07September2022 Opinion19/2022 DirectivesforsubstancesstandardsontheProposalforaRegulationonofqualityandsafetyforofhumanoriginintendedhumanapplicationandrepealing2002/98/ECand2004/23/EC
UnderWojciechdataUniondataensuringunderTheEuropeanDataProtectionSupervisor(EDPS)isanindependentinstitutionoftheEU,responsibleArticle52(2)ofRegulation2018/1725‘Withrespecttotheprocessingofpersonaldata…forthatthefundamentalrightsandfreedomsofnaturalpersons,andinparticulartheirrighttoprotection,arerespectedbyUnioninstitutionsandbodies’,andunderArticle52(3)‘…foradvisinginstitutionsandbodiesanddatasubjectsonallmattersconcerningtheprocessingofpersonal’.RafałWiewiórowskiwasappointedasSupervisoron5December2019foratermoffiveyears.
1
Article 42(1) ofRegulation2018/1725,theCommissionshall,‘followingtheadoptionof perspective.ThisthatinformationcommentsrepealingstandardsThisdataimpact218proposalsforalegislativeact,ofrecommendationsorofproposalstotheCouncilpursuanttoArticleTFEUorwhenpreparingdelegatedactsorimplementingacts,consulttheEDPSwherethereisanontheprotectionofindividuals’rightsandfreedomswithregardtotheprocessingofpersonal’.OpinionrelatestoaProposalforRegulationoftheEuropeanParliamentandoftheCouncilonofqualityandsafetyforsubstancesofhumanoriginintendedforhumanapplicationandDirectives2002/98/ECand2004/23/ECThisOpiniondoesnotprecludeanyfutureadditionalorrecommendationsbytheEDPS,inparticulariffurtherissuesareidentifiedornewbecomesavailable.Furthermore,thisOpinioniswithoutprejudicetoanyfutureactionmaybetakenbytheEDPSintheexerciseofhispowerspursuanttoRegulation(EU)2018/1725.OpinionislimitedtotheprovisionsofthedraftProposalthatarerelevantfromadataprotection
2 ExecutiveSummary durationLastly,inalsopersonalOnprocessingrequirement,donationdonatedgivenTheproportionalityprinciplesprotectionandprinciplepositivelycitizensTheimprovingMemberspermSoHOs,SubstancesintendedTheintendedPaOn14July2022,theEuropeanCommissionissuedaProposalforaRegulationoftheEuropeanrliamentandoftheCouncilonstandardsofqualityandsafetyforsubstancesofhumanoriginforhumanapplicationandrepealingDirectives2002/98/ECand2004/23/EC.Proposalaimstoregulatethestandardsofqualityandsafetyforsubstancesofhumanoriginforhumanapplication(‘SoHO’)byensuringsafetyandqualityforpatientstreatedwithofHumanOrigintherapiesandfullyprotectthemfromavoidableriskslinkedtoensuringsafetyandqualityforSoHOdonorsandforchildrenbornfromdonatedeggs,orembryos,strengtheningandallowingforharmonisationofoversightpracticesamongStates,facilitatingthedevelopmentofsafeandeffectiveinnovativeSoHOtherapiesandtheresilienceofthesector,mitigatingriskofshortages.EDPSwelcomesthattheProposalaimstobringpositiveimpactonfundamentalrightsofsuchashealthprotection,nondiscrimination,privacyandinformedconsent,whilealsonotesthatprogrammespromotingthedonationofSoHOsshouldbefoundedontheofvoluntaryandunpaiddonation,altruismofthedonorandsolidaritybetweendonorrecipient.Inthisregard,theEDPSwelcomesthereferencestospecificprinciplesofdatainthecontextoftheSoHOPlatform,inparticulartheprovisionsthatgiveeffecttotheofpurposelimitation,dataminimisation,aswellastherequirementsofnecessityandEDPSwelcomesthattheProposalwouldrequirethatinformedconsentfordonationisfreelyanddonorsortheirrepresentativesareinformedwithregardstotheintendeduseofthematerial.Atthesametime,theEDPSrecallsthatthedonor’sinformedconsenttotheofmaterialundertheSoHORegulation,whilebeinganessentialethicalandlegalisnotthesameasconsentreferredtointheGDPRasoneofthelegalbasisfortheofpersonaldata.thereuseofdata,whiletheEDPSwelcomestheexplicitidentificationofallthecategoriesofdatalistedintheProposalandthespecificpurposeforwhichthesewillbeprocessed,heconsidersthatthespecificpurposeforwhichdatawouldbereusedshouldbeclearlyidentifiedtheenactingtermsoftheProposal.theEDPSrecommendsthatthecolegislatorclearlydefineintheProposalthemaximumforwhichpersonaldatamaybestored.
