Data Protection Notice for Patients and Study Participants

Integrated BioBank of Luxembourg (IBBL), 1 rue Louis Rech L-3555 Dudelange, Luxembourg (‘we’) is an autonomous institute within the Luxembourg Institute of Health (LIH), 1A-B rue Thomas Edison L-1445 Strassen, Luxembourg, a public health research institute. We aim to generate knowledge on disease mechanisms and contribute to the development of new diagnostics, preventive strategies, innovative therapies and clinical applications that impact the healthcare of individuals.

We are committed to compliance with laws and regulations that govern the conduct of health research. This includes the General Data Protection Regulation EU 2016/679 (the ‘GDPR’) and any other applicable EU or local legislation or regulation implementing GDPR (notably the Luxembourg law of 1 August 2018 on the organisation of the National Commission for Data Protection and the implementation of the GDPR), as well as their successor texts (together ‘Data protection legislation’).

As a public research institute under the law of 3 December 2014 on the organisation of public research centres, we conduct research in the public interest and make sure our research serves the interests of society as a whole. Some of our research may be conducted in collaboration with commercial organisations and funders. In any case, our research follows Luxembourg laws and regulations applicable to research.

This Data Protection Notice is directed to patients and participants in our scientific research, studies or projects (‘you’). It provides you with detailed information relating to the protection of your personal data by us.

Further information may be provided when necessary when you are in contact with us for a specific research activity.

1. WHO IS THE CONTROLLER OF YOUR PERSONAL DATA?

Integrated BioBank of Luxembourg (IBBL), 1 rue Louis Rech L-3555 Dudelange, Luxembourg is responsible as a data controller, for collecting and processing your personal data in relation to your participation in our scientific research, studies or projects. The purpose of this Data Protection Notice is to inform you on which personal data we collect, the reasons why we use and share such data, how long we keep it, what rights you have and how you can exercise them.

2. WHAT PERSONAL DATA DO WE PROCESS?

We collect and use your personal data to the extent necessary to achieve the research objectives of our projects you are participating in.

We may notably collect the following types of personal data in relation to specific research projects:

  • identification data (first name, surname, reference code or pseudonym);
  • contact details;
  • personal characteristics (age, sex, weight, height…);
  • personal life (life and consumption habits, family status);
  • education and professional life;
  • data concerning health (physical or mental health, pathology, family history, healthcare, risk behaviour, death cause, etc);
  • genetic data;
  • data revealing your racial or ethnic origin, or sex life or sexual orientation.

We collect information about you (i) directly from you, or (ii) indirectly from your medical records or from databases (e.g. data concerning healthcare provided to you and held by social security authorities) and/or biological samples collections constituted in accordance with applicable laws.

Where we need to collect other categories of data about you in a specific research, study or project, we will inform you of this by appropriate means.

3. WHAT ARE THE PURPOSES OF AND THE LEGAL BASES FOR OUR PROCESSING?

We collect and use your personal data for the following purposes:

  • the provisions of research-support services to support our research units, academia, other research institutes and international pharmaceutical industry players, providing them with biological material and associated data collection, storage and high quality methodological services;
  • to improve our internal processes and achieve maximum efficiency in our internal organisation,
  • to manage disputes, complaints and litigation in which we are involved,
  • to defend ourselves in any legal or court proceedings arising in relation to our activities,
  • for security and protection of our organization, IT networks and information.

Data protection legislation requires from us to have a valid legal reason (‘legal basis’) to process and use personal data about you. In the context of research, we collect your personal data on the following legal bases:

  • to comply with our legal and regulatory obligations related to public health (article 6.1c GDPR), or
  • for the performance of a task carried out in the public interest (article 6.1e GDPR), or
  • for our legitimate interests (article 6.1f GDPR), or
  • with your consent (article 6.1a GDPR) when legally required or permitted.

Where we also collect and use sensitive personal data (health, genetic …) we only do so where:

  • ‘the processing is necessary for reasons of public interest in the area of public health’ (article 9.2i GDPR), or
  • ‘the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’ (article 9.2j GDPR), or
  • we have obtained your explicit consent (article 9.2a GDPR) when legally required or permitted.

Where we need to rely on a different legal basis, we will inform you of this by appropriate means.

4. WHO DO WE SHARE YOUR PERSONAL DATA WITH?

Depending on the nature and scope of our research activities, your personal data may be shared with the following recipients:

  • our scientific team in charge of a specific research, study or project,
  • professionals intervening in a specific research, study or project,
  • professionals in charge of data collection, quality controls, processing and statistical analysis of your personal data under our responsibility,
  • other researchers or research organisations for the purpose of research.

We may access or share your data in a way that we can identify you as a research, study or project participant. However, your personal data is always coded or pseudonymised, especially before sharing with researchers and before publishing the research outcomes.

When we are working with other organisations and information is shared with them, more detailed information will be given to you in a specific information notice (“Subject Information Sheet”) before your inclusion in a study/project.

We may communicate your personal data to:

  • third-party service providers/vendors that perform services on our behalf to support our research, study or project,
  • law enforcement or other government and regulatory bodies or agencies, upon request and to the extent permitted by law
  • certain regulated professionals such as lawyers or auditors.
  • researchers from private or public research institutions.

