Your data is safe

Privacy Policy

Link to Basic Information on Data Protection

1. Introduction

MICROB-PREDICT (MICROBiome-based biomarkers to PREDICT decompensation of liver cirrhosis and treatment response) is a research project of the European Union’s Horizon 2020 Research and Innovation Programme (Ref. 825694).

The project aims to identify the role of the microbiome in liver disease progression in order to identify novel biomarkers and develop biosensors that will promote a more personalized treatment of liver disease patients. The efficacy of these treatments and the response to them will be tested in a clinical trial (the “Clinical Trial”), which will be carried out in a second phase of this Project.

MICROB-PREDICT involves the integration of existing and novel data from patients from different parts of the world (EU, UK, USA and China).

The project unites the expertise from 22 different European partners (hospitals, research foundations and institutes, patient and physician associations, and small-and-medium-sized enterprises, SMEs).

For the MICROB-PREDICT research project, the processing of personal data in a secure, fair, and transparent manner is a priority. Therefore, the Partners of the project process such data in accordance with the European Union’s General Data Protection Regulation 2016/679 of 27 April (hereinafter, the “GDPR”) and in compliance with the principles of the Declaration of Helsinki (2013), the principles of Good Clinical Practices and according to the indications of the study protocol approved by the entitled research ethics committees and the local regulatory authorities at each site/country. Likewise, the research project will be developed in compliance with the international, European, national and local regulations on biomedical research, clinical trials, uses of human biological samples, i.e. Universal Declaration on Bioethics and Human Rights, UNESCO (2015) and Convention on Biomedicine and Human Rights, Council of Europe (1997).

2. Definitions

Unless otherwise required by its context, these terms shall have the following meaning:

“We”, “Our”, “Us” or “Partners”: refers to the 22 European partners that are part of the MICROB-PREDICT research consortium.

“Data controller” or “Controller”: Shall have the same meaning as in the GDPR, i.e. the party who determines the purpose and means used for data processing.

“Data Processor” or “Processor”: Shall have the same meaning as in the GDPR, i.e. the party who carries out the processing of data on behalf of a Data Controller.

“Data Hub”: The central web-based database provided by Biobyte, as Data Processor, where all Personal Data of the MICROB-PREDICT Project is securely stored and accessed by the different Partners for fulfilling the purposes of the Project.

“You” or “Data Subjects” or “Patients”: Shall mean natural persons, such as patients and volunteers, whose personal data is being processed by Us.

“Joint controller”: Shall have the same meaning as in the GDPR, i.e. where two or more controllers jointly determine the purposes and means of processing.

“Personnel”: Shall refer to persons engaged by Us, as employees or independent contractors, as appropriate to carry out the Project.

“Personal Data”: Shall have the same meaning as in the GDPR, i.e. any data associated with a natural person that allows him/her to be identified or that makes him/her identifiable in the context of the MICROB-PREDICT Project.

“Pseudonymized Data”: The personal data that is processed in such a manner that it can no longer be attributed to a specific data subject without the use of additional information. Such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“Processing” or “Data Processing”: Shall have the same meaning as in the GDPR; inter alia, the following constitute Data Processing: the collection, recording, use, storage, modification, adaptation, disclosure, transfer or transmission, structuring, combination and deletion or destruction of personal data.

“Project” or “MICROB-PREDICT Project”: the MICROB-PREDICT research project dedicated to the investigation of the role of the microbiome in liver disease progression with the aim of identifying novel biomarkers and developing biosensors that will promote a more personalized treatment of liver disease patients.

3. Scope and Identification of joint controllers

3.1 Scope

This Privacy Policy has been designed to comply with the GDPR and is addressed to residents in the European Economic Area (EEA).

This Privacy Policy applies to Personal Data collected by Us from all Data Subjects involved in the Project. We are committed to complying with applicable laws and regulations regarding the processing of the data obtained. It is essential that the Data Subject understands and is fully informed, at the time of collection, about the processing of their personal data for the purposes set forth herein.

3.2 Identification of joint controllers

The following entities are joint controllers of your personal data:

The parties are joint controllers for the Personal Data processed under this Project, on the basis that the Partners jointly decide the purpose of the processing and what means are to be used.

You may find more information about the Partners that integrate MICROB-PREDICT by means of the following link.

3.3 Data protection officer

The Data Protection Officer (DPO) of the Coordinator of the Project (EF CLIF) will be the point of contact for all privacy-related aspects of the Project and will be at your disposal for any doubts, queries or issues you may have in relation to the processing of your personal data within the scope of the Project.

