CTC - GDPR questionnaire

Your study

S-number (enter in format SXXXXX, e.g. S12345)

Processing data
KU Leuven GDPR questionnaire to be filled in (only available for KU Leuven personnel)

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Pseudonymised personal data can still be attributed to a natural person by the use of additional information and is therefore to be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.

The principles of data protection do not apply to “anonymous data”, namely data which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable (by any person or by any means). Where that data subject cannot be identified, the information will not constitute personal data and the duties and obligations of the GDPR will not apply. The principles of data protection indeed only apply to any information concerning an identified or identifiable natural person. When assessing anonymity, you should however take into account that GDPR applies to directly identifiable data (the data subject can be identified because of a name or another specific identifier) and to indirectly identifiable data (the data subject can be identified because in their combination the collected data allow to single out an individual). As such account should for example also be taken of the size of the population of which the individual is part. For example aggregated data, where information about many individuals are combined into broad classes, groups or categories, so that it is no longer possible to distinguish information relating to those individuals will most likely be considered as anonymous. Additionally, you should be aware that data can only be considered anonymized when it is not possible to re-identify the data subject. This means that no key is held to re-convert key-coded data. This also means that data cannot be anonymous to you, while they are not anonymous to the holder of the original source data.
 
Data controller versus data processor
Is there (next to UZ Leuven) another university, research institution or partner involved in the study?
Who determines the purposes and means of the study? (this means solely financing is insufficient)
Also in case UZ Leuven would take on the role of national coordinator for Belgium, UZ Leuven would in principle act as data processor. 
Has a data processing agreement or “DPA” been drafted between the controller and the processor or another type of data processing arrangement between the parties (in function of parties’s roles under GDPR, for example a joint controllership agreement or a controller-to-controller transfer agreement)?
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Research

The following sections needs to be completed in Dutch and in layman terms as it will serve to properly inform the data subjects in accordance with the information and transparency obligation under GDPR.

Personal data subjects
Whose personal data are being processed in the framework of the research?
Data description and collection
Primary versus secondary collection
Are new (personal) data being collected (primary processing – prospective study)?
And/or are only already collected (personal) data being processed (secondary processing – retrospective study)?
Are personal data received from someone outside UZ Leuven or are you sending personal data to someone outside UZ Leuven?

In accordance with article 3, §2 of the Belgian law on experiments dated 7 May 2004 which excludes retrospective studies from its scope , the term “retrospective” needs to be understood as follows: the study is being conducted using only data from the past that have already been collected in existing patient dossiers, medical or administrative files or databases and without use of any new data with respect to these patients.
Categories of personal data
What categories of data are being processed?
Are you collecting “regular” personal data and/or are you collecting “special” (sensitive) categories of personal data?

Please note that genetic data and data concerning health are to be considered as “special” (sensitive) categories of personal data.

Anonymous data are not personal data. Please note that in case you yourself anonymize personal data, such anonymization process does fall under the scope of GDPR. 

Pseudonymised personal data can still be attributed to a natural person by the use of additional information and is therefore to be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.

Data concerning health is broadly defined under GDPR and means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. Health data is considered sensitive data and in principle processing of such data is prohibited under GDPR except if performed under certain conditions.
 

Specify regular personal data
Specify special/sensitive categories of personal data

“data concerning health” is broadly defined under GDPR and means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. Health data is considered sensitive data and in principle processing of such data is prohibited under GDPR except if performed under certain conditions.
Data subjects
Whose personal data are being processed for the purpose of the research (in accordance with the protocol)?
Provision of information

Will the required information (see link to templates) be provided to the data subjects or has this information already been provided? In particular, does the data subject know why his/her data are being processed and to whom he/she can address his/her questions in this respect? 

Primary and/or secondary processing

Please, note that the data subject always has to be informed in case of primary processing! In case UZ Leuven is the sponsor of the study, the data subject will be informed of his/her data being processed for research purposes through the MyNexuzHealth application.

Will the patient be informed of the processing of his/her data in case of secondary processing?
Please note that in case UZ Leuven or a MyNexuz hospital is sponsor of the study that the duty to inform the data subject can be performed through the MyNexuzHealth application. In all other cases, motivate why the provision of the information proves to be impossible or would involve a disproportionate effect.
In particular please motivate why this information duty would be impossible or seriously impair the achievement of the objectives of the processing.
Will in this case the information be made publicly available, for example through a study-specific website?
Export of data
Will the collected personal data be transferred to or shared with persons/institutions outside UZ Leuven?
Is there a (draft) agreement present with respect to the transfer/sharing of such data?
Are these persons/institutions located outside or inside the EU?
Is it a country on the “white list”?
Technical and organisational measures
Where are data being stored?
Decentrally managed systems
I confirm that no other than the investigator and his/her study team have access to directly identifiable personal data (other than in case of monitoring/audit/inspection)?
Pseudonymizing data
Motivate why working with anonymized or pseudonymized data is not possible
Pseudonymize personal data
Specify the process of pseudonymization and storage of the key/code
Lawfulness of processing
Lawful basis

Please note opinion of the European Data Protection Board (Opinion 3/2019) in this respect: (…) However, it must be kept in mind that even though conditions for an informed consent under the CTR are gathered, a clear situation of imbalance of powers between the participant and the sponsor/investigator will imply that the consent is not “freely given” in the meaning of the GDPR. As a matter of example, the EDPB considers that this will be the case when a participant is not in good health conditions, when participants belong to an economically or socially disadvantaged group or in any situation of institutional or hierarchical dependency. Therefore, and as explained in the Guidelines on consent of the Working Party 29, consent will not be the appropriate legal basis in most cases, and other legal bases than consent must be relied upon (…)
 
In order to lawfully process personal data you will need a lawful basis. This basis is determined at the moment of the primary collection of data. In case your research concerns a secondary processing of personal data, you will need to consult the initial data controller to understand on what lawful basis the initial collection of personal data was performed.
Agreement with the UZ Leuven principles regarding processing of personal data and data protection impact analysis (“DPIA”)

The processing of “special categories” of personal data (such as “data concerning health” or genetic data) in the framework of research constitutes a high privacy risk for the data subjects.

Is UZ Leuven data controller? Please indicate under which DPIA of UZ Leuven your research fits.
  • In case you tick the box “None of the above”, a separate DPIA will need to be established with the assistance of the DPO. In such case please contact the DPO as soon as possible by sending an e-mail.

  • The investigator hereby acknowledges review of the GDPR guidance document for clinical researchers.

A completed questionnaire is a requirement for admissibility to submit your study to the EC. The EC does not receive the completed GDPR questionnaire automatically. Please therefore always provide the EC with the GDPR questionnaire in PDF-version.

Last edit: 25 april 2024