CTC - GDPR Questionnaire

Questionnaire with respect to the processing of personal data in the framework of clinical studies

The GDPR came into force on 25 May 2018, bringing with it increased requirements with respect to the processing of personal data. Processing of personal data needs to be lawful, fair and transparent.

UZ Leuven is committed to responsible processing of information relating to individuals and to respecting their rights to data privacy. Although the consideration of GDPR may seem like an additional burden, much of it is plain common sense and consistent with the ethical requirements of many research projects. The present list of questions is intended to facilitate compliance with GDPR and to collect all necessary information regarding the processing of personal data in accordance with the GDPR.

Note that personal data that have been pseudonymised – e.g. key-coded – fall within the scope of the GDPR. Data that have been anonymised are considered to be out of scope of GDPR.

Your study
Processing data
KU Leuven GDPR questionnaire to be filled in (only available for KU Leuven personnel)

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Pseudonymised personal data can still be attributed to a natural person by the use of additional information and is therefore to be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.

The principles of data protection do not apply to “anonymous data”, namely data which does not relate to an identified or identifiable natural person, or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable (by any person or by any means). Where the data subject cannot be identified, the information does not constitute personal data and the duties and obligations of the GDPR do not apply. The principles of data protection indeed only apply to information concerning an identified or identifiable natural person. When assessing anonymity, you should however take into account that GDPR applies both to directly identifiable data (the data subject can be identified because of a name or another specific identifier) and to indirectly identifiable data (the data subject can be identified because the collected data, in combination, allow an individual to be singled out). As such, account should, for example, also be taken of the size of the population of which the individual is part. For example, aggregated data, where information about many individuals is combined into broad classes, groups or categories so that it is no longer possible to distinguish information relating to those individuals, will most likely be considered anonymous. Additionally, you should be aware that data can only be considered anonymised when it is not possible to re-identify the data subject. This means that no key is held to re-convert key-coded data. This also means that data cannot be anonymous to you while they are not anonymous to the holder of the original source data.
Data controller versus data processor
Is there (next to UZ Leuven) another university, research institution or partner involved in the study?
Who determines the purposes and means of the study? (this means solely financing is insufficient)
Even where UZ Leuven takes on the role of national coordinator for Belgium, UZ Leuven would in principle act as data processor.
Has a data processing agreement or “DPA” been drafted between the controller and the processor?
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Research
This section needs to be completed in Dutch and in layman terms as it will serve to properly inform the data subjects in accordance with the information and transparency obligation under GDPR.
Data description and collection
Primary versus secondary collection
Are new data being collected (primary processing – prospective study)?
And/or are only already collected data being processed (secondary processing – retrospective study)?
Are the data received from someone outside UZ Leuven or are you sending the data to someone outside UZ Leuven?

In accordance with article 3, §2 of the Belgian law on experiments dated 7 May 2004, which excludes retrospective studies from its scope, the term “retrospective” needs to be understood as follows: the study is being conducted using only data from the past that have already been collected in existing patient dossiers, medical or administrative files or databases, and without use of any new data with respect to these patients.
Categories of personal data
What categories of data are being processed?
Are you collecting “regular” personal data and/or are you collecting “special” (sensitive) categories of personal data?

Please note that genetic data and data concerning health are to be considered as “special” (sensitive) categories of personal data.

Anonymous data are not personal data. Please note that in case you yourself anonymise personal data, the anonymisation process itself does fall within the scope of GDPR.


Data concerning health is broadly defined under GDPR and means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. Health data is considered sensitive data and in principle processing of such data is prohibited under GDPR except if performed under certain conditions.

Specify regular personal data
Specify special/sensitive categories of personal data

Data subjects
Whose personal data are being processed in the framework of the research?
Provision of information

Will the required information (see link to templates) be provided to the data subjects or has this information already been provided? In particular, does the data subject know why his/her data are being processed and to whom he/she can address his/her questions in this respect?

Primary and/or secondary processing

Please, note that the data subject always has to be informed in case of primary processing! In case UZ Leuven is the sponsor of the study, the data subject will be informed of his/her data being processed for research purposes through the MyNexuzHealth application.

Will the patient be informed of the processing of his/her data in case of secondary processing?
Please note that in case UZ Leuven or a MyNexuz hospital is the sponsor of the study, the duty to inform the data subject can be performed through the MyNexuzHealth application. In all other cases, motivate why the provision of the information proves to be impossible or would involve a disproportionate effort.
In particular please motivate why this information duty would render impossible or seriously impair the achievement of the objectives of the processing.
In this case, will the information be made publicly available, for example through a study-specific website?
Export of data
Will the collected personal data be transferred to or shared with persons/institutions outside UZ Leuven?
Is there a (draft) agreement present with respect to the transfer/sharing of such data?
Are these persons/institutions located outside or inside the EU?
Is it a country on the “white list”?
Technical and organisational measures
Where are data being stored?
Decentrally managed systems
Does someone other than the investigator and his/her study team have access to the personal data (other than monitoring/audit/inspection)?
Pseudonymizing data
Motivate why working with anonymized or pseudonymized data is not possible
Pseudonymize personal data
Specify the process of pseudonymization and storage of the key/code
Lawfulness of processing
Lawful basis

Please note the opinion of the European Data Protection Board (Opinion 3/2019) in this respect: (…) However, it must be kept in mind that even though conditions for an informed consent under the CTR are gathered, a clear situation of imbalance of powers between the participant and the sponsor/investigator will imply that the consent is not “freely given” in the meaning of the GDPR. As a matter of example, the EDPB considers that this will be the case when a participant is not in good health conditions, when participants belong to an economically or socially disadvantaged group or in any situation of institutional or hierarchical dependency. Therefore, and as explained in the Guidelines on consent of the Working Party 29, consent will not be the appropriate legal basis in most cases, and other legal bases than consent must be relied upon (…)
In order to lawfully process personal data you will need a lawful basis. This basis is determined at the moment of the primary collection of data. In case your research concerns a secondary processing of personal data, you will need to consult the initial data controller to understand on what lawful basis the initial collection of personal data was performed.
Agreement with the UZ Leuven principles regarding processing of personal data and data protection impact analysis (“DPIA”)

The processing of “special categories” of personal data (such as “data concerning health” or genetic data) in the framework of research constitutes a high privacy risk for the data subjects.

Is UZ Leuven the sponsor (“opdrachtgever”) of the research and hence data controller? Please indicate under which DPIA of UZ Leuven your research fits.

The investigator hereby acknowledges review of the GDPR guidance document for clinical researchers.

Last modified: 24 January 2020