Date: 12 April 2021

Written by Veronika Keck, GESIS – Leibniz Institute for the Social Sciences, edited by Irena Vipavc Brvar, Mathilde Steinsvåg Hansen, and Ina Nepstad

Working in open access, making research data reusable in line with the FAIR principles, and addressing legal and ethical issues are key aspects of daily work for researchers who strive to uphold the principles of integrity, accountability, independence and impartiality. In recent years, many researchers have indicated the need for guidance, standards or a code of conduct to help them comply with the GDPR when using personal data for research. To fill this gap and to support open access and the reusability of research data within the context of EOSC, the SSHOC partners initiated work on a Code of Conduct for the Social Sciences and Humanities. The first results and achievements, the outstanding work, and the example of creating a Code of Conduct for Health and Life Sciences were presented during a 2.5-hour online workshop held on 17 March 2021.

About 35 participants attended the event, which was organized by NSD and supported by UL-ADP, LIBER, and GESIS. It started with an introduction of the speakers and a Mentimeter survey on participants' backgrounds, followed by three presentations, a lively Q&A part, break-out sessions for expert discussions, and a closing plenary session. The workshop gave the scientific community an opportunity to discuss the need for, and the work in progress on, a formal common framework that facilitates the harmonization of data-sharing rules and practices in research.


The Key Implications of GDPR for EOSC 


The first presentation, on the findings of SSHOC Report 5.7, focused on the impact of the GDPR on research and its implications for EOSC. The report describes and compares the national implementation of the GDPR across Europe by examining the national laws of selected European countries and by interviewing researchers. It also describes what implications the GDPR might have for EOSC.

Part of the presentation covered the processing of special categories of personal data. Article 9 of the GDPR prohibits the processing of such data unless one of the exceptions listed in Art. 9(2) applies, and this exception is needed in addition to a lawful basis under Art. 6. The speaker stressed that sensitive data may not be processed without such a legal ground. The exceptions most commonly relied on are explicit consent (Art. 9(2)(a)) and, in the case of research, processing for scientific research purposes in the public interest (Art. 9(2)(j)), which must be based on Union or Member State law and be subject to the safeguards of Art. 89(1).

Which lawful basis applies depends on the purpose of the processing. In some countries, Art. 6(1)(e) of the GDPR is used for research purposes: researchers may process personal data without documented consent from the data subject because their work is considered a task carried out in the public interest. This illustrates why a clearly established lawful basis for processing in the public interest matters for research.

Further, the speaker stressed that some countries have provided lists of safeguards supplementing Art. 89(1) of the GDPR, while others have not. These varied approaches call for standardization or at least a unified approach.

The speaker pointed out the following implications for EOSC:

  • As all processing of personal data must have a legal ground, the different interpretations of and supplements to the GDPR in national legislation might affect the users of EOSC. 
  • The wording of the consent given by the data subject to the researcher might hinder sharing of the data with others, including through EOSC. 
  • A plan should be made for the assessment of personal data within EOSC. 
  • The required safety measures differ from one country to another. When organizing EOSC, a plan should be made for assessing whether the suggested safety measures are sufficient.

Anatomy of a Code of Conduct

In the second presentation, the keynote speaker introduced the concept of the Code of Conduct, its definition, and its relevance. A Code of Conduct can be defined as a voluntary accountability tool: a set of guidelines that sets out specific data protection rules for categories of controllers and processors. A Code therefore assists its members with data protection compliance and accountability. It applies to a specific sector or to particular processing operations, and it identifies and resolves the key data protection challenges of that sector, with the assurance of the supervisory authority that approved it that the Code is appropriate. A Code is written by an organization or association representing the sector, in language the sector understands, and enables the sector to solve these challenges itself. The legal basis for Codes of Conduct is laid down in Art. 40 and 41 of the GDPR.

A Code of Conduct is relevant because it helps the sector comply with the GDPR. It can be a useful and effective accountability tool, providing a detailed description of the most appropriate, lawful and ethical set of behaviours for a sector. From a data protection viewpoint, a Code can therefore operate as a rulebook for controllers and processors who design and implement GDPR-compliant data processing activities. Developing a Code of Conduct can help build public trust and confidence in the sector's ability to comply with data protection law. Moreover, it prompts the sector to reflect on its processing activities and ensures that the rules of the field are followed, so that best practice is achieved. Developing a Code of Conduct can also be cost-effective for the sector.


