D.2.3. Summary of Pilot-related regulatory requirements

PROJECT: Coach assistant via projected and tangible interface

GRANT AGREEMENT Nr. 769830

D.2.3. – Summary of Pilot-related regulatory requirements

SUBMISSION DUE DATE: Month 15, 28.02.2019

DELIVERABLE VERSION: #3.0

ACTUAL SUBMISSION DATE: Month 15, 28.02.2019

This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 769830

Ref. Ares(2019)1383872 - 28/02/2019



DELIVERABLE TITLE: Summary of Pilot-related regulatory requirements

DELIVERABLE No.: D.2.3

Deliverable Version: #3.0

Deliverable Filename: Captain_D2.3_Summary of Pilot-related regulatory requirements_v.3.docx

Nature Of Deliverable: R = Report

Dissemination Level: Public

Number Of Pages: 32

Work Package: WP2. Requirements elicitation and Technical specification

Partner Responsible: SIT

Author(s): Valentina Conotter (SIT), Maurizio Gianordoli (SIT), Giulia Onorati (SIT)

Contributor(s): Eliana Eliadou (AMEN), Evdokimos Konstantinidis (NIV), Pjotr Mjakosin (DIG), Unai Diaz-Orueta (MU), Antonis Billis (AUTH), Andoni Beristain (VIC), Rosa Almeida (INTRAS), Alejandro Rivero Rodrìguez (SAL), Wolfgang Kniejski (INI), Walter Mattei (APSS)

Editor: Valentina Conotter (SIT)

Reviewed by: Christos Frantzidis (AUTH), Pjotr Mjakosin (DIG)

Approved by: Panos Bamidis, Project Coordinator

PROJECT FULL TITLE: Coach assistant via projected and tangible interface

Type Of Action: Research & Innovation Action (RIA)

Topic: H2020-SC1-PM-15-2017: Personalised coaching for well-being and care of people as they age

Start Of Project: 1 December 2017

Duration: 36 months

Project URL: www.captain-eu.org


Table of Contents

LIST OF ACRONYMS
LIST OF TABLES
1 EXECUTIVE SUMMARY
2 INTRODUCTION
  2.1 REGULATORY CONSTRAINTS: RATIONALE
  2.2 DELIVERABLE INTERDEPENDENCIES
  2.3 COLLECTION OF LEGAL AND ETHICAL REQUIREMENTS FROM THE PARTNERS
3 ETHICAL CONSTRAINTS AND REGULATIONS
  3.1 THE DECLARATION OF HELSINKI
  3.2 EUROPEAN DIRECTIVES AND REGULATIONS
  3.3 NATIONAL REGULATIONS AND LOCAL NORMS
    3.3.1 Greece
    3.3.2 Spain
    3.3.3 Ireland
    3.3.4 Italy
    3.3.5 Cyprus
4 SECURITY AND PRIVACY REGULATIONS
  4.1 DATA PROTECTION DIRECTIVE (95/46/EC) AND E-PRIVACY DIRECTIVE (2002/58/EC)
  4.2 GENERAL DATA PROTECTION REGULATION 2016/679 (GDPR)
  4.3 INFORMED CONSENT
  4.4 NATIONAL LAWS
    4.4.1 Greece
    4.4.2 Spain
    4.4.3 Ireland
    4.4.4 Italy
    4.4.5 Cyprus
    4.4.6 France
    4.4.7 Germany
    4.4.8 Estonia
5 CONCLUSION
6 REFERENCES


LIST OF ACRONYMS

Acronym: Description

ADL: Activities of Daily Living

DoA: Description of Action

DPO: Data Protection Officer

ePR: ePrivacy Regulation

GDPR: General Data Protection Regulation

LL: Living Lab

WMA: World Medical Association

LIST OF TABLES

Table 1 Deliverable interdependencies


1 EXECUTIVE SUMMARY

This document delivers the results of the activities carried out in Task 2.4, associated with the collection and analysis of the requirements of all partners in terms of ethical approval, data management and privacy regulation, harmonizing them with general EU regulations. Chapter 3 deals with ethical constraints and regulations at both European and national level, starting from the Helsinki Declaration. This is followed by an overview of how the European directive has been adopted in the several participating countries. Issues related to privacy and security are described in Chapter 4, including data management, data protection and informed consent regulations at both European and national level.

2 INTRODUCTION

2.1 REGULATORY CONSTRAINTS: RATIONALE

The main objective of CAPTAIN is to design, implement and test a transparent technology able to turn the home of older adults into a ubiquitous assistant to offset their memory impairments and empower them during ADLs. In order to achieve this goal, it is necessary to involve the whole supply chain: primary end-users (elderly), secondary users (formal and informal caregivers), intermediaries (e.g., patient associations, community services) and customer buyers (e.g., tech/service and healthcare providers).

The acceptance and adoption of healthcare and assistive technologies depend on a close collaboration between end-users and technologists from the early phases of the deployment of CAPTAIN, in line with the adopted agile methodology. As such, ethical and legal factors play an important role in CAPTAIN. Securing the rights of all the involved stakeholders is an integral and important aspect of the project. T1.4 is responsible for ensuring ethical and security compliance, while T1.5 is responsible for ensuring data management and privacy compliance. A few European Regulations, Directives and their transpositions into national laws and regulations are important: (a) Privacy: EU General Data Protection Regulation (GDPR) 2016/679, which entered into force in mid 2018, and (b) Medical devices and Patient’s safety: Medical device directive legislation with extensions to software, whose new form entered into force at the same time as the GDPR. The CAPTAIN project will take these regulations into consideration in the design of the CAPTAIN application, data architecture and operationalisation with respect to the health environment (T3.1). Moreover, CAPTAIN will comply with Horizon 2020 regulations on ethics and privacy, acting in accordance with EU regulations and directive (1982/2006/2014/2016 EC) as well as the respective national regulations.

2.2 DELIVERABLE INTERDEPENDENCIES

This deliverable builds on information gathered so far within the other WPs and, as such, contains either implicit or explicit references to the deliverables summarized in the following table.

Deliverable name: D1.2 First version of Ethics and Safety Manual
Description: This deliverable reported the ethical challenges relating to user involvement in the CAPTAIN project that need to be considered by the consortium throughout the project.
Delivered at: M6

Deliverable name: D1.5 Data Management Plan
Description: This deliverable defined the initial data sets to be used in CAPTAIN project along with processes associated with those data sets and user rights definition according to GDPR. This document reported data sets and guidelines associated with each type of data set and processes of data collection, storage, publication and security.
Delivered at: M6

Deliverable name: Section 5 – Ethics and Security
Description: Section 5 presented a preliminary analysis of the ethical aspects as well as to implications in terms of information security, privacy that CAPTAIN has to consider, due to the sensitive nature of the data being handled by the system.
Delivered at: Description of Action (DoA)

Deliverable name: D10.1 H – Requirement No. 1
Description: This deliverable describes the procedures and criteria that will be used to identify/recruit research participants throughout the project's timeline and actions taken to ensure absolute respect of their ethical rights in different stages of the study with an emphasis on meticulous informed consent procedures followed.
Delivered at: M12

Deliverable name: D10.2 POPD – Requirement No. 2
Description: This deliverable covers the requirement of confirmation by the competent Institutional Data Protection Officer and/or authorization or notification by the National Data Protection Authority and the definition of action measures taken within the consortium that proper authorization to not publicly available data is ensured.
Delivered at: M12

Table 1 Deliverable interdependencies

2.3 COLLECTION OF LEGAL AND ETHICAL REQUIREMENTS FROM THE PARTNERS

We established procedures to collect the relevant information related to the requirements of all partners in terms of ethical approval, data management and privacy regulation, together with generally applicable EU regulations. We collected information about the requirements to be considered in CAPTAIN by contacting partners and providing them with specific guidelines (a draft of the table of contents of the deliverable and preliminary examples of content), so as to collect all the relevant information related to:

1. National and local regulations to be followed for the deployment of the CAPTAIN technologies in terms of

   a. Ethics;
   b. Privacy;
   c. Data management;

2. Legal requirements for involving end-users in the co-creation and testing activities.

3 ETHICAL CONSTRAINTS AND REGULATIONS

Utmost attention has to be paid to ethical and legal aspects when conducting a project that involves users, and especially trials in the health domain, such as CAPTAIN [1]. As described in the DoA, the CAPTAIN project adopts the Living Lab approach to develop radically new solutions for independent living in aging citizens who may experience mild cognitive impairment and functional deficits, such as memory impairment. Living Labs (LL) are spaces of innovation constituting a network of real people with rich experience, following a community-based innovation approach. In LLs, citizens provide the engine for sensing, prototyping, validating and refining new and complex solutions, developed as part of the user-driven trend in innovation [2]. In the LL approach to the development of innovative health care technology, the whole supply chain, including researchers, industries, formal and informal carers and users, can be involved in the innovation process by co-designing and co-creating products and services in real-life contexts [3]. However, while the LL approach has been demonstrated to be successful and is more and more widely adopted, there is a lack of ethical guidelines on building and developing LLs. Living labs have to develop research considering ethical dimensions, not only with reference to legality and international rules, but also considering the group they work with [4]. As a research project developed in a Living Lab, CAPTAIN raises several moral and ethical issues dealing with personal freedom, autonomy, privacy and responsibility. Moreover, Living Labs in the CAPTAIN project will work with new technological solutions never experienced before in real settings. This leads to a lack of data on safety and on people's reactions to their use, and hence to the need to pay great attention to cautionary criteria [5]. To overcome this issue, it seems reasonable to develop a set of guidelines that provide information to help members to deal not just with situations reflected in the codes but also with any situations that arise during the research period [6].

