Your study

S-number (enter in format SXXXXX, e.g. S12345)

Processing data

- UZ Leuven will process (pseudonymized) personal data.
- UZ Leuven will process anonymous data supplied by a third party.
- UZ Leuven will work with anonymized personal data.
- KU Leuven will process personal data without UZ Leuven being data controller or processor for the purpose of the study (e.g. KU Leuven acting as sponsor).

KU Leuven GDPR questionnaire to be filled in (only available for KU Leuven personnel)

Note about personal and anonymous data

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Pseudonymised personal data can still be attributed to a natural person by the use of additional information and is therefore to be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.
The principles of data protection do not apply to “anonymous data”, namely data which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable (by any person or by any means). Where that data subject cannot be identified, the information will not constitute personal data and the duties and obligations of the GDPR will not apply. The principles of data protection indeed only apply to any information concerning an identified or identifiable natural person.

When assessing anonymity, you should however take into account that GDPR applies to directly identifiable data (the data subject can be identified because of a name or another specific identifier) and to indirectly identifiable data (the data subject can be identified because, in their combination, the collected data make it possible to single out an individual). As such, account should for example also be taken of the size of the population of which the individual is part. For example, aggregated data, where information about many individuals is combined into broad classes, groups or categories so that it is no longer possible to distinguish information relating to those individuals, will most likely be considered as anonymous.

Additionally, you should be aware that data can only be considered anonymized when it is not possible to re-identify the data subject. This means that no key is held to re-convert key-coded data. This also means that data cannot be anonymous to you, while they are not anonymous to the holder of the original source data.

Specify process of anonymization and provide a description of the data

Data controller versus data processor

Is there (next to UZ Leuven) another university, research institution or partner involved in the study?
- No, it is a monocentric study within UZ Leuven without third party involvement and UZ Leuven is the sponsor of the study and hence data controller
- Yes

Who determines the purposes and means of the study? (this means that financing alone is insufficient)

- This is solely determined within UZ Leuven (UZ Leuven is sponsor of the study and hence data controller; another university, research institution or partner involved in the study is acting as data processor, or is acting as separate data controller)
- UZ Leuven determines this together with someone outside of UZ Leuven (joint controllership)
- UZ Leuven executes on behalf of someone outside of UZ Leuven (UZ Leuven is data processor). Also in case UZ Leuven would take on the role of national coordinator for Belgium, UZ Leuven would in principle act as data processor.
- This is solely determined by someone outside of UZ Leuven and UZ Leuven does not act as data processor (controller-to-controller transfer)

Specify someone outside of UZ Leuven

Has a data processing agreement or “DPA” been drafted between the controller and the processor, or another type of data processing arrangement between the parties (depending on the parties’ roles under GDPR, for example a joint controllership agreement or a controller-to-controller transfer agreement)?

- Yes
- No

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Research

Title/titel

Name of data controller/Naam van verwerkingsverantwoordelijke

The following sections need to be completed in Dutch and in layman terms as they will serve to properly inform the data subjects in accordance with the information and transparency obligation under GDPR.
Description/beschrijving

Purpose(s)/doelstelling(en)

Link to website(s) with additional information/Link naar website(s) met bijkomende informatie

Personal data subjects

Whose personal data are being processed in the framework of the research?

- Patients of UZ Leuven
- Patients of other hospitals than UZ Leuven
- Healthy volunteers
- UZ Leuven personnel
- Only deceased persons
- Other (e.g. are personal data of UZ Leuven/KU Leuven students the object of the research?)

Specify

Data description and collection

Primary versus secondary collection

Are new (personal) data being collected (primary processing – prospective study)? And/or are only already collected (personal) data being processed (secondary processing – retrospective study)?

- Primary processing (Prospective study)
and/or
- Secondary processing (Retrospective study)

Are personal data received from someone outside UZ Leuven or are you sending personal data to someone outside UZ Leuven?

- Yes
- No

Retrospective studies

In accordance with article 3, §2 of the Belgian law on experiments dated 7 May 2004, which excludes retrospective studies from its scope, the term “retrospective” needs to be understood as follows: the study is being conducted using only data from the past that have already been collected in existing patient dossiers, medical or administrative files or databases and without use of any new data with respect to these patients.

Categories of personal data

What categories of data are being processed? Are you collecting “regular” personal data and/or are you collecting “special” (sensitive) categories of personal data?

- Regular personal data
- Special/sensitive categories of personal data

Please note that genetic data and data concerning health are to be considered as “special” (sensitive) categories of personal data.

Categories of personal data

Anonymous data are not personal data. Please note that in case you yourself anonymize personal data, such anonymization process does fall under the scope of GDPR.
Pseudonymised personal data can still be attributed to a natural person by the use of additional information and is therefore to be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.

Data concerning health is broadly defined under GDPR and means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. Health data is considered sensitive data and in principle processing of such data is prohibited under GDPR except if performed under certain conditions.

Specify regular personal data

- Name and/or address
- Contact details (tel. number, e-mail address, …)
- Date/year of birth and/or age
- Initials, personal identification number assigned to data subjects participating in the study such as EAD number
- Other…

Specify

Specify special/sensitive categories of personal data

- Health data (e.g. description of characteristics of physical features of the body, medical history and medical test information (such as blood samples, results from scans and biopsies))
- Genetic data
- Other (e.g. data revealing racial or ethnic origin, social security number…)

Specify

Data subjects

Whose personal data are being processed for the purpose of the research (in accordance with the protocol)?