Creation of a Code of Conduct in Health Research 

The BBMRI-ERIC presentation focused on a Code of Conduct for health research.

The EU General Data Protection Regulation has applied directly in all Member States since 25 May 2018. Given that legal texts are not always easily accessible, BBMRI-ERIC, together with other stakeholders, regards the Code of Conduct as described in Art. 40 and 41 of the GDPR as a key tool for developing a guide for researchers and administrative staff (especially data controllers and processors), to reduce unnecessary fear about compliance and to enhance data sharing in order to stimulate research.

The purpose of the Code of Conduct for Health Research initiative is:

  • To contribute to the proper application of the regulation, taking into account the specific features of processing personal data in the area of health;
  • To clarify and specify certain rules of the GDPR for controllers who process personal data for purposes of scientific research in the area of health;
  • To help demonstrate compliance by controllers and processors with the regulation; and
  • To help foster transparency and trust in the use of personal data in the area of health research.

The speaker explained step by step how the BBMRI-ERIC working group created a Code of Conduct for health research. Their Code does not promote one legal basis over another, as the choice is context-dependent and may be subject to specific national law (country derogations). The presenter also stressed that whether data count as anonymised is context-dependent. The key topics of the BBMRI-ERIC Code of Conduct are legal basis and consent, personal data and anonymisation, and the roles of controller, joint controller and processor. The Code is structured in FAQ style: each question is followed by a rule or recommendation, then an explanation, and an example. The language is deliberately non-legalistic.


Take-home messages from the Q&A Session and Experts Discussions


A Code of Conduct is a tool for education and for organic work within the community.

One of the tasks of the Code is to clarify the GDPR, anonymisation, and similar questions. A general Code of Conduct has European scope and should be communicated to the national authorities. Because it covers processing in several Member States, it is reviewed at the European level and is therefore subject to approval by European bodies.

In some countries, e.g. Finland and the UK, the most commonly used legal basis is public interest, while in others, e.g. Norway, it is more common to rely on consent whenever possible; there, public interest is used only for practical reasons, when informed consent is not possible. 

Ethical consent is widely mistaken for the legal basis. Even when public interest is the legal basis, many projects still require ethical consent to be gathered, which confuses many researchers.

National legislation across Europe uses different terms for the appropriate safeguards required when "public interest / scientific or historical research purposes" is the legal basis, cf. Art. 89(1). When processing research data, several of the safeguards named in the GDPR should be used, e.g. pseudonymisation or other de-identification of personal data (Art. 89(1) and Art. 32) and encryption (Art. 32).

The single most common problem with reusing data is the lack of information given to data subjects at the start of the original research project. They are often not informed of the intention to re-use the data at a later stage, which can make such re-use impossible. Ensuring that data subjects are informed about the planned re-use of their data from the outset would go a long way toward making more data available. 

Although the GDPR aims to harmonize information requirements and safety measures, national legislation may still vary between European countries. Country-specific requirements can make sharing across borders difficult, particularly when they include strict safety measures that are uncommon in other countries. 


Outcomes & Further Development

  • Further support for the harmonization, interpretation and consistent implementation of the GDPR across the EU is warranted.
  • The terms and conditions for processing sensitive personal data vary from one country to another, but the common denominator in most countries is the importance of ensuring that the processing of special categories of personal data is subject to adequate safeguards, cf. Art. 89(1).
  • A mutual understanding of which measures satisfy the requirement of appropriate safeguards ("suitable, specific, technical, organizational") under Art. 89(1) would make sharing of research data across borders easier.
  • The example of developing a Code of Conduct in the health research field shows that it is a long process requiring the participation of experts in consultation with the public: a. on an individual level (esp. use cases on a case-by-case basis), b. on sections of the Code via reference groups, c. on the whole Code and the submission process.

LINKS TO WORKSHOP MATERIALS:

Blog

Announcement

Presentations

European Data Protection Board Register for Codes of Conduct

Catalogue: SSH GDPR Code of Conduct