You may contact the DPO through this email address: dpo[at] or this Company’s address: Travessera de Gràcia 11, 7th floor, 08021 Barcelona – Spain.

4. Sources and Types of Personal Data processed

4.1 Sources of Personal Data

We obtain and process both information that directly identifies the Data Subject, and information that does not directly identify the Data Subject.

Personal Data from patients and healthy volunteers are collected via:

  • Previous studies (cohorts) related to liver diseases, which include the following: PREDICT, GALAXY/MICROB-LIVER, EMBL, RIFYS-RCT, FCRB, DCH-NG, META-HIT, VA-US, CANONIC, QIN, ALBUMIN-PILOT-RCT, LIVERHOPE-RCT and RCT; and
  • a new Clinical Trial conducted by the Partners that are part of the MICROB-PREDICT research consortium.

In all cases the research protocols are approved by the entitled Research Ethics Committees.

4.2 Types of Personal Data

  • Existing data and samples provided by the Data Subject from previous studies

We use the categories of Personal Data and personal data associated with human biological samples which were obtained for biomedical research purposes in previous studies (cohorts) and will be used in MICROB-PREDICT (as secondary use), as authorised by the individuals who participated in the indicated previous studies. This secondary use is in compliance with the ethical and legal standards and regulations in biomedical research applicable at the international, European and local level.

  • Data collected via the Clinical Trial

In the case that potential participants (patients and healthy volunteers) agree to participate in the Clinical Trial, they will provide the clinical partners with their Personal Data to identify them and to achieve the goals of the Project. Such data may be:

  1. Names and surnames of the Data Subjects.
  2. Health data, such as patient history data and clinical data and genetic information among others.
  3. Personal characteristics, such as family information, date of birth, place of birth, age, sex, nationality, physical or anthropometric characteristics to the extent necessary to carry out the Project.
  4. Human biological samples and personal data associated.

The personal identification data of the Data Subjects (such as name and surname) will only be accessed by the Partners that recruited them. The rest of the Partners will have exclusive access to Pseudonymized Data, so that they will not be able to directly identify a particular person.

5. Data processing purposes and Legal Basis

5.1 Purposes of the processing of the Personal Data

All Personal Data will be pseudonymized, which means that each patient will be assigned an alpha-numeric identification code and/or any other kind of pseudonymization technique in order to detach the data from the individual identifying information and thus guarantee the Data Subjects’ privacy.

This Pseudonymized Data will be processed in accordance with the purposes set out in this Privacy Policy to achieve the goals of the Project.

Partners of the Project, in their capacity as Joint Controllers, process the Personal Data collected for the following purposes:

  • to better understand the role of the microbiome in liver cirrhosis progression;
  • to identify microbiome-based biomarkers that can give information on the likelihood of disease progression and the success of treatment options;
  • to develop biosensors that can support a more personalized healthcare of liver disease patients;
  • to test patients’ response to treatment(s) discovered or investigated in MICROB-PREDICT in the Clinical Trial.

Thus, all data generated or gathered in the Project will be used with the objective of better understanding the role of the microbiome in hepatological diseases. The consortium intends to limit the amount of data handling to what is necessary to promote findings and publications in line with the Project’s objectives.

Personal Data may be further used for scientific research purposes, and data and research results of the Project may be published, only if appropriate safeguards are in place. No personal information revealing the identity of participants will be published.

Pseudonymized data may be re-used after the relevant publications, as long as it has been agreed accordingly among the Partners.

5.2 Legal Basis for the processing of the Personal Data

Previous studies (cohorts): The legal basis for the processing of data collected in previous studies (cohorts) is the consent for secondary uses. The patients’ informed consent signed and collected for the previous studies refers to the possibility of using the participants’ Pseudonymized Data, including personal data associated with human biological samples, in future medical research involving the same condition and disease area (cirrhosis and its complications).

In relation to Personal Data collected via the new Clinical Trial carried out by the Partners, the above purposes are based on different legal bases depending on the Partner:

(i) For those Partners which are public entities (e.g. universities and research institutes) the lawful basis for the processing of Personal Data, under GDPR, is ‘the public interest’. The processing of special categories of data in the MICROB-PREDICT Project, such as health data, is generally prohibited. However, it is allowed in this case because it is legitimated for reasons of public interest in the field of public health. The human biological samples are securely stored in biobanks (public and private biobanks located in Barcelona, Spain, following international, European and national regulations). 