During the collection and analysis of all ethical constraints related to CAPTAIN, already considered also in D1.2 First version of Ethics and Safety Manual, D10.1 H – Requirement No. 1 and D10.2 POPD – Requirement No. 2, we have identified three groups of regulations:

1. Declarations of ethical principles;

2. European directives;

3. National laws and local norms.

In the following sections of this deliverable, we report only excerpts of the identified groups of constraints that are significant and relevant to the CAPTAIN project. For the complete texts, one may refer to the original documents, either reported as attachments to this document or available, where possible, online.

3.1 THE DECLARATION OF HELSINKI

The involvement of human participants requires strict adherence to rules of law regarding ethics. The CAPTAIN beneficiary and partner organisations will conduct research in the spirit of the Helsinki Declaration where applicable and commit to abide strictly by the principles of:

• Respecting human dignity and integrity;

• Ensuring honesty and transparency towards participants and notably getting free and informed consent (as well as assent whenever relevant);

• Protecting vulnerable persons;

• Ensuring privacy and confidentiality;

• Sharing of the benefits with disadvantaged populations;

• Following the highest standards of research integrity (i.e. avoiding any kind of fabrication, falsification, plagiarism, unjustified double funding or other type of research misconduct) as defined in the European Code of Conduct for Research Integrity.

The Declaration of Helsinki was developed for the medical community by the World Medical Association (WMA) and is considered the cornerstone document on human research ethics [7]. The Declaration of Helsinki was generally adopted in June 1964 and has undergone several revisions since then (the most recent in October 2013).

Although the Declaration is morally binding for physicians, it does not constitute a legally binding instrument under international law. These concepts are stated in the Preamble, as follows:

• Art. 1. The World Medical Association (WMA) has developed the Declaration of Helsinki as a statement of ethical principles for medical research involving human subjects, including research on identifiable human material and data;


• Art. 2. Consistent with the mandate of the WMA, the Declaration is addressed primarily to physicians. The WMA encourages others who are involved in medical research involving human subjects to adopt these principles.

On the other hand, the Declaration draws its authority from the degree to which it has been codified in, or has influenced, national or regional legislation and regulations. In this regard, the Declaration recommends that ethical considerations must always take precedence over laws and regulations.

• Art. 9. It is the duty of physicians who are involved in medical research to protect life, health, dignity, integrity, right to self-determination, privacy, and confidentiality of personal information of research subjects [...].

The fundamental principle to consider in doing research involving human subjects is the respect for the individual, as stated in Section “General principles”, in particular Articles 6, 7 and 8, as follows:

• Art. 6. The primary purpose of medical research involving human subjects is to understand the causes, development and effects of diseases and improve preventive, diagnostic and therapeutic interventions (methods, procedures and treatments). Even the best-proven interventions must be evaluated continually through research for their safety, effectiveness, efficiency, accessibility and quality;

• Art. 7. Medical research is subject to ethical standards that promote and ensure respect for all human subjects and protect their health and rights;

• Art. 8. While the primary purpose of medical research is to generate new knowledge, this goal can never take precedence over the rights and interests of individual research subjects.

The second principle of the Declaration is the right of the subject of research to self-determination and the right to make informed decisions (Articles 25, 26 and 31). This applies to participation in research, both initially and during the course of the research. In particular, according to Article 26, the subject must express explicit consent in the appropriate form.

• Art. 25. Participation by individuals capable of giving informed consent as subjects in medical research must be voluntary. Although it may be appropriate to consult family members or community leaders, no individual person capable of giving informed consent may be enrolled in a research study unless he or she freely agrees;

• Art. 26. In medical research involving human subjects capable of giving informed consent, each potential subject must be adequately informed of the aims, methods, sources of funding, any possible conflicts of interest, institutional affiliations of the researcher, the anticipated benefits and potential risks of the study and the discomfort it may entail, post-study provisions and any other relevant aspects of the study. The potential subject must be informed of the right to refuse to participate in the study or to withdraw consent to participate at any time without reprisal. Special attention should be paid to the specific information needs of individual potential subjects as well as to the methods used to deliver the information. After ensuring that the potential subject has understood the information, the physician, or another appropriately qualified individual, must then seek the potential subject’s freely-given informed consent, preferably in writing. If the consent cannot be expressed in writing, the non-written consent must be formally documented and witnessed. All medical research subjects should be given the option of being informed about the general outcome and results of the study;

• Art. 31. The physician must fully inform the patient which aspects of their care are related to the research. The refusal of a patient to participate in a study or the patient’s decision to withdraw from the study must never adversely affect the patient-physician relationship.

In the CAPTAIN project, inclusion, exclusion and discontinuation criteria are being defined so as to include participants who are all able to give consent on their own, thus not requiring informed consent to be sought from their relatives. In any case, the signing of the informed consent is mandatory for all participants before starting any project activities involving them. The Declaration recommends special vigilance in recognising vulnerable individuals and groups (Articles 19 and 20) and, consequently, their special protection, which must be carefully considered, given that the CAPTAIN project might deal with mildly cognitively impaired people:

• Art. 19. Some groups and individuals are particularly vulnerable and may have an increased likelihood of being hurt or of incurring additional harm. For this reason, all vulnerable groups and individuals should receive specifically considered protection;

• Art. 20. Medical research with a vulnerable group is only justified if the research is responsive to the health needs or priorities of this group and the research cannot be carried out in a non-vulnerable group. In addition, this group should stand to benefit from the knowledge, practices or interventions that result from the research.

Regarding the design and approval of the research study, the principle is that of minimization of the risks and careful evaluation of the benefits (Articles 17, 18), appropriateness and necessity of the study (Articles 21, 22), and the requirement that the study protocol must be discussed and approved by an “independent” and “duly qualified” Ethics committee (Article 23).

• Art. 17. All medical research involving human subjects must be preceded by careful assessment of predictable risks and burdens to the individuals and groups involved in the research in comparison with foreseeable benefits to them and to other individuals or groups affected by the condition under investigation. Measures to minimize the risks must be implemented. The risks must be continuously monitored, assessed and documented by the researcher.

• Art. 18. Physicians may not be involved in a research study involving human subjects unless they are confident that the risks have been adequately assessed and can be satisfactorily managed. When the risks are found to outweigh the potential benefits or when there is a conclusive proof of definitive outcomes, physicians must assess whether to continue, modify or immediately stop the study.

• Art. 21. Medical research involving human subjects must conform to generally accepted scientific principles, be based on a thorough knowledge of the scientific literature, other relevant sources of information, and adequate laboratory and, as appropriate, animal experimentation. The welfare of animals used for research must be respected.

• Art. 22. The design and performance of each research study involving human subjects must be clearly described and justified in a research protocol. The protocol should contain a statement of the ethical considerations involved and should indicate how the principles in this Declaration have been addressed. The protocol should include information regarding funding, sponsors, institutional affiliations, potential conflicts of interest, incentives for subjects and information regarding provisions for treating and/or compensating subjects who are harmed as a consequence of participation in the research study. In clinical trials, the protocol must also describe appropriate arrangements for post-trial provisions.

• Art. 23. The research protocol must be submitted for consideration, comment, guidance and approval to the concerned research ethics committee before the study begins. This committee must be transparent in its functioning, must be independent of the researcher, the sponsor and any other undue influence and must be duly qualified. The committee must take into consideration the laws and regulations of the country or countries where the research is to be performed as well as applicable international norms and standards. The latter must not be allowed to reduce or eliminate any of the protections for research subjects set forth in the Declaration. The committee must have the right to monitor on-going studies. The researcher must provide monitoring information to the committee, especially information about any serious adverse events. No amendment to the protocol may be made without consideration and approval by the committee. After the end of the study, the researchers must submit a final report to the committee containing a summary of the study’s findings and conclusions.

Finally, the Declaration provides recommendations on protecting the privacy of the subjects of the research, an issue strictly related to the protection of privacy in the case of data treatment with ICT systems (see Chapter 9):

• Art. 24. Every precaution must be taken to protect the privacy of research subjects and the confidentiality of their personal information.

In accordance with ethical practice in experiments with human participants, the individual CAPTAIN living labs managers will inform participants of their right to decline or to withdraw whenever they want, even if they have previously given consent, without giving any reason for having done so. All partners who will be dealing with human participants will be subject to the control of ethical committees in place at the institutional level of their respective institutions/organisations.

