A ruling on the processing of personal data related to Danish research projects
The Icelandic DPA has issued a ruling in a case regarding a complaint about the processing of personal data related to Danish research projects by the genetic research company deCODE Genetics. The processing has taken place with reference to data processing agreements which the Danish Capital Area has made with the company, and the complainant considered that the company had exceeded its role as a processor and thus itself become a controller of unlawful processing. The DPA did not consider the case file to support this and the conclusion was therefore that the processing had been in accordance with the law.
Ruling
On 8 September 2022, the Data Protection Authority issued a ruling in case no. 2020123091:
I.
Procedure
1.
Outline of the case
On 12 December 2020, the Data Protection Authority received a complaint from the Danish organisation Patientdataforeningen on behalf of […] (hereafter “the complainant”) regarding the processing of personal data by deCODE Genetics. The complaint states that on 3 November 2020, the complainant received a letter from the Biobank of the Capital Region of Denmark, Region Hovedstadens Biobank, according to which her tissue samples had been sent to the private company deCODE Genetics in Iceland where extensive genetic data would be extracted and then stored with the company. In this regard, it is stated on the Capital Region of Denmark's website, that the Capital Region of Denmark is the controller and deCODE Genetics the processor for the project, that the project is subject to the Capital Region of Denmark's general assessment of data protection, and furthermore, that the Capital Region of Denmark has decided to conduct a special assessment concerning the collaboration with deCODE Genetics. Relating to this, the following four grievances are specified:
1. Data in Iceland are processed without authorisation, as the separation of duties between deCODE Genetics and the Biobank of the Capital Region of Denmark is in fact such that deCODE Genetics is the controller for genetic data in Iceland and that a processing contract can therefore not be considered to entail an authorisation.
2. The project data do not come under the general data protection impact assessment of the Capital Region of Denmark, and before the data processing was implemented, such an assessment should have been formulated for the project specifically. In addition, it is unclear whether deCODE Genetics has prepared such an assessment for the project.
3. Genetic data are processed without the permission of the National Bioethics Committee in Iceland.
4. Genetic data are processed without the authorisation of the Icelandic Data Protection Authority, and it has therefore not had the opportunity to comment on the processing to the relevant science ethics committee.
2.
Further details on the complaint
In connection with the above, the complaint addresses the division of responsibilities according to the General Data Protection Regulation, (EU) 2016/679, in individual areas of processing of personal data in which more than one party is involved. It is asserted that the definition of who is the controller depends on the roles of the parties. A decision must be made as to who controls the data, as it is the party that decides the purpose of the processing of personal data and the methods used that is the controller. Individual parties to a research collaboration have different responsibilities regarding data protection, depending on their role. In other words, the controller is the party who has direct responsibility for the processing of personal data and who in day-to-day operations has the right to utilise the data that becomes part of the processing.
It is also stated that, considering the nature of research, collaborative projects are a creative process that develops over time. This can especially be the case in long-term collaborative research projects. It does, of course, present a challenge within the collaborative effort in terms of compliance with laws and regulations in the field of data protection legislation. However, this should not be considered as exonerating circumstances when the necessary initiative is not taken to build collaboration on as just a basis as possible. Furthermore, legal, and ethical obstacles to a collaboration should never lead to the mixing of projects so that they can be approved without reflecting the actual structure of the collaboration and the separation of duties.
In addition, it is stated that it follows from many research collaborations, in complete accordance with the Vancouver Convention on best practice in research, that the party, who was responsible for a project and dictated analyses, has the right to be identified as the first author of a research article, as well as in many instances, the right to be identified as the last author. For clarification, it is explained that by responsibility of a project is meant the determination of purpose and that by dictation of analysis is meant the determination of methods. Furthermore, it is stated that the aforementioned should be considered in the separation of duties.
The complaint also discusses rules on the responsibility of the controller according to Regulation (EU) 2016/679 to assess the risk of the processing of personal data and to assess the impact on data protection. In addition, it is pointed out that a breach of the Regulation can result in administrative fines.
3.
Explanation from deCODE Genetics
By letter, dated 18 March 2021, deCODE Genetics was given an opportunity to comment on the complaint. Response was received by letter, dated 7 May 2021. Regarding statements in the complaint on long-term collaborative research projects, where the collaborative arrangements and separation of duties are not adequately reflected, a case concerning a tip to the Data Protection Authority from Patientdataforeningen on 6 July 2020 (Authority case no. 2020072030) is invoked. The tip referred to a legal opinion from 19 June 2020 prepared by the law firm Kammeradvokaten for the Ministry of Social Affairs and Senior Citizens in Denmark (D: Sundheds- og Ældreministeriet), according to which it was likely that deCODE Genetics was the controller for a specific research study of Danish biological samples even though the company was registered as a processor. The Data Protection Authority sent a letter to deCODE Genetics on the occasion, dated 3 December 2020, requesting explanation of the above. Subsequently, a letter was received from deCODE Genetics, dated 17 December 2020, and in its letter, dated 7 May 2021, the company iterates the answers given there.
More specifically, deCODE Genetics refers to its earlier answers, according to which the opinion presented the results of an audit of the processing of personal data and biological samples by its contracting party in Denmark, Statens Serum Institut (SSI), in particular the transfer of such data to Stanford University in the United States, appearing to have occasioned the audit. It is specified that there was discussion of collaboration between SSI and several parties within the EEA, including deCODE Genetics, and that the possibility was considered whether deCODE Genetics should possibly be regarded as a co-controller in the research project “Genetic study of diverticular disease”, although nothing was firmly established and relevant reservations were made. Furthermore, it is cited from the opinion that the controller, SSI, considered deCODE Genetics to have the status of a processor only, as provided in the processing contract between deCODE Genetics and SSI. It is stated that the complainant therefore makes too broad a deduction from the opinion and, in addition, makes unwarranted defamatory claims about deCODE Genetics' collaboration with the controller.
