GDPR responsibilities

Radboudumc is the coordinator of the ERN eUROGEN registry. It has contracted with Castor EDC, a tradename of company Ciwit B.V. to allow the centralized storage of the Study Data. Given the fact that the Provider (the hospital participating in the ERN eUROGEN registry) and Radboudumc jointly developed and determined the purposes and means of the ERN eUROGEN registry, Parties shall be joint Controllers. However, Radboudumc, as the central Party that coordinates the ERN eUROGEN registry, shall be responsible for the storage and the use of the transferred data. Radboudumc shall ensure that appropriate technical and operational measures are in place to safeguard against any unauthorized or unlawful processing of the Study Data and against accidental loss or destruction. Radboudumc shall promptly, and in any event within 48 hours, notify the Provider about any actual or suspected breach of the Data Protection Legislation in relation to any Study Data.

The Provider is responsible to obtain and maintain any required ethical approval or similar necessary for the provision of Study Data to the ERN eUROGEN registry. In addition, the Provider is responsible for obtaining any required informed consent from each Data Subject before enrolling the respective Data Subject into the ERN eUROGEN registry and before transferring any data from that Data Subject. To that regard the Provider shall use the patient information and consent form as approved by its competent ethics committee. The consent shall cover inter alia the transfer of pseudonymized data (i.e. removing all sensitive personal data, including but not limited to patient names, initials, and other personally-identifiable information, and leaving only a coded Data Subject number) to Radboudumc and for use within the ERN eUROGEN registry and in scientific research projects approved in accordance with the Data Access and Sharing Policy;

Notwithstanding the division of responsibilities set out above, the Parties shall be jointly responsible for the compliance to obligations imposed by the Data Protection Legislation (Article 26 of the GDPR), and the Parties shall cooperate to do all necessary things to enable performance of such compliance obligations. Given the fact that Radboudumc will not have the key to the coded Study Data provided by Provider, The Parties agree that the Provider is primarily responsible for managing Data Subject requests exercising their rights under the GDPR and will comply with article 12 of the GDPR in order to respond to such a request. However, the Parties acknowledge that Data Subjects are allowed to exercise their rights under the GDPR against both Parties. If a Data Subject makes a request to Radboudumc, Radboudumc will notify the Provider about the request without undue delay. Radboudumc will assist Provider in complying with its obligation to provide an answer to Data Subject requests.