3.2 EUROPEAN DIRECTIVES AND REGULATIONS

The principles stated in the Declaration of Helsinki are acknowledged in the preamble (point 2) of the Directive 2001/20/EC of the European Parliament and of the Council of 4 April 2001 “on the approximation of the laws, regulations and administrative provisions of the Member States relating to the implementation of good clinical practice in the conduct of clinical trials on medicinal products for human use” [8]:

• Art. 2. The accepted basis for the conduct of clinical trials in humans is founded in the protection of human rights and the dignity of the human being with regard to the application of biology and medicine, as for instance reflected in the 1996 version of the Helsinki Declaration. The clinical trial subject's protection is safeguarded through risk assessment based on the results of toxicological experiments prior to any clinical trial, screening by ethics committees and Member States' competent authorities, and rules on the protection of personal data.

The Directive explicitly specifies its applicability in the Member States (Article 3, section 1):

• Art. 3.1. This Directive shall apply without prejudice to the national provisions on the protection of clinical trial subjects if they are more comprehensive than the provisions of this Directive and consistent with the procedures and time-scales specified therein. Member States shall, insofar as they have not already done so, adopt detailed rules to protect from abuse individuals who are incapable of giving their informed consent.

The scope of the Directive is given in Article 1, Section 1:

• Art. 1.1. This Directive establishes specific provisions regarding the conduct of clinical trials, including multi-centre trials, on human subjects involving medicinal products as defined in Article 1 of Directive 65/65/EEC, in particular relating to the implementation of good clinical practice. This Directive does not apply to non-interventional trials.

Article 2 provides definitions of the concepts referred to in the Directive. Of particular importance is the definition of what is meant by “clinical trial” and “intervention trial” (letters a, b and c):

• (a) ‘Clinical trial’: any investigation in human subjects intended to discover or verify the clinical, pharmacological and/or other pharmacodynamics effects of one or more investigational medicinal product(s), and/or to identify any adverse reactions to one or more investigational medicinal product(s) and/or to study absorption, distribution, metabolism and excretion of one or more investigational medicinal product(s) with the object of ascertaining its (their) safety and/or efficacy. This includes clinical trials carried out in either one site or multiple sites, whether in one or more than one Member State.


• (b) ‘Multi-centre clinical trial’: a clinical trial conducted according to a single protocol but at more than one site, and therefore by more than one investigator, in which the trial sites may be located in a single Member State, in a number of Member States and/or in Member States and third countries.

• (c) ‘Non-interventional trial’: a study where the medicinal product(s) is (are) prescribed in the usual manner in accordance with the terms of the marketing authorisation. The assignment of the patient to a particular therapeutic strategy is not decided in advance by a trial protocol but falls within current practice and the prescription of the medicine is clearly separated from the decision to include the patient in the study. No additional diagnostic or monitoring procedures shall be applied to the patients and epidemiological methods shall be used for the analysis of collected data.

Based on these definitions, CAPTAIN will not be considered a clinical trial, but only a human non-interventional research study. Of particular interest for the project are also the definitions of informed consent and ethics committee (letters j and k):

• (j) ‘Informed consent’: decision, which must be written, dated and signed, to take part in a clinical trial, taken freely after being duly informed of its nature, significance, implications and risks and appropriately documented, by any person capable of giving consent or, where the person is not capable of giving consent, by his or her legal representative. If the person concerned is unable to write, oral consent in the presence of at least one witness may be given in exceptional cases, as provided for in national legislation.

• (k) ‘Ethics committee’: an independent body in a Member State, consisting of healthcare professionals and nonmedical members, whose responsibility it is to protect the rights, safety and wellbeing of human subjects involved in a trial and to provide public assurance of that protection, by, among other things, expressing an opinion on the trial protocol, the suitability of the investigators and the adequacy of facilities, and on the methods and documents to be used to inform trial subjects and obtain their informed consent.

The principle of the protection of the rights of the subject, the grounds of the Helsinki Declaration, is stated in Article 3 (Protection of clinical trial subjects).

In CAPTAIN, ethics approval must be sought and obtained prior to commencing the project at the host organisation and at any other collaborating organisation involved in the data collection. Consent will be sought from the participants and their carer / guardian. The application for ethics approval will contain: 1) a summary of the project, 2) research methodology and protocols, including how participants will be selected (inclusion, exclusion and discontinuation criteria), any risks associated with the project and how they will be managed, 3) information regarding the project such as a lay (non-technical) description for potential participants and carers, 4) letters of consent, 5) all questionnaires, interview schedules, focus group scripts, and protocols. The consent forms will clearly state the purpose and benefits of the research and any associated risks, discomforts and adverse side effects resulting from participating in the study. The form will also provide an explanation of confidentiality concerning personal information and data, a contact person for withdrawing from the study, any consequences that may result from withdrawing, and a contact person who can respond to questions about the research. More details about security and information about personal data storage, processing and anonymization can be found in the D1.5 Data Management Plan, and updates will be continuously reported in the revisions of this deliverable.

3.3 NATIONAL REGULATIONS AND LOCAL NORMS

3.3.1 Greece

Guidelines for Internet-Mediated Research (remote acquisition of data included)

• Directive 2002/58/EC: Processing of personal data and the protection of privacy in the electronic communications sector;

• Directive 99/5/EC: Radio equipment and telecommunications terminal equipment and the mutual recognition of their conformity.

Data Protection guidelines for consideration in ethical applications

• Law 2472/1997;

• Law 3471/2006 (Protection of personal data and privacy in the electronic telecommunications sector and amendment of law 2472/1997).

Ethical guidelines for Health-related Research involving Human Participants

• Directive 95/46/EC: Protection of individuals with regard to the processing of personal data and on the free movement of such data;

• Medical device Directive (MDD 93/42/EEC).

3.3.2 Spain

Guidelines for Internet-Mediated Research (remote acquisition of data included)

• REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC;

• DIRECTIVE (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

Data Protection guidelines for consideration in ethical applications

• Opinion 05/2014 on Anonymisation Techniques (Working Party was set up under Article 29 of Directive 95/46/EC);

• Orientaciones y garantías en los procedimientos de ANONIMIZACIÓN de datos personales (Agencia Española de Protección de Datos, 2016) / Guidance and guarantees in the procedures of ANONYMIZATION of personal data (Spanish Agency for Data Protection, 2016);

• Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales;

• REGLAMENTO (UE) 2016/679 DEL PARLAMENTO EUROPEO Y DEL CONSEJO de 27 de abril de 2016 relativo a la protección de las personas físicas en lo que respecta al tratamiento de datos personales y a la libre circulación de estos datos y por el que se deroga la Directiva 95/46/CE (Reglamento general de protección de datos).

Ethical guidelines for Health-related Research involving Human Participants

• CIOMS International Ethical Guidelines for Health-related Research Involving Humans;

• Declaration of Helsinki – Ethical Principles for Medical Research Involving Human Subjects;

• Ley 14/2007, de 3 julio, de Investigación Biomédica.

3.3.3 Ireland

Guidelines for Internet-Mediated Research (remote acquisition of data included)

• REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC;

• DIRECTIVE (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union;

• Code of Professional Ethics of the Psychological Society of Ireland.

Data Protection guidelines for consideration in ethical applications

• Anonymisation and Pseudonymisation (Irish Data Protection Commission);

• Data Protection Guidelines on Research in the Health Sector (Irish Data Protection Commission);

• The Freedom of Information Act 2014 - provides for members of the public to gain access to records held by public bodies subject to certain conditions.

Ethical guidelines for Health-related Research involving Human Participants

• CIOMS International Ethical Guidelines for Health-related Research Involving Humans;

• Declaration of Helsinki – Ethical Principles for Medical Research Involving Human Subjects.

3.3.4 Italy

Guidelines for Internet-Mediated Research (remote acquisition of data included)

• N/A

Data Protection guidelines for consideration in ethical applications

• “Regole deontologiche per trattamenti a fini statistici o di ricerca scientifica pubblicate ai sensi dell’art. 20, comma 4, d.lgs. 10 agosto 2018, n. 101 - 19 dicembre 2018” (Ethics rules for data protection in statistical or scientific research complying with art. 20, clause 4 of the Italian Legislative Decree n. 101 of 19 December 2018).

Ethical guidelines for Health-related Research involving Human Participants

• Declaration of Helsinki – Ethical Principles for Medical Research Involving Human Subjects.

3.3.5 Cyprus

Guidelines for Internet-Mediated Research (remote acquisition of data included)

• The Regulation of Electronic Communications and Postal Services (Amendment) Law of 2006

Data Protection guidelines for consideration in ethical applications

• Law No. 31 (III)/2001: Oviedo Convention on Human Rights and Biomedicine;

• The Safeguarding and Protection of Patients’ Rights Law (2004);

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

• LAW 125(I) of 2018 law providing for the protection of natural persons with regard to the processing of personal data and for the free movement of such data.

