender with the commission, for instance, or a public authority or a private entity, which actually asks you to perform some kind of research, then the legal basis is not going to be the contract itself. And in all cases or in most cases, you're going to be operating as a processor or co-controller, but not as a controller. In all these cases, it is important to identify who the data protection officer is and how the data protection officer of your institution interacts with other data protection officers in a consortium or in a tender, in any kind of agreement you have with any kind of contracting authority.
Now, in terms of the definitions of scientific research, we find them in multiple places within the general data protection regulation. Most important is the article 899 where we have a definition and operation of the scientific research, but we also find it in several recitals, as well as in the definition of processing, but also in the limitations and exceptions. Actually, to the exceptions or in relation to the data subject rights. So this is quite important to see where it is relevant. Scientific research is relevant as a legal basis or to tell us things about the legal basis, or it is very relevant in order to understand the range of processing we can do, or finally how the rights of the data subject may be exercised.
Scientific research, what we see in Europe in particular is that this is something which mostly falls under the public interest legal basis. Though this is not the only possible legal basis. As I mentioned before, very frequently we would have the case where we have consent as a reason why we are processing personal data and there could be other legal bases as well, but mostly these are the most frequently found ones. Another very frequent thing is that the processing for scientific purposes constitutes itself further processing or it could lead to further processing. Let me give you two examples. First case, I obtained data from a public source, a public hospital, and then I process them for scientific reasons, or I obtained the data from social media. In both cases, they have been collected by a third party initially for purpose one. And then when I engage in scientific research, I change the purpose and therefore even the legal basis, and more about it later. What is essential in all these cases is that the appropriate safeguards are there. So it remains a fact that the General Data Protection Regulation provides you with a pretty good basis for processing personal data, but you still have to put appropriate safeguards in place. And this would normally be of two kinds, data minimization, which means you only use the data you need. For instance, if you are processing a child's personal data, because you're doing research which involves children, it's not necessary that you keep the name, even if it could be that you keep their image, or you don't get their address unless you need it for other reasons, for instance, for contacting their parents. In all cases, also it is strongly suggested that the data are pseudonymized, at least, if not anonymized. And this is a necessary, let's say, condition for processing them, unless as we see later, this interferes with the research itself.
Now, when we have special categories of data, which means what we used to call sensitive data, you will see that we have a repetition of some of the key principles of personal data protection, especially proportionality, respect of the rights of data protection and also providing again suitable and specific measures to safeguard fundamental rights. And these suitable measures, again, they would pretty much have to do on the one hand with minimization and pseudonymization, but also with how the data subject is able to exercise their rights. So it's very important to me, for instance, if I process, let's say, sensitive health data, I have to make sure that all necessary notices are there. I have to make sure that if the data subject wants to object, they have the possibility to do so. And I have to make sure that I have in place organizational and technical measures to prevent any kind of leakage of the data. Now, in terms of the purpose itself, as we said, the overall purpose is always scientific, but specific types of research may require specific types of legal justification and legal basis. And in that sense, we need to see how we link those two. So it could be that I do a secondary use while the original collection has been done by a public authority for statistical reasons. And when I stay within the same legal basis in name, for instance, public task, I have to explain how this public task is retained, and I'll return to this question when we talk more about the further processing of data. And we mentioned quite a few, some of the legal bases, public interest, contracts, consent, and how these change. So let me give you an example. And here again, you can see the legal basis. And in order to understand how this legal basis remains, we have to trace the data, we have to follow the data. Using the data management plan as a backbone is a very important yardstick for what we want to do.
And we can see how different types of data processing, they may serve different purposes and have different legal basis, but we also have to stay within the legal basis. For instance, I get the example which I mentioned before, the data collection is taking place because of public interest reasons by public authority. So this is the data collection stage and this is processing, but we have a researcher who's actually taking this data and updates them and reaches them improves them in order to perform the research which is again public interest but is a different public interest from the one. So this is a case of further processing. And it could be that this needs to be presented for let's say five years after research has taken place for reasons of auditing, which is a legal obligation or it could be a contractual obligation. And then, when the data are to be released, because let's say they will be possible and or it wasn't relevant for the research to be anonymized or fully fully and unmatched to do the mice. Then what they research it does, it obtains a good sentence. So in all cases, you may have the same data set or slightly different which changes places as it is the process you see there is always a legal basis. We will see how this works at the end in the question section, but before going there, I just would like to finish the main presentation by actually saying that the processing of personal data for scientific purposes is also entailing a severe limiting of data set subject rights, which is however accompanied by a series of a kind of measures that try to mitigate the damage that the person whose data are being processed the data subject is actually carrying. 
