Joint controllers in large research consortia: a funnel model to distinguish controllers in the sense of the GDPR from other partners in the consortium

Large European research consortia in the health sciences face challenges regarding the governance of personal data collected, generated and/or shared during their collective research. A controller in the sense of the GDPR is the entity which decides about purposes and means of the data processing. C...

Descripción completa

Detalles Bibliográficos
Autores principales: Van Veen, Evert-Ben, Boeckhout, Martin, Schlünder, Irene, Boiten, Jan Willem, Dias, Vasco
Formato: Online Artículo Texto
Lenguaje:English
Publicado: F1000 Research Limited 2022
Materias:
Acceso en línea:https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10521071/
https://www.ncbi.nlm.nih.gov/pubmed/37767227
http://dx.doi.org/10.12688/openreseurope.14825.1
_version_ 1785110060162088960
author Van Veen, Evert-Ben
Boeckhout, Martin
Schlünder, Irene
Boiten, Jan Willem
Dias, Vasco
author_facet Van Veen, Evert-Ben
Boeckhout, Martin
Schlünder, Irene
Boiten, Jan Willem
Dias, Vasco
author_sort Van Veen, Evert-Ben
collection PubMed
description Large European research consortia in the health sciences face challenges regarding the governance of personal data collected, generated and/or shared during their collective research. A controller in the sense of the GDPR is the entity which decides about purposes and means of the data processing. Case law of the Court of Justice of the European Union (CJEU) and Guidelines of the European Data Protection Board (EDPB) indicate that all partners in the consortium would be joint controllers. This paper summarises the case law, the Guidelines and literature on joint controllership, gives a brief account of a webinar organised on the issue by Lygature and the MLC Foundation. Participants at the webinar agreed in large majority that it would be extreme if all partners in the consortium would become joint controllers. There was less agreement how to disentangle partners who are controllers of a study from those who are not. In order to disentangle responsibilities, we propose a funnel model with consecutive steps acting as sieves in the funnel. It differentiates between two types of partners: all partners who are involved in shaping the project as a whole versus those specific partners who are more closely involved in a sub-study following from the DoA or the use of the data Platform. If the role of the partner would be comparable to that of an outside advisor, that partner would not be a data controller even though the partner is part of the consortium. We propose further nuances for the disentanglement which takes place in various steps. Uncertainty about formal controllership under the GDPR can stifle collaboration in consortia due to concerns over (shared) responsibility and liability. Data subjects’ ability to exercise their right can also be affected by this. The funnel model proposes a way out of this conundrum.
format Online
Article
Text
id pubmed-10521071
institution National Center for Biotechnology Information
language English
publishDate 2022
publisher F1000 Research Limited
record_format MEDLINE/PubMed
spelling pubmed-105210712023-09-27 Joint controllers in large research consortia: a funnel model to distinguish controllers in the sense of the GDPR from other partners in the consortium Van Veen, Evert-Ben Boeckhout, Martin Schlünder, Irene Boiten, Jan Willem Dias, Vasco Open Res Eur Open Letter Large European research consortia in the health sciences face challenges regarding the governance of personal data collected, generated and/or shared during their collective research. A controller in the sense of the GDPR is the entity which decides about purposes and means of the data processing. Case law of the Court of Justice of the European Union (CJEU) and Guidelines of the European Data Protection Board (EDPB) indicate that all partners in the consortium would be joint controllers. This paper summarises the case law, the Guidelines and literature on joint controllership, gives a brief account of a webinar organised on the issue by Lygature and the MLC Foundation. Participants at the webinar agreed in large majority that it would be extreme if all partners in the consortium would become joint controllers. There was less agreement how to disentangle partners who are controllers of a study from those who are not. In order to disentangle responsibilities, we propose a funnel model with consecutive steps acting as sieves in the funnel. It differentiates between two types of partners: all partners who are involved in shaping the project as a whole versus those specific partners who are more closely involved in a sub-study following from the DoA or the use of the data Platform. If the role of the partner would be comparable to that of an outside advisor, that partner would not be a data controller even though the partner is part of the consortium. We propose further nuances for the disentanglement which takes place in various steps. Uncertainty about formal controllership under the GDPR can stifle collaboration in consortia due to concerns over (shared) responsibility and liability. Data subjects’ ability to exercise their right can also be affected by this. The funnel model proposes a way out of this conundrum. F1000 Research Limited 2022-06-17 /pmc/articles/PMC10521071/ /pubmed/37767227 http://dx.doi.org/10.12688/openreseurope.14825.1 Text en Copyright: © 2022 Van Veen EB et al. https://creativecommons.org/licenses/by/4.0/This is an open access article distributed under the terms of the Creative Commons Attribution Licence, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
spellingShingle Open Letter
Van Veen, Evert-Ben
Boeckhout, Martin
Schlünder, Irene
Boiten, Jan Willem
Dias, Vasco
Joint controllers in large research consortia: a funnel model to distinguish controllers in the sense of the GDPR from other partners in the consortium
title Joint controllers in large research consortia: a funnel model to distinguish controllers in the sense of the GDPR from other partners in the consortium
title_full Joint controllers in large research consortia: a funnel model to distinguish controllers in the sense of the GDPR from other partners in the consortium
title_fullStr Joint controllers in large research consortia: a funnel model to distinguish controllers in the sense of the GDPR from other partners in the consortium
title_full_unstemmed Joint controllers in large research consortia: a funnel model to distinguish controllers in the sense of the GDPR from other partners in the consortium
title_short Joint controllers in large research consortia: a funnel model to distinguish controllers in the sense of the GDPR from other partners in the consortium
title_sort joint controllers in large research consortia: a funnel model to distinguish controllers in the sense of the gdpr from other partners in the consortium
topic Open Letter
url https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10521071/
https://www.ncbi.nlm.nih.gov/pubmed/37767227
http://dx.doi.org/10.12688/openreseurope.14825.1
work_keys_str_mv AT vanveenevertben jointcontrollersinlargeresearchconsortiaafunnelmodeltodistinguishcontrollersinthesenseofthegdprfromotherpartnersintheconsortium
AT boeckhoutmartin jointcontrollersinlargeresearchconsortiaafunnelmodeltodistinguishcontrollersinthesenseofthegdprfromotherpartnersintheconsortium
AT schlunderirene jointcontrollersinlargeresearchconsortiaafunnelmodeltodistinguishcontrollersinthesenseofthegdprfromotherpartnersintheconsortium
AT boitenjanwillem jointcontrollersinlargeresearchconsortiaafunnelmodeltodistinguishcontrollersinthesenseofthegdprfromotherpartnersintheconsortium
AT diasvasco jointcontrollersinlargeresearchconsortiaafunnelmodeltodistinguishcontrollersinthesenseofthegdprfromotherpartnersintheconsortium