3 Contents 4.3.4.3.3.3.2.3.1.3.2.1.Introduction.....................................................................4Generalremarks..............................................................5Specificremarks..............................................................7Rolesandresponsibilitiesoftheactorsinvolved...........7Categoriesofpersonaldataandpurposelimitation......7Storageduration...........................................................8Otherspecificcomments...............................................8Conclusions......................................................................9
1.On14July2022,theEuropeanCommissionissuedaProposalforaRegulationoftheEuropeanParliamentandoftheCouncilonstandardsofqualityandsafetyforsubstancesofhumanoriginintendedforhumanapplicationandrepealingDirectives2002/98/ECand2004/23/EC 2(‘theProposal’).
(‘the23HavingHavingregardtotheTreatyontheFunctioningoftheEuropeanUnion,regardtoRegulation(EU)No2018/1725oftheEuropeanParliamentandoftheCouncilofOctober2018ontheprotectionofindividualswithregardtotheprocessingofpersonaldatabyUnioninstitutions,bodiesofficesandagenciesandonthefreemovementofsuchdataEUDPR’) 1,andinparticularArticle42(1)thereof,
HASADOPTEDTHEFOLLOWINGOPINION:
4 THEEUROPEANDATAPROTECTIONSUPERVISOR,
4.ThepresentOpinionoftheEDPSisissuedinresponsetoaconsultationbytheEuropeanCommissionof14July2022,pursuanttoArticle42(1)EUDPR.TheEDPSwelcomesthereferencetothisconsultationinRecital51oftheProposal.Inthisregard,theEDPSalsopositivelynotesthathewasalreadypreviouslyinformallyconsultedpursuanttorecital60ofEUDPR.
3.TheProposalispartoftheEU’sambitiontobuildastrongerEuropeanHealthUnion,inorderto:(1)betterprotectthehealthofourcitizens(includingpatients,donorsandoffspring);(2)equiptheEUanditsMemberStatestobetterpreventandaddressfuturepandemics(surveillance,dataanalysis,riskassessment,earlywarningandresponse)and(3)improvetheresilienceofEUhealthsystems 4 .
2.TheProposalincludesmeasuresthataimto:ensuresafetyandqualityforpatientstreatedwithSubstancesofHumanOrigin(‘SoHO’)therapiesandfullyprotectthemfromavoidableriskslinkedtoSoHOs;ensuresafetyandqualityforSoHOdonorsandforchildrenbornfromdonatedeggs,spermorembryos;strengthenandallowforharmonisationofoversightpracticesamongMemberStates;facilitatethedevelopmentofsafeandeffectiveinnovativeSoHOtherapies;improvetheresilienceofthesector,mitigatingriskofshortages 3
1OJL295,21.11.2018,p.39. COM(2022)338final.
3COM(2022)338final,p.6.
4COM(2022)338final,pp.23.
2
1.Introduction
10.TheimpactassessmentaccompanyingtheProposalstatesthat“
7TheEDPSalso theSoHOspositivelynotesthat,inlinewiththeProposal,programmespromotingthedonationofshouldbefoundedontheprincipleofvoluntaryandunpaiddonation,altruismofdonorandsolidaritybetweendonorandrecipient.