Ethical guidelines for Health-related Research involving Human Participants

• CIOMS International Ethical Guidelines for Health-related Research Involving Humans;

• Declaration of Helsinki – Ethical Principles for Medical Research Involving Human Subjects.

4 SECURITY AND PRIVACY REGULATIONS

The CAPTAIN project will pay the utmost attention to the security and privacy of the data collected from the involved stakeholders, studying and analysing all aspects related to data management. The iterative nature of the CAPTAIN agile methodology also applies to data management studies, which will constitute a live process whose results will be reported in subsequent updates of the D1.5 Data Management Plan (M18 and M30).

The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data [10] states:

“There is a need for such legal rules in view of the increasing use made of computers for administrative purposes. Compared with manual files, automated files have a vastly superior storage capability and offer possibilities for a much wider variety of transactions, which they can perform at high speed. Further growth of automatic data processing in the administrative field is expected in the coming years inter alia as a result of the lowering of data processing costs, the availability of "intelligent" data processing devices and the establishment of new telecommunication facilities for data transmission”.

The Convention addresses also trans-border flow of personal data undergoing automatic processing or collected with the goal of being processed in an automatic manner.

The legal framework on privacy and security issues related to data protection within the EU is essentially represented by the General Data Protection Regulation (GDPR) [9], which replaced the “Data Protection Directive” (Directive 95/46/EC), and by the “ePrivacy Directive”, as detailed hereafter.

As stated in D1.2, in terms of data protection, the research activities carried out within CAPTAIN will comply with the General Data Protection Regulation (GDPR), which has been applicable since 25 May 2018 [9] in all member states to harmonise data privacy laws across Europe, acknowledging and applying all the stated directives.

In order for CAPTAIN to gain wide-scale acceptance and to comply with relevant EU Directives and National laws, an important criterion that will need to be fulfilled regarding end-user involvement will be “Transparency and Confidentiality”.

Furthermore, the consortium will liaise with the World Medical Association Ethics; Charter of fundamental rights; and the European Group on Ethics in Science and New Technologies (EGE) for counselling. End-users and other stakeholders (e.g. informal and formal carers) will contribute to the discussion on user needs as part of requirements gathering and evaluation in a continuous process. The methods for eliciting user needs are face-to-face interviews, focus group discussions, and questionnaire-based surveys; data collection will use audio recordings. The data thus collected may include personally identifiable information as well as some health information (e.g. regarding mobility or diagnosed condition). Such information will always be anonymised and kept in secure locations. All information about data anonymisation is contained in D1.5, Data Management Plan, and subsequent updates.

As the deployment process evolves, CAPTAIN will be evaluated and feedback will be gathered again through interviews and surveys. All activities involving users or their carers will take place only after ethical approval has been granted from the appropriate regional/national ethics bodies.

4.1 DATA PROTECTION DIRECTIVE (95/46/EC) AND E-PRIVACY DIRECTIVE (2002/58/EC)

Before GDPR, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 [11] was the reference text, at European level, on the protection of personal data. It applied to processing of personal data and to the free movement of such data. Together with the Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 [12] concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and Electronic Communications) [33], it provided indications about data processing.

They set up a regulatory framework that seeks to strike a balance between a high level of protection for the privacy of individuals and the free movement of personal data within the European Union (EU). Personal data are defined as “all information on an identified or identifiable person”, where an identifiable person is anyone whose identity might be determined, directly or indirectly, in particular by means of an identification number or one or several specific elements characteristic of his physical, physiological, mental, economic, cultural or social identity. The framework attributes special protection to health data [D1.2].

The privacy principles are summarized as follows:

• The collection and processing of personal data shall neither intrude on the data subjects’ privacy nor interfere with their autonomy and integrity;

• Personal data shall be collected and processed only after the person involved provides explicit consent;

• Personal data shall be collected for specified, lawful and legitimate purposes;

• The collection and processing of personal data shall be limited to the minimum necessary for achieving the specific purpose. This includes that personal data shall be retained only for the time necessary to achieve the specific purpose;

• The disclosure of personal data to third parties shall be restricted and only occur upon certain conditions;

• Personal data shall be accurate, relevant, and complete with respect to the purposes for which they are collected and processed;

• The data subject shall be able to check and influence the processing of his/her personal data;

• The processing of personal data, which are particularly sensitive for the data subject, shall be subject to more stringent protection measures than other personal data;

• Personal data shall be processed in a way that guarantees a level of security appropriate to the risks presented by the processing and the nature of the data [13].

In relation to the security of personal data processing, the Directives set strict limits on the collection and use of personal data and demand that each Member State set up an independent national body responsible for the protection of these data. In this regard, the main reference at the EU level is Article 17 of Directive 95/46/EC, according to which:

• “Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected”;

• “The Member States shall provide that the controller must, where processing is carried out on his/her behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures”.

The CAPTAIN consortium will enforce the EU Directive 2002/58/EC concerning the processing of personal data and the protection of privacy; specifically, Council of Europe Convention No. 108/1981 for the protection of individuals with regard to automatic processing of personal data. In particular, special attention is paid to the Working Document authored by the Article 29 Data Protection Working Party, which addresses the processing of personal data in monitoring by video surveillance (25 November 2002). The conditions under which it is legitimate to process personal data are: transparency (purpose and contact points are publicly available, typically through a “Register”), legitimate purpose and proportionality (purpose is constrained to a specific need).

It is worth noting that the GDPR does not replace the E-Privacy Directive, although it has amended the definition of consent. CAPTAIN will need to comply with both the GDPR and the E-Privacy Directive. The EU is in the process of replacing the current e-Privacy Law with a new ePrivacy Regulation (ePR). However, the new ePR is yet to be agreed.

4.2 GENERAL DATA PROTECTION REGULATION 2016/679 (GDPR)

In the deployment of the CAPTAIN network, all members will adhere to EU Regulation 2016/679 (GDPR) on both personal and local data protection rights and will ensure that personal data are treated in accordance with this regulation [9]. The GDPR applies to data processed by automated means (e.g. a computer database) and to data contained in or intended to be part of non-automated filing systems (traditional paper files).

GDPR applies to all organisations that are registered in the EU or have an establishment or subsidiary in the EU. It also applies to an organisation which sells goods or services to citizens of the EU and processes or monitors the personal data of EU residents. For the CAPTAIN consortium, this means that even CAPTAIN entities established in a country such as Switzerland should follow the GDPR.

There are three major stakeholders under this regulation, namely:

• Data controllers: decide the purposes and methods of processing personal data and coordinate processing;

• Data processors: are responsible for directly processing personal data based on the instructions of data controllers. This could, for example, include subcontractors;

• Data subjects: are the citizens of EU using goods and services provided by the data controllers.

GDPR has specific instructions for what types of security action may be required:

• The encryption and pseudonymization of personal data;

• Organisations should make provisions for regular testing, assessment, and evaluations of the effectiveness of technical and organisational policies for ensuring the security of the data;

• Provisions for confidentiality, integrity, availability, and resilience of processing systems and services;

• In the event of a physical or technical incident, organisations are entitled to restore the availability and access to personal data in a timely manner.

Personal data

The GDPR intends to protect the personal data of EU residents, and the data deemed personal are the following:

• Basic identity information such as name, email, address, and ID numbers

• Web data such as location, IP address, cookies data, and RFID tags

• Health, genetic, and biometric data

• Racial or ethnic data

• Political opinions

• Sexual orientation

Penalty

The GDPR authorities will be able to issue fines of up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher, if there is a breach of the terms listed by the authorities.

There are eight basic rights for individuals:

1. The Right to be Informed - The Data Subject will be informed within a predefined timeframe if data sets corresponding to him/her will be processed or if there is a request to provide access to Semi-Secured data related to the Data Subject. CAPTAIN will provide Data Subjects with information including: CAPTAIN proposals for processing their personal data, CAPTAIN retention periods for that personal data, and who it will be shared with.

2. The Right of Access - A specific mechanism via the Data Management Portal will be provided for Data Subjects to access their personal data and supplementary information, allowing them to be aware of and verify the lawfulness of the processing.

3. The Right to Rectification - The Data Subject, either directly via the Data Management Portal or indirectly via the CAPTAIN administrator, will be able to correct data sets when personal data are found to be inaccurate.

4. The Right to Erasure - With additional stipulations, the Data Subject will be able to issue a request for erasure of all data and, within a predefined period but no later than 40 days after the request, the CAPTAIN administrator will have the ability to delete all data sets corresponding to the Data Subject.

5. The Right to Restrict Processing - With additional stipulations, the Data Subject will be able to limit the processing of his/her personal data sets, with several rules and exceptions defined during consent processing.

6. The Right to Data Portability - The Data Subject will be informed within a predefined timeframe if data sets corresponding to him/her are going to be transferred outside of the current Data Centre.

7. The Right to Object - Data Subjects may at any time state that they do not want the processing of their personal data to take place or continue. Within a predefined timeframe, all data sets corresponding to the Data Subject will then be put on hold and excluded from processing until consent to processing is given again.