So, more specifically, there are limitations in terms of the data subject rights to be informed, but this has to be the can be done, but then the provision of their sets, either in the provision of the information is either impossible, or would involve a disproportionate effort, which means, for instance, if I have collected data from a public source, and in order to contact all individuals of my data sets, this would render it impossible because of cost and time, then it is very likely that I don't have to actually provide such information. And in all cases, I would make sure that this doesn't kill my visits and I should be sure, but whether I do, I try to protect the data subjects interest as much as possible. Secondly, the right to be forgotten can be also limited for the obvious reason that it could be that such right actually stops visits. It could be that I need to have, for instance, in the context of historical research, I'm mainly to retain certain pictures. If someone has or exercises the right to be forgotten these skills they said, then I have the right to check to it. And finally, the data subject wants us to stop the processing of data because of objection. I can, I can reject that as a researcher for reasons of public interest. Another important thing is always look at your national laws because there may be national derogations in four types of rights, right of access, rectification, restriction of processing and right to object so national laws may provide variations in relation to how the data subject may exercise that rights. Now, moving to the questions we have received, I have collected some of them here in questions and let's try to see each one of them separately. The first question is what if I reuse data which I have harvested from publicly available resources or in general data which have been obtained from different sources. In all cases I have to check what was the original purpose of the processing. 
So why were these data obtained in the first place. So if this is for instance data found on on Facebook or social media, they would have as their legal basis a contractual relationship or consent depending on the situation. And then I have to check what am I going to do with my processing this processing. And in order to do, you know, in order to actually be engaged in great processing will have to notify the data subject for a range of things from the identity of the controller and the my data protection officer to the purposes of processing the categories of personal data used. Who else is going to get the data, if there is someone outside Europe is going to get the data and where it came from. Now, apparently, in these cases or further processing I have to see how to what extent this is something which is feasible. And again, I have to see what is again the legal basis under which I am processing the data. As we said before, it always has to be there always has to be a legal basis. So this legal basis either is the same, or it is consent, or I have to somehow identify a new legal basis. And when I have when I want to further proceed without obtaining a fresh consent from the data subject. Then I have to check how what is the relationship between the previous legal basis and my new legal basis so if the hospital has obtained the data in order to contain an epidemic is my new processing compatible to this. This is not process or if it has been obtained as a result of the contract is my research compatible and the the general data protection directive regulation gives us five very specific conditions to check that to see what is the link between original the further processing what is the context, if there are special categories what external measures have I taken and what are the safeguards, which I'm using for processing my data. 
So in all cases, the information of the data subject has to be given, and I should always try to pseudonymize or anonymize this data. If the data are transferred to a third country, there is again a whole range of conditions for doing so. Very important is what the contractual relationship is between us and the entity in the third country, and that's why before I mentioned the contract and also the possible consortium agreements, and also whether there is a standard contractual clause. And here again we have some conditions, some contractual clauses by the EU, which I would also suggest for those that want to see one in action: check the SCC clauses. What happens if the initial collection is for a legitimate interest and there is secondary research use? Here what is important is to have a very solid notification process to the data subject and a very solid objection process so that it is possible for the data subject to get out of the processing if she wishes to do so. Whenever we have further processing the obligations of accuracy and minimization really decrease. So it means we have to make sure that we follow all the conditions mentioned before, but we also have to make sure we minimize data as much as possible. Health data and GDPR: Jack is going to talk more about this one. Always bear in mind these are special categories of data and we have to see how we actually process that data in order to make sure that the purpose is proportional to the legal basis we use. Data sharing codes of conduct: I suggest to check the ICO in the UK. I think this is a very good document to see different data sharing codes of practice and of course the relevant OECD webpage which has the ethics codes of conduct list. Someone has asked if there is a personal data for a small project rather than Excel. I would say if it's a small research project Excel rules, unfortunately, but how you fill it in and how you construct such an Excel document is quite important.