5 2.Generalremarks
8
5.AccordingtotheExplanatoryMemorandumtotheProposal
6
10
9
7
9.8.TheEDPSconsidersthattheprotectionofthefundamentalrightstoprivacyandtotheprotectionofpersonaldatainthecontextoftheProposalgohandinhandwiththeprotectionofhumandignity,oftheintegrityoftheperson,andnondiscrimination(thatcouldfollowunduedisclosureofpersonaldatarelatedtotheindividualsconcerned).TheEDPStakesnotethatanEUSoHOPlatformmustbeestablished,managedandmaintainedbytheCommissioninordertofacilitatetheexchangeofinformationconcerningSoHOactivitiesintheUnion,namelythesubmission,retrieval,storage,management,handling,exchange,analysis,publicationanddeletionofsuchdataanddocuments.TheEDPSalsonotesthat,inlinewiththeProposal,theprocessingofpersonaldatabycompetentauthoritiesmustonlybecarriedoutforthepurposeofperformingSoHOrelatedactivitiesinaccordancewiththeRegulationandincompliancewiththeapplicabledataprotectionlegislation .TheEDPSnotesthattheSoHOPlatformwillalsobeprocessing specialcategoriesofpersonaldata10 [a]singleITsystemwill barriersEuropeanItestablishmentsbringimportantbenefitsasitcanhostflexiblesolutions,allowingMemberStatesandtomaintainandconnectwiththeirownsystemorreuseexistingcomponents.couldbecomeanimportantnodeintheEUdigitalecosystem,andinparticularinthefutureHealthDataSpace(EHDS),whichaimsatopeningopportunitiesandremovingtotheuseandreuseofhealthdata,fortheprovisionofhealthcare,personalised
5,theBloodDirective
6
9
7.TheEDPSwelcomesthattheProposalaimstobringpositiveimpactonsomefundamentalrightsofcitizens(suchashealthprotection,nondiscrimination,privacyandinformedconsent),particularlybystrengtheningtheprovisionsrelatingtodonors’andrecipients’protectionandvigilanceandthereportingofgeneticconditionsinchildrenbornfrommedicallyassistedreproductionwiththirdpartydonation,andbyensuringthatrequirementsforsafetyandqualityarebasedonscientificevidence.
6.casethequality2022/98/ECandtheTissuesandCellsDirective2004/23/EC(‘BTClegislation’)setsoutandsafetyrequirementsforallstepsfromdonationtohumanapplication(unlessdonationsareusedtomanufacturemedicinalproductsormedicaldevices,inwhichthelegislationonlyappliestodonation,collectionandtesting).TheaimoftheProposalistoaddressshortcomingsoftheBTClegislationinordertoensureabetterlevelofhealthprotection,togetherwiththepossibilityforsuchframeworktobeeffectivelyimplementedandresistanttonewrisksandtrends,whileensuringatthesametimeappropriatesafetyandqualityrequirements
8
5COM(2022)338final,p.1. COM(2022)338final,p.2. COM(2022)338final,p.12. SeeRecitals18and19oftheProposal. SeeArticle73oftheProposal. SeeRecitals43,44,46,47oftheProposal,andArticles53(1)(d),55(3),73and76oftheProposal.
17SeeRecital44andArticle55oftheProposal. 18
13
11.TheEDPSwelcomesRecital42oftheProposal,whichemphasisesthattheprocessingofpersonaldataundertheProposalmustbesubjecttostrongguaranteesofconfidentialityandcomplywiththeEUDPRandwithRegulation(EU)2016/679 12(‘theGDPR’).
12.Moreover,theEDPSwelcomesthespecificreferencestotheprinciplesofdataprotectionasregardstheprocessingofpersonaldatainthecontextoftheSoHOPlatform 13,in particulartheprovisionsthatgiveeffecttotheprinciplesofpurposelimitation14,data minimisation(andrelatedpseudonymisationofpersonaldata)15aswellastherequirements ofnecessityandproportionality16 .
17Inthisregard,theEDPSrecallsthatthedonor’sinformedconsent tothedonationofmaterialundertheSoHORegulation,whilebeinganessential ethicalandlegalrequirement,similarlytoclinicaltrials18 ,isnotthesameasconsent datareferredtointheGDPRasoneofthelegalbasisfortheprocessingofpersonal .TheEDPSthereforerecommendstoincludesuchaclarificationintheProposal.
andSeeEDPBOpinion3/2019concerningtheQuestionsandAnswersontheinterplaybetweentheClinicalTrialsRegulation(CTR)theGeneralDataProtectionregulation(GDPR)(art.70.1.b)),23January2019.
14SeeArticle73(3)oftheProposal.