We require all third parties to respect the security of your personal data and to process it in accordance with applicable laws and regulations.

5. WHERE DO WE TRANSFER YOUR PERSONAL DATA?

Our activities may involve transfers of your personal data to countries outside of the European Union/European Economic Area (EU/EEA). In this case, the transfer of your personal data may occur where the European Commission has decided that the country outside the EU/EEA ensures an adequate level of data protection.

For transfers to countries outside the EU/EEA for which the level of protection has not been recognised as adequate by the European Commission, we will either implement appropriate safeguards provided for by data protection legislation (e.g. the entry into standard data protection clauses) or rely on a derogation applicable to specific situations (such as your explicit consent).

You can obtain more information regarding relevant safeguards we rely on by contacting us at dpo@lih.lu.

6. SECURITY OF YOUR PERSONAL DATA.

The processing of your personal data is carried out through IT, electronic and manual tools, with logics strictly related to the aforementioned purposes and, in any event, in compliance with the appropriate technical and organisational measures required by law to ensure a level of security that is adequate to the risk, in order to avoid unauthorised loss or access to your data.

In order to protect your rights and the confidentiality of your personal data, and especially when processing sensitive data (e.g. health, genetic…) for scientific research purposes, we must have suitable and specific safeguards in place to help protect your personal data. Our researchers are notably asked to implement anonymization or pseudonymisation (e.g. remove identifiers such as your name and replace this with a unique code or key) wherever feasible and at the earliest opportunity.

7. HOW LONG DO WE KEEP YOUR PERSONAL DATA?

We will retain your personal data as long as necessary to fulfil the purposes we collected it for and for the time necessary for compliance with our legal obligations. The time periods for which we retain your personal data depends on the type of data and the purposes for which we use it. Please note that personal data may be stored for longer periods insofar as the personal data will  be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (subject to regular reviews by competent authorities). If this is the case, we will take appropriate technical and organizational measures to protect your personal data.

In accordance with the data minimisation principle, we ask our researchers to anonymise, pseudonymise or delete personal data collected as part of their research at the earliest opportunity.

We will inform you by appropriate means (e.g. participant information sheet) with regards to how long your personal data will be kept for in specific research projects.

8. WHAT ARE YOUR RIGHTS REGARDING YOUR PERSONAL DATA?

In accordance with data protection legislation, you may exercise at any time individual rights in relation to your personal data:

  • right to access, which enables you to obtain from us confirmation of whether personal data is being processed or not and, if so, obtain access to such data; we process a large quantity of information, and can thus request, in accordance with GDPR, that before the information is provided, you specify the information or processing activities to which your request relates;
  • right to rectification, which enables you to obtain from us the correction and/or integration of any of your personal data that are incorrect and/or incomplete; and

in certain limited cases (in which case we will analyse whether the conditions for the exercise of such rights are fulfilled, in line with GDPR);

  • right to erasure, which enables you, in specific cases provided for by art. 17 GDPR, to obtain from us the erasure of your personal data;
  • right to restriction of processing, which enables you, in the specific cases provided for by art. 18 of the GDPR, to restrict the processing of your personal data by us;
  • right to object, which enables you to object to the processing of your personal data when certain conditions are met;
  • right to data portability, which enables you, in certain cases and with regard only to the data you have provided to us, to request receipt of your personal data in a structured and commonly machine-readable format.

Please note that the extent to which these rights apply to research will vary and that in some circumstances rights may be restricted. It should also be noted that we can only implement your rights during the period upon which we hold personal data about you. Once the data we hold about you has been irreversibly anonymised and becomes part of a research data set it will not be possible to access your personal data.

If you have provided your consent to the processing of your personal data, you can withdraw such consent at any time and this will not adversely affect your medical care.

To exercise any of these rights, you may contact our Data Protection Officer by email dpo@lih.lu  or by postal mail:

Luxembourg Institute of Health (LIH)
Data Protection Officer
1A-B rue Thomas Edison
L-1445 Strassen

You have the right to lodge a formal complaint with the Commission nationale pour la protection des données (CNPD). Full details may be accessed on the complaints section of CNPD’s website (https://cnpd.public.lu).

9.CHANGES TO THIS DATA PROTECTION NOTICE

Changes may occur in the way we process your personal data. In case these changes oblige us to update this Data Protection Notice, we will clearly communicate it to you, either via our website or via other appropriate means. The latest applicable version of this Data Protection Notice will always be available on our website.

10.GLOSSARY

Anonymisation means the irreversible process of rendering personal data anonymous in such a manner that the data subject is not or is no longer identifiable;

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

Data protection legislation means the General Data Protection Regulation EU 2016/679 (the ‘GDPR’) and any other applicable EU or local legislation or regulation implementing GDPR (notably the Luxembourg law of 1 August 2018 on the organisation of the National Commission for Data Protection and the implementation of the GDPR), as well as their successor texts;

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (as defined by GDPR);

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

Sensitive personal data or special categories of data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation;

Third party means natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;