8. The Right Regarding Automated Decision-Making - CAPTAIN will not base a decision solely on automated means, including profiling, which produces legal or similar effects. Clear and unambiguous consent will be obtained from the Data Subject for all activities regarding his/her data sets.

Data Protection Officers (DPO)

A DPO should be appointed to facilitate the smooth functioning of data protection in certain organisations. These organisations include the Controllers and Processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences. In the CAPTAIN consortium, DigiFlak plays the role of DPO.

Cloud data storage practices

Since CAPTAIN is planning to use hybrid cloud data storage, allowing private and public access to pseudonymised and anonymised data, the cloud storage established will be equipped with adequate security measures, in terms of policies and procedures, ensuring the exercise of Data Subject rights.

4.3 INFORMED CONSENT

It is a legal requirement that all studies involving human participants (whether actors or ‘real’) obtain ethical approval to safeguard the rights, safety, dignity and welfare of those involved in research. CAPTAIN involves data capturing of end-users and will require ethical approval from the relevant committee in the countries where the monitoring takes place. Ethics and dementia experts will be consulted on the most appropriate range of mechanisms to acquire informed consent for participation in the studies, based on the legislation within the country of study. Mechanisms to withdraw consent without a need to give a reason will also be provided for the participants.

Consent is the main instrument through which the principle of self-determination is expressed (Directive 95/46/EC). Consent must be considered a prerequisite and an essential provision for any treatment of data, even more so when the processing modalities through which it is carried out create risks and potential problems for the security and integrity of the data itself. Consent is regulated in partially different ways across the various legal frameworks; however, the need for it is consistently acknowledged in all the countries, and it must satisfy four criteria:

• consent must be a clear and unambiguous indication of wishes;

• consent must be freely given;

• consent must be specific;

• consent must be informed.

From a technical point of view, consent to the processing of health data must generally be given in written form (Directive 95/46/EC art. 2). This formality is easily manageable through traditional paper-based interactions at the time of the first contact between the patient and the health care body that provides the health service, but it may become a critical point if it is not also properly managed from a digital point of view.

Most relevantly, the Article 29 Working Party, which was established under Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 for the protection of individuals with regard to the processing of personal data, published "Opinion 15/2011 on the definition of consent, adopted on 13 July 2011" [14], which states that informed consent has to be taken into account in the wording of any security, privacy and contractual disclaimer.

With the approval of the GDPR by the EU Parliament on 14 April 2016 and its enforcement on 25 May 2018, the regulation of Informed Consent evolved. Specifically, processing personal data is generally prohibited, unless it is expressly allowed by law or the data subject has consented to the processing. While it is one of the more well-known legal bases for processing personal data, consent is only one of six bases mentioned in the General Data Protection Regulation (GDPR). The others are: contract, legal obligations, vital interests of the data subject, public interest and legitimate interest, as stated in Article 6(1) GDPR.

The basic requirements for the effectiveness of a valid legal consent are defined in Article 7 and specified further in recital 32 of the GDPR. Consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis. The element “free” implies a real choice by the data subject.

For consent to be informed and specific, the data subject must at least be notified about the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing operations as a safeguard against ‘function creep’. The data subject must also be informed about his or her right to withdraw consent at any time. The withdrawal must be as easy as giving consent. Where relevant, the controller also has to inform the data subject about the use of the data for automated decision-making and about the possible risks of data transfers due to the absence of an adequacy decision or other appropriate safeguards.

Last but not least, consent must be unambiguous, which means it requires either a statement or a clear affirmative act. Consent cannot be implied and must always be given through an opt-in, a declaration or an active motion, so that there is no misunderstanding that the data subject has consented to the particular processing.

4.4 NATIONAL LAWS

The legislative aspects of the health care practice in every country, and sometimes in each region depend directly on this interpretation. The project will keep the participants well-informed about any new regulations relevant to CAPTAIN. It will also ensure that the existing ethical rules are met. Already starting from the negotiation phase, the consortium will ensure that all the documents necessary for ethical clearance are collected, including, but not limited to, copies of relevant ethics approvals, informed consent forms, information sheets and any other material required.

4.4.1 Greece

The relevant legislation with regards to CAPTAIN project as carried out in Greece is as follows:

• Law 2472/1997: the national regulatory framework related to CAPTAIN studies in Greece is contained within Law 2472/1997 “on the Protection of Individuals with regard to the Processing of Personal Data”, as amended by Laws 2819/2000 and 2915/2000. According to article 15, the Personal Data Protection Authority is responsible for the implementation of this law and all other regulations pertaining to the protection of individuals from the processing of personal data;

• Law 3471/2006: protection of personal data and privacy in the electronic telecommunications sector and amendment of law 2472/1997.

Research ethics approval process:

The collection and processing of sensitive data requires permission from the Data Protection Authority. More specifically, according to article 7, “The collection and processing of sensitive data is prohibited”. Exceptionally, the collection and processing of sensitive data, as well as the establishment and operation of the relevant file, will be permitted by the Authority when at least one of several requirements is met, including:

• The data subject has given his/her written consent (article 7.2a);

• Processing is carried out exclusively for research and scientific purposes provided that anonymity is maintained and all necessary measures for the protection of the persons involved are taken (article 7.2f). The Controller must notify the Authority in writing about the establishment and operation of a file or the commencement of data processing (article 7.3).

The Authority will grant a permit for the collection and processing of sensitive data, which will be issued for a specific period of time, depending on the purpose of data processing, and which may be renewed upon request of the Controller, as well as a permit for the establishment and operation of the relevant file (articles 7.3, 7.4).

The permit, a copy of which will be kept by the Authority, will contain information including the name and address of the Controller and the place where the file is established, the categories of personal data which are allowed to be included in the file, the time period for which the permit is granted, the terms and conditions, if any, imposed by the Authority etc.

Any change in the above must be communicated to the Authority and may entail the issuance of a new permit (articles 7.5, 7.6, 7.7). To the best of our knowledge, there are no other legal requirements with regard to the trial approval process by the Data Protection Authority. Non-pharmaceutical clinical studies do not require permission from public authorities such as the National Organization of Medicines and there are no standard protocols for conducting pilot studies. However, prior to the trial’s start, a detailed plan with information regarding the proposed research (protocol, inclusion, exclusion and discontinuation criteria of the study, risks for people participating in the study, etc.), together with a consent form, should be submitted to a local ethics committee (e.g. university’s ethics committee) for approval.

Consent Forms and Voluntary Participation

Informed consent procedures ensure that pilot participants are fully aware of the procedures, benefits and potential risks that may be involved in participating in the CAPTAIN experiments. The Consent Form to be signed by all study participants will include the following:

• Every pilot participant must give their explicit consent to their participation and to the processing of their personal data.

• The Consent Form will clearly state the following:

o The purpose and benefits of the research

o All possible risks, discomforts, adverse side-effects, if any, resulting from participating in the study

o Explanations of confidentiality – personal and data

o Who to contact in case the participant chooses to withdraw from the study, and any consequences that may result from withdrawing

o Who to contact for questions about the research


4.4.2 Spain

Spain is a Member State of the European Union, and its principal data protection legislative framework as of 25 May 2018 is Regulation 2016/679 of the European Parliament and the Council (General Data Protection Regulation - GDPR), of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Among other aspects, we consider the following articles some of the most important for the CAPTAIN research:

• article 5 of the GDPR states that personal data should only be collected for processing when such data are adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Additionally, personal data should be accurate and updated in order to show adequacy to the actual situation;

• regarding the duration of the processing, this same article 5 states that personal data should be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (storage limitation principle).

Among others, the GDPR includes a specific reference to the following security measures:

• the pseudonymisation and encryption of personal data;

• the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

• the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

• a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Within the Spanish legal system, the recently approved Organic Law 3/2018, of Personal Data Protection and Digital Rights Guarantee (LOPD), is the principal national legislative framework for personal data protection; it was developed to adapt and complement the European regulation (GDPR). The most important aspects regulated by this law that should be considered in health research are the following:

• The interested party or, where appropriate, his/her legal representative may grant consent for the use of his/her data for the purposes of health research. Such purposes may cover categories related to general areas related to a medical or research specialty.

• The use of pseudonymous personal data for the purpose of health research is considered lawful. The use of pseudonymous personal data for research purposes in public and biomedical health will require:

o A technical and functional separation between the research team and those who carry out the pseudonymization and keep the information that makes possible the re-identification.

o That pseudonymized data are only accessible to the research team when:

▪ There is an express commitment to confidentiality and not to carry out any re-identification activity.

▪ Specific security measures are adopted to avoid re-identification and access by unauthorized third parties.

The data may be re-identified at the source when an investigation using pseudonymized data reveals the existence of a real and specific danger to the safety or health of a person or group of people, or a serious threat to their rights, or when re-identification is necessary to guarantee adequate healthcare.