11COM(2022)338final,p.12.
SeeRecital43oftheProposal.
16SeeRecital45oftheProposal.
15SeeRecital45andArticle45(2)(c)oftheProposal.
15.Finally,theEDPSwelcomesthespecificationinthelastsentenceofRecital45oftheProposal,accordingtowhichdonors,recipientsandoffspringsshouldbeinformedoftheprocessingofpersonaldatainlinewiththeGDPRandtheEUDPR.
6 medicine,researchandinnovation,policymakingandregulatoryactivities.”11Tothisend,the categoriesEDPSwouldliketopointoutthatthatthestorageandprocessingofavarietyofdatainasingleintegratedITsystemmaycreaterisks .Tominimisesuchrisks,due protectionconsiderationmustbegiventotherequirementsofdataminimisation,databydesignandsecurity
12 DatawithRegulation(EU)2016/679oftheEuropeanParliamentandoftheCouncilof27April2016ontheprotectionofnaturalpersonsregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata,andrepealingDirective95/46/EC(GeneralProtectionRegulation)(TextwithEEArelevance),OJL119,4.5.2016,p.188.
14.13.TheEDPSnotesthat,accordingtoRecital45,theProposalshouldprovidealegalbasisunderArticle6GDPRand,whererelevant,fulfiltheconditionsunderArticle9(2),point(i)GDPR,fortheprocessingofsuchpersonaldata.Additionally,thesameRecitalalsostatesthat,withrespecttopersonaldataprocessedbytheCommission,theProposalshouldprovidealegalbasisunderArticle5EUDPRand,whererelevant,fulfiltheconditionsunderArticle10(2),point(i)EUDPR.TheEDPSwelcomesthattheProposalwouldrequirethatconsentfordonationisfreelygivenanddonorsortheirrepresentativesareinformedwithregardstotheintendeduseofthedonatedmaterial.
3.1.Rolesandresponsibilitiesoftheactorsinvolved
3.2.Categoriesofpersonaldataandpurposelimitation
20.19.TheEDPSwelcomesArticle76point(1),(2)and(3)oftheProposal,whichexplicitlyidentifiesallthecategoriesofpersonaldatalistedintheProposalandthespecificpurposeforwhichthesewillbeprocessedinlinewiththeProposalIndeed,theEDPSnotesthattheneedtoprotectthedignityandintegrityofdonors,recipientsandoffspringsbornfrommedicallyassistedreproduction,referredtoinRecital44oftheProposal,callsfor thehighestpossibledataprotectionsafeguards,aswellas strictpurposelimitation.TheEDPShighlightsthattherightofdignityoftheindividuals personaltheirdonationconcernedmustalwaysbetakenintoaccount,particularlybyensuringthatconsentforofSoHO,asanethicalandlegalrequirement,isfreelygivenandthatdonorsandrepresentativesarefullyinformedinparticularwithregardstoanyprocessingoftheirdata. 19SeeRecitals33,36and38andArticles29(7)(a),35(3),35(13),36(3),36(5),56(4)(a)(i),62(5),62(7)(b)and68(1)(e)oftheProposal. 20 EuroProposalforaRegulationoftheEuropeanParliamentandoftheCouncilamendingRegulation(EC)No851/2004establishingapeanCentrefordiseasepreventionandcontrol.COM/2020/726final.
7 3.Specificremarks
18.17.16.TheEDPSwelcomesthatArticle76(6)oftheProposalprovidesthat,inrelationtotheirresponsibilitiestoprocesspersonaldatatocomplywiththeobligationsoftheProposal,theSoHOentities,meaningthecompetentauthorityorauthoritiesoftheMemberStatesthatareconferredresponsibilityfortheSoHOsupervisoryactivities,shallberegardedas‘controllers’asdefinedinArticle4(7)GDPR.Moreover,theEDPSwelcomesthatArticle76(7)oftheProposalprovidesthat,inrelationtoitsresponsibilitytoestablishandmanagetheEUSoHOPlatform,theCommissionshallberegardedascontrollerasdefinedinArticle3(8)EUDPR.Inthisregard,theEDPSalsonotesthat,asreflectedintheExplanatoryMemorandumtotheProposal,theProposalestablisheslinks 19withtheEuropeanCentreforDisease strengthenedPreventionandControl(‘ECDC’),forwhichthemandatehasbeenproposedtobe 20,alsointhefieldofSoHOs.Tothisend,theEDPSconsidersthatfurther actinneeded.clarityastowhetherECDCwillbeprocessingpersonaldatawithintheSoHOPlatformisShouldthisbethecase,theEDPSconsidersthattheECDCwouldlikely(also)begasacontrollerwithinthemeaningofdataprotectionlaw. TheEDPStherefore invitesthecolegislatortoclarifyfurtherintheProposalwhethertheECDCwould beprocessingpersonaldatawithintheSoHOPlatformand,ifso,toidentify explicitlyitsrolewithinthemeaningofdataprotectionlaw.