- Patients of UZ Leuven
- Patients of other hospitals than UZ Leuven
- Healthy volunteers
- UZ Leuven personnel
- Only deceased persons
- Other (e.g. are personal data of UZ Leuven/KU Leuven students the object of the research?)

Specify

Provision of information

Will the required information (see link to templates) be provided to the data subjects or has this information already been provided? In particular, does the data subject know why his/her data are being processed and to whom he/she can address his/her questions in this respect?

Primary and/or secondary processing

- Primary processing (Prospective)
- Secondary processing (Retrospective)
- Primary and secondary processing (Prospective and Retrospective)

Please note that the data subject always has to be informed in case of primary processing! In case UZ Leuven is the sponsor of the study, the data subject will be informed of his/her data being processed for research purposes through the MyNexuzHealth application.

Will the patient be informed of the processing of his/her data in case of secondary processing?

- Yes
- No

Please note that in case UZ Leuven or a MyNexuz hospital is sponsor of the study, the duty to inform the data subject can be performed through the MyNexuzHealth application. In all other cases, motivate why the provision of the information proves to be impossible or would involve a disproportionate effort.
In particular, please motivate why this information duty would be impossible or seriously impair the achievement of the objectives of the processing.

- The high mortality figures in the patient population that is the object of your research make it inappropriate or impossible to comply with the above-mentioned information duty
- The size of the patient population that is the object of your research and/or the period under scrutiny makes it practically or logistically impossible to ensure an individual provision of the required information
- The controller does not know the identity of the data subject: compliance with the information duty would oblige the controller to process additional information in order to identify the data subject for the sole purpose of complying with the above-mentioned information duty
- Other

Specify

Will in this case the information be made publicly available, for example through a study-specific website?

- Yes
- No

Export of data

Will the collected personal data be transferred to or shared with persons/institutions outside UZ Leuven?

- No
- Yes

Is there a (draft) agreement present with respect to the transfer/sharing of such data?

- Yes
- No

Are these persons/institutions located outside or inside the EU?

- Inside EU
- (Also) Outside EU

Is it a country on the “white list”?

- Yes
- No

White list

Consult the “white” list. In both cases a data processing/data transfer agreement will be required.

Technical and organisational measures

Where are data being stored?
- Only centrally managed tools/systems/technology such as for example KWS, LWS
- Also decentrally managed tools/systems/technology

What tools/systems/technology are being used (other than the tools/systems/technology for the processing of personal data made available by UZ Leuven)?

Decentrally managed systems

- Filemaker server
- Filemaker separate file
- Office documents: Word, Excel, …
- Google Drive
- Access server
- Access separate file
- Outlook
- Wiki (internally)
- Jira
- Intranet
- Muzlidoc
- OpenClinica
- Redcap
- Other

I confirm that no one other than the investigator and his/her study team has access to directly identifiable personal data (other than in case of monitoring/audit/inspection).

- Yes
- No

Specify

Pseudonymizing data

- UZ Leuven will pseudonymize personal data.
- UZ Leuven will work with non-pseudonymized (identifiable) personal data.

Motivate why working with anonymized or pseudonymized data is not possible

Pseudonymize personal data

- With tools supplied by UZ Leuven
- With tools other than those supplied by UZ Leuven

Specify

Specify the process of pseudonymization and storage of the key/code

Lawfulness of processing

Lawful basis

- Academic research is carried out in the public interest; this means that it is conducted to contribute to an increase of knowledge and insight that will benefit (directly or indirectly) society.
- The data subject has given consent to the processing of his personal data for one or more specific purposes.
- The processing is necessary for the purpose of legitimate interests pursued by the sponsor (“opdrachtgever”).
- Other…

Specify

European Data Protection Board Opinion regarding consent as legal basis

Please note the opinion of the European Data Protection Board (Opinion 3/2019) in this respect:

(…) However, it must be kept in mind that even though conditions for an informed consent under the CTR are gathered, a clear situation of imbalance of powers between the participant and the sponsor/investigator will imply that the consent is not “freely given” in the meaning of the GDPR. As a matter of example, the EDPB considers that this will be the case when a participant is not in good health conditions, when participants belong to an economically or socially disadvantaged group or in any situation of institutional or hierarchical dependency. Therefore, and as explained in the Guidelines on consent of the Working Party 29, consent will not be the appropriate legal basis in most cases, and other legal bases than consent must be relied upon (…)

In such case the sponsor (data controller) needs to substantiate why such legitimate interests are not overridden by the fundamental rights and freedoms of the data subjects.

In order to lawfully process personal data you will need a lawful basis. This basis is determined at the moment of the primary collection of data. In case your research concerns a secondary processing of personal data, you will need to consult the initial data controller to understand on what lawful basis the initial collection of personal data was performed.

Agreement with the UZ Leuven principles regarding processing of personal data and data protection impact analysis (“DPIA”)

The processing of “special categories” of personal data (such as “data concerning health” or genetic data) in the framework of research constitutes a high privacy risk for the data subjects.

Is UZ Leuven data controller?

Please indicate under which DPIA of UZ Leuven your research fits.
- DPIA retrospective study
- DPIA prospective study
- None of the above

In case you tick the box “None of the above”, a separate DPIA will need to be established with the assistance of the DPO. In such case please contact the DPO as soon as possible by sending an e-mail.

The investigator hereby acknowledges review of the GDPR guidance document for clinical researchers.

Your e-mail

A completed questionnaire is a requirement for admissibility to submit your study to the EC. The EC does not receive the completed GDPR questionnaire automatically. Please therefore always provide the EC with the GDPR questionnaire in PDF-version.

Last edit: 25 April 2024