ANNEX II
Granting access to pseudonymised data for research purposes referred to in Article 6
1. General principles
The Commission may grant access for research purposes to pseudonymised data held by the Commission for the purposes referred to in Article 1 of Regulation (EC) No 1217/2009, provided that the following conditions are satisfied:
(a)
the research data use complies with the purposes referred to in Article 1 of Regulation (EC) No 1217/2009;
(b)
the research data access, use and handling respect the protection of the pseudonymised data and the individual data from which these were derived, as required by Articles 16 and 16a of Regulation (EC) No 1217/2009, and by the provisions of Regulations (EU) 2016/679 and (EU) 2018/1725;
(c)
access shall be given only to data that are strictly necessary for the purposes of the research in question;
(d)
the entity requesting access to the data is recognised in the field of research, studies or analysis;
(e)
the data are required for a project of public interest the results of which be made publicly available;
(f)
the physical, technical and administrative security measures to protect the pseudonymised data are adequate for the protection of the requested pseudonymised data. The proposed measures shall be specified by the requesting entity;
(g)
the pseudonymised data are only used for the authorised time period. Any extension of the use of the data shall require authorisation by the Commission;
(h)
a pseudonymised data access request is presented to the Commission, demonstrating the compliance of the proposed research data access and use with the conditions listed in points (a) to (g).
In granting access, the Commission shall respect the principles of subsidiarity, proportionality and precaution as relevant in this context, in accordance with Articles 16 and 16a of Regulation (EC) No 1217/2009 and the provisions of Regulations (EU) 2016/679 and (EU) 2018/1725:
—
Subsidiarity principle: the data use should be relevant for the Union dimension or for several Member States. In case a request is related to a single country, the request should be submitted to the relevant Member State,
—
Proportionality principle: access is granted only in time and scope strictly necessary for the analysis,
—
Precautionary principle: risks of data misuse are minimised.
2. Request for pseudonymised data access
The data access request for a research purpose shall indicate:
(a)
the individual or the entity requesting access;
(b)
the location of the requesting individual or entity, indicating if within or outside the territory of the Union;
(c)
the legitimate purpose of the research, its financing source and the ownership of the research results;
(d)
the explanation of why this purpose requires the use of the requested pseudonymised data and why this purpose cannot be achieved by using anonymous data;
(e)
how the data access, handling and use complies with the data purpose and with data safeguards required by Regulation (EC) No 1217/2009 as well as the general principles mentioned in point 1. The requesting individual or entity should indicate the risks they identify and the mitigating action that they plan to put in place;
(f)
the individuals who will have access to the data;
(g)
the access facilities to be used;
(h)
the data sets to be accessed, the methods of analysing them;
(i)
the period of data access;
(j)
the intended results of the research to be published or otherwise disseminated; and
(k)
any other information relevant for the request justification.
The access request shall be accompanied by individual confidentiality declarations signed by all individuals who will have access to the data.
The Commission shall assess whether the request complies with the general principles mentioned in point 1 and decide whether to approve or reject the request. If compliant with Regulation (EC) No 1217/2009, the requests may be approved. The request shall be rejected if the intended use of the pseudonymised data does not comply with Regulations (EU) 2016/679 and (EU) 2018/1725 or, in any case, does not guarantee equivalent protection in the event of international transfers.
In assessing the access request, the Commission shall also take into account the need for the protection of individual data and, in particular, the compliance with the rules for data transfers to recipients located outside the territory of the Union as set out in Chapter V of Regulation (EU) 2016/679 and Chapter V of Regulation (EU) 2018/1725.