In addition, reference is made to discussion in the complaint about the right of the controller for research to be identified as the first or last author. It is stated that the complainant's assertion in this regard is not substantiated in EEA case law or data protection guidelines and that this is therefore merely the complainant's opinion and not a valid argument.
Furthermore, it is requested that the complaint be dismissed as the subject should be directed to the Danish Data Protection Agency, Datatilsynet. In support of this, it is pointed out that the data subjects are wholly or for the most part in Denmark and that the controller for the processing in question is Danish. The competent authorities are therefore the Danish Data Protection Agency, as well as the Danish National Committee on Health Research Ethics, National Videnskabsetisk Komité, for the research projects in question.
It is also stated, in connection with the plea of inadmissibility, that a case similar to the complaint is being investigated by the Danish Data Protection Agency and has also been addressed previously by the Danish National Committee on Health Scientific Ethics. The Agency has sent the controller for the project specified in the complaint, i.e. the Biobank of the Capital Region of Denmark, a request for details of the collaboration with deCODE Genetics and the processing of personal data on account of this. Following a response from the Biobank, the Committee has stated its position that data protection was satisfactory and that the necessary contracts were in place, but that it was up to the Danish Data Protection Agency to decide whether certain provisions of the legislation were complied with. On 12 March 2021, the Biobank received a letter from that Agency regarding an information letter in November 2020 to those who had undergone blood sampling for treatment at one of the hospitals in the Capital Region of Denmark. This is the same information letter that accompanied the complaint, and the Biobank responded to that letter on 8 April 2021. The SSI also recently informed deCODE Genetics that the Danish Data Protection Agency is examining a research project under its auspices. No criticism has been directed at deCODE Genetics' role as a processor on behalf of SSI.
As part of the plea for dismissal, it is also stated that the Danish Data Protection Agency should be the lead supervisory authority in this case, within the meaning of Regulation (EU) 2016/679, Article 4(23)(b) and with reference to guidelines at the pan-European level in the run-up to the entry into force of the Regulation, i.e. Chapter 2.3 in Guidelines for identifying a controller or processor's lead supervisory authority, dated 13 December 2016 (revised 5 April 2017), from the Working Party according to Article 29 of Directive 95/46/EC. In addition, it is stated that according to the Regulation, it is prohibited to bring cases to more than one data protection authority (forum shopping) and in this regard, reference is made to Chapter 2.2 in the Guidelines in question. Since a representative of Patientdataforeningen has in the Danish media been wary of research conducted by the controller, it is appropriate to investigate whether the case, which was dealt with by the Danish National Committee on Health Research Ethics in 2020, was due to a complaint from the organisation or the organisation's client. It is also stated that it is likely that the organisation's complaint to the Icelandic Data Protection Authority was sent to the Authority as the authority in the country where the alleged breach took place, cf. Regulation (EU) 2016/679, Article 77(1), at the same time as a complaint on behalf of the organisation was submitted in Denmark on the basis that the complainant is a permanent resident there. It is stated in this connection that the provisions of the Regulation, according to which it is sufficient to lodge a complaint in one place (one stop shop), were not intended to enable the initiation of the same case with more than one organisation, thus pitting them against one another, but to simplify the procedure, especially for communication between the controller and the data protection authorities and to promote co-ordination of the implementation of the Regulation within the EEA. Proceedings such as these must therefore be stopped without delay, as they are not in accordance with the nature of the Regulation.
Next, deCODE Genetics comments on the four grievances specified in the complaint, cf. section 1 above. Regarding deCODE Genetics working with data as a controller without authorisation, it is stated that the company is a processor as defined in the processing contract between the company and the Bloodbank of the Capital Region of Denmark. A research project, in which the company participates in accordance with the contract, has been approved by the Danish National Committee on Health Research Ethics and deCODE Genetics has no knowledge of who the data subjects are.
In connection with the processing at deCODE Genetics going beyond the general assessment of data protection in the Capital Region of Denmark, it is stated that it is the controller's to assess whether such an assessment needs to be made and to answer all questions in that regard. The controller has informed deCODE Genetics that he has responded to such a question from a representative of Patientdataforeningen and that according to the response, it has been decided to make an assessment based on processing contracts for individual research projects. In addition, deCODE Genetics, in accordance with Article 28(3)(h) of Regulation (EU) 2016/679 and at the request of the controller, has assessed the impact of the processing of foreign biological samples on data protection and has sent the information to the Copenhagen Bloodbank, which forms part of the Bloodbank of the Capital Region of Denmark.
Regarding data being processed without the permission of the National Bioethics Committee in Iceland, it is stated that this is a research project in accordance with Danish law, approved by the Danish National Committee on Health Research Ethics, and that the Icelandic Committee has no jurisdiction here, cf. Article 2(1) of Act no. 44/2014 on Scientific Research in the Health Sector, as the controller is Danish and the research population entirely Danish.
