Response to the EU General Data Protection Regulation (GDPR)

The new European General Data Protection Regulation (GDPR) will enter into force in the EU on 25 May 2018. The GDPR covers the protection of all data that allow identification of an individual, including images and recordings as well as biological data.

Data concerning health are sensitive data, which have additional requirements. GDPR prohibits processing of sensitive data, unless it is for medical care, public health, or research purposes, and is only possible when explicit consent has been given OR it is in the interest of the data subject or another person OR it is necessary for the purposes of preventive medicine or public health.

GDPR requires research and healthcare institutions to have a data protection officer, appropriate security measures and be transparent to the patients about what data are stored, for how long and for what purposes.

According to the GDPR, the consent must be:

  • freely given – the patient cannot be forced to sign the consent by refusing to provide healthcare
  • specific – the data can be used only for a specific purpose, e.g. a specific research project. For every project that wasn’t considered before, the researcher must find and re-contact the patient to get a new consent.
  • informed – the patients must be provided with sufficient information, presented in an understandable way
  • unambiguous – the consent must precisely state how and by whom the data will be processed
This EURORDIS webinar explains the new data protection regulation in the EU and how it will influence rare disease research.

more videos at

These requirements, although justified in many other contexts, in case of rare diseases create obstacles for reusing and sharing data in research, diagnosis and development of new therapies. This, in consequence, is harmful for the patients.

In response to the new legislation, RD-Connect is engaged in the ongoing collaborative effort on the Code of Conduct for data sharing in biomedical research.