8 22.21.Againstthisbackground,theEDPSnotesthatRecital46oftheProposalprovidesthatentrustedcompetentauthoritiesasdatacontrollerswithinthemeaningoftheGDPRwillhavepowerstotakedecisionsontheaccesstoandreuseofdata.Inthisregard,theEDPSunderstandsthat,asoutlinedthroughouttheProposal,thepurposeforthereuseofsuchdata,ifany,wouldbepurelyhealthrelated. Therefore,theEDPS Proposalrecommendsthattheco-legislatorclearlyidentifyintheenactingtermsofthethespecificpurposeforwhichsuchdatawouldbereused ,particularly 23.principletakingintoaccountthehighrisksforthepersonsconcernedandthekeydataprotectionofpurposelimitationinlinewithArticle5(1)(b)GDPR.TheEDPSalsonotesthatArticles44,45and47oftheProposalprovidethatSoHOentitieswillbeobligedtoperformactivitiesofdatacollectionandreporting,traceabilityandcodingandvigilanceandreportingrespectively.Inthisregard,theEDPS,whileconsideringthatprocessingofpersonaldatamaypossiblyoccurinthiscontext,alsonotesthatArticle76oftheProposalondataprotectiondoesnotrefertotheprocessingoperationslistedintheaforementionedArticles.Forthesakeoflegalclarity, theEDPSrecommendstoclarify ProposaltakingintheaforementionedArticleswhetheranyprocessingofpersonaldatawouldbeplaceand,ifso,tospecifythepurposeofsuchprocessinginArticle76oftheitself .
3.4.Otherspecificcomments
3.3.Storageduration
25.Inthisregard,inlinewiththestoragelimitationprinciple,theEDPSunderlinesthatpersonaldatashouldbekeptinaformwhichpermitstheidentificationofdatasubjectsfornolongerthannecessaryforthepurposesforwhichpersonaldataareprocessed.TheEDPSrecallsthattheperiodoftimeshouldbeasshortaspossibleinrelationtothepurposepursuedandmustbejustifiedinordertoensurethatthestorageislimitedtowhatisnecessaryforthepurpose(s)pursued.Aslimitingtheretentionofpersonaldataconstitutesanimportantsafeguardtoprotectindividualsagainstmisuseoftheirpersonaldata, the maximumEDPSrecommendsthatthecolegislatorclearlydefineintheProposalitselfthedurationforwhichpersonaldatamaybestored .
26.TheEDPSwelcomesArticle53(1)(d)oftheProposalondonors’protectionandArticle55(3)(g)oftheProposalontherecordingandprotectionofdonors’personaldata,inChapterVI.However,theEDPSnotesthatsimilarprovisionsaremissinginChapterVIIoftheProposal,relatedtotheprotectionofSoHOrecipientsandoffsprings.
24.TheEDPSnotesthatArticle74(3)oftheProposalprovidesthat“[t]heCommissionshall thetheadoptimplementingactslayingdowntechnicalspecificationsfortheEUSoHOPlatform,(...),retentionperiodsforpersonaldataandthetechnicalandorganisationalmeasurestoensuresafetyandsecurityofpersonaldataprocessed ”,whileArticle76(8)oftheProposal providesthat“(...)theCommissionisempoweredtoadoptdelegatedactsinaccordancewith asArticle77supplementingthisRegulationbylayingdowntheretentionperiodsforpersonaldataappropriatetotheirpurpose(...) ”.