Regarding genetic data being processed without the permission of the Icelandic Data Protection Authority, so that the Authority has not had the opportunity to comment on the processing to the relevant National Bioethics Committee, it is stated as an international research principle that a permit is obtained in the country where the study cohort and the controller for the research study are located. This applies even if a limited part of the processing takes place in a third country. This principle applies to EU grants for research and innovation, cf. Article 34.2 of Directive (EU) 1290/2013, and that legislation does not provide for the ethics committees of many countries dealing with scientific research carried out in one country and with a study cohort from the same country. Furthermore, it is stated that the Icelandic Data Protection Authority and the Icelandic National Bioethics Committee do not have jurisdiction in the research projects in question and that the jurisdiction lies instead with the National Videnskabsetisk Komité and Datatilsynet in Denmark.
Following this, deCODE Genetics responds to questions on certain issues raised in the Data Protection Authority's letter to the company, dated 18 March 2021. What is stated in the responses is for the most part identical to the comments in connection with the complaint in the case. Considering this, it is not necessary to detail each question of the Data Protection Authority and deCODE Genetics' responses to it. However, in addition to what has been stated above, it should be noted that according to the responses, biological samples from the complainant have been used for the benefit of three research projects (according to later explanations, they were one fewer, as it had been found that the complainant was not among the participants in one of these projects, cf. section 5 below). It is stated in that regard that there is a processing contract for each of them, which the Bloodbank of the Capital Region of Denmark has made with deCODE Genetics, and copies of the processing contracts in question were attached to deCODE Genetics' explanations. Furthermore, reference is made to a collaboration contract, dated 1 August 2017, and a provision in an annex to that contract, to the effect that the Danish collaborating partners have received the necessary permits from the Danish Data Protection Agency and are awaiting permission from the Danish National Committee on Health Research Ethics, being responsible as well for obtaining the necessary permits that may later be required. It is also stated that deCODE Genetics has received confirmation that such permits have been obtained but does not have authorisation to make them public. The Data Protection Authority is encouraged to contact the authorities concerned to gain access to these or to advise the data subject to do so.
4.
Comments from Patientdataforeningen
By letter, dated 18 June 2021, the Data Protection Authority gave Patientdataforeningen the opportunity to comment on the above explanations from deCODE Genetics. Response was received by letter, dated 6 July 2021. It states that deCODE Genetics' comments are of concern to the organisation. The company works with some of the most sensitive data imaginable and does not seem to be very interested in securing the interests of the data subjects. When a processor processes the genetic data of more than 400,000 patients, and the processing is based on new information technology, including artificial intelligence, this is processing which entails a high risk to the rights of the data subject.
However, in deCODE Genetics' explanations, the emphasis is not on the rights of the data subject. Instead, the focus is on defending the company against criticism. It is Patientdataforeningenʼs assessment that this is glaringly obvious and misguided. In addition, Patientdataforeningenʼs concerns seem to offend deCODE Genetics. Instead, the company should be grateful that light is shed on shortcomings and ambiguities so that the rights of the data subject can be guaranteed. This should be in everyone's interest. However, deCODE Genetics' explanations do not seem to reflect the slightest gratitude for being able to use the very sensitive genetic data of the individuals in question for the benefit of their own research goals and with their own research resources.
An assessment of the impact on data protection must be available when it is likely that a certain type of processing can entail a high risk to the rights and freedoms of data subjects, including the protection of personal data. The risk assessment should therefore relate to the risk for the data subject and not the risk of the party processing the data. To ensure the rights of the data subject, it is crucial that in projects such as this, an impact assessment on data protection is carried out before processing begins. This is done, inter alia, to define exactly who is the processor and who is the controller.
If any party, controller, or processor, is alerted to the fact that he has failed to assess the impact on data protection, all access to data should be terminated without delay, as well as all research projects. DeCODE Genetics cannot close its eyes to the lack of assessment of the impact on data protection, regardless of whether the company is a controller, in accordance with the position of Patientdataforeningen, or a processor working in line with instructions from the controller. If such an assessment has been carried out, contrary to what the organisation assumes, deCODE Genetics should easily be able to submit this to the Icelandic authorities.
It is true that in addition to the Icelandic Data Protection Authority, Patientdataforeningen has sent a letter to the Danish authorities. However, Datatilsynet decided not to initiate a case based on the organisation's letter. Considering, inter alia, that deCODE Genetics is in fact the controller for genetic data in Iceland, it is also the organisation's position that only the Icelandic data protection authorities should be contacted here. As a result, Patientdataforeningen has informed Datatilsynet in Denmark that their deliberation of the organisation's letter is no longer requested. It is the organisation's position that Icelandic data protection authorities should be involved in a case where complainant's extensive genetic data, as well as the data of 400,000 other Danes, is being processed in Iceland without statutory assessment of the impact on data protection and apparently on the basis of a processing contract that does not accurately reflect the reality of the arrangements. It may mean that this is one of the most extensive international scandals in relation to health data to date, especially as deCODE Genetics' processing of English genetic data could also be affected.
Regardless of the actions of Datatilsynet in Denmark, the Icelandic data protection authorities and deCODE Genetics must take measures due to the lack of assessment of the impact on data protection and questions about authorisation. deCODE Genetics is aware that the company uses Danish genetic data for its own research purposes and without instructions on processing procedures. In addition, Patientdataforeningen believes that deCODE Genetics' responsibility for genetic data in Iceland is shaped by the fact that copies of the same data can be found in Denmark.