(ii) For those Partners which are not public entities, the lawful basis for processing Personal Data is their legitimate interests in carrying out research projects. The processing of special categories of data in the MICROB-PREDICT Project, such as health data, is legitimated by the biomedical research regulations (the processing is necessary for scientific purposes) and it is performed with all safeguards established by the privacy regulations in place.

Please note that additional information regarding the balancing test carried out in order to verify the existence of a legitimate interest pursued by the Partners can be obtained upon request to the DPO of the Coordinator of the Project (EF CLIF) at the following email address: dpo[at]

Prior to inclusion in the Clinical Trial performed by Us, potential participants will be provided with all necessary tools (Informed Consent Forms (ICF) and Information Sheets (IS)) to make a rational, free, and voluntary decision. Information will be presented clearly, using short, understandable sentences, and technical terms will be avoided so that participants can properly understand the implications of their participation and their rights. Participants will be asked to give their fully informed written consent by signing the trial consent form.

Likewise, the informed consent of participants allows personal data to be used in future biomedical research about the same condition and disease area (cirrhosis and its complications).

6. Assignments and International Data transfers

6.1 Assignments

In general, we will not communicate your data to third parties outside the MICROB-PREDICT Partners, except if legally required to do so or when required by a public authority, the justice administration, or data protection supervisory authorities in compliance with legal obligations applicable to Us.

We use the services of service providers (see list below), which need to have limited access to the Personal Data for the provision of their service, acting as Data Processors. In these cases, we guarantee that we have signed specific agreements with such service providers as required by law, in which they are required to have the same or a higher level of security to protect the information provided to them.

The following entities act as Data Processors on behalf of the Partners to carry out some activities of the processing:

  • Biobyte Solutions GmbH, which will provide integration of the data into the project Data Hub.
  • BaseClear B.V., which will provide some of the analysis necessary for the development of the Project.

6.2 International Data transfers

We inform you that some of our Partners are located in Switzerland, which is a country outside the EU but is the subject of a decision issued by the European Commission according to which it is deemed to have an adequate level of data protection.

Regarding the United Kingdom, where some of our Partners are from, it is considered to be a country with an adequate level of protection in relation to privacy according to the Adequacy Decision issued by the European Commission on the 28th of June 2021. On the other hand, EMBL is an intergovernmental organization, so the transfers of data to this Partner rely on Article 49(1)(d) of the GDPR.

7. Information Security

The Personal Data will be securely integrated into the Data Hub and made available to the Partners through controlled and secure access. Strict measures will be taken to ensure that all such data will be pseudonymized and, in sum, non-identifiable.

The Data Hub complies with international standards for data protection and information security.

As explained before, all data to be integrated into the Project’s Data Hub will be Pseudonymized Data. The Personal Data that permit the direct identification of the Patients are kept in a password-protected specific file, only accessible for safety purposes or to identify those Patients who want to withdraw their consent to the use of clinical or biological data obtained during the Project. In this way, the Project’s Data Hub will guarantee the pseudonymity and non-identifiability of the Patients.

Personal Data will be exchanged with the consortium Partners as appropriate, but it will not be possible to connect the personal details of Patients with the metadata processed, so it will always be considered as Pseudonymized Data.

All Personnel authorised to process the Personal Data are required to know and observe the policies, rules, procedures, and standards that are applicable to the performance of their duties regarding the Project and the processing of Personal Data. In this context, they have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Privacy and confidentiality will be assured, and research integrity is a priority. All Consortium partners are obliged to comply with the European Code of Conduct for Research Integrity (ALLEA, 2017), to assure research integrity and avoid research misconduct and other questionable practices from the inception and during the whole process of research. MICROB-PREDICT Partners will make the maximum efforts to implement, in the scope of the Project, the necessary and appropriate security measures and procedures to:

  1. Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  2. Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  3. Regularly test, assess, and evaluate the effectiveness of technical and organizational measures to ensure the security level of the processing.

8. Personal Data Retention

The Pseudonymized Data will be uploaded in the MICROB-PREDICT Data Hub, and data generated in the Project will be kept for the full duration of the Project, that is, until approximately March 2025. During the EC-funded project period, EF CLIF, as Coordinator, and the rest of the Partners are responsible for data management. In particular, the data from the Project included in the Data Hub, managed by Biobyte, will be preserved in EMBL’s secure data storage for a minimum of 10 years after study completion and longer if internal funding is available. The contents of the master file in paper or digital format of the Clinical Trial will be retained for at least 25 years after the end of the Clinical Trial, or for a longer period if other applicable requirements so provide.