28.recipientandoffspringprotectionTheEDPSalsonotesthatArticle55(g)oftheProposalprovidesthat,inadditiontootherinformationtobeprovidedpriortoconsentorauthorisation,“ [i]ncaseoflivingdonors, (...)”.inpersonalSoHOentitiesshallprovideinformationregarding(...)therecordingandprotectionofdonorandhealthdataandmedicalconfidentiality,includinganypotentialsharingofdatatheinterestofdonorhealthmonitoringandofpublichealth,asnecessaryandproportionate donorunclearInthisregard,theEDPSconsidersthat,asdrafted,theaforementionedArticleisbothastotheexactinformationthatwouldbeprocessed‘intheinterestofthe’,andastothenecessityandproportionalityassessmentinthiscontext.Therefore, placecontext,theEDPSrecommendstoexplicitlyclarifytheinformationtobeprocessedinthisaswellashowwouldthenecessityandproportionalityassessmenttake.
29.Lastly,theEDPSnotesthatArticle14(2)ofDirective20004/23/EConsettingstandardsofqualityandsafetyforthedonation,procurement,testing,processing,preservation,storageanddistributionofhumantissuesandcellscurrentlyprovidesthatMemberStatesmust“(...) donationsunauthorisedtransferunauthorisedensurethat:(a)datasecuritymeasuresareinplace,aswellassafeguardsagainstanydataadditions,deletionsormodificationstodonorfilesordeferralrecords,andofinformation;(b)proceduresareinplacetoresolvedatadiscrepancies;and(c)nodisclosureofinformationoccurs,whilstguaranteeingthetraceabilityof .” reinstatedTheEDPSconsidersthatsuchmoredetailedprovisionscouldbeusefullyintheProposal,initsproposedformofaRegulation ,inorderto strengthenprotectionfordonorsandrecipientsandoffspringsofSoHO.
27.Additionally,inordertoensureahighlevelofprotectionofpersonaldata,theEDPS personalrecommendsinsertingareferencetotherisksstemmingfromtheprocessingofdatainArticle52oftheProposal, ontheobjectivesregardingSoHOdonor protection,aswellasinArticle57oftheProposal,ontheobjectivesregardingSoHO
9
4.Conclusions
30.Inlightoftheabove,theEDPSmakesthefollowingrecommendations: (4)(3)(2)(1)toclarifythatinformedconsenttothedonationofmaterialundertheSoHORegulationisnotthesameasconsentreferredtointheGDPRasoneofthelegalbasisfortheprocessingofpersonaldata;toclarifyforwhichspecificpurposesreuseofpersonaldata,ifany,relatedtodonorsandrecipients,andoffsprings,ofSoHOisenvisaged,takingintoaccounttheethicalandlegalprincipleofinformedconsentlaiddownunderArticle3(2)oftheCharter,andthehighrisksforthepersonsconcerned.toclarifyintheProposalwhethertheECDCwouldbeprocessingpersonaldatawithintheSoHOPlatformand,ifso,toexplicitlyidentifyitsrolewithinthemeaningofdataprotectionlaw;toclearlyidentifyintheenactingtermsoftheProposalthespecificpurposeforwhichsuchdatawouldbereused,particularlytakingintoaccountthehighrisksforthepersonsconcernedandthekeydataprotectionprincipleofpurposelimitation;
(8)(7)(6)(5)toclarifyinArticles44,45and47oftheProposalwhetheranyprocessingofpersonaldatawouldbetakingplaceand,ifso,tospecifythepurposeofsuchprocessinginArticle76oftheProposalitself;toclearlydefineintheProposalitselfthemaximumdurationforwhichpersonaldatamaybestored;toinsertareferencetorisksstemmingfromtheprocessingofpersonaldatabothinArticle52oftheProposal,ontheobjectivesregardingSoHOdonorprotection,aswellasArticle57oftheProposal,ontheobjectivesregardingSoHOrecipientandoffspringprotection;toexplicitlyclarifyinArticle55(g)oftheProposaltheinformationtobeprocessedinthiscontext,aswellashowwouldthenecessityandproportionalityassessmenttakeplace.
WojciechBrussels,07September2022RafałWIEWIÓROWSKI [esigned]
10