And I would make some very simple suggestions: specify your research purpose and define data range. Make sure you specify and document your legal basis. If you have consent, make sure you manage it properly. So it means that you provide all necessary information, you store the consent and make sure it covers all the types of processing and your purposes. As I said before, use the data management plan as your backbone and always consult with your ethics committee and data protection officer. So I try to cover most of the questions in 20 minutes. I don't know whether we are going to address questions now or later.
There are quite some questions for you in the Q&A. Let's address them after Jack's talk.
That's okay. Yeah, that's fine.
You should all now be able to see my screen. Is that correct?
Yes.
Well, good afternoon, everyone. I'm Jack Flores. So I introduced a little bit. But what I want to talk about is an extension of what Prodromos just talked about, right? So I'm still going to be going over the GDPR, but a little bit more on how it applies in a research setting, given my experience also within research. Let's go over the legal basis once again. Just from our perspective, we see it similar. So there's quite a few ways in which you can lawfully process personal data. Now we have informed consent and legitimate interest of the controller. Now, normally at our university we use informed consent as a legal basis. And this is because it also meets the ethical obligations that we have towards a participant. So even if you use, let's say, public interest as your legal basis, oftentimes you will also require informed consent because it's also an ethical demand. And as such, this is the road that we take. Now, sometimes we've actually used legitimate interest of the controller. Now, this is a particularly difficult legal basis to define sometimes, but it can be used in certain circumstances.
But if you are to use this, you must know very well why you think you're allowed to use this. And in our case, when we do recommend this, sometimes for social media or similar studies, we do demand a data protection impact assessment, which is a very detailed look into whether you can actually process this data and what the risks are to the data subjects. Now, public interest is something that we've considered as using as a legal basis by default, but we're still not entirely certain when something is actually to the public interest entirely. Now, we know that we are a public institution, but does this denote that we are actually everything every research that goes on is for the public interest and it's necessary for the public interest. Now, we know for certain cases, for example, COVID-19, the European Data Protection Board has already made it certain that if you are doing research and you want to share data concerning this, this is actually in the public interest. Now, the fact that they make a statement for the COVID-19 still makes us consider maybe in the future, we can use this legal basis more freely and not be afraid that perhaps it does not apply to every single research instance. Now, when we are talking about informed consent, there are some things that should also always be there. Now, so for researchers, since we use this as our main legal basis, and as well as our ethical one, we try to make sure that they're making these the right way. Now, of course, they're freely given specific and informed, and usually in the informed part is where sometimes we see some things give out. Now, at the end of this presentation, my aim is to give some input on how to make informed consent more suitable for sharing data. Now, an important part of information, and Prodromos already showed this, is some of the information that should be there. 
So I'm not going to go over this since it's already been presented, but these are things that definitely should be in every single informed consent and more restrictions apply if you have, say, you're transferring the data to another country. We also looked at purpose limitations, so Prodromos talked about this and further processing. Now, this is quite important for research. So I really wanted to expand on this and show you guys how we use this, how we look into this to make sure that certain research can go ahead more easily. So the GDPR distinguishes between two types of data use. We have the, let's say the initial data collection use, which is when you use data directly collected for a particular purpose, a scientific study in this case. And then you have the secondary use, which is when you're reusing data. So if you've collected already big health data for a particular purpose, but then you want to repurpose this, so reuse this for another purpose, which is research in this case. Now, when that secondary use is research, it is actually allowed to do so in the GDPR. Now, I'm paraphrasing a little bit here, but basically, so long as you're reusing this and this particular purpose is research, then you can go ahead and do this without, let's say, requiring extra consent from the individuals. So long as you apply the proper technical and organizational measures to make sure that you are protecting your data subjects. Now, what does this mean? What are technical and organizational measures? Well, to put it simply, it's these things, for example, so there are more that can apply, but most of the time we say, you know, if it's really sensitive data, we recommend encryption. Now, this is really something that we recommend when it's really sensitive data because encryption can lead to issues when you forget the password. And trust me, it does happen. Then we have pseudonymization, anonymization, minimization, aggregation, abstraction, and of course restricted access. 
