Legal Q&A: What is Austria’s Research Organisation Act?

BBMRI.at Legal Helpdesk Service answers

The BBMRI.at Legal Helpdesk Service – operated by legal experts from BBMRI.at partner UNIVIE- answers questions on legal and regulatory matters around biobanking and/or using biological samples and data. This service is offered to BBMRI.at partners to support them, as biobanking and research using biological samples and data (e.g. human, animal/veterinary, microbial, etc.) may raise legal questions. Answers provided by UNIVIE to legal questions are published in the BBMRI.at Knowledge Base.

QUESTION:

Legal Q&A: What is Austria’s Research Organisation Act? 

ANSWER:

1. Austria’s Research Organisation Act – overview 

The Austrian Research Organisation Act (Forschungsorganisationsgesetz, or FOG^[1]) is a structural legal instrument, also on matters of data protection in the country, implementing the General Data Protection Regulation (GDPR)^[2], namely providing a legal basis for processing data pursuant to article 89 of the GDPR and thus ‘filling in’ the so-called GDPR ‘opening clauses’ that are granted to European Union (EU) Member States and allow them to implement the GDPR via national legislation with varying degrees of restrictiveness. The FOG is relevant to Biobank stakeholders as it is likely that much of the personal data (article 4(1) of the GDPR) processed (article 4(2) of the GDPR) within these scientific institutions will fall into the scope of “secondary processing” or, in the wording of the GDPR, “further processing”^[3], i.e., processing for purposes other than those for which the personal data were initially collected (recital 50 of the GDPR). It is expected that personal data (and, in particular, data concerning health – article 4(15) of the GDPR) will have been gathered for, for example, the general provision of healthcare services and management of patients’ health status. This further processing must not be incompatible with the purpose that led to the initial data collection (article 5(1)(b) and article 6(4) of the GDPR). Further processing of personal data for scientific research (“for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”), when carried out in accordance with article 89(1) of the Regulation, is considered compatible under the GDPR (article 5(1)(b); recital 50).

In Austria, §2f of the FOG lists those research materials that may be collected, archived and systematically recorded – by scientific institutions (§2b no. 12) – for purposes pursuant to article 89(1) of the GDPR as well as the data which may be processed for these purposes. ‘Repositories’ who wish to share data with other scientific institutions may also find in §2f(2) of the FOG the conditions in which this is admissible and how these requests should be processed. Also, the FOG sets out the possibility, for biobanks, of unlimited storage periods for relevant data, provided that no other more restrictive storage limitations apply (§2d(5)).

The instances in which personal data may be processed by scientific institutions pursuant to the FOG are quite broad (§2d). §2d(2) states that research organisations may process personal data in the context of big data, personalised medicine, biomedical research, biobanks and transfer to other scientific institutions as long as data is processed in pseudonymised form. Some limitations, nevertheless, apply: for example, the publication of personal identifiers^[1] must not, under any circumstances, take place (§2d(6))^[2].