• When, according to Article 89 of Regulation (EU) 2016/679, a treatment is carried out for research purposes in public health and, in particular, biomedical research, the following actions will be taken:

o Carry out an impact evaluation that determines the risks derived from the treatment in the cases foreseen in the article 35 of the Regulation (EU) 2016/679 or in those established by the control authority. This evaluation will specifically include the risks of re-identification linked to the anonymization or pseudonymization of the data.

o Subject scientific research to quality standards and, where appropriate, international guidelines on good clinical practice.

o Adopt, where appropriate, measures aimed at ensuring that researchers do not access data identifying the interested parties.

The local DPO is currently investigating the national interpretation of the above-mentioned articles and we are awaiting his final assessment.

Besides the Organic Law 3/2018 (LOPD), it is necessary to consider other national regulations:

• Ley 14/1986, de 25 de abril, General de Sanidad - General Health Law;

• Ley 41/2002, de 14 de noviembre, básica reguladora de la autonomía del paciente y de derechos y obligaciones en materia de información y documentación clínica - Basic law regulating patient autonomy and rights and obligations in terms of information and clinical documentation;

• Ley 33/2011, de 4 de octubre - General Law of Public Health;

• Real Decreto 1090/2015, de 4 de diciembre, por el que se regulan los ensayos clínicos con medicamentos, los Comités de Ética de la Investigación con medicamentos y el Registro Español de Estudios Clínicos - regulation of clinical trials with medicines, the Research Ethics Committees and the Spanish Registry of Clinical Studies.

Regarding Spanish reference organizations on data protection, all the research work developed within CAPTAIN project will be carried out according to the guidelines of the main Spanish authority in data protection, the Spanish Data Protection Agency (SDPA) [15] which represents all the Spanish Data Protection Authorities in the European Data Protection Board (EDPB).

INTRAS as a partner in the scope of CAPTAIN will conform to the following research standards and good practices:

• Analysis, establishment and monitoring of ethical requirements compliance in all the practices performed;

• Interest in investigating with natural methods of assessment that yield more reliable results and a more pleasant participation for the users, through interventions adjusted to the user and mostly performed in their living context (ecological settings);

• Know-how in planning and implementing a variety of qualitative and quantitative methodologies and approaches for Impact Analysis: focus group, brainstorming, face-to-face interactions, participatory design, cross learning/training motivational approaches;

• INTRAS will act according to all the regulations detailed above as well as the regional regulations that complement them, such as:

o Ley 8/2003, de 8 de abril, sobre derechos y deberes de las personas en relación con la salud, about rights and duties of people in relation to health;

o Decreto 101/2005, de 22 de diciembre, por el que se regula la historia clínica, which regulates the clinical record.

• INTRAS has appointed a Data Protection Officer (DPO) and adapted the research processes to the GDPR. To do this, among other things, we have introduced a tool (GlobalSuite) to manage and maintain the General Data Protection Regulation as well as the traceability of the entire data protection management system. This tool allows us to define, classify and evaluate data treatments, perform a risk analysis and also the impact assessment if necessary.

4.4.3 Ireland

4.4.3.1 Irish Data Protection Act

The national legislation applicable to the E-SPACE project is contained in the Irish Data Protection Act 1988 and its amendment of 2003. Some of the most relevant articles of this law for personal data protection within the framework of this project are the following:

Article 2. Collection, processing, keeping, use and disclosure of personal data

A data controller shall, as respects personal data kept by him or her, comply with the following provisions:

• the data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly,

• the data shall be accurate and complete and, where necessary, kept up to date,

• the data:

o shall have been obtained only for one or more specified, explicit and legitimate purposes,

o shall not be further processed in a manner incompatible with that purpose or those purposes,

o shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed, and

o shall not be kept for longer than is necessary for that purpose or those purposes,

• appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Processing of Personal Data

Personal data shall not be processed by a data controller unless section 2 of this Act (as amended by the Act of 2003) is complied with by the data controller and at least one of the following conditions is met:

• the data subject has given his or her consent to the processing or, if the data subject, by reason of his or her physical or mental incapacity or age, is or is likely to be unable to appreciate the nature and effect of such consent, it is given by a parent or guardian or a grandparent, uncle, aunt, brother or sister of the data subject and the giving of such consent is not prohibited by law;

• the processing is necessary:

o for the performance of a contract to which the data subject is a party,

o in order to take steps at the request of the data subject prior to entering into a contract,

o for compliance with a legal obligation to which the data controller is subject other than an obligation imposed by contract, or

o to prevent:

▪ injury or other damage to the health of the data subject, or

▪ serious loss or damage to property of the data subject, or otherwise to protect his or her vital interests where the seeking of the consent of the data subject or another person referred to in paragraph (a) of this subsection is likely to result in those interests being damaged.


4.4.3.2 DCU Data Protection Policy

Dublin City University, as a Data Controller, is required by law to comply with the following Irish legislation relating to the processing of Personal Data: The Data Protection Act 1988 (The Principal Act) and The Data Protection (Amendment) Act 2003. To comply with the law, information (as defined by the Data Protection Acts) must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, the University must comply with the following eight Data Protection Principles or Obligations:

• Obtain and process information fairly. The Data must be obtained and processed fairly and lawfully and only when certain conditions are met.

• Keep it only for one or more specific, explicit and lawful purposes. The Data can only be obtained for specified, lawful and clearly stated purposes and only processed in accordance with the University’s notification to the Data Protection Commissioner.

• Use and disclose only in ways compatible with these purposes. Processing and Disclosure of personal data should not be incompatible with the specified purpose for which it was obtained.

• Keep it safe and secure. The Data must be kept safe and secure. DCU, as the Data Controller, is responsible for applying adequate security structures to prevent unlawful or inadvertent processing, alteration or loss of the data.

• Keep it accurate, complete and up-to-date. The Data must be kept accurate, complete and where necessary up-to-date.

• Ensure it is adequate, relevant and not excessive. The Data obtained should be adequate, relevant and not excessive.

• Retain for no longer than is necessary. The Data should not be kept for longer than is necessary for the purpose or purposes for which it was obtained.

• Give a copy of his/her personal data to that individual, on request. The Data Subject, the person to whom the information relates, has a Right of Access. The Controller must store and maintain the data in such a manner as to be able to respond to a Subject Access Request in a timely manner.

With regard to the use of Personal Data in Research, the DCU Data Protection Policy states that legislation provides certain exemptions for data collected, held and processed for research purposes (including historical and statistical purposes). If the purpose of the data processing is other than to take measures or make decisions that are targeted at particular individuals, and it does not cause substantial distress or damage, it:

• can be processed for purposes other than that for which it was collected, provided that it is still only a research purpose,

• can be held indefinitely, and is exempt from the Data Subject’s right of access (where the data is processed for research purposes only).

The results of the research or statistics derived from the research should not be made available in a form that identifies the individuals concerned. Personal data provided or used for research purposes do not have a blanket exemption from the Data Protection Rules. Researchers wishing to use personal data should be aware that the Data Protection Rules will still apply. Researchers and Project Leaders must ensure that:

• employees and students are aware that, while some exemptions are granted for the use of personal data for research purposes, the majority of the Data Protection Principles must be conformed to,

• in all circumstances where personal data is to be used for research purposes, there is an adequate review in advance of processing, to ensure that the requirements of the Act can be adhered to,

• a suitable mechanism is in place to ensure that Data Subjects whose personal data is to be, or has been processed, can meaningfully exercise their right to object to the processing of that data, on the grounds that it would cause them significant damage or distress, and


• particular care is taken when the processing involves sensitive personal data.

4.4.3.3 Maynooth University Data Protection Policy

Maynooth University collects, processes and uses data (in electronic and manual format) for a variety of purposes about its staff, students and other individuals who come in contact with the University.

The General Data Protection Regulation (GDPR) and the Data Protection Acts 1988 to 2018 (“Data Protection Law”) confer rights on individuals regarding their personal data as well as responsibilities on those persons processing personal data.

Principles of Data Protection Law

As a controller, Maynooth University complies with its responsibilities under the legislation in accordance with the following general data protection principles:

• Personal data shall be processed lawfully and fairly.

• Personal data shall be collected for one or more specified, explicit and legitimate purposes and shall not be processed in a manner that is incompatible with such purposes.

• Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed.

• Personal data shall be accurate, and, where necessary, kept up to date, and every reasonable step shall be taken to ensure that data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

• Personal data shall be kept in a form that permits the identification of a data subject for no longer than is necessary for the purposes for which the data are processed.

• Personal data shall be processed in a manner that ensures appropriate security of the data, including, by the implementation of appropriate technical or organisational measures, protection against: (i) unauthorised or unlawful processing, and (ii) accidental loss, destruction or damage.

Data Subject Rights

Data subjects for whom the University holds personal data have the following rights in relation to the processing of their personal data (subject to certain limited exceptions):

• The right to obtain access to personal data. Data subjects have the right to be provided with copies of their personal data along with certain details in relation to the processing of their personal data.