Now, anonymization is actually very difficult to achieve if you follow the definition of the GDPR. So in most cases, we really go towards saying, towards researchers and say, make sure that you're pseudonymizing the data and make sure that you're promising or speaking of your data as being pseudonymized. And only if you're absolutely certain, say it is anonymized. Because if it is anonymized, then the individuals can no longer be re-identified, in which case the GDPR does not apply at all. And that's a leap that you only want to make sure when you're entirely certain because if you're wrong, well, then a lot of things are going to happen and not in your benefit. So to exemplify this a little bit more, this idea of further processing, does that mean basically if something was collected for research, let's say epidemiological research. And we want to reuse this data for epidemiological research. Does the GDPR say that this is okay? Well, yes it does so long as you have the proper safeguards in place. But let's say we want to use it for a different sort of research. So we gather it for epidemiological research, we want to use it for cancer immunology. But it's still both a research. GDPR still says okay, as long as you have the safeguards in place. But we move further along. And we can see that something is collected, for example, in hormone research. And then when you want to reuse this, but not for hormone research, but for gender studies. And it's still research and gender studies. The GDPR would actually still say this is okay because it's not distinguished between types of research. It simply says so long as the second purpose is for research purposes, then this is allowed as long as proper safeguards are in place. Now this poses a problem for us in that we have to also look at the ethical aspects of it. So just because it would be legal, it doesn't necessarily mean it is ethical. 
And why I make this example is because you could see why some individuals, although they lend themselves or their data, their personal data for hormone research, they might have some issues with gender studies for whatever personal reasons they may have. And in which case, there might be some reasons as to why we shouldn't be processing this data, not from a legal standpoint, but from the ethical standpoint, and how these two meet is sometimes difficult to see. Now, we talked about further processing. You can process it. You don't need to ask for consent per se. But what still applies, and this is one of the rights that Prodromos introduced, is the right to information, which means that you still need to make an effort to show to your data subjects that something else is happening to the data. Now you don't need consent for it, but they need to be informed. Unless of course, and this is a derogation that may apply to research in some cases, it involves disproportionate effort to comply with it. What does this mean? What is disproportionate effort? Well, the way we see it is, imagine if your data set has no contact information, but the data has been heavily pseudonymized. And we think that this data, for example, poses a low risk to the individual. So we're not talking about something that if it were made public, it could cause harm to these individuals. And there is no central forum or platform where these individuals may be or have access to in which you could make this information available. In this case, we would opt for saying perhaps here disproportionate effort applies and you do not need to inform all of these individuals. Now, well, onto the heart of what I want to say: when you do want to share personal data, it is possible, but you do have to think of it ahead of time. Oftentimes researchers come to us and they have a funder mandate that says they should share data. But of course it's personal data, and they say, can we share it?
What do we need to share it? Well, I usually say, let's look at the informed consent because that's what we use as a legal basis, of course. And of course, it's also the ethical aspect of it. And see how you formulated it because if you made promises that you cannot keep up or you haven't set up your data in such a way, then it's actually no longer possible for you to share your personal data at all. Now, one of the first do's of sharing data and your informed consent is to, well, actually tell them that you intend to share in this data. Transparency is key in the GDPR, right? So if you make it clear to them that this is one of the aims, you're already ahead of the curve. And just let them know that, you know, other researchers may request access for this data in the future and make sure that they're okay with this. But also be transparent about the information that you will make available. Oftentimes I see that researchers just say, is it okay if we make your data available? Sure, this is nice, but you want to let them know exactly which of the personal data that you've collected from them, in the case there's various variables, you're actually going to make it available, which ones are actually necessary. Sometimes it is all of them. Sometimes it doesn't need to be. Moreover, also let them know that you're going to protect this data in some way, so that you're going to pseudonymize it, that you're going to aggregate it. Now, here comes an issue that I want to raise up, which is how much information can you possibly fit in these things. And that's true. You don't want your informed consent to become available. You still want to have some balance, because it also makes it easier to understand for your data subject. Now, a lot of this information can be layered with an informed consent, which makes it easier to send this information towards your participants. 