Patientdataforeningen's understanding is that a copy of the genetic data in Denmark can be found on the supercomputer Computerome at Danmarks Tekniske Universitet (DTU) in Risø under pseudonymisation. There, two database managers have access to an identification key. All operations on Computerome are logged and Danish researchers are controllers in this regard. Genetic data stored on Computerome are separate from samples from Danish patients in Iceland. It is deCODE Genetics who has paid for the genetic analysis of those samples, as stated in a letter from Rigshospitalet in the Capital Region of Denmark to the representative of Patientdataforeningen, dated 14 July 2020, of which a copy was attached to the response from Patientdataforeningen. Samples sent for analysis with deCODE Genetics receive new identification numbers and as a result have double pseudonymisation. Only the database managers have the identification key. When genetic data are analysed from Danish samples at deCODE Genetics, a copy of the data is sent to Computerome in Denmark, but a copy is also saved with deCODE Genetics. In this way, it is possible to carry out genetic testing at deCODE Genetics at will on an individual basis, even if pseudonymisation is used. In Iceland, there is no access to Danish ID numbers (CPR numbers), or the code used to analyse samples in Computerome in Denmark. All of this would need to be reflected in an impact assessment on data protection.
Following on from this, Patientdataforeningen lists the issues on the basis of which it considers deCODE Genetics to have the position of controller for the analysis of the samples in question. In that regard, it is stated that:
1. DeCODE Genetics has paid DKK 80 million for the Danish data, as stated in the letter from Rigshospitalet, dated 14 July 2020. DeCODE Genetics does not mention this in its explanations.
2. According to the Memorandum of Understanding attached to Patientdataforeningenʼs response, the research group that controls the research project should have first and last authorship. This means that the research group in control can either be in Denmark and use genetic data there or in Iceland and at the same time use genetic data there. deCODE Genetics does not mention this in its explanations.
3. DeCODE Genetics publishes scientific articles on the Danish data based on research and calculations in Iceland. Furthermore, the company has first and last authorship in scientific articles based on that work, as evident in the article “Genetic variability in the absorption of dietary sterols affects the risk of coronary artery disease”, a copy of which was attached to the response from Patientdataforeningen. DeCODE Genetics does not mention this in its explanations.
4. According to this, deCODE Genetics uses data for the purpose of its own research objectives and makes independent decisions about procedures, and when the company uses the Danish data for the purpose of such objectives, it is not in accordance with instructions from Danish researchers. Patientdataforeningen considers that when researchers in Denmark initiate research projects in the country for which they are responsible, research analyses are carried out there in the supercomputer Computerome and that when researchers in Iceland initiate research projects in that country for which they maintain control, research analyses are carried out there by deCODE Genetics. DeCODE Genetics does not mention this in its explanation.
5. When data subjects in Denmark inform Danish researchers that they no longer wish to be part of a research project, data are not deleted in Iceland. If deCODE Genetics were only a processor, data should be deleted with the company at the same time, but this is impossible in practice as it has no access to Danish ID numbers. Therefore, it is the position of Patientdataforeningen that even though the complainant has opted out of a study in Denmark, her genetic data have not been deleted in Iceland and that consequently, it is still possible to obtain the data in that country. DeCODE Genetics does not mention this in its explanation.
6. In Denmark, data subjects enjoy the protection of being able to block access to the copy of their genetic data stored in that country by registering on the Web Use Register (D: Vævsanvendelsesregister). When researchers in Denmark access the genetic data stored there, they must first look up the ID number of the persons concerned in this register to find out whether they have requested that access is blocked. This does not occur when deCODE Genetics uses data which is stored in Iceland but is identical to the data in Denmark, since browsing is impracticable as deCODE Genetics has no access to Danish ID numbers. DeCODE Genetics does not mention this in its explanation.
According to this, deCODE Genetics is in fact the controller for genetic data stored in Iceland. A copy of the same data is kept in Denmark, and it is beyond doubt that Danish researchers are controllers there. Without this separation of duties, the dual preservation of extensive genetic data in two countries, regardless of the principle of data minimisation and the circumstances in the case, is nonsensical.
5.
The case put in a pan-European channel – Further explanations from deCODE Genetics
On 21 December 2021, the case was placed in a pan-European channel on the grounds that it concerned the processing of information on data subjects in more than one country within the EEA. This was done by entering information about the case on the IMI-net, i.e. the EU and EEA data protection authorities' common information system. Individual institutions were thereby given the opportunity to state their position on whether and if so, how they considered the matter to affect their field of work, i.e. whether they should be considered a lead supervisory authority or a supervisory authority concerned, cf. Article 60 of Regulation (EU) 2016/679. Considering that the case concerns the processing of data from Denmark, the Danish Data Protection Agency, Datatilsynet, was also informed of the case by letter dated 21 December 2021, and a response from the Agency was received through the IMI-net on 18 January 2022, to the effect that it considered itself to have the status of a concerned supervisory authority.
In addition to the case being put in the above channel, deCODE Genetics was sent a letter on 21 December 2021, whereby the company was given an opportunity to comment on Patientdataforeningen's letter, dated 6 July 2021. Response was received by letter, dated 15 February 2022. It stated that deCODE Genetics' contracting party, the Bloodbank of the Capital Region of Denmark, had informed the company in January that year that the Head of Patientdataforeningen had on a few occasions requested data from the Bloodbank about the project “The Danish Blood Donor Study” and “Copenhagen Hospital Biobank” with emphasis on, inter alia, the relationship between controller and processor. As far as deCODE Genetics is aware, his claims on the subject before the Danish National Committee on Health Research Ethics and the Bio- and Genome Bank Denmark (D: Regionernes Bio- og Genombank) were subsequently rejected. Claims comparable to those raised in this case have therefore been resolved several times in Denmark.
