Mervinskiy 363

Page 1

07September2022 Opinion19/2022 DirectivesforsubstancesstandardsontheProposalforaRegulationonofqualityandsafetyforofhumanoriginintendedhumanapplicationandrepealing2002/98/ECand2004/23/EC

UnderWojciechdataUniondataensuringunderTheEuropeanDataProtectionSupervisor(EDPS)isanindependentinstitutionoftheEU,responsibleArticle52(2)ofRegulation2018/1725‘Withrespecttotheprocessingofpersonaldata…forthatthefundamentalrightsandfreedomsofnaturalpersons,andinparticulartheirrighttoprotection,arerespectedbyUnioninstitutionsandbodies’,andunderArticle52(3)‘…foradvisinginstitutionsandbodiesanddatasubjectsonallmattersconcerningtheprocessingofpersonal’.RafałWiewiórowskiwasappointedasSupervisoron5December2019foratermoffiveyears.

1

Article 42(1) ofRegulation2018/1725,theCommissionshall,‘followingtheadoptionof perspective.ThisthatinformationcommentsrepealingstandardsThisdataimpact218proposalsforalegislativeact,ofrecommendationsorofproposalstotheCouncilpursuanttoArticleTFEUorwhenpreparingdelegatedactsorimplementingacts,consulttheEDPSwherethereisanontheprotectionofindividuals’rightsandfreedomswithregardtotheprocessingofpersonal’.OpinionrelatestoaProposalforRegulationoftheEuropeanParliamentandoftheCouncilonofqualityandsafetyforsubstancesofhumanoriginintendedforhumanapplicationandDirectives2002/98/ECand2004/23/ECThisOpiniondoesnotprecludeanyfutureadditionalorrecommendationsbytheEDPS,inparticulariffurtherissuesareidentifiedornewbecomesavailable.Furthermore,thisOpinioniswithoutprejudicetoanyfutureactionmaybetakenbytheEDPSintheexerciseofhispowerspursuanttoRegulation(EU)2018/1725.OpinionislimitedtotheprovisionsofthedraftProposalthatarerelevantfromadataprotection

2 ExecutiveSummary durationLastly,inalsopersonalOnprocessingrequirement,donationdonatedgivenTheproportionalityprinciplesprotectionandprinciplepositivelycitizensTheimprovingMemberspermSoHOs,SubstancesintendedTheintendedPaOn14July2022,theEuropeanCommissionissuedaProposalforaRegulationoftheEuropeanrliamentandoftheCouncilonstandardsofqualityandsafetyforsubstancesofhumanoriginforhumanapplicationandrepealingDirectives2002/98/ECand2004/23/EC.Proposalaimstoregulatethestandardsofqualityandsafetyforsubstancesofhumanoriginforhumanapplication(‘SoHO’)byensuringsafetyandqualityforpatientstreatedwithofHumanOrigintherapiesandfullyprotectthemfromavoidableriskslinkedtoensuringsafetyandqualityforSoHOdonorsandforchildrenbornfromdonatedeggs,orembryos,strengtheningandallowingforharmonisationofoversightpracticesamongStates,facilitatingthedevelopmentofsafeandeffectiveinnovativeSoHOtherapiesandtheresilienceofthesector,mitigatingriskofshortages.EDPSwelcomesthattheProposalaimstobringpositiveimpactonfundamentalrightsofsuchashealthprotection,nondiscrimination,privacyandinformedconsent,whilealsonotesthatprogrammespromotingthedonationofSoHOsshouldbefoundedontheofvoluntaryandunpaiddonation,altruismofthedonorandsolidaritybetweendonorrecipient.Inthisregard,theEDPSwelcomesthereferencestospecificprinciplesofdatainthecontextoftheSoHOPlatform,inparticulartheprovisionsthatgiveeffecttotheofpurposelimitation,dataminimisation,aswellastherequirementsofnecessityandEDPSwelcomesthattheProposalwouldrequirethatinformedconsentfordonationisfreelyanddonorsortheirrepresentativesareinformedwithregardstotheintendeduseofthematerial.Atthesametime,theEDPSrecallsthatthedonor’sinformedconsenttotheofmaterialundertheSoHORegulation,whilebeinganessentialethicalandlegalisnotthesameasconsentreferredtointheGDPRasoneofthelegalbasisfortheofpersonaldata.thereuseofdata,whiletheEDPSwelcomestheexplicitidentificationofallthecategoriesofdatalistedintheProposalandthespecificpurposeforwhichthesewillbeprocessed,heconsidersthatthespecificpurposeforwhichdatawouldbereusedshouldbeclearlyidentifiedtheenactingtermsoftheProposal.theEDPSrecommendsthatthecolegislatorclearlydefineintheProposalthemaximumforwhichpersonaldatamaybestored.