In addition, the data will be destroyed at the request of the participants. Although from that moment, the Patient’s Personal Data will no longer be processed, the knowledge acquired through the previous processing will not be affected by the withdrawal. From that moment, the human biological samples and associated Personal Data will be eliminated from the storage facilities and the database of the selected biobanks.

9. Data protection rights

9.1 Data protection rights

You can exercise the following rights that the law guarantees you in relation to the processing of your Personal Data.

Any claim we receive will be resolved as soon as possible, always in compliance with the deadlines established by law. In some cases, it may be necessary to ask for a copy of your identity document or other identifying document if it is necessary to verify your identity.

  • Right of access

You have the right to know which data are being processed, if any, and, if so, to obtain a copy of them, as well as to obtain information concerning: the origin and recipients of the data; the purposes for which they are processed; the categories of personal data processed; whether there is an automated decision-making process, including profiling; the period of data retention; and the rights provided by law.

  • Right of rectification

You have the right to obtain the rectification of your Personal Data or to complete them when they are incomplete.

  • Right to erasure

You have the right to request the deletion of your Personal Data if it is no longer necessary for the purpose for which they were collected or if We are no longer authorised to process them.

  • Right to data portability

You have the right to request data portability where the processing of your data is based on your consent or the execution of a contract, as well as when the processing is carried out by automated means. If You exercise this right, you will receive your personal data in a structured format, commonly used and readable by any electronic device. However, you can also request, where possible, that your data be transmitted directly to another Data Controller.

  • Right to restriction of processing of your personal data

You have the right to restrict the processing of your data in the following cases:

  1. When You have requested the rectification of your personal data during the period in which We verify their accuracy.
  2. When You consider that it is no longer necessary for Us to continue processing your data and You want us to keep them for the purposes of exercising or defending claims.
  3. When You consider that We are not authorized to process your data. In that case, you can ask Us to limit their use instead of requesting their deletion.
  4. In cases where there is processing based on our legitimate interest and You have exercised your right to object, you may ask Us to limit the use of your data during verification of the prevalence of such interests over yours.

  • Right to object

You have the right to object at any time to the processing of your personal data based on our legitimate interest, including profiling.

  • Right to withdraw consent given

You can withdraw your consent in connection with all processing based on it. However, we remind You that the withdrawal of consent will not affect the lawfulness of processing based on consent prior to withdrawal. Therefore, although from the moment of withdrawal, the Patient’s Personal Data will no longer be processed, the knowledge acquired through the previous processing will not be affected by the withdrawal.  

  • Right to file a complaint with the Supervisory Authority

Remember that, at any time, if You consider that We have violated your right to the protection of your data, you can lodge a complaint with the corresponding Data Protection Authority; in the case of Spain, the Spanish Data Protection Agency (

9.2 Channels for the exercise of rights

You may exercise your rights at any time and free of charge by sending an e-mail to the Data Protection Officer of the Coordinator of the Project: EUROPEAN FOUNDATION FOR THE STUDY OF CHRONIC LIVER FAILURE (EF CLIF), which will be the point of contact for the exercise of data subject rights for the MICROB-PREDICT Project, at the following e-mail address: dpo[at] or EF CLIF’s postal address: Travessera de Gràcia 11, 7th floor 08021 Barcelona – Spain.

Depending on the Partner who collected your data or the study from which it was obtained, your request may be forwarded to the appropriate persons of the Partners affected.

Notwithstanding the foregoing, you can exercise your data protection rights in respect of and before each Partner.

10. Updates to this Privacy Policy

This Privacy Policy may be subject to some further updates in the future, either to improve it, or to comply with and adjust to new applicable legislation that may affect the processing, collection and management of Personal Data. Any changes to these terms will be clearly and specifically disclosed; for example, we may use your email address to notify you of such changes.

11. Joint Controllership Agreement

The Consortium Partners have signed a JOINT CONTROLLERSHIP AGREEMENT which establishes their respective responsibilities for compliance with the obligations under the GDPR and reflects the key principles of the GDPR, specifically the principles of transparency, purpose limitation and data minimization, accuracy, quality control, storage limitation, and data integrity and security.

According to the GDPR, the essence of the arrangement shall be made available to the Data Subject. Therefore, more detailed information can be obtained upon request by contacting the Coordinator of the Project, EF CLIF, through the following electronic address: dpo[at]