Furthermore, it is stated that in 2021, the Danish Data Protection Agency, on behalf of the Danish government, conducted an audit of the Statens Serum Institut (SSI), a research institute in the field of health sciences. In the summer of 2021, SSI had requested an update of the processing contract between the parties, and this had been granted. The audit therefore confirmed the role of deCODE Genetics as a processor, and it should be noted that deCODE Genetics performs the same kind of work for SSI as for the Bloodbank of the Capital Region of Denmark.
In connection with the complainant's comments on the lack of assessment of the impact on data protection, deCODE Genetics reiterated what it stated in its letter, dated 7 May 2021, that deCODE Genetics had assessed the impact on data protection due to the processing of foreign biological samples and sent the data to the Copenhagen Bloodbank, which is part of the Bloodbank of the Capital Region of Denmark. It is also objected to as absurd and completely inaccurate that deCODE Genetics has paid DKK 80 million for data from Denmark and that no payment has been made between the parties, as stated in Rigshospitaletʼs letter, dated 14 July 2020, to the Head of Patientdataforeningen, a copy of which was attached to the organisationʼs letter, dated 6 July 2021.
The letter from deCODE Genetics also states that a memorandum referred to in Patientdataforeningenʼs letter in connection with the specification of first and last authorship of a scientific article regards the project “Danish Blood Donor Study” (DBDS). According to information received by deCODE Genetics from the controller, data on the complainant are not being processed for that project and the processing of her personal data is only related to the Bloodbank of the Capital Region of Denmark. However, regarding the identification in question, it is stated that researchers who conduct genome-wide association studies (GWAS), frequently meta-analyse pseudonymised results for the entire research population (summary statistics) from their own research and compare with other published research or with data from scientific collaborations that focus on the same phenotype. The overall results for the entire research population that have been published in recognised scientific journals are almost always made available to other scientists. The same applies to the overall results of meta-analysis. With its advent, and thus larger databases with more statistical power than individual databases in isolation, there has been considerable progress in analysing common genetic variables. Both deCODE Genetics and DBDS researchers have participated in meta-analysis and have not been identified as first or last author in some of the scientific articles that appeared as a result. In other articles, however, deCODE Genetics has had first and/or last authorship, and in others still, the DBDS researchers were identified as authors, cf. e.g. “Joseph Dowsett et al. Eleven genomic loci affect plasma levels of chronic inflammation marker soluble urokinase-type plasminogen activator receptor”. Therefore, no absolute conclusions can be drawn from the ranking of authors in a scientific article on who is the controller for the processing of personal data. It is determined by the scientific contribution of each researcher and is in that respect based on international standards, e.g. the Vancouver Criteria (“Recommendations for the Conduct, Reporting, Editing, and Publication of Scholarly Work in Medical Journals”). In other respects, on the identification of authors, reference is made to deCODE Genetics' comments in their previous letter, dated 7 May 2021.
In addition, deCODE Genetics' letter states that false and unsubstantiated allegations are made where in Patientdataforeningenʼs letter, it is insinuated that the company works with data in defiance of and without instructions from the controller. An independent external audit, commissioned by the controller, is referred to as confirmation of the contractual obligations having been complied with. Specifically, BDO, an auditing firm in Copenhagen, has on two occasions, in 2020 and in 2021, carried out an audit in accordance with the ISAE 3000 standard on security in the processing of personal data at deCODE Genetics. The audits confirmed that deCODE Genetics' processing on behalf of the controller was in accordance with the law and that all procedures, which deCODE Genetics had committed itself to implement in the processing contract with the controller, had been adhered to. The collaboration is ongoing and deCODE Genetics is working in accordance with a processing contract and a trial protocol on the grounds of permits issued by the competent Danish scientific ethics committees.
As for data not being deleted in Iceland, it is asserted that this is a misstatement by Patientdataforeningen and sheer misrepresentation. DeCODE Genetics regularly receives a list from the controller of sample numbers (Alias) of participants who have opted out of a study, including those who have registered with the “vævsanvendelsesregisteret”. As a result, deCODE Genetics starts a “Process for withdrawn consent” where the person's biological samples are erased and the PN number for the relevant sample number with deCODE Genetics is disconnected (Alias-PN connection is interrupted), thus preventing the possibility of using the numbers in further research. After this, deCODE Genetics sends a confirmation of this to the controller. This implementation has been reviewed without criticism in the BDO audits.
6.
DeCODE Genetics' explanation of communication with the company as a processor
By letter to deCODE Genetics, dated 8 April 2022, the Data Protection Authority referred to the statement made by the complainant in an e-mail to the Authority on 16 September 2021, that if deCODE Genetics was indeed a processor, there should be examples of researchers in Copenhagen sending the company instructions on the purpose of the processing and methods to be used by e-mail, letter, or telephone. The Data Protection Authority provided the company with an opportunity to comment on this statement and furthermore requested data on communication such as the ones in question that might exist within the company.
