1.1 Cross Border Data Access and Data Protection Impact Assessment. The core element of the Beyond One Million Genomes Project (B1MG) is the provision of access to genomic data of a data subject by a data controller(s) in one Member State(s) to a data user(s) from another Member State(s) ("Cross Border Data Access"). As the provision of Cross Border Data Access is likely to involve the processing of (directly or indirectly) identifying data (personal data), it is likely to be subject to the EU General Data Protection Regulation ("GDPR"). As the processing concerns the processing, on a large scale, of special categories of data (i.e. genetic data and data concerning health), the processing is deemed by GDPR to be likely to result in a high risk to the rights and freedoms of the data subjects concerned. Specifically, the provision of Cross Border Data Access will exacerbate these risks, as (i) it could be subject to diverging, if not conflicting, sector-specific national Member State laws, regulations and codes, (ii) the GDPR allows Member States a 'margin to manoeuvre' with respect to processing of personal data for research purposes, which inter alia allows a Member State to derogate from various GDPR data subject rights, and (iii) under the GDPR, Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning healthconsensus on the envisaged data flows, risk types and levels, and standard-setting related to privacy and security safeguards. Consequently, a controller providing Cross Border Data Access must, ex ante, carry out an assessment of the impact of the provision of Cross Border Data Access on the protection of personal data (Data Protection Impact Assessment (DPIA)).

1.2 Common Elements for a DPIA of Cross Border Data Access. The 1+MG projects build in part on existing (national or local) data collections. We assume that the controllers of these collections and cohorts already conduct their own DPIAs with respect to the data these collections contain and may therefore be hesitant to perform a separate DPIA for the processing under 1+MG projects. Therefore, the following sets forth a number of Common Elements for a DPIA which specifically address the cross border aspects, as an "add on" to existing DPIAs, with the aim to coordinate the identification, assessment, and mitigation of the data protection issues triggered by Cross Border Data Access. Establishing Common Elements should also help achieve shared standards or approaches for the safeguards for the rights and freedoms of data subjects required under GDPR, for example the use of remote access, pseudonymisation and governance of access. The Common Elements are expressly limited to Cross Border Data Access for purposes of scientific research processing operations by healthcare providers for clinical purposes, but are amenable to being "upgraded" for healthcare purposes.