Top Back to top

Data Protection & Privacy

The EBMT Registry collects data for research and development of new and improved transplant, cell therapy and immunosuppression procedures, and to improve the quality of these procedures through the accreditation of treatment units.

EBMT is strongly committed to protecting the privacy of personal data that we maintain about patients, donors, members and employees. The EBMT ensures that all personal data under its responsibility is processed according to the EU General Data Protection Regulation (GDPR).
The data is stored in an electronic database located in a European country which is protected by safeguards that ensure security, including compliance with ISO27001 certification. The data will only be accessible by EBMT employees and appropriately authorised non-EBMT parties such as National Registries, following a stringent access control policy.

Patient Privacy Statement

This webpage details what personal data EBMT collects from patients, how it is collected and stored and the purposes for which it is used.  There is also information on how to contact the registry and the rights of individual data subjects. It was generated in response to new legislation, the General Data Protection Regulation (Regulation (EU) 2016/679, hereafter “GDPR”).

Privacy Policy

This webpage details what personal data EBMT collects from members, how it is collected and stored and the purposes for which it is used.  There is also information on how to contact the Registry and the rights of individual data subjects. It was generated in response to new legislation, the General Data Protection Regulation (Regulation (EU) 2016/679, hereafter “GDPR”).

Data Use and Processing Policy

This Policy regulates the management of Personal Data relating to patients reported to the EBMT Registry and provides rules and procedures which apply to all departments and individuals within the EBMT, aimed at ensuring that Patient Personal Data is processed and protected properly in all countries and regions and in accordance with the European General Data Protection Regulation (GDPR).

Joint Controllership Agreement with Centers with full EBMT Membership

EBMT is strongly committed to protecting the privacy of personal data that we obtain from patients, members and employees. In this context, EBMT has developed a Joint Controllership agreement with Centers with full EBMT membership which describes the responsibilities concerning data protection of the data reported to EBMT.

At the same time, the agreement includes all the requirements established by the General Data Protection Regulation (EU 2016/679) (GDPR) concerning data processing and controllership obligations for EBMT members and EBMT. This document has been produced by the EBMT GDPR working group, revised and endorsed by the EBMT legal advisors for compliance with GDPR, and finally approved by the EBMT Executive Committee.

It is of great importance that EBMT members who report data to the EBMT Registry sign this document and return it to the EBMT. 

If you have any comments or questions about how EBMT processes personal data, please send them to data.protection@ebmt.org

Joint Controllership Agreement for Data reporting to SFGM-TC and EBMT

EBMT encourages the use of this Joint Controllership Agreement for centres that wish to report to EBMT and SFGM-TC. It is of great importance that an institutional representative of the EBMT/SFGMTC centre member, which reports data to the EBMT and SFGM-TC Registries, signs this document and returns it to data.protection@ebmt.org

This document has been adapted to French speaking SFGM-TC centres located outside of France: Belgium, Switzerland, Lebanon and Algeria.

Data Confidentiality

The confidentiality of the patient data stored in the Registry is of paramount importance to the EBMT and procedures are in place to ensure the data is transferred and stored with the highest possible level of security.

In addition to the above, the transfer or storage of confidential patient data must abide by the General Data Protection Regulation (Regulation (EU) 2016/679, hereafter “GDPR”). As the EBMT is registered as a Dutch foundation, Dutch law applies to the EBMT, and we abide by the implementation of the European Union (EU) GDPR regulating how personal data is to be handled, through the Dutch application of this law.

The law regulating transfer of data within the EU does not cover countries outside EU/EEA (European Economic Area), and the EBMT must ensure that centres lying outside this zone agree to conform to the EU law as stated above. 

The law requires that the patient consents to the data being transferred to the EBMT. In addition, if the centre intends to forward data, either directly or through the EBMT, to countries located outside the EU/EEA, they must ensure this is explicitly stated in the patient consent form. Please see examples of consent forms in the link below. It is the centre’s responsibility to ensure that the patient has consented before data is forwarded to the EBMT.

EBMT Registry Conditions of Use