Advising a leading German scientific research institution on data protection in research projects and employee data

Background

My client is an internationally renowned research institution with a wide range of research fields.

Consulting in the research context involves many novel, complex and often not yet fully addressed topics. Compliance with data protection requirements in research projects, which are often publicly funded, is a top priority. In this respect, the legal consultancy has to meet high expectations; at the same time, it must be practically oriented and facilitate research projects rather than preventing them.

In addition, scientific research often takes place in co-operation with other organizations and requires coordination and consensus on an eye-to-eye level with a wide range of partners from industry and science.

My Legal Support

My legal data protection consulting services included:

• Drafting, reviewing and designing data protection agreements in research cooperations (e.g. data protection clauses in research and cooperation agreements, joint controller agreements within the meaning of Art. 26 GDPR, controller processor agreements as per Art. 28 GDPR, data provision agreements / data usage agreements).
• Advice on (de facto) anonymization of data in the research context (e.g. health data, patient data, biospecimen) and on pseudonymization of research data.
• Advice on the lawfulness of using personal data, including health data, for scientific purposes with and without consent, advice on sec, 27 of the German Federal Data Protection Act (BDSG) ("research privilege"), drafting of consents including "broad consent".
• Advice on international data transfers (e.g. to research partners or service providers), including standard contractual clauses (SCC) and carrying out transfer impact assessments (TIA)
• Advising scientists on the preparation of data protection concepts and the performance of data protection impact assessments (PIA) for their scientific research projects.
• Data protection law support for IT-related research projects (e.g., apps, collaboration platforms), data protection law review and accompanying advice, drafting of data protection notices/data protection policies and terms of use.
• Advice on the data protection-compliant use of artificial intelligence (AI) in a scientific context (e.g., analysis of CT scans or X-rays, autonomous driving).
• Advice on general employee data protection issues (e.g., use of collaboration tools, IT security tools).

Expertise gained      

• Insight into the operation and functioning of a leading scientific research institution
• Legal engagement with many cutting-edge and novel topics (such as artificial intelligence, autonomous driving)
• Filtration of information relevant to data protection in complex research projects
• Coordination with research partners and colleagues from other specialist areas (e.g. medical law)

Added Value

• Support in drafting standard contracts, checklists, and handouts  (e.g., on cookies, data protection policies, third-country transfers, joint controller agreements) to enable self-service assessment by scienticsts and researches
• Reduction of the workload on the client's internal resources in the data protection and legal department and standardization of instructions and procedures
• Tailored data protection training (e.g., on anonymization requirements or image processing using AI)