Patient Personal Data Protection Statement
The European Society for Blood and Marrow Transplantation (EBMT) maintains an international medical database known as the EBMT Registry. The Registry goes back to the beginning of the 1970s and contains clinical data including aspects of the diagnosis, first-line treatments, haematopoietic stem cell transplant (HSCT) or cell therapy associated procedures, complications and outcome.
This document details what personal data EBMT collects, how it is collected and stored and the purposes for which it is used. There is also information on how to contact the registry and the rights of individual data subjects. It was generated in response to new legislation, the General Data Protection Regulation (Regulation (EU) 2016/679, hereafter “GDPR”).
A registry is considered a separate type of data collection by privacy authorities. The importance of “coupling information from registries” in order to obtain “new knowledge of great value” is explicitly recognized (consideration 157 GDPR). The GDPR applies to usage of personal data for research and calls for interpreting the research purpose in a broad manner, including, for instance, applied research (consideration 159 GDPR).
Why is Patient Data collected?
The EBMT Registry collects data for research and development of new and improved transplant, cell therapy and immunosuppression procedures, and to improve the quality of these procedures through the accreditation of treatment units.
How is personal data obtained?
The EBMT works in partnership with local healthcare providers to collect data on patients undergoing bone marrow or stem cell transplantation, cell therapies, and immunosuppressive treatments for any disease.
Following the GDPR, and to ensure the maximum accordance with the law of all EU/EEA nations, personal data of patients residing in EU member countries shall only be used for research through EBMT when appropriate informed consent is ensured. This has been common practice for many years already.
The informed consent is collected by the individual centres or donor registries submitting data to the EBMT to make certain that the respective national laws are followed. EBMT makes patient consent a prerequisite for submitting the data and provides all necessary information about usages of the data, to ensure appropriate consent is obtained in all cases.
What personal data is sent to the EBMT Registry?
Data collected to identify a person is limited to the hospital UPN (Unique Patient Number), patient initials, date of birth, and gender. These items are the minimal personal data necessary to ensure that medical data collected at different times is accurately stored in the same record. They are not used to identify the individual and are stored separately for enhanced security.
This process of separate storage is known as pseudonymisation[i] and is defined in the GDPR. Each patient’s report is given a unique and non-informative database number (Unique Identity Code), which is the one used for research purposes. A minimum amount of patient personal data is necessary for this type of registry, contributing to the accuracy of the data, and therefore contributing to improvements in care and outcome.
How is personal data processed?
The EBMT ensures that all personal data under its responsibility is processed according to the GDPR:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject;
- Collected for legitimate scientific research purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are collected and/or further processed;
- Accurate and up to date;
- Kept for an unlimited period in a form which permits identification of data subjects for no other purpose than historical, statistical or scientific research purposes;
- Processed in a manner that ensures appropriate security of the personal data through technical and organisational measures.
Where is the Personal Data Stored?
The data is stored in an electronic database located in a European country. Only European countries that follow the GDPR, regardless of whether they are members of the European Union or not, can host the data. The database is protected by safeguards that ensure security, including compliance with NEN7510/ISO27001 certification. The data will only be accessible by the EBMT employees for the performance of their job following a stringent access control policy.
Personal Data Transfers
The EBMT works with many researchers on international collaborations across scientific or clinical institutions and so, under previously gathered consent, patients' pseudonymised personal data may be sent to countries outside the EEA that are provided with the same level of protection for privacy, such as countries that adhere to the EU-US and Swiss-US Privacy Shield Frameworks.
Medical data sent outside this area in the context of EBMT research projects will be identified by the non-informative database number, and items such as date of birth, initials or the hospital UPN will not be exported.
EBMT will not sell, distribute or lease personal data to third parties unless the data subject has provided EBMT with his or her consent or it is allowed by law.
What are the Rights of the Data Subjects?
The Data Subject has the right to the following information about his or her personal data being processed:
- Confirmation as to whether data related to him or her are being processed;
- Information about the purposes of the processing operations, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed;
- Communication of the data undergoing processing.
The Data Subject shall have the rights listed below:
- Access to information on his or her processed personal data;
- Rectification of any inaccurate or incomplete personal data;
- Withdrawal of consent, after which the personal data will no longer be made available for future research;
- Request that his or her personal data be completely erased from the EBMT Registry database and from databases to which the data has been exported;
- Any other right granted to the Data Subject with regard to his or her personal data, under his or her respective local legislation.
If as a Data Subject you wish to exercise any of the rights listed above, please send an email to Data.Protection@ebmt.org or use the postal address below.
The Data Protection Officer
Edifici Dr. Frederic Duran i Jordà
Passeig Taulat, 116
08005 Barcelona (Spain)
The Data Subject also has the right to lodge a complaint with a supervisory authority.
Comments or questions
If you have any comments or questions about this patient personal data protection statement, please send them to Data.Protection@ebmt.org
[i] Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Article 4 sub (5) GDPR.