3 Contents 4.3.4.3.3.3.2.3.1.3.2.1.Introduction.....................................................................4Generalremarks..............................................................5Specificremarks..............................................................7Rolesandresponsibilitiesoftheactorsinvolved...........7Categoriesofpersonaldataandpurposelimitation......7Storageduration...........................................................8Otherspecificcomments...............................................8Conclusions......................................................................9

1.On14July2022,theEuropeanCommissionissuedaProposalforaRegulationoftheEuropeanParliamentandoftheCouncilonstandardsofqualityandsafetyforsubstancesofhumanoriginintendedforhumanapplicationandrepealingDirectives2002/98/ECand2004/23/EC 2(‘theProposal’).

(‘the23HavingHavingregardtotheTreatyontheFunctioningoftheEuropeanUnion,regardtoRegulation(EU)No2018/1725oftheEuropeanParliamentandoftheCouncilofOctober2018ontheprotectionofindividualswithregardtotheprocessingofpersonaldatabyUnioninstitutions,bodiesofficesandagenciesandonthefreemovementofsuchdataEUDPR’) 1,andinparticularArticle42(1)thereof,

HASADOPTEDTHEFOLLOWINGOPINION:

4 THEEUROPEANDATAPROTECTIONSUPERVISOR,

4.ThepresentOpinionoftheEDPSisissuedinresponsetoaconsultationbytheEuropeanCommissionof14July2022,pursuanttoArticle42(1)EUDPR.TheEDPSwelcomesthereferencetothisconsultationinRecital51oftheProposal.Inthisregard,theEDPSalsopositivelynotesthathewasalreadypreviouslyinformallyconsultedpursuanttorecital60ofEUDPR.

3.TheProposalispartoftheEU’sambitiontobuildastrongerEuropeanHealthUnion,inorderto:(1)betterprotectthehealthofourcitizens(includingpatients,donorsandoffspring);(2)equiptheEUanditsMemberStatestobetterpreventandaddressfuturepandemics(surveillance,dataanalysis,riskassessment,earlywarningandresponse)and(3)improvetheresilienceofEUhealthsystems 4 .

2.TheProposalincludesmeasuresthataimto:ensuresafetyandqualityforpatientstreatedwithSubstancesofHumanOrigin(‘SoHO’)therapiesandfullyprotectthemfromavoidableriskslinkedtoSoHOs;ensuresafetyandqualityforSoHOdonorsandforchildrenbornfromdonatedeggs,spermorembryos;strengthenandallowforharmonisationofoversightpracticesamongMemberStates;facilitatethedevelopmentofsafeandeffectiveinnovativeSoHOtherapies;improvetheresilienceofthesector,mitigatingriskofshortages 3

1OJL295,21.11.2018,p.39. COM(2022)338final.

3COM(2022)338final,p.6.

4COM(2022)338final,pp.23.

2

1.Introduction

10.TheimpactassessmentaccompanyingtheProposalstatesthat“

7TheEDPSalso theSoHOspositivelynotesthat,inlinewiththeProposal,programmespromotingthedonationofshouldbefoundedontheprincipleofvoluntaryandunpaiddonation,altruismofdonorandsolidaritybetweendonorandrecipient.

