Implementation of the new General Data Protection Regulation (GDPR)
On May 25, 2018, the new General Data Protection Regulation (GDPR), which uniformly regulates Data Protection in the EU member states, was implemented. This increased the requirements for processing your personal data. As part of your participation in CoBi, you should have already been informed about the Data Protection aspects. The handling of your data described in the Participant Information and Declaration of Consent will continue to apply.
Below you will find a brief overview of the rights laid down in the GDPR (Article 12 et seq. GDPR):
The legal basis for processing your personal data in the CoBi is your voluntary written Informed Consent in accordance with the GDPR as well as the Declaration of Helsinki (Declaration of the World Medical Association on Ethical Principles for Medical Research on Human Beings) and the Guideline for Good Clinical Practice. At the same time as the GDPR, the revised Federal Data Protection Act and the new Data Protection Regulations of the German Federal States have come into force in Germany.
You have the following rights regarding your data (Article 13 ff. GDPR, §§ 32 ff. Federal Data Protection Act):
- The processing of your personal data is only lawful with your consent. You have the right to revoke your consent to the processing of personal data at any time. However, the data collected up to this point may be processed by the bodies named in the Participant Information and Declaration of Consent.
You have the right to obtain information regarding the personal data about you which is collected, processed or, if necessary, passed on to Third Parties within the framework of the CoBi (the provision of a copy free of charge).
You have the right to have incorrect personal data relating to you corrected.
- You have the right to have your personal data deleted, e.g. if this data is no longer necessary for the purpose for which it was collected and there are no legal retention periods to prevent its deletion.
You have the right to receive the personal data about you that you have provided to CoBi. You may request that this data be provided either directly to you or, as far as technically possible, to another body designated by you.
For further information and relevant contacts, please contact your treatment centre or email to firstname.lastname@example.org directly.
Privacy and Ethics
CoBi has been established in accordance with national and international legal requirements for research with human specimens and data, including Federal and State Data Protection laws and the Helsinki Declaration in its current version.
Furthermore, recommendations for the establishment of a long-term biobank were considered and incorporated into the implementation. Guidelines of the Working Group of Medical Ethics Commissions in the Federal Republic of Germany e.V. were implemented.
The TMF e.V. (Telematics Platform for Medical Research Networks) publication series was also consulted and implemented to establish the processes. The TMF e.V. is the umbrella organization for collaborative medical research in Germany. It forms a platform for interdisciplinary exchange and cooperation across projects and locations in order to jointly identify and solve the organisational, legal-ethical and technological problems of modern medical research.
Within the CoBi, all technical work and laboratory processes are carried out according to required quality standards delivered by defined processes (called Standard Operating Procedures). These Standard Operating Procedures are regularly checked and, if necessary, updated so that a high level of quality can be assured.
Data Protection Concept
In order to ensure an appropriate Data Protection standard for CoBi in accordance with the Data Protection Regulations of the Federal Government and the states, all technical and organisational measures taken have been laid down in a Data Protection Concept. The Data Protection Concept was provided by the DKMS as operator of the CoBi and has been evaluated by the TMF e.V. with a positive vote. Thus the Data Protection Concept is aligned with the Data Security Manual of the TMF e.V., which was coordinated with the data security representatives of the Federation and the countries.
All cooperating and contractual partners of CoBi are obliged to maintain secrecy and to comply with the Data Protection Concept or must ensure the IT security measures taken by them in their own Data Protection Concept.
The Data Protection Concept of CoBi describes not only the separate storage of the data records (personal identifying data, medical data and data concerning sample analysis) but also the measures taken to protect the data against virtual or physical intrusion (password control, backup copies, alarm system, etc.). Since the personal identifying data is managed in a separate database by the Trusted Third Party, access to this participant data is only possible for the treatment centre. The CoBi database contains exclusively encrypted, so-called pseudonymised data concerning the medical treatment of the participant and their sample analysis. These encrypted data records can be accessed by authorized employees of the treatment centre and by persons authorized by the DKMS for control purposes.
Data protection for sample storage
The sample-data is only sent to the sample manager in encrypted form, using a numeric and/or letter code, and the sample is prepared for storage there for 25 years. The sample manager does not receive any information about the person who donated the blood sample.
Transfer of samples and data for research projects
If samples and/or medical data are requested for a scientific research project, double-pseudonymised publication will be conducted. This means that the samples and/or associated data are re-encrypted prior to publication. This double encryption for each individual research project largely excludes identification of a single person by unknown persons. The samples and data may only be used for the research purpose applied for, as long as this is in accordance with the Usage Framework laid down for CoBi and usage may not possible for other purposes. These research projects can take place in cooperation or under the sole management of another institution, in another country or in a private company. Direct commercial use of the samples and data provided is contractually excluded.
A list of research projects that have already been supported by CoBi with samples and/or data can be found here.