Response was received by letter, dated 28 April 2022. Reference is made to processing contracts between the Capital Region of Denmark and deCODE Genetics, which were attached to the company's letter, dated 7 May 2021, and it is stated that the attached annexes to the contracts contain instructions on how personal data should be handled. One of these contracts is for the project “Danish Blood Donor Study”, in which the complainant is not a participant according to deCODE Genetics' citation to information from the controller for that study, cf. section 5 above. The other contracts are for the project “Genetics of pain and degenerative musculoskeletal diseases – a Genome Wide Association study on repository samples from Copenhagen Hospital Biobank” (contract, dated 24 April 2019), and for the project “Genetics of osteoporosis and fractures – the disease trajectories” (contract, dated 23 September 2019). The annexes mentioned above are in both cases called “Data Processing Instructions” and “Joint Regional Data Protection Policy”. The latter document contains a general data protection policy and a separation of responsibility for maintaining an appropriate security level and for related aspects. The former contains a description of the various measures to be taken to ensure the security of data.
In addition to the above contracts, deCODE Genetics refers to three letters from Rigshospitalet in Denmark, dated 11 March 2020, with instructions to deCODE Genetics to perform genetic analysis, quality control and statistical analysis of phenotypes in individual projects. DeCODE Genetics also refers to an e-mail chain that covers the period from 30 July to 8 August 2020 and contains Rigshospitalet's instructions to erase data on specific individuals in a research sample, e-mail communication from 16 December 2020 with such instructions to deCODE Genetics from Rigshospitalet, an e-mail to deCODE Genetics from Rigshospitalet from 7 September 2021, also with such instructions, as well as an e-mail from deCODE Genetics to Rigshospitalet from 19 January 2021 confirming that such instructions have been carried out.
It is stated in deCODE Genetics' letter that with the documents attached, it is further demonstrated that deCODE Genetics is a processor for the Bloodbank of the Capital Region of Denmark and that it complies with the instructions of the controller. It is also stated that deCODE Genetics considers it unnecessary to dwell further on the complaint in the case and encourages the Data Protection Authority to issue a ruling in the case in accordance with the actual and written procedures that have been put in place between the controller and the processor, deCODE Genetics. As deCODE Genetics has stated in previous explanations regarding the case, the company always relies on foreign partners having obtained the necessary administrative permits in the respective country for aspects of investigative collaboration pertaining to deCODE Genetics in accordance with domestic law, as well as complying entirely with that law in the preparation process. This is the responsibility of the collaborative partners towards deCODE Genetics and the processing contract stipulates that jurisdiction is in the country from which the research data originates.
7.
Data protection impact assessment
In a letter to deCODE Genetics, dated 30 May 2022, the Data Protection Authority referred to discussion in the company's letter, dated 7 May 2021, on a data protection impact assessment concerning the processing of foreign biological samples and asked for a copy of it. Response was received by letter, dated 7 June 2022, with which were enclosed four documents with a data protection impact assessment. Those are an assessment concerning genome-wide association studies, covering both domestic and foreign data, an assessment concerning delivery of genotyping results on foreign samples, an assessment concerning phenotype collection and processing of foreign samples, and an assessment concerning sample collection and genotype processing, covering both domestic and foreign samples. In those documents, it is stated, among other things, that work takes place on the grounds of permits from ethics committees, domestic or foreign, and that no processing is undertaken unless it is in accordance with such a permit, that foreign controllers guarantee that a permits have been obtained for foreign research studies, that deCODE Genetics is a processor when it comes to such studies, that data are pseudo-anonymised, and that there is a special procedure in place for the withdrawal of consent of participants in foreign research studies. Furthermore, it is logged that the documents were created on 24 February 2021 and changed the last time on 25 March of the same year. It is stated in deCODE Genetics' letter, dated 7 June 2022, that the documents were sent to the Bloodbank of the Capital Region of Denmark with a letter, dated 12 April 2021.
8.
An access request and further comments from Patientdataforeningen
In an e-mail to the Data Protection Authority on 31 May 2022, Patiendataforeningen requested for access to the aforementioned letter of deCODE Genetics, dated 28 April 2022. In the light of a reservation in the letter, according to which documents enclosed with it could contain information exempted from a partyʼs access right, cf. Article 17 of the Administrative Procedures Act, no. 37/1993, the DPA invited the company to express itself on the request, i.e. in an e-mail on 3 June 2022. An answer was received in an e-mail on 5 June 2022, in which the company stated that it did not have objections to the granting of access, given that e-mail addresses were deleted in the enclosed documents, which at the same time were sent accordingly modified to the DPA. One document was lacking, however, and the DPA raised the attention of deCODE Genetics of this in an e-mail on 9 June 2022. After a reiteration had been sent on 15 June 2022, an answer was received from the company in an e-mail, i.e. on the 20 of the same month, with an attachment containing the document in question with e-mail addresses deleted. Patientdataforeningen was, then, granted access to the requested documents, i.e. in an e-mail on 24 June 2022.
In the wake of this, Patientdataforeningen made remarks in relation to the aforementioned letter from deCODE Genetics, i.e. in an e-mail on 3 July 2022. There, it is observed that communications between the controller in Denmark and deCODE Genetics, which can be seen in documents enclosed with the letter, are limited and it is asked whether before or after certain dates, processing of Danish data took place without the researchers in Denmark having decided on the purpose and means of the processing. A reference is also made to the scientific article, mentioned in item 3 in the enumeration in section 4 above, and it is asked whether it has been documented that Danish researchers took decisions in that regard in relation to the processing and whether it could be that employees of deCODE Genetics, including the first, second and last authors of the article, took those decisions. Furthermore, it is stated that if processing in breach of data protection legislation took place at deCODE Genetics, it is the DPA that must investigate that processing and decide on sanctions.
