D8.5 Recommendations for a GDPR Code of Conduct for SSH

Background: The General Data Protection Regulation (EU) 2016/679 (hereinafter GDPR) has given EU/EEA countries an opportunity to harmonise their legal framework for data protection, and to improve the conditions for processing personal data in research and data sharing. Although this was one of the rationales behind the GDPR, it has not necessarily been achieved [1-3].

Main aim: To facilitate harmonisation across the EU/EEA and sectors, the European Union Commission (hereinafter EC) has highlighted the creation and use of Codes of Conduct [4]. A Social Science and Humanities (hereinafter SSH) GDPR Code of Conduct may lead to such a harmonised practice within the SSH environment [1]. This report intends to give a set of recommendations for how an SSH GDPR Code of Conduct can be created [1].

Methodology: This report is developed as a result of the input from SSHOC WP5, Innovations in Data Access (T5.3 Legal Issues of innovative data access). The report “Draft SSH GDPR Code of Conduct” started the initiative of creating an SSH GDPR Code of Conduct draft. This report intends to further this initiative. This is done by elaborating on the conditions that must be met in order to have a Code of Conduct approved, which are set up in The GDPR Article 40 and 41 [5, 6]. Some of these conditions may be particularly important to address early in the process when initiating a Code of Conduct. In addition, partners/stakeholders have been consulted.

Main outcome: The creation of an SSH GDPR Code of Conduct requires several terms to be fulfilled, before it will be approved. Building on the report “Draft SSH GDPR Code of Conduct”, this report describes these terms, suggests how they can be fulfilled and presents input from consulted partners. In sum, the report identifies the following terms that must be fulfilled in order to make a Code of Conduct draft admissible: it must be determined which organization(s) have the mandate to draft the Code; specific explanatory statements and supporting documents must be gathered, the territorial and processing scope of the Code must be determined. Further, it must be determined which supervisory authority is competent to assess and approve the Code draft; which monitoring body is appropriate for the Code and which mechanisms will enable that monitoring body to perform its task. In addition, consultation with stakeholders must be performed; and the draft Code must be in compliance with relevant national legislation and the content and language of the Code must be determined. This report presents recommendations on how the initial steps/terms can be fulfilled to get an SSH GDPR Code of Conduct draft created and admissible.

The report presents a suggested framework for the initial steps of consulting the sector to identify and document its needs, to find and agree on an organization or body that can represent the SSH Environment and to determine the potential processing and territorial scope of the SSH GDPR Code of Conduct. The initiative is a first step in specifying what remains of further work. These factors may facilitate the continuation of the work of realizing an SSH GDPR Code of Conduct, which will be of great benefit to EOSC, the research environment, data sharing and society at large.

Conclusion: A draft Code must document that relevant stakeholders have been adequately consulted on the need for a draft Code, its scope and its content. The report contains input from partners and one supervisory authority. Many of the elements that need to be decided on further along in the process are contingent upon elements on which the SSH research environment must voice their opinions. In order to effectively progress with the work on a draft Code, it will be essential that the stakeholders are involved. This report furthers the suggestions addressed in the report “Draft SSH GDPR Code of Conduct” on what an SSH GDPR Code of Conduct can regulate [1].