But do be granular about which personal data you're collecting from them and which you plan to make available and with which privacy measures in place. Perhaps a little bit more important and something that I find quite often is what you shouldn't put in an informed consent if you plan or you want to share the data. Now, one of them, as I mentioned already, is to avoid terms such as fully anonymous, because it is very difficult to achieve. And to be truly anonymous, it doesn't even matter whether you can no longer identify these individuals within your own data set, but nobody else, no other organization should be able to identify these individuals. So then you can always be certain of this. And for this reason, we always just recommend just mention that it is pseudonymous and not anonymous. Also avoid promises to destroy all the data after they've finished with it. If you've destroyed the data, you cannot possibly share it. It's as simple as that. Sometimes you may have an interview in audio and then transcribe this into text and you will delete the audio. This is fine, but make sure that you state this and you just simply don't say all the data will be destroyed, but be granular about which data will be destroyed. Also avoid promises that the data will only be accessed by the research team for obvious reasons. Obviously, if you're sharing the data, it will not only be accessed by the research team, but you've already made this promise. It sounds nice, but it's actually not what you plan to do. Now, when you do share data, it's important to share the metadata and place the data under restricted access. It doesn't always need to be the case, but it does help you protect this data a lot more. Now this can sometimes be troublesome. So for how long are you going to keep this data and who is actually going to take care of this? And I think I have a question later on that I will address that covers this.
And it's always good that if you are transferring this data that there is a data transfer agreement in place. This makes sure that there are legal requirements that must be met by the other party requesting this data. Now overall, the GDPR really just asks researchers to be transparent towards the participants as to how their data will be handled and for what purpose. And research does hold a privileged spot. There are derogations in place that soften some of the restrictions so long as it is for research and so long as there are proper measures that are being adopted by the researchers. So most of all, it comes to understanding what you need. And the things that we mentioned today are, for example, understanding what is your legal basis? Which one are you using? And also, at which point of the data flow does this switch? Perhaps, and I think Prodromos explained this quite nicely, sometimes you have different legal bases for different aspects of the research. And simply understanding this will go a long way. What's nice is that you can reuse this a lot of the times when you have similar research. Now I wanted to address some of the questions that were put in, that were raised. So the first one was about what is the best way to deal with international research consortia? And can you talk about the personal data and how it will be governed within these agreements? Or do you need something else? Now it's actually very important to put this in the consortium agreements. The problem is that a lot of the templates and the default consortium agreements do not cover personal data at all. So by the time that they're done, there's just nothing in place. Now it doesn't need to be in the consortium agreement. It just needs to be somewhere. But definitely when you're working with other institutions, how this data has been handled needs to be sorted out. Now it doesn't necessarily need to be standard contractual clauses.
There can be simply documentation saying who are the controllers? How is the data going to be transferred between one institution and the other? Is there going to be a data transfer agreement in place? Or is the legal basis, if you're using consent, does this already denote that there's going to be many controllers? Again, thinking of these ahead of time can go a long way in facilitating the way that data can be exchanged in this consortium. And the consortium agreement is a great place to put them, but they do need to be adapted for this particular case. Now, another question was, does the GDPR apply for European Union only? Or does it cover other countries? Now this is what is called the territorial scope. Now what needs to be understood is basically if you're a European institution, it doesn't matter whose personal data you're collecting, the GDPR will apply to you. So for example, if I collect data from Peru, from Peruvian citizens, and I am a European institution, so I'm from Utah University, the GDPR will apply even though all of this data may belong to non-European citizens. And I think in that case, if you're a European institution, it will always apply. When are patient data sufficiently de-identified to be able to share data sets publicly online? What should be in place? What to take into account? This depends so much on the actual patient data set, right? So what variables do you have? And also it depends on the legal basis and the promises that you've made to your patients. So it's a question that is difficult to answer, but I can say what to take into account. Well, take into account the legal basis that you've had and take into account the risks that may be posed to your patient data, to your data subjects, if this information is made public as you wish. What do you think of the privacy conditions of online meeting applications such as Zoom? They're not the greatest.
So I mean, it's definitely not, the privacy is low, but what you actually store in there, you have to be very careful when using them. How to manage published but controlled-access data sets for the long term? Should participants be receiving updates about how the data are being used and who will be determining whether a third party gets access? Yes, so this is the question that I mentioned earlier. And this is something that we deal with quite a lot. And it's difficult. We do say not to hand this responsibility to the PhDs, because PhDs are often the ones who know the most about that particular data set, but they leave, and the university is, at the end, the one that is responsible for this data; they are the controllers. Now, this is not an easy question to answer since PIs may also move and we've also had this occur. And we've run into problems where somebody has requested access for data sets, and we had to find someone outside of the university to give access, even though we were the controllers, which should actually not be the case. If we're the controllers, we should have control over these things. So I don't have a perfect answer. But as long as you can keep that responsible person within the institution where this data is being stored, where the controller is, that's the best way forward. But we're still moving forward trying to figure out what is the best way to handle this, I must be honest. Ideally, when sharing data that falls under the GDPR purview, we want to have third parties sign a data sharing agreement. Can we set up standard models for such an agreement? Now, so we use data transfer agreements. And there are standard models, so to speak, we went for the university, but we're very careful in handing these out. I've had it where people have sent me the standard model that they had for an agreement.