• The right to information. Data subjects have the right to be provided with certain information, generally at the time at which their personal data is obtained. Maynooth University complies with this obligation via its data protection/privacy notices.

• The right to rectification. Data subjects have the right to have inaccurate personal data that a controller holds in relation to them rectified.

• The right to object and restrict processing. Data subjects have the right to require that a controller restricts its processing of their data in some circumstances, and have the right to object to the processing of their personal data in certain circumstances.

• Rights in relation to automated decision making. Data subjects have the right not to be subjected to processing which is wholly automated and which produces legal effects or otherwise which significantly affects them, and which is intended to evaluate certain personal matters, such as creditworthiness or performance at work, unless one of a number of limited exceptions applies.

• The right to request erasure of personal data. Under certain circumstances a data subject has the right to request the erasure of their personal data.

• The right to data portability. Under certain circumstances, Maynooth University may be required to provide a data subject with a copy of their personal data in a structured, commonly used and machine readable format.

Maynooth University is obliged to comply with any requests by a data subject to exercise the above rights within strict timelines imposed under Data Protection Law (20 days).

4.4.4 Italy

Italian Legislation

Italian legislation about data protection has been updated to fully comply with GDPR (EU 679/2016), so the same founding principles apply. The previous Legislative Decree n.196 of 30 June 2013 has been amended by Legislative Decree n.101 of 10 August 2018. The Italian Data Protection Authority responsible for monitoring application of the General Data Protection Regulation is “Garante per la protezione dei dati personali” (pursuant to Article 51 of Regulation No. 2016/679). In statistical or scientific research (human related), special ethics rules apply for data protection: art.20, clause 4 of the Italian Legislative Decree n.101 of 19 December 2018.

APSS Data Protection Policy

APSS fully complies with Italian Legislation (and so with EU Regulation) and has a Data Protection Officer. Research Protocols must undergo examination by both the Ethical Committee and the internal Privacy Officer. All staff are trained on privacy.

4.4.5 Cyprus

Cyprus is a member of the EU. The Cyprus partner, Archangelos Michael Elderly People Nursing Home / Rehabilitation Centre for patients with Alzheimer (AMEN), is a non-profit organization (NGO). The involvement of AMEN in ethically relevant research is addressed where applicable according to the consortium policy described above. Currently in Cyprus there is no specific legal framework with respect to medical data, and so Cyprus relies on the general health and data protection laws as these are analyzed in the “Overview of the national laws on electronic health records in the EU Member States” report for Cyprus [16]. The main points of the corresponding legislation with regard to the CAPTAIN project are as follows:

Law No. 138(I)/2001(as amended): Processing of Data of Personal Character (Protection of the Individual). The Data Protection Law generally imposes the obligation to seek the patient’s consent before the processing of his/her health data. It is generally prohibited to process, collect or share sensitive personal data. Health Data constitute sensitive personal data and therefore, unless one or more of the exceptions apply, the processing of such data is prohibited.

Law No. 1(I)/2005 (as amended): Law on the Consolidation and the Protection of the Rights of Patients of 2004. The Patient Rights Law does not distinguish categories of data and considers all data relating to a patient as confidential. Section 15(3) stipulates that all information and data which may determine the identity of the patient must be protected. In practice, however, there are separate categories of health data with different levels of access based on confidentiality. Doctors, nurses and other staff have different access rights based on their specialization, and some information is considered “more confidential” than other information, e.g. demographic data is less confidential than medical information relating to a psychological disorder.

4.4.6 France

Nively and HOLOLAMP will pay particular attention to the ethical, legal and privacy concerns that may arise, addressing them in accordance with EU and national laws and regulations. Informed consent, privacy and good clinical practice will be maintained throughout the duration of the CAPTAIN project. Privacy will be ensured by design, based on the seven fundamental principles: proactive, by default, positive sum, lifestyle protection, visibility/transparency and respect for the users. NIVELY and HOLOLAMP will take specific steps to ensure that the privacy of individuals is always respected by anonymising data and only transferring anonymised data between sites. In practice, this means there are legal frameworks and European regulations (GDPR) under which the research project will operate, and this can be divided into legal provisions covering data, medical devices and clinical trials (when and if applicable).

This project involves gathering, storing, analysing and transferring data about individuals, therefore CAPTAIN will be required to comply with the EU General Data Protection Regulation (GDPR) on the protection of individuals with regard to the collection, controlling and processing of personal data. The applicable legislation in France is “Loi informatique et libertés”, 1978 (Act n°78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties amended by the Act of 6 August 2004, relating to the protection of individuals with regard to the processing of personal data). If needed, agreement will be sought from a representative committee of the French Comités de protection des personnes (CPP – Individual Protection Committees). CPPs represent the French equivalent to the Ethical Research.

4.4.7 Germany

The transposition of the EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data took place in several national legislations like the Federal Data Protection Act and the specific state laws of each Federal state like the Lower Saxony Data Protection Act for public bodies. Additional rules for the use of telemedia (e.g. online services) are set in the German Telemedia Act [17], which specifies the general rules from the Federal Data Protection Act [18].

The Federal Data Protection Act, within section 4, defines the admissibility of data processing and use. In particular, processing and use of personal data shall be admissible only if a legal provision permits or prescribes them or if the data subject has consented. When consent is obtained from the data subject, he/she shall be informed of the purpose of storage and of any envisaged communication of his/her data and, at his/her request, of the consequences of withholding consent. Consent shall be given in writing unless special circumstances warrant any other form. If consent is to be given together with other written declarations, the declaration of consent shall be made distinguishable in its appearance.

In the field of scientific research, a special circumstance shall also be deemed to exist where the defined purpose of research would be impaired considerably if consent were obtained in writing. In such case the information and the reasons from which considerable impairment of the defined purpose of research would arise shall be recorded in writing.


Persons employed in data processing shall not process or use personal data without authorization (confidentiality). On taking up their duties such persons, in so far as they work for private bodies, shall be required to give an undertaking to maintain such confidentiality. This undertaking shall continue to be valid after termination of their activity. If the data of the data subject are stored in a data file which several bodies are entitled to store, and if the data subject is unable to ascertain the controller of the data file, he may approach any of these bodies. Such body is obliged to forward the request of the data subject to the controller of the data file. The data subject shall be informed of the forwarding of the request and of the controller of the data file. Where a public body causes harm to the data subject through automated processing of his personal data that is inadmissible or incorrect, such body is obliged to compensate the data subject for the harm thus caused, irrespective of any fault. In grave cases of violation of privacy, the data subject shall receive adequate pecuniary compensation for the immaterial harm caused. If a data subject asserts a claim against a private body for compensation because of automated data processing that is inadmissible or incorrect and if it is disputed whether the harm caused results from a circumstance for which the controller of the data file is responsible, the burden of proof shall rest with the controller of the data file. Public and private bodies processing personal data either on their own behalf or on behalf of others shall take the necessary technical and organizational measures. Where other bodies are commissioned to process or use personal data, responsibility for compliance with data protection provisions shall rest with the principal.

The collection of personal data shall be admissible if knowledge of them is needed to perform the duties of the bodies collecting them. Personal data shall be collected from the data subject. They may be collected without his participation only if:

• a legal provision prescribes or peremptorily presupposes such collection, or

• the nature of the administrative duty to be performed necessitates collection of the data from other persons or bodies, or

• collection of the data from the data subject would necessitate disproportionate effort and there are no indications that overriding legitimate interests of the data subject are impaired.

If personal data are collected from the data subject with her/his knowledge, she/he shall be informed of the purpose of collection. If they are collected from the data subject pursuant to a legal provision, which makes the supply of particulars obligatory or if such supply is the prerequisite for the granting of legal benefits, the data subject shall be informed that such supply is obligatory or voluntary, as the case may be. At his request he shall be informed of the legal provision and of the consequences of withholding particulars.

Where personal data are collected from a private body and not from the data subject, such body shall be informed of the legal provision requiring the supply of particulars or that such supply is voluntary, as the case may be.

The storage, modification or use of personal data shall be admissible where it is necessary for the performance of the duties of the controller of the data file and if it serves the purposes for which the data were collected. If there has been no preceding collection, the data may be modified or used only for the purposes for which they were stored. Storage, modification or use for other purposes shall be admissible only if:

• a legal provision prescribes or peremptorily presupposes this,

• the data subject has consented,

• it is evident that this is in the interest of the data subject and there is no reason to assume that he would withhold consent if he knew of such other purpose,


• details supplied by the data subject have to be checked because there are actual indications that they are incorrect,

• the data can be taken from generally accessible sources or the controller of the data file would be entitled to publish them, unless the data subject clearly has an overriding legitimate interest in excluding the change of purpose,

• it is necessary for the conduct of scientific research, scientific interest in conduct of the research project substantially outweighs the interest of the data subject in excluding the change of purpose, and the research purpose cannot be attained by other means or can be attained thus only with disproportionate effort.