5 2.Generalremarks

8

5.AccordingtotheExplanatoryMemorandumtotheProposal

6

10

9

7

9.8.TheEDPSconsidersthattheprotectionofthefundamentalrightstoprivacyandtotheprotectionofpersonaldatainthecontextoftheProposalgohandinhandwiththeprotectionofhumandignity,oftheintegrityoftheperson,andnondiscrimination(thatcouldfollowunduedisclosureofpersonaldatarelatedtotheindividualsconcerned).TheEDPStakesnotethatanEUSoHOPlatformmustbeestablished,managedandmaintainedbytheCommissioninordertofacilitatetheexchangeofinformationconcerningSoHOactivitiesintheUnion,namelythesubmission,retrieval,storage,management,handling,exchange,analysis,publicationanddeletionofsuchdataanddocuments.TheEDPSalsonotesthat,inlinewiththeProposal,theprocessingofpersonaldatabycompetentauthoritiesmustonlybecarriedoutforthepurposeofperformingSoHOrelatedactivitiesinaccordancewiththeRegulationandincompliancewiththeapplicabledataprotectionlegislation .TheEDPSnotesthattheSoHOPlatformwillalsobeprocessing specialcategoriesofpersonaldata10 [a]singleITsystemwill barriersEuropeanItestablishmentsbringimportantbenefitsasitcanhostflexiblesolutions,allowingMemberStatesandtomaintainandconnectwiththeirownsystemorreuseexistingcomponents.couldbecomeanimportantnodeintheEUdigitalecosystem,andinparticularinthefutureHealthDataSpace(EHDS),whichaimsatopeningopportunitiesandremovingtotheuseandreuseofhealthdata,fortheprovisionofhealthcare,personalised

5,theBloodDirective

6

9

7.TheEDPSwelcomesthattheProposalaimstobringpositiveimpactonsomefundamentalrightsofcitizens(suchashealthprotection,nondiscrimination,privacyandinformedconsent),particularlybystrengtheningtheprovisionsrelatingtodonors’andrecipients’protectionandvigilanceandthereportingofgeneticconditionsinchildrenbornfrommedicallyassistedreproductionwiththirdpartydonation,andbyensuringthatrequirementsforsafetyandqualityarebasedonscientificevidence.

6.casethequality2022/98/ECandtheTissuesandCellsDirective2004/23/EC(‘BTClegislation’)setsoutandsafetyrequirementsforallstepsfromdonationtohumanapplication(unlessdonationsareusedtomanufacturemedicinalproductsormedicaldevices,inwhichthelegislationonlyappliestodonation,collectionandtesting).TheaimoftheProposalistoaddressshortcomingsoftheBTClegislationinordertoensureabetterlevelofhealthprotection,togetherwiththepossibilityforsuchframeworktobeeffectivelyimplementedandresistanttonewrisksandtrends,whileensuringatthesametimeappropriatesafetyandqualityrequirements

8

5COM(2022)338final,p.1. COM(2022)338final,p.2. COM(2022)338final,p.12. SeeRecitals18and19oftheProposal. SeeArticle73oftheProposal. SeeRecitals43,44,46,47oftheProposal,andArticles53(1)(d),55(3),73and76oftheProposal.

17SeeRecital44andArticle55oftheProposal. 18

13

11.TheEDPSwelcomesRecital42oftheProposal,whichemphasisesthattheprocessingofpersonaldataundertheProposalmustbesubjecttostrongguaranteesofconfidentialityandcomplywiththeEUDPRandwithRegulation(EU)2016/679 12(‘theGDPR’).

12.Moreover,theEDPSwelcomesthespecificreferencestotheprinciplesofdataprotectionasregardstheprocessingofpersonaldatainthecontextoftheSoHOPlatform 13,in particulartheprovisionsthatgiveeffecttotheprinciplesofpurposelimitation14,data minimisation(andrelatedpseudonymisationofpersonaldata)15aswellastherequirements ofnecessityandproportionality16 .

17Inthisregard,theEDPSrecallsthatthedonor’sinformedconsent tothedonationofmaterialundertheSoHORegulation,whilebeinganessential ethicalandlegalrequirement,similarlytoclinicaltrials18 ,isnotthesameasconsent datareferredtointheGDPRasoneofthelegalbasisfortheprocessingofpersonal .TheEDPSthereforerecommendstoincludesuchaclarificationintheProposal.

andSeeEDPBOpinion3/2019concerningtheQuestionsandAnswersontheinterplaybetweentheClinicalTrialsRegulation(CTR)theGeneralDataProtectionregulation(GDPR)(art.70.1.b)),23January2019.

14SeeArticle73(3)oftheProposal.