And just simply because of the way in the nature of the processing that they were hoping, basically they had a certain idea of what should happen to this data. And they used a standard model. Now the standard model had a clause within it that actually prevented them from doing exactly what they wanted to do, which is they wanted to use information and link it with another set, which is fine. Now, because they did not understand it and simply thought that a standard model would cover everything, they were about to restrict themselves from actually being able to use this data the way they wanted to. So basically the answer to this is that it's oftentimes very case dependent. And it's good to use some standard models for data transfer agreements, but you should definitely have a look at them and make sure that they are adapted to your particular purpose. The last question: for data that doesn't meet the standards of what is anonymous but would be quite difficult to identify, is there an option to control access solely by requiring the user, the re-user, to digitally sign a list of terms and conditions? So this is somewhat similar to having something that is standard that can just be signed off automatically. I don't think this is something that could be done. It's just too easy to just say yes and then the data gets sent off. And as a controller of the data, that means that you're not really controlling who's accessing this data, but they just have to say yes to one thing or the other, and you haven't made sure that these people will actually hold up their end of the deal. So I think that doesn't provide enough protection to the data that you're working with. Maybe in certain situations it would apply, but that would fall outside of my understanding. That's all the questions that I wanted to answer at the moment. I know there must be more so I'll give the floor away to the questions and answers. Thank you for your attention.
Thank you very much, Jack, for this very useful addition, or just final part, of the webinar. I'm just going to show you the link to the satisfaction so before we go on with the Q&A, because there are quite some Q&As left in the chat window. I just have a couple of other practical announcements, and the first one is that I will paste the link to the satisfaction survey in the chat. The second one is that we got a couple of requests from people, I forgot to say this in my introduction actually, who were asking about local versions of this webinar in local languages, not in English. And I just want to let you know that we're looking into that with the OpenAIRE NOADs. There already have been organized some webinars in other languages, if you look at our page on the subject. So please take a look there, and we'll try to keep you in the loop if we manage to organize other ones. And finally, just picking up on a question that was asked by a couple of people, and Jack mentioned it as well, about the use of Zoom for a webinar infrastructure. We do have unfortunately only limited options for hosting webinars of this size, but we can guarantee you that we will not be. So as you don't, you're not registering through the system, so we're not sharing your emails with the system. And also we are not recording the chat. So we try to be as privacy-friendly as possible in a not very privacy-friendly infrastructure. I just want to mention that, and now I will give the floor to Marina, who will coordinate the questions and answers that are still in the list.
Okay, so thank you, Gwen. As you mentioned, there's still a number of questions that are still open. So the first one: how does the right to be forgotten work in practice for published research data? If a subject wants to be forgotten once the data is published, what are the researchers' obligations? Do you want to say something on this one?
Yes.
Yes, please.
Yeah, there are two things. One thing is always to remember that the right to be forgotten in relation to scientific research may be limited to the extent that that's right to actually prohibit the research itself. So we already have a first boundary as to how it can be exercised, which means practically, if you have someone posing this question, it is again an issue of how you justify a possible denial. Having said that, if you decide to erase the data nevertheless, what you should be doing is basically make sure, first of all, that you stop disseminating from now on. And secondly, if there is something which you have shared not just by publicly making it available, but in different ways, which means sharing with specific institutions, you can notify them in relation to that particular data set. So if it is an open data set, I think it's almost impossible to be retracted. In that sense, if something is being released under an open license, similarly to the function of the copyright, symmetrically speaking, it's going to be impossible to retract it. So this is something that the data subject needs to know, or you need to have assessed as a risk when you make the original publication. Of course, that depends on your legal basis as well.
We have another question specifically addressed to Prodromos: how to obtain a proper legal basis for using data collected from social media in research when informed consent from individual data subjects is not possible?
Okay, that's again a very good question. I think, first of all, it's probably not going to be possible, especially if you work with any kind of large data sets collection. So there you have to see whether your public interest legal basis could actually, you can get away with this, which means you have to anonymize the data as much as possible. And this "as much as possible" has to do with the purpose of your research.