In addition to the aforementioned, Patientdataforeningen sent an e-mail to the DPA on 12 August 2022, informing it about a decision of the Danish DPA, cf. an entry on its website from 25 March 2022. By the decision, a fine was imposed for processing of genetic data without the authority first having been consulted, and according to the complainant, this decision is perhaps of significance in relation to this case.
9.
Feedback on the pan-Europan level
As described earlier, i.e. in section 5 above, this case was placed in a pan-European channel on 21 December 2021 by entering information about the case into the IMI-net, i.e. the EU and EEA data protection authorities' common information system. In relation to this procedure, the DPA entered a draft ruling in the case into the system on 28 June 2022 and concerned data protection authorities within the EU and the EEA were given an opportunity to make comments on the draft to be received no later than on 26 July 2022, cf. Article 60(4) of Regulation (EU) 2016/679. Following this, a notification from the Danish DPA was entered into the system, i.e. on 22 July 2022, according to which no comments were made on the draft. Other data protection authorities did not make observations.
II.
Criteria and conclusion
1.
Scope of Act no. 90/2018 and Regulation (EU) 2016/679
The scope of Act no. 90/2018 on Data Protection and the Processing of Personal Data and Regulation (EU) 2016/679, and thereby the competence of the Data Protection Authority, cf. Article 39(1) of the Act, applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system, cf. Article 4(1) of the Act and Article 2(1) of the Regulation.
Personal data include information relating to an identified or identifiable natural person and an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier or to one or more factors specific to the identity of that natural person, cf. Article 3(2) of the Act and Article 4(1) of the Regulation.
Processing also means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, cf. Article 3(4) of the Act and Article 4(2) of the Regulation.
This case concerns the processing of data about the complainant for scientific research that is being carried out at deCODE Genetics. As shown by the case file, data in this research are pseudonymised. It is also clear that at the Bloodbank of the Capital Region of Denmark, it is possible to link the pseudonymisation to the actual identification of the persons concerned. For that one reason, it must be considered that the case concerns processing of personal data that is covered by data protection legislation.
2.
Controller and processor – Conclusion
The person responsible for the processing of personal data is called the controller, which refers to the natural or legal person, public authority or other body which determines, alone or jointly with others, the purposes and means of the processing of personal data, cf. Article 3(6) of Act no. 90/2018 and Article 4(7) of Regulation (EU) 2016/679. This means that the party in question has decision-making power over the processing of personal data, the means of the processing, the purpose of the processing, what the software used is to do, as well as the dissemination of the data in other respects, as stated in Article 3(6) of the Act.
The controller may make a contract with another party to handle the processing of personal data on his behalf and that party is then called the processor. More specifically, this refers to a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller, cf. Article 3(7) Act no. 90/2018 and Article 4(8) Regulation (EU) 2016/679.
As stated in Article 25(1) of the Act, cf. Article 28(1) of the Regulation, the controller shall only use processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subject. Furthermore, Article 29 of the Regulation states that the processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
In addition, Article 25(3) of the Act, cf. the beginning of Article 28(3) of the Regulation, states that processing by a processor shall be governed by a contract or other legal act under law that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data, categories of data subjects and the obligations and rights of the controller. Also, in Paragraph 3 of the provision of the Regulation, there is a list of matters to be specified in the contract with the processor, i.e. a so-called processing contract, or other legal act under the law used. Among these is that the processor processes the personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject, in which case, the processor shall inform the controller (point a); that the processor takes all measures required pursuant to Article 32 of the Regulation (point c); that the processor assists the controller to fulfil his obligation to respond to requests from the data subjects as they exercise their rights (point e); and that the processor, at the choice of the controller, deletes or returns all personal data to the controller after the end of the provision of services relating to the processing, and deletes all copies unless Union or Member State law requires otherwise (point g).
According to the case file, personal data about the complainant have been processed by deCODE Genetics for two scientific studies, i.e. the study “Genetics of pain and degenerative musculoskeletal diseases – Genome Wide Association study on repository samples from Copenhagen Hospital Biobank” and the study “Genetics of osteoporosis and fractures – the disease trajectories”. It is evidenced that the Capital Region of Denmark has entered into processing contracts with deCODE Genetics for this research, i.e. a contract dated 24 April 2019 for the first research and a contract dated 23 September 2019 for the latter research, cf. also written instructions dated 11 March 2020 on the basis of both of the contracts.
The complainant claims that deCODE Genetics has exceeded its authority as a processor and refers to articles on the results of the research, which the company has worked on for the Capital Region of Denmark, where scientists from the company are identified as first and last authors.
The Data Protection Authority considers that Danish legislation on scientific research in the health sector must be observed here, as the above research has been approved by the Danish National Committee on Health Research Ethics, Dansk Videnskabsetisk Komité, cf. an overview on the committeeʼs website of approved studies in the first quarter of 2019, p. 57 in the annual report of the Danish research ethics committees 2019 (D: De Videnskabsetiske Komiteers fælles årsberetning 2019), as well as an overview (D: sagsoversigt) from the Danish health data authority, Sundhedsdatastyrelsen, of studies in 2020 where its data have been used. The permits in question are based on the Danish Act on Research Ethics Review of Health Research Projects (D: Lov om videnskabsetisk behandling af sundhedsvidenskabelige forskningsprojekter). That Act presupposes that research is carried out in line with a special trial protocol, i.e. a document describing objectives and implementation of the research as further defined in Article 2(10) of the Act, and that protocol shall accompany the application for research to the competent ethics committee, cf. Article 16(1) of the Act. Significant amendments of the trial protocol must also be approved by an ethics committee, as stated in Article 27(1) of the Act.
