What are the possibilities and regulations for storing and processing of personal data within the Fenix Infrastructure?
When data that counts as "personal data" under the European General Data Protection Regulation (GDPR) is stored or processed, precautions need to be taken to ensure an appropriate level of protection. Storing and processing of personal data within the Fenix Infrastructure is enabled with the limitation that the data must be pseudonymised (Data Class B; for details see Table 1 below), i.e. any additional information needed to re-identify a data subject is kept separately by the Fenix User and never enters the Fenix Infrastructure. The procedure for storing and/or processing pseudonymised data within the Fenix Infrastructure is outlined below.
For each project that plans to store and/or process pseudonymised data, the applicable regulations and restrictions are assessed individually together with the project team and the Fenix site where the data will be located (the Fenix Resource Provider; for definitions of relevant actors see Table 2 below).
If you require more information related to the regulations concerning personal data, or if there are any open questions about using the Fenix Infrastructure, please contact us at: firstname.lastname@example.org.
Procedure for storing and processing of pseudonymised data:
- Indicate the planned processing of pseudonymised data in the resource application;
- If the resource application is approved, the ICEI Project Management Office (PMO) will request the project to provide the following information:
  - Contact details of the home institution's Data Protection Officer(s) (DPO(s));
  - Declaration of the DPO of the home institution that all personal data collection and processing will be carried out according to EU and national legislation;
  - Where derogations under the GDPR apply, this must be documented together with the possible implications for the geo-locality of the data (i.e. in which jurisdiction the data may be stored and processed);
  - Commitment that Fenix data repositories will only be used for storing pseudonymised data, and that no data that could allow re-identification of the data subjects (in particular the key or mapping table linking pseudonyms to identities) will be uploaded to the Fenix Infrastructure;
  - For HBP users: commitment to comply with the current version of the HBP Data Policy Manual;
- The ICEI PMO will request the Fenix Resource Provider at which resources have been allocated to the project to provide the following documentation:
  - Documentation of the security measures that are in place and that must be respected by the Fenix User when processing the pseudonymised data;
  - Declaration of the Fenix Resource Provider's DPO on the compliance and/or authorisation required under national law for collecting and processing the data as described in the project proposal.
- The ICEI PMO will check whether the collected set of documents can be considered a complete Data Protection Impact Assessment (DPIA) under Art. 35 GDPR for collecting and processing the data as described in the project proposal.
- The ICEI PMO will make the provided information available to the European Commission.
Table 1. Description of different data classes

| Class | Description | Regulations for storing/processing within the Fenix Infrastructure |
|---|---|---|
| A | Data sets containing information relating to an identified data subject. | This data must not be stored or processed within the Fenix Infrastructure. |
| B | Data sets containing information relating to an identifiable data subject, i.e. there is a known systematic way to (re)identify the data subject. | This data may be processed if pseudonymisation is applied such that no data that could allow a data subject to be (re)identified enters the Fenix Infrastructure, and the "Procedure for storing and processing of pseudonymised data" (see above) is applied. The owner of pseudonymised data objects must be a Fenix User [1], i.e. not a pseudo-user [2], so that there is an unambiguous and known relation between a Fenix User ID and a person who is legally accountable for the data. The owner of pseudonymised data is responsible for deciding whether the data uploaded to the Fenix Infrastructure, taken on its own, is truly rendered anonymous (i.e. cannot be re-identified without the separately held additional information). |
| C | Data sets containing personal data rendered anonymous [3] in such a manner that the data subject is not or no longer identifiable [4]. | This data may be stored or processed within the Fenix Infrastructure without restrictions. The responsibility for assessing and monitoring whether there are known technical means to transform the data such that it would allow a data subject to be identified remains with the Data Controller, i.e. the Fenix User. |
| D | Data sets that contain no information relating to an identified or identifiable data subject. | This data may be stored or processed within the Fenix Infrastructure without restriction, as it is outside the scope of the GDPR. |
Table 2. Definition of relevant actors

| Actor | Definition |
|---|---|
| Fenix User | A natural person who has been granted access to Fenix Resources, which enables the user to process and/or store data within the Fenix Infrastructure. A Fenix User who uploads personal data to the Fenix Infrastructure is in this context considered to be a Data Controller [5]. |
| Home Institution | A public authority, agency or other body to which a Fenix User is affiliated. |
| Data Protection Officer (DPO) | A person who oversees an organisation's data protection strategy and its implementation and monitors compliance with the GDPR (see Art. 37 to 39 GDPR on the designation and tasks of the DPO). |
| Fenix Resource Provider | A data centre located in an EU member state or Switzerland that provides compute and storage resources within the Fenix Infrastructure. As Fenix Users may use the Fenix Infrastructure for processing personal data, the Fenix Resource Providers act as Data Processors [6]. |
| ICEI PMO | Project Management Office of the ICEI project, which provides the initial realisation of the Fenix Infrastructure. |
[1] See the definition of Fenix User in Table 2 and footnote 5 on the Data Controller designation.
[2] Pseudo-users may be introduced so that platform services can access, e.g., infrastructure services; they do not correspond to a single accountable natural person and therefore must not own pseudonymised data objects.
[3] The bar for anonymisation is set very high under EU data protection law. To determine whether a person is identifiable, "all the means reasonably likely to be used, such as singling out, either by the controller or by another person, to identify the natural person directly or indirectly" must be considered (GDPR Recital 26).
[4] See GDPR Recital 26. For further explanation of the challenges of creating truly anonymous data from a data protection perspective, see the Data Policy Manual, Section 4.
[5] The primary requirement for the controller designation is that the natural or legal person determines "the purposes and means" of the data processing. In this case that will be the institutions/universities/hospitals that collect and process the personal data, rather than those who access the platform, download data or use the platform. For further explanation of the data processor/data controller distinction in the HBP, see the Data Policy Manual, Section 3.5.
[6] Fenix acts here as a cloud service provider and/or IT-hosting provider, since it only provides storage and compute infrastructure services; such providers are generally considered to be Data Processors. Note, however, that platform operators will generally be considered controllers or joint controllers, depending on their actions and data processing operations.