So if your research itself does not allow you to pseudonymize or to anonymize, then you have to figure out a way to at least notify. So even if you don't obtain a consent, you should have some kind of notification. And this could even be in the form of a public announcement if you cannot really contact each and every individual, which is very likely you won't be able to do. So I would suggest as a basis the public interest one, since it's not possible for you to obtain consent. And I would say I would prefer that to the legal interest one, if I were to substantiate it adequately, which means in relation to the objectives of my research, the mission of my institution, and as this is described in statutory documents or other provisions, if it is public law provisions, if it's a public research institution.
Thank you. We also have a question related to public interest and how to prove that something is public interest: is reuse of the data in health research, combining the research data from various studies to make data stronger, public interest by default, or do some criteria have to be fulfilled?
I don't know, again, because it relates to, I slightly mentioned that in the previous question, the public interest has to be substantiated specifically, so it's not a generic, like a blanket legal basis. So you need to see what is the nature of your institution and the nature of your processing in order to be able to justify that something is public interest. If you come from an institution that has a public remit, a public task by itself, that's the first criterion met, but it's not necessarily the only one. Then you have to go and see what is the research you're doing and to what extent you can classify this as public interest, in that sense to make your classification of public interest. Now, in relation to the combination of multiple data sets from the health sector, I think it's even more important to justify why this, in that particular instance,
justifies the public interest. So of course, it's much easier to justify research as public interest compared to other types of research, but we shouldn't just think in terms of public benefit. Right, it is public interest. So it means that most research institutions would probably be able to justify it, provided they have a consistent description and justification of what they are researching, and that's why the DMP is so important.
So next question. The freedom of the arts and sciences is written in the EU Charter of Fundamental Rights and therefore is a fundamental right guaranteed to everybody. Is performing scientific research then not in itself always a legitimate interest in the sense of Article 6 GDPR? Jack, do you want me to attempt to answer this question.
So, I mean, obviously I'm not as familiar with the Charter of Fundamental Rights. I'm not a lawyer, but I have looked into legitimate interest of the controller quite a lot, and I've tried to see how it is that it can be applied to be used for research, for research in general. Now, something that I found when you want to apply legitimate interest: it cannot simply be that I have a legitimate interest and therefore I can use it, but you have to take into account a lot the user, and you also have to look into the data subject and think, why don't you expect me to be using this data for this particular purpose as well. And then from there you have to make sure that you have good documentation as to why you believe that your interest outweighs the rights and freedoms, or just say the rights, of your data subjects. So there's an extra dimension to that: you have to make sure that it does not get outweighed by their own rights. And I think this is where the discussion really begins. I don't know if you want to add to that.
Yeah, just pretty much, I'm not really in the substance, just as I said in my presentation, I think legitimate interest is like a poisonous fruit.
It seems so easy to actually use it as a legal basis, but it's not. You have to be very diligent as to how you document why you have a legitimate interest. And precisely because this balancing exercise has to be made, you require some kind of, at least legally, some legal implications assessment you need to have, so it means quite a bit of hard work, so I'm not sure it's the best legal basis you could use.
Yeah, agreed.
If you want a fundamental right answer, which is repeating and confirming what Jack and Prodromos said: by constant case law of the Court of Justice, none of the fundamental rights in the Charter are absolute, but all of them have to be weighed against each other. So how to weigh the right to scientific research with the right of protection of personal autonomy and privacy? Well, in the way in which it has been established by the EU legislator in the GDPR. So, you know, the GDPR, what we're discussing, is that balance. So that is how you would answer this from a fundamental right point of view.
Okay, so do you have any recommendations or guidance on how to best obtain consent for data sharing, especially if data will be shared in a repository and the intention is that the data could be reused by any interested party? How do you fully inform the data subject without overwhelming them with too much information?
Yeah, so this is an issue, right. So, you know, the way you go about actually being able to share data is by informing as much as possible about everything that is planned for this particular data, and of course you don't know what it is going to be used for, so how much can you actually say? So the idea is to just show the intent and also show what you're going to protect them when this data becomes out there, and let them know that once this data is published, yes, it is out of your control what is going to be done with it, but hope the privacy measures that you've put in are enough to protect them.