11COM(2022)338final,p.12.

SeeRecital43oftheProposal.

16SeeRecital45oftheProposal.

15SeeRecital45andArticle45(2)(c)oftheProposal.

15.Finally,theEDPSwelcomesthespecificationinthelastsentenceofRecital45oftheProposal,accordingtowhichdonors,recipientsandoffspringsshouldbeinformedoftheprocessingofpersonaldatainlinewiththeGDPRandtheEUDPR.

6 medicine,researchandinnovation,policymakingandregulatoryactivities.”11Tothisend,the categoriesEDPSwouldliketopointoutthatthatthestorageandprocessingofavarietyofdatainasingleintegratedITsystemmaycreaterisks .Tominimisesuchrisks,due protectionconsiderationmustbegiventotherequirementsofdataminimisation,databydesignandsecurity

12 DatawithRegulation(EU)2016/679oftheEuropeanParliamentandoftheCouncilof27April2016ontheprotectionofnaturalpersonsregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata,andrepealingDirective95/46/EC(GeneralProtectionRegulation)(TextwithEEArelevance),OJL119,4.5.2016,p.188.

14.13.TheEDPSnotesthat,accordingtoRecital45,theProposalshouldprovidealegalbasisunderArticle6GDPRand,whererelevant,fulfiltheconditionsunderArticle9(2),point(i)GDPR,fortheprocessingofsuchpersonaldata.Additionally,thesameRecitalalsostatesthat,withrespecttopersonaldataprocessedbytheCommission,theProposalshouldprovidealegalbasisunderArticle5EUDPRand,whererelevant,fulfiltheconditionsunderArticle10(2),point(i)EUDPR.TheEDPSwelcomesthattheProposalwouldrequirethatconsentfordonationisfreelygivenanddonorsortheirrepresentativesareinformedwithregardstotheintendeduseofthedonatedmaterial.

3.1.Rolesandresponsibilitiesoftheactorsinvolved

3.2.Categoriesofpersonaldataandpurposelimitation

20.19.TheEDPSwelcomesArticle76point(1),(2)and(3)oftheProposal,whichexplicitlyidentifiesallthecategoriesofpersonaldatalistedintheProposalandthespecificpurposeforwhichthesewillbeprocessedinlinewiththeProposalIndeed,theEDPSnotesthattheneedtoprotectthedignityandintegrityofdonors,recipientsandoffspringsbornfrommedicallyassistedreproduction,referredtoinRecital44oftheProposal,callsfor thehighestpossibledataprotectionsafeguards,aswellas strictpurposelimitation.TheEDPShighlightsthattherightofdignityoftheindividuals personaltheirdonationconcernedmustalwaysbetakenintoaccount,particularlybyensuringthatconsentforofSoHO,asanethicalandlegalrequirement,isfreelygivenandthatdonorsandrepresentativesarefullyinformedinparticularwithregardstoanyprocessingoftheirdata. 19SeeRecitals33,36and38andArticles29(7)(a),35(3),35(13),36(3),36(5),56(4)(a)(i),62(5),62(7)(b)and68(1)(e)oftheProposal. 20 EuroProposalforaRegulationoftheEuropeanParliamentandoftheCouncilamendingRegulation(EC)No851/2004establishingapeanCentrefordiseasepreventionandcontrol.COM/2020/726final.

7 3.Specificremarks

18.17.16.TheEDPSwelcomesthatArticle76(6)oftheProposalprovidesthat,inrelationtotheirresponsibilitiestoprocesspersonaldatatocomplywiththeobligationsoftheProposal,theSoHOentities,meaningthecompetentauthorityorauthoritiesoftheMemberStatesthatareconferredresponsibilityfortheSoHOsupervisoryactivities,shallberegardedas‘controllers’asdefinedinArticle4(7)GDPR.Moreover,theEDPSwelcomesthatArticle76(7)oftheProposalprovidesthat,inrelationtoitsresponsibilitytoestablishandmanagetheEUSoHOPlatform,theCommissionshallberegardedascontrollerasdefinedinArticle3(8)EUDPR.Inthisregard,theEDPSalsonotesthat,asreflectedintheExplanatoryMemorandumtotheProposal,theProposalestablisheslinks 19withtheEuropeanCentreforDisease strengthenedPreventionandControl(‘ECDC’),forwhichthemandatehasbeenproposedtobe 20,alsointhefieldofSoHOs.Tothisend,theEDPSconsidersthatfurther actinneeded.clarityastowhetherECDCwillbeprocessingpersonaldatawithintheSoHOPlatformisShouldthisbethecase,theEDPSconsidersthattheECDCwouldlikely(also)begasacontrollerwithinthemeaningofdataprotectionlaw. TheEDPStherefore invitesthecolegislatortoclarifyfurtherintheProposalwhethertheECDCwould beprocessingpersonaldatawithintheSoHOPlatformand,ifso,toidentify explicitlyitsrolewithinthemeaningofdataprotectionlaw.