Processing or use for other purposes shall not be deemed to occur if this serves the exercise of powers of supervision or control, the execution of auditing or the conduct of organizational studies for the controller of the data file. This shall also apply to processing or use for training and examination purposes by the controller of the data file, unless the data subject has overriding legitimate interests. Personal data stored exclusively for the purpose of monitoring data protection, safeguarding data or ensuring proper operation of a data processing system may be used exclusively for such purposes. Personal data collected or stored for scientific research purposes may be processed or used only for such purposes. The communication of personal data to other than public bodies for scientific research purposes shall be admissible only if these undertake not to process or use the communicated data for other purposes and to comply with the following provisions. The personal data shall be anonymised as soon as the research purpose permits this. Until such time the characteristics enabling information concerning personal or material circumstances to be attributed to an identified or identifiable individual shall be stored separately. They may be combined with the information only to the extent required by the research purpose.

The GDPR raises multiple issues for companies active in the domain of eCare¹. In terms of security, the GDPR requires the implementation of technical and organisational measures to ensure a high level of security. It provides that "taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing"².

4.4.8 Estonia

For the pilots and tests run in the territory of Estonia, the CAPTAIN project will protect personal data by fully respecting and following the Personal Data Protection Act [19].

Fundamental principles for personal data protection are granted by the Constitution of 1992: right to privacy (§ 26), right to free self-realisation (§ 19) and data subject’s right to request information about him-/herself (§ 44 (3)). Estonia has ratified the Council of Europe Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data and its Additional Protocol by acts of the Riigikogu [Parliament = State Assembly], which entered into force on 1.3.2002 and 1.11.2009.

¹ Each Member State has its own legislation, which implies implementation issues specific to each country.

² In accordance with: Dumortier F., La sécurité des traitements de données à caractère personnel, Le Règlement général sur la protection des données (RGPD / GDPR), Collection du Crids, 2018, pp. 141-252.

The Personal Data Protection Act [Isikuandmete kaitse seadus] was adopted on 12.6.1996. It was replaced by new versions on 12.2.2003 and 15.2.2007. The current version is the fourth one; it was adopted on 12.12.2018 and entered into force on 15.01.2019. The Act follows the rules established by Convention 108 and its Additional Protocol, the Directive 95/46/EC of the European Parliament and of the Council, and the GDPR EU 2016/679.

The Personal Data Protection Act (PDPA) is applicable to personal data processing in all sectors of society. Estonia has also implemented the principles of the Directive in police work. The PDPA applies to criminal proceedings and court procedures with the specifications provided by procedural law (PDPA, § 2).

The Personal Data Protection Act defines the main requirements for personal data processing in Estonia, including:

Personal data processing requirements

In the processing of personal data, the controllers and processors are required to:

• rectify inaccurate personal data;

• erase personal data, if processing of the personal data is not permitted pursuant to law or this does not conform to the principles of processing of personal data;

• notify the recipient if the personal data have been transmitted illegally or if inaccurate personal data have been transmitted;

• co-operate with the Estonian Data Protection Inspectorate.

Organisational, physical and information technology security measures for protection of personal data

The controller and the processor are required to take and implement organizational and technical security measures to protect personal data in order to:

• prohibit access of unauthorised persons to data processing equipment used for processing of personal data;

• prevent unauthorized reading, copying, modification and removal of storage media;

• prevent unauthorised input of personal data and unauthorised inspection, modification or deletion of retained personal data;

• prevent deletion of data processing systems by unauthorised persons by means of data communication equipment;

• ensure access by users who hold an authorisation for the use of automated data processing systems only to such personal data which are covered by the access authorisation of the users;

• ensure an opportunity to verify and establish to which agencies personal data have been or may be transmitted or made available using data communication equipment;

• ensure an opportunity to verify and establish what personal data have been input into automated data processing systems and when and by whom the data were input;

• prevent unauthorised reading, copying, modification or deletion of personal data during transmissions of personal data or during transportation of storage media;

• ensure an opportunity to restore installed data processing systems in the case of interruptions;

• ensure functioning of data processing systems and notification of any faults in the functions thereof;

• prevent misrepresentation of personal data as a result of system malfunctions.

Principles of processing personal data

The following principles have to be complied with upon processing of personal data:

• legality and fairness: personal data are processed legally and fairly;

• purposefulness: personal data are collected for specified, explicit and legitimate purposes and they shall not be processed in any manner which is incompatible with these purposes;

• quality: personal data must be adequate and appropriate and must not be excessive given the purposes of the data processing;

• accuracy: personal data must be accurate and, if necessary, kept up to date; reasonable measures are taken to ensure that any personal data which are inaccurate with respect to the purpose of data processing shall be erased or rectified without delay;

• retention: personal data are retained in a format which enables identification of the data subject only for as long as this is necessary for achievement of the purpose for which the personal data are processed;

• security: personal data are processed in a manner that ensures appropriate security thereof, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by means of implementing appropriate technical or organisational measures.

The PDPA also regulates the position, tasks and legal competence of the independent supervisor, the Estonian Data Protection Inspectorate [Andmekaitse Inspektsioon].

The relevant procedural law for the data protection authority is covered by the Administrative Procedure Act, the Substitutive Enforcement and Penalty Payment Act and the Code of Misdemeanour Procedure. The Electronic Communications Act also covers, among other aspects, direct electronic marketing: opt-in principle for natural persons, opt-out principle for legal persons. The Estonian Data Protection Inspectorate (EDPI) is a supervisory authority referred to in Article 28 of the EU Data Protection Directive 95/46/EC. The EDPI is also the supervisory authority for freedom of information matters (Public Information Act) and for direct e-marketing (Electronic Communications Act).

5 CONCLUSION

This document details all the European, national and local legislation regarding ethics, security and privacy which is relevant for the collection and analysis of data during the CAPTAIN project. The iterative nature of the agile methodology used within the project constitutes a challenge. Nevertheless, all precautionary measures were taken to ensure maximum compliance with all legislation.

All the information related to privacy and security has already been taken into consideration in the D1.5 Data Management Plan. Likewise, all the procedures that will be followed in the CAPTAIN project to ensure compliance with ethical aspects have already been documented in D1.2 First version of Ethics and Safety Manual, D.10.1, H – Requirement No. 1 and D10.2 PODP – Requirement No. 2.

6 REFERENCES

[1] Additional Information on Ethics related to undertaking ICT research in FP7, Cordis 2007, available online at: http://cordis.europa.eu/fp7/ethics-ict_en.html

[2] Mulder, I, Velthausz, D. & Krien, M. (2008), “The Living Labs Harmonization Cube: Communicating Living Labs’ Essentials”. The Electronic Journal for Virtual Organizations and Networks 10. Special Issue on Living Labs.

[3] Lofman, P., Pelkonen, M. & Pietila, A-M. (2004), “Ethical issues in participatory action research”. Scand J Caring Science 18, 333-340.

[4] Courtney, K. L. (2008), “Privacy and senior willingness to adopt smart home information technology in residential care facilities”. Methods Inf Med. 47(1), 76-81.

[5] Manders-Huits, N. (2010), “What values in design? The challenge of incorporating moral values into design”. Science and Engineering Ethics, 17, 271–328.

[6] Sainz, F. Ramon L. Emerging Ethical Issues in Living Labs. Journal of Applied Ethics; Barcelona 3 (2012): 47-62.

[7] World Medical Association Declaration of Helsinki. Ethical Principles for Medical Research Involving Human Subjects. Available online at: https://www.wma.net/policies-post/wma-declaration-of-helsinki-ethical-principles-for-medical-research-involving-human-subjects/

[8] Directive 2001/20/EC of the European Parliament and of the Council of 4 April 2001. Available online at: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2001:121:0034:0044:en:PDF

[9] General Data Protection Regulation, 2018. Available online at: https://gdpr-info.eu

[10] Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of the Council of Europe of 1 January 1981, Strasbourg. Available online at: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108

[11] Directive 95/46/EC. Available online at: eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML

[12] Directive 2002/58/EC. Available online at: eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML

[13] Data Protection, Information Privacy, and Security Measures: an essay on the European and the Italian Legal Frameworks, Paolo Guarda. Available online at: eprints.biblio.unitn.it/1524/1/DataProtection_SecurityMeasures_Guarda.pdf

[14] Available online at: ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp187_en.pdf

[15] Additional information on Spanish Data Protection Agency available online at: https://www.aepd.es

[16] Overview of the national laws on electronic health records in the EU Member States, National Report for Cyprus available at: http://ec.europa.eu/health/ehealth/docs/laws_cyprus_en.pdf

[17] Act on Telemedia (of February 26, 2007, as amended by the law of May 31, 2010). Available online at: https://wipolex.wipo.int/en/text/325144

[18] German Federal Data Protection Act (of 30 June 2017 (Federal Law Gazette I p. 2097)). Available online at: https://www.gesetze-im-internet.de/englisch_bdsg/englisch_bdsg.pdf

[19] Additional information on the Personal Data Protection Act available online at: https://www.riigiteataja.ee/en/eli/523012019001/consolide