According to the Act in question, the responsibility for the conducting of research lies with an individual who is called the Investigator (D: den forsøgsansvarlige), cf. Article 2(7) of the Act. This is a similar arrangement to that of the Icelandic Act no. 44/2014 on Scientific Research in the Health Sector, which stipulates a principal investigator (I: ábyrgðarmaður) for each scientific research, i.e. an individual responsible for the implementation of the study in accordance with a research protocol which has been approved by the National Bioethics Committee or an institutional review board, cf. Article 3(10) of the Act.
Within this arrangement, it has been assumed that the principal investigator works on a scientific study in collaboration with others, for example investigators other than the principal investigator, as well as research staff, cf. Article 17(2) of Act no. 44/2014. It must be assumed that the same applies in Denmark as in this country, so that the principal investigator for a study works according to that countryʼs law on the study along with other researchers.
Arrangements such as these have not been considered to mean that every researcher has the status of controller for the processing of personal data within the meaning of the data protection legislation. By that is meant that the application of scientific methodology alone, where data are studied and conclusions are drawn from them, does not inevitably imply controller status for such processing. It is also not always the case that the principal investigator of a research study, within the meaning of the legislation on scientific research in the health sector, is the controller, according to data protection legislation. More specifically, it must be borne in mind that according to both Danish and Icelandic law, the principal investigator for a research study must always be an individual, but depending on the circumstances, he or she can have that role as an employee of a specific legal entity. It may then be more appropriate to regard the legal entity as the controller for the processing of personal data rather than the specific individual.
It can be assumed that it is because of this that the Capital Region of Denmark, and not an individual with the position of principal investigator for a research study, is specified as the controller in processing contracts with deCODE Genetics for the above research. It must then be resolved whether deCODE Genetics has also been given the position of controller for the processing of personal data in connection with the research. As is the case here, it would especially be considered possible if the company itself makes decisions about the aims and implementation of the research to the extent that it would require changes to the trial protocol, which would need the approval of the relevant ethics committee. The complainant's understanding is that deCODE Genetics has exceeded its role as a processor and has in so doing become a controller for processing that goes beyond the relevant ethics committeeʼs permission for the research, keeping in mind that the companyʼs employees have been identified as first and last authors of a report of its results. It should be noted in connection with this that the Data Protection Authority does not consider the involvement of individual deCODE Genetics employees in the scientific implementation of the research, resulting in them being among the authors of scientific articles, to lead to deCODE Genetics having the position of controller, considering current legislation, and then regardless of the order in which the authors are named.
However, if deCODE Genetics has gone beyond the approved trial protocol, so that the companyʼs processing operations do not fall within the scope of the Danish ethics committeeʼs permits, the company itself has become the controller for the processing, in accordance with the provisions set out above.
It is clear that it is first and foremost up to the Danish National Bioethics Committee (National Bioetisk Komité), which has granted the permits in question, to assess whether the approved trial protocol has been exceeded. There are no Committee resolutions to that effect. In addition, there are no indications thereto in other respects, e.g. on the grounds that deCODE Genetics has collected data for the purpose of the relevant studies without consulting the holders of research permits or used data from the studies for researching other phenotypes than those covered by the permits. For this reason, it must be assumed that deCODE Genetics has not been given the position of controller for the research studies in question and that the company's processing is within the contract framework which the Capital Region of Denmark has made with the company as a processor.
Furthermore, in connection with the complainantʼs comments on the lack of a data protection impact assessment, it should be noted that according to the case file, deCODE Genetics has carried out such assessments for the processing of data in foreign research studies, where the company serves as a processor. The date of these assessments indicates that they were elaborated some time after the complaint in this case was received. In this connection it should be noted, however, that the obligation to make a data protection impact assessment, cf. Article 29 of Act no. 90/2018 and Article 35 of Regulation (EU) 2016/679, is imposed on the controller and not the processor.
It should also be noted, regarding the complainant's comments that deCODE Genetics cannot comply with requests for the deletion of Danish data and samples, that according to the case file, such requests are satisfactorily handled, cf. Article 20(1) of the Act and Article 17 of the Regulation, in relation to which reference can, among other things, be made to a discussion in section 6 in part I above. In other respects, it has not been established during the handling of this case that deCODE Genetics' processing of data and samples from Denmark has been in breach of the law.
In relation to comments from Patientdataforeningen in the latest stage of this case, where it is indicated that there might be a need for further documents on communications between the Capital Region of Denmark and deCODE Genetics, reference is also made to earlier discussion on such documentation, particularly on the processing contracts which have been made, as well as written instructions on the basis of them. Those are the documents that according to law must be elaborated and circumstances, giving a special occasion for gathering of documents in addition to those that already make part of the case file, do not present themselves.
Considering the above, the conclusion of the Data Protection Authority is that the processing of personal data about the complainant at deCODE Genetics has complied with data protection legislation.
C o n c l u s i o n:
The processing of deCODE Genetics' as a processor of personal data about […] in the conduct of research on behalf of the Capital Region of Denmark complied with Act no. 90/2018 on Data Protection and the Processing of Personal Data, as well as Regulation (EU) 2016/679.
At the Data Protection Authority, 8 September 2022
Ólafur Garðarsson
Chairman
Björn Geirsson Sindri M. Stephensen
Vilhelmína Haraldsdóttir Þorvarður Kári Ólafsson