8 22.21.Againstthisbackground,theEDPSnotesthatRecital46oftheProposalprovidesthatentrustedcompetentauthoritiesasdatacontrollerswithinthemeaningoftheGDPRwillhavepowerstotakedecisionsontheaccesstoandreuseofdata.Inthisregard,theEDPSunderstandsthat,asoutlinedthroughouttheProposal,thepurposeforthereuseofsuchdata,ifany,wouldbepurelyhealthrelated. Therefore,theEDPS Proposalrecommendsthattheco-legislatorclearlyidentifyintheenactingtermsofthethespecificpurposeforwhichsuchdatawouldbereused ,particularly 23.principletakingintoaccountthehighrisksforthepersonsconcernedandthekeydataprotectionofpurposelimitationinlinewithArticle5(1)(b)GDPR.TheEDPSalsonotesthatArticles44,45and47oftheProposalprovidethatSoHOentitieswillbeobligedtoperformactivitiesofdatacollectionandreporting,traceabilityandcodingandvigilanceandreportingrespectively.Inthisregard,theEDPS,whileconsideringthatprocessingofpersonaldatamaypossiblyoccurinthiscontext,alsonotesthatArticle76oftheProposalondataprotectiondoesnotrefertotheprocessingoperationslistedintheaforementionedArticles.Forthesakeoflegalclarity, theEDPSrecommendstoclarify ProposaltakingintheaforementionedArticleswhetheranyprocessingofpersonaldatawouldbeplaceand,ifso,tospecifythepurposeofsuchprocessinginArticle76oftheitself .

3.4.Otherspecificcomments

3.3.Storageduration

25.Inthisregard,inlinewiththestoragelimitationprinciple,theEDPSunderlinesthatpersonaldatashouldbekeptinaformwhichpermitstheidentificationofdatasubjectsfornolongerthannecessaryforthepurposesforwhichpersonaldataareprocessed.TheEDPSrecallsthattheperiodoftimeshouldbeasshortaspossibleinrelationtothepurposepursuedandmustbejustifiedinordertoensurethatthestorageislimitedtowhatisnecessaryforthepurpose(s)pursued.Aslimitingtheretentionofpersonaldataconstitutesanimportantsafeguardtoprotectindividualsagainstmisuseoftheirpersonaldata, the maximumEDPSrecommendsthatthecolegislatorclearlydefineintheProposalitselfthedurationforwhichpersonaldatamaybestored .

26.TheEDPSwelcomesArticle53(1)(d)oftheProposalondonors’protectionandArticle55(3)(g)oftheProposalontherecordingandprotectionofdonors’personaldata,inChapterVI.However,theEDPSnotesthatsimilarprovisionsaremissinginChapterVIIoftheProposal,relatedtotheprotectionofSoHOrecipientsandoffsprings.

24.TheEDPSnotesthatArticle74(3)oftheProposalprovidesthat“[t]heCommissionshall thetheadoptimplementingactslayingdowntechnicalspecificationsfortheEUSoHOPlatform,(...),retentionperiodsforpersonaldataandthetechnicalandorganisationalmeasurestoensuresafetyandsecurityofpersonaldataprocessed ”,whileArticle76(8)oftheProposal providesthat“(...)theCommissionisempoweredtoadoptdelegatedactsinaccordancewith asArticle77supplementingthisRegulationbylayingdowntheretentionperiodsforpersonaldataappropriatetotheirpurpose(...) ”.

