The Danish Data Protection Agency is investigating the research area
Many research projects involve the processing of large amounts of personal data, including sensitive information. It is therefore crucial that the rules in the research area are complied with, out of consideration for the individual data subjects. The Danish Data Protection Agency is therefore initiating a broad effort in the area consisting of both supervisory activities and more concrete and targeted guidance.
The Data Protection Agency has stated: "In Denmark, there is wide access to conducting extensive research, and it provides an opportunity to conduct important research. But the broad access to conducting research is based on the premise that it is done in a responsible way, where the rules are complied with, so that Danes can have confidence that their information is processed properly when they are part of a research project".
Against this background, the Danish Data Protection Agency has initiated a number of supervisory activities in the research area.
On 22 June 2020, the Danish Data Protection Agency published a news item announcing that the Agency would take a closer look at Kammeradvokaten's (the primary attorney to the Danish state) reports on Statens Serum Institut's (SSI)1 processing of personal data for research use. Based on the preliminary conclusions in Kammeradvokaten's reports, the Danish Data Protection Agency has decided to take up a case against SSI for, among other things, the unlawful transfer of personal data to the US without proper legal grounds. In this connection, the Danish Data Protection Agency has asked the institute to explain a number of the issues that recur in the preliminary reports. The Danish Data Protection Agency is also awaiting the final report from Kammeradvokaten, which is expected to be published in November 2020. The Danish Data Protection Agency will then decide to what extent this gives the Agency cause for further reactions to SSI.
In order to investigate whether the same issues as with SSI are recurring with other similar data controllers, the Danish Data Protection Agency has also initiated a number of written inspections of public authorities that carry out research. The audits focus on:
- Roles and responsibilities (data responsibility)
- Basis for processing
- Transfer of personal data to recipients in EEA countries and to recipients in countries outside the EEA
- Supervision of data processors
- The Danish Data Protection Agency's possible permission for disclosure, cf. the Data Protection Act, section 10, subsection 3
- Records of processing activities, cf. GDPR article 30
- Policies/guidelines on data protection in connection with the implementation of research projects
Based on the challenges mentioned in Kammeradvokaten's report on SSI's processing of personal data for research use, the Danish Data Protection Agency has also decided to prepare new guidelines in the research area.
1 SSI is under the auspices of the Danish Ministry of Health. Its main duty is to ensure preparedness against infectious diseases and biological threats as well as control of congenital disorders. Further, SSI houses the Danish National Biobank, which stores more than 22 million biological samples, such as serum, plasma, buffy coat, whole blood and DNA.
Article provided by: Claas Thöle (NJORD Law Firm, Denmark)
Dr. Tobias Höllwarth (Managing Director INPLP)