Data protection in ELIXIR

  • What ELIXIR is: An overview of ELIXIR, with the points most relevant to data protection.
  • Personal data: What personal data the ELIXIR Hub handles, what personal data the Nodes handle, and data transfers from the Nodes.
  • Legal model: ELIXIR's legal personality and what it means in terms of data protection.
  • Data protection framework: The policies that protect personal data across ELIXIR.
  • Contacts: Who to contact for queries concerning data protection.

What ELIXIR is

ELIXIR is an intergovernmental organisation for life science data and resources (read more on the About us page and in the About ELIXIR brochure).

ELIXIR is organised in a Hub and Nodes model, where the Hub acts as the coordinator of the infrastructure, which is composed of services run by the Nodes. The Hub and the Nodes carry out different functions, and therefore handle different kinds of personal data.

  • The ELIXIR Hub carries out administration and coordinates the ELIXIR infrastructure.
  • An ELIXIR Node is a collection of research institutes within a country that is an ELIXIR member. ELIXIR Nodes run the scientific resources and services that are part of the ELIXIR infrastructure. 


Personal data

What personal data does ELIXIR deal with?

In practice, the ELIXIR Hub deals with personal admin data in three different contexts (a, b, c):

| Context | Personal data collected |
|---|---|
| a. ELIXIR administration | Admin data from our staff and from our governance bodies’ members and delegates, and from the members of operational groups of ELIXIR, which ELIXIR needs to carry out its day-to-day administration and management. |
| b. Internal projects funded by ELIXIR | Admin data (e.g. name, email address, home institute) from the individuals involved in the management of these projects. Read more on our Privacy page. |
| c. EU projects coordinated by the Hub | Admin data (e.g. name, email address, home institute) from the individuals involved in the management of EU Projects coordinated by the ELIXIR Hub. Read more on our EU Projects page. |

What personal data does the ELIXIR Hub NOT deal with?

The ELIXIR Hub has no access to the scientific data processed by the Nodes for internal and EU-funded projects.

What personal data do the Nodes deal with?

The Nodes deal with personal admin data (e.g. of their own staff) and scientific data.

Some EU projects (e.g. B1MG, BY-COVID) do involve personal data like genomic sequences or genotypic and phenotypic data from individuals. Such scientific data is processed by the ELIXIR Nodes or other project beneficiaries. This means that:

  • In ELIXIR Nodes located within the EU, the data is protected by European data protection legislation (GDPR).
  • In ELIXIR Nodes located outside the EU (Israel, Switzerland, and the UK), the data benefits from a level of protection essentially equivalent to that afforded within the EU. This is recognised by the adequacy decisions granted to those countries by the European Commission.
  • Any genetic or health-related data collected during projects is handled by the Nodes and thus protected by the GDPR rules (for Nodes within the EU) or national data protection rules (applicable to Nodes outside the EU) on sensitive data.

Is any personal data transferred within ELIXIR (e.g. Hub and Nodes)?

Yes, but only in the following instance and only for certain types of data:

  • The Nodes transfer administrative data to the Hub, e.g. contact details of people involved in the management of internal projects.

[Figure: Data transfer across ELIXIR, showing that only admin data, not scientific data, goes to the Hub]

Please note: Scientific data, which may include sensitive data, processed in the context of internal projects and EU projects, is never transferred to the Hub.


Legal model

ELIXIR is a consortium consisting of 21 countries and the European Molecular Biology Laboratory (EMBL). As such, ELIXIR lacks its own legal personality. To overcome this, EMBL has agreed to allow ELIXIR to use its legal personality as an international organisation.

There are two main consequences of this “borrowed” legal personality: 

1. EMBL and ELIXIR are not subject to GDPR

In the context of data protection, EMBL and ELIXIR are not subject to the EU General Data Protection Regulation (GDPR), the data protection law applied by EU countries. With EMBL’s legal personality, ELIXIR also inherits EMBL’s privileges and immunities as an international organisation (IO). The unimpeded functioning of an IO and the achievement of its objectives imply that it is exempt from national data protection law, to ensure its autonomous organisational and administrative sovereignty.

2. ELIXIR applies EMBL’s data protection rules 

Though the GDPR does not apply, ELIXIR is still subject to data protection rules, involving high standards comparable to those of GDPR. It applies EMBL’s data protection scheme, called Internal Policy 68 (IP68). The IP68 is adapted to the needs of an international scientific research organisation but reflects the principles of European data protection law while remaining within the boundaries of EMBL’s legal status.

You can read more about ELIXIR’s legal model and its relationship with EMBL in the ELIXIR Governance FAQs.

See Data Protection framework below for more about ELIXIR’s legal model and data protection.


ELIXIR’s data protection framework

ELIXIR applies EMBL’s Internal Policy 68 as its data protection law.

Why is it called “policy”?

EMBL, as an international organisation, cannot produce laws as understood within national contexts, where the State issues rules that are binding on all its citizens. Internal Policies, however, are effectively internal laws that EMBL (and ELIXIR) are obliged to follow.

The Internal Policy 68 supports the principles of GDPR in a form adapted to the intergovernmental nature of the organisation. For example, it contains principles to follow for data processing, lists the legal basis to rely on for lawful processing, lays out the rights of data subjects and provides for the appointment and independence of a Data Protection Officer.

Why does ELIXIR not apply GDPR?

  • GDPR does not apply to international organisations (recognised by the European Data Protection Board in its Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) of 12 November 2019, at page 23). 
  • Principle of functional necessity: international organisations are granted certain privileges and immunities to properly fulfil the tasks entrusted to them by their Member States. The unimpeded functioning of an IO and the achievement of its objectives imply that it is exempt from the application of national and EU data protection law.
  • ELIXIR needs to maintain an open approach with regard to data protection standards because ELIXIR Member States are not all European or part of the EU.

Why applying Internal Policy 68 is adequate in terms of GDPR

Internal Policy 68 adapts GDPR principles to the intergovernmental nature of the organisation, as well as its need for free scientific research that crosses borders and allows for extensive collaboration.

ELIXIR follows and applies fundamental principles of the GDPR – see EMBL data protection framework, section II.

[Figure: Data flow across ELIXIR]


Contacts

ELIXIR Hub’s Data Controller

Tim Hubbard
ELIXIR Director
EMBL-EBI
Wellcome Genome Campus
CB10 1SD Hinxton
Cambridgeshire, UK
Email: data-protection [at] elixir-europe.org

EMBL Data Protection Officer (DPO)

dpo [at] embl.org

Nodes’ Data Controller(s)

Please contact the Data Protection Officer for each institute.