28.recipientandoffspringprotectionTheEDPSalsonotesthatArticle55(g)oftheProposalprovidesthat,inadditiontootherinformationtobeprovidedpriortoconsentorauthorisation,“ [i]ncaseoflivingdonors, (...)”.inpersonalSoHOentitiesshallprovideinformationregarding(...)therecordingandprotectionofdonorandhealthdataandmedicalconfidentiality,includinganypotentialsharingofdatatheinterestofdonorhealthmonitoringandofpublichealth,asnecessaryandproportionate donorunclearInthisregard,theEDPSconsidersthat,asdrafted,theaforementionedArticleisbothastotheexactinformationthatwouldbeprocessed‘intheinterestofthe’,andastothenecessityandproportionalityassessmentinthiscontext.Therefore, placecontext,theEDPSrecommendstoexplicitlyclarifytheinformationtobeprocessedinthisaswellashowwouldthenecessityandproportionalityassessmenttake.

29.Lastly,theEDPSnotesthatArticle14(2)ofDirective20004/23/EConsettingstandardsofqualityandsafetyforthedonation,procurement,testing,processing,preservation,storageanddistributionofhumantissuesandcellscurrentlyprovidesthatMemberStatesmust“(...) donationsunauthorisedtransferunauthorisedensurethat:(a)datasecuritymeasuresareinplace,aswellassafeguardsagainstanydataadditions,deletionsormodificationstodonorfilesordeferralrecords,andofinformation;(b)proceduresareinplacetoresolvedatadiscrepancies;and(c)nodisclosureofinformationoccurs,whilstguaranteeingthetraceabilityof .” reinstatedTheEDPSconsidersthatsuchmoredetailedprovisionscouldbeusefullyintheProposal,initsproposedformofaRegulation ,inorderto strengthenprotectionfordonorsandrecipientsandoffspringsofSoHO.

27.Additionally,inordertoensureahighlevelofprotectionofpersonaldata,theEDPS personalrecommendsinsertingareferencetotherisksstemmingfromtheprocessingofdatainArticle52oftheProposal, ontheobjectivesregardingSoHOdonor protection,aswellasinArticle57oftheProposal,ontheobjectivesregardingSoHO

9

4.Conclusions

30.Inlightoftheabove,theEDPSmakesthefollowingrecommendations: (4)(3)(2)(1)toclarifythatinformedconsenttothedonationofmaterialundertheSoHORegulationisnotthesameasconsentreferredtointheGDPRasoneofthelegalbasisfortheprocessingofpersonaldata;toclarifyforwhichspecificpurposesreuseofpersonaldata,ifany,relatedtodonorsandrecipients,andoffsprings,ofSoHOisenvisaged,takingintoaccounttheethicalandlegalprincipleofinformedconsentlaiddownunderArticle3(2)oftheCharter,andthehighrisksforthepersonsconcerned.toclarifyintheProposalwhethertheECDCwouldbeprocessingpersonaldatawithintheSoHOPlatformand,ifso,toexplicitlyidentifyitsrolewithinthemeaningofdataprotectionlaw;toclearlyidentifyintheenactingtermsoftheProposalthespecificpurposeforwhichsuchdatawouldbereused,particularlytakingintoaccountthehighrisksforthepersonsconcernedandthekeydataprotectionprincipleofpurposelimitation;

(8)(7)(6)(5)toclarifyinArticles44,45and47oftheProposalwhetheranyprocessingofpersonaldatawouldbetakingplaceand,ifso,tospecifythepurposeofsuchprocessinginArticle76oftheProposalitself;toclearlydefineintheProposalitselfthemaximumdurationforwhichpersonaldatamaybestored;toinsertareferencetorisksstemmingfromtheprocessingofpersonaldatabothinArticle52oftheProposal,ontheobjectivesregardingSoHOdonorprotection,aswellasArticle57oftheProposal,ontheobjectivesregardingSoHOrecipientandoffspringprotection;toexplicitlyclarifyinArticle55(g)oftheProposaltheinformationtobeprocessedinthiscontext,aswellashowwouldthenecessityandproportionalityassessmenttakeplace.

WojciechBrussels,07September2022RafałWIEWIÓROWSKI [esigned]

10

Turn static files into dynamic content formats.

Create a flipbook
Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.