Now, when you're providing information, something that is allowed in the GDPR is also to layer the information. Now, when you have your informed consent form, you want to keep it concise, because this would also make it less ambiguous. But if a data subject wants to be further informed, let's say for all of their rights, for example, you can put links and provide extra information available for them should they choose to want to be informed more, and this is one of the ways that I usually, or at such a university, we recommend researchers, if they have a public website or if they have somewhere to keep some of this information, sort of a privacy notice that all data subjects can go to and that will cover a lot of the rights and all the information. So this is one way in which you can layer this information in the informed consent and not making it look, as I said, like a bio.
And also a further question addressed to Jacques in relation to your specific certification in privacy. What certification do you have, and would you recommend it to research data support staff members helping researchers with sharing personal data?
Right, so I have a CIPP, which means Certified Information Privacy Professional, from in Europe. Now this was a certification that I obtained from the IAPP, which is just simply this organization that is for privacy professionals. I do recommend it if you're planning to delve into this a lot further. I found from my perspective it was necessary, because quite honestly a lot of researchers require this kind of expertise, and it's not an expertise that is, it is sort of new, at least in the sense that people are realizing how important it is. That being said, it does take, you've got to take a test for it. It's not the easiest test, it's worded for lawyers, so do take your time in studying, and they do offer a lot of different services.
I personally simply bought the textbook and then took the exam, and I just read the textbook and basically memorized it, but it's very informative and it doesn't just apply to research. So you will be learning about other things that are well beyond what you would need for research, but it does give you a lot of confidence when you're going to be speaking to researchers about these topics. So I would recommend it, but make sure that you're willing to put the investment in it.
Yes, thank you. We also have a comment stating that some countries have specified in national legislation what legal basis for handling of personal data may apply to, for example, universities and research institutions, to make it easier. I was wondering whether maybe Thomas or Prodromos would like to say something in relation to the national legislation and what happens, and also in the context of collaborations in European projects.
In terms of personal rights, indeed some legislations have provided more specific classification of the scientific research. Normally they would put it under public interest, or they consider that as a self-standing legal basis, and I think of course this makes things clear, but it's not the same across the Union. Now, when we have a consortium, as mentioned during the presentation, and it was also covered, or actually at least by Jack as well, you have to see who is the processor and who is the controller in the particular research scenario. Normally we go back to the work packages or the consortium agreement and we see, first of all, who defines the purposes and the means for the data processing, and that's the controller. If there are multiple ones, but they equally define different, let's say, stages in the life cycle of personal data processing, they are again co-controllers. If you have some organizations doing that on behalf of others, then they are processors, but this is unlikely to be seen in the context of a consortium.
And of course it's very different when you have the Commission or a private funder or another funder actually ask you to perform a specific type of research, and there you act as a processor. In all cases you may have multiple countries and multiple entities performing the processing. That's why it is important when you do, and the Commission asks you to do that, when you do the ethics and data protection impact assessment, or at least the DMP at the beginning, to actually have a clear understanding of who's processing data from the partners, under which conditions and terms, what purpose for, what is the legal basis, and how this is done in a legal and ethical manner. And again I will repeat something that Jack said multiple times. These two things are parallel, they are successive layers. It has to be GDPR compliance, compliance has to be ethic committee or ethics committees comply. Normally the Commission would ask for at least one ethics committee or at least one DPO to provide a kind of a letter or some kind of statement in relation to the legal and ethical status of the project with respect to the data processing practices.
Thank you. Thank you. I think that we have answered all questions. So, Gwen, any final comments?
No, no, just that we are uploading the presentations to the portal, and the recordings, this evening or tomorrow morning. So, if you want to revisit this webinar, please take a look there, and maybe also, Marina, we can mention that we will certainly have some follow-up webinars on this topic, maybe some more specific or some more example based, judging from the comments we're getting in the survey, which is still open. I think there's a big need for this. So we'll definitely try to follow this up.
And if that's going to be the final word, I would just like to say thank you very much to the speakers, Thomas Margoni, Prodromos Tsiavos and Jack Flores, for taking the time to present this topic twice over the last week. It's a very complicated topic. I would really like to express our gratitude to them for taking the time and making sure that we have very good presentations that we will be able to share afterwards and use afterwards as well. And I would like to thank you as well, all of you participants, for being in such a large attendance. Everybody stay safe and healthy, and we're looking forward to seeing you in the next presentation or webinar. Thank you very much, it was a pleasure.