Patient Personal Data Protection Statement
The European Society for Blood and Marrow Transplantation (EBMT) maintains an international medical database known as the EBMT Registry. The Registry goes back to the beginning of the 1970’s and contains clinical data including aspects of the diagnosis, first line treatments, haematopoietic stem cell transplant (HSCT) or cell therapy associated procedures, complications and outcome.
The European Society for Blood and Marrow Transplantation (EBMT) is committed to safeguarding patient data in compliance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). This statement outlines the EBMT's practices for collecting, processing, storing, and protecting personal data, ensuring transparency and accountability at all stages. There is also information on how to contact the registry and the rights of individual data subjects. It was generated in response to new legislation, the General Data Protection Regulation (Regulation (EU) 2016/679, hereafter “GDPR”).
A registry is considered a separate type of data collection by privacy authorities. The importance for “coupling information from registries” in order to obtain “new knowledge of great value” is explicitly recognized (consideration 157 GDPR). The GDPR applies to usage of personal data for research and calls for interpreting the research purpose in a broad manner including for instance applied research (consideration 159 GDPR).
Why is Patient Data collected?
EBMT collects patient data to conduct scientific research aimed at advancing haematopoietic stem cell transplantation, cell therapies, and related procedures. This processing is based on GDPR provisions for scientific research (Art. 6(1)(f) and Art. 9(2)(j)), with informed consent obtained to ensure compliance with EU/EEA laws..
You can find the information of all EBMT studies in which your personal data might be used, by visiting our website on the following page: https://www.ebmt.org/research/studies
How is personal data obtained?
The EBMT works in partnership with local healthcare providers to collect data on patients undergoing bone marrow or stem cell transplantation, cell therapies, and immunosuppressive treatments for any disease in compliance with GDPR and national laws. Informed consent is mandatory for submitting data, and EBMT conducts regular reviews to ensure healthcare providers maintain appropriate consent practices
Following the GDPR, and to ensure the maximum accordance with the law of all EU/EEA nations, personal data of patients residing in EU member countries shall only be used for research through EBMT when appropriate informed consent is ensured. This has been common practice for many years already.
The informed consent is collected by the individual centres or donor registries submitting data to the EBMT to make certain that the respective national laws are followed. EBMT makes patient consent a prerequisite for submitting the data and provides all necessary information about usages of the data, to ensure appropriate consent is obtained in all cases.
What personal data is sent to the EBMT Registry?
Personal data sent to the EBMT Registry is limited to the Unique Patient Number (UPN), initials, date of birth, and gender. To ensure privacy, identifiable data is pseudonymized, replacing direct identifiers with a unique database number. This process, aligned with GDPR standards, ensures patient privacy during research while maintaining data accuracy
How is personal data processed?
The EBMT ensures that all personal data under its responsibility is processed according to the GDPR:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject;
- Collected for scientific research legitimate purposes;
- Processed adequately, relevantly and limited to what is necessary in relation to the purposes for which they are collected and/or further processed;
- Accurate and up to date;
- Kept for an unlimited period in a form which permits identification of data subjects for no other purpose than historical, statistical or scientific research purposes;
- Processed in a manner that ensures appropriate security of the personal data through technical and organisational measures.
EBMT upholds GDPR compliance through regular Data Protection Impact Assessments (DPIAs), annual audits, and staff training programs. These measures ensure continuous improvement in data protection practices.
Where is the Personal Data Stored?
Data is stored within secure facilities in GDPR-compliant countries. The EBMT implements disaster recovery plans, encrypted backups, and breach notification procedures to ensure data availability and security in all scenarios.
The data will only be accessible by the EBMT employees for the performance of their job following a stringent access control policy
Personal Data Transfers
The EBMT works with many researchers on international collaborations across scientific or clinical institutions and so, under previously gathered consent, the patient pseudonymised personal data may be sent to countries outside the EEA that are provided with the same level of protection for privacy.
Data transfers outside the EEA occur only under GDPR-approved mechanisms, such as adequacy decisions or Standard Contractual Clauses (SCCs). Pseudonymized data, identified solely by a Unique Identity Code, ensures privacy during international collaborations
EBMT will not sell, distribute or lease personal data to third parties unless the data subject has provided EBMT with his or her consent or it is allowed by law.
What the Rights of the Data Subjects?
The Data Subject has the right to the following information about its personal data being processed:
- Confirmation as to whether data related to him or her are being processed;
- Information about the purposes of the processing operations, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed;
- Communication of the data undergoing processing.
The Data Subject shall have the rights listed below:
- Access to information on his or her processed personal data;
- Rectification of any inaccurate or incomplete personal data;
- Withdraw consent and the personal data will no longer be made available for future research;
- Request that his or her personal data be completely erased from the EBMT Registry database and from databases to which the data has been exported;
- Any other right granted to the Data Subject with regard to his personal data, under his or her respective local legislation.
If as a Data Subject you wish to exercise any of the rights listed above. Please send an email to Data.Protection@ebmt.org or use the postal address below.
The Data Protection Officer
EBMT Executive Office
Aticco Med Fórum
Passeig de Garcia Fària, 49
08019 Barcelona, Spain
The Data Subject also has the right to lodge a complaint with a supervisory authority.
Comments or questions
For comments or questions, contact Data.Protection@ebmt.org. If unresolved, you may escalate concerns to your national data protection supervisory authority.