Data Protection at EMBL

I. Introduction

1. EMBL was established in 1974 as an intergovernmental institution by way of an international treaty now signed by its 29 member states. Like most other International Organisations (e.g. the United Nations, CERN) EMBL enjoys certain privileges and immunities (i.e. exemptions from the applicability of national law) and also may self-regulate its activities (i.e. establish its own institutional legal framework) within the framework of its founding act of 1973, general principles of public international law and conventions signed with its host countries.

2. Mindful of its public mandate and the sensitivity of the data it handles, EMBL has always ensured a high level of data protection in its activities. With the entry into force of the EU General Data Protection Regulation (GDPR) in May 2018, data protection in Europe has evolved – and EMBL has kept pace. Taking advantage of the express reference that the GDPR, for the first time, is making to international organisations, EMBL has self-regulated this area to clarify its status in the framework of the GDPR. By this communication, EMBL wishes to share with the scientific community the motivation for, and results of, its efforts in this respect.

II. EMBL’s data protection framework

3. Accordingly, EMBL has in the past regulated its research-related personal data processing activities relating to the use of human biological material. Expanding thereon, EMBL adopted, in 2018, a broader framework, namely the EMBL Internal Policy No 68 on General Data Protection, revised in 2025. Adapted to the needs of international scientific research, it reflects the principles of European data protection law while remaining within the boundaries of EMBL’s international legal status.

4. In particular, as regards substantive provisions, the framework defines commonly used terms such as ‘personal data’, ‘processing’, ‘data controller’. It lays down the principle of data quality, according to which controllers must have a legal basis for processing personal data, render the processing transparent, specify the purpose of processing and observe that purpose, minimise the data processed, keep data accurate and up-to-date, ensure security and be able to readily demonstrate their compliance. Data transfers to outsiders are made conditional upon data subjects being protected by the data recipient. Lastly, the fundamental freedom of scientific research is safeguarded through an overarching exception, aligned with the GDPR exceptions for scientific research.

5. As regards formal provisions, the framework requires controllers to keep records, instruct staff reporting to them, carry out impact assessments and respond to data subjects’ requests for information, correction, erasure, etc.

6. As regards institutional provisions, the framework establishes, firstly, the position of a Data Protection Officer (DPO). The DPO is independent and reports to the EMBL Director General, advises controllers, processors and data subjects, monitors compliance, and acts as liaison between EMBL and its supervisory authority. The latter, called the Data Protection Committee, is equally independent, hears complaints and has investigative and corrective powers. Moreover, the Director General may impose sanctions on controllers, and the Staff Association receives reports from the DPO, and may question the same, on the processing of staff-related data.

III. Information for collaborators

7. EMBL places great value in maintaining collaboration with researchers who are subject to the GDPR. For that reason, it is of utmost importance for EMBL to handle data received from those collaborators in a secure and responsible manner. To achieve this, EMBL engaged in extensive consultations with stakeholders.

8. EMBL deems its updated framework on data protection to be ‘adequate’ in the sense of GDPR. As in the past, EMBL welcomes controllers and processors who are subject to the GDPR to validly rely on the derogation of ‘important reasons of public interest’ under Article 49(1)(d) of the GDPR and under its predecessor, Article 26(1)(d) of Directive 95/46/EC, for transferring personal data to EMBL. Data entrusted to EMBL will be subject to adequate technical and organisational security measures. EMBL recalls specifically the mandate of EMBL to conduct world-class basic research and to enable international co-operation, as laid down in its founding act of 1973, ratified by 20 of the 28 member states of the European Union; and the mandate of the European Union under Article 179(2) of the Treaty on the Functioning of the European Union to encourage research centres and universities in their research activities of high quality and to support their free cross-border cooperation as important reasons of public interest.

9. The vast majority of inbound data transfers to EMBL will benefit from this derogation, while sectoral transfers, for example where EMBL hosts scientific conferences or recruits staff, may be subject to other derogations, notably explicit consent or necessity for the performance of a contract or the implementation of pre-contractual measures.

10. The European Data Protection Board has issued its Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 which also confirm the applicability of Article 49(1)(d) of GDPR (important reasons of public interest) where data transfers are made in relation to objectives and international cooperation under international treaties and conventions.

IV. EMBL – EU Relations

11. Under Article 50 of the GDPR, EMBL has also engaged and will continue to engage with the European Commission on the role of International Organisations under GDPR in general, and the alignment between EMBL’s self-regulatory framework and GDPR.

V. Data Subject Rights and Complaints

12. Under Article 16 of IP68, data subjects have the following rights:

  • not to be subject to a decision significantly affecting them based solely on an automated processing of data (i.e., without any human intervention), without having their views taken into consideration
  • to request, at reasonable intervals and without excessive delay or expense:
    • confirmation of the processing of personal data relating to them
    • the communication in an intelligible form of the data processed; all available information on their origin, on the preservation period as well as any other information that the data controller is required to provide in order to ensure the transparency of processing in accordance with Article 14(1) of IP68 (right of access and to information)
  • to request knowledge of the reasoning underlying data processing where the results of such processing are applied to them
  • to object at any time, on grounds relating to their situation, to the processing of personal data concerning them unless the data controller demonstrates legitimate grounds for the processing which override their interests or rights and fundamental freedoms; and
  • to request, free of charge and without excessive delay, rectification or erasure, as the case may be, of such data, if these are being or have been processed contrary to the provisions of IP68.

13. The right to object, rectification and erasure may be restricted when the processing of the data subject’s personal data is necessary:

  • for compliance with a legal obligation which requires processing according to the rules to which the data controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller
  • for archiving purposes in the public interest, historical research purposes or statistical purposes in so far as the right referred to in paragraph 1 (above) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise or defence of legal claims.

14. To exercise their rights, data subjects shall write to the process owner (via the email address that was made available to them or by post). If no email address has been provided, they may write to the DPO at dpo@embl.org, who will forward the request to the process owner.

15. It is relevant to highlight that when personal data is processed based on consent, data subjects have the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of the processing before the withdrawal. In cases where the consent has been withdrawn, the data will be deleted without undue delay.

16. Under Article 25 of IP68, data subjects may complain in writing to the DPO about any legal or material act or omission of a process owner or a data processor. In other words, data subjects may complain:

  • because their right(s) were not adequately implemented by the process owner when they exercised them, or
  • to report a breach of IP68, which can be an act or an omission (e.g. unlawful processing, etc.).

17. The DPO has 45 days to investigate and report back to the complainant. After the investigation, the DPO may provide recommendations to the process owner. For more information on how the DPO processes personal data when receiving requests or handling complaints, see this privacy notice.

18. If the data subject believes that the response of the DPO is unsatisfactory or if the DPO has failed to respond within three months from receipt of the complaint, they may lodge a complaint in writing with the EMBL Data Protection Committee (DPC) via email at dpc@embl.org.

19. The DPC must decide on the complaint within two months of receipt. It may extend that time-limit, if it considers the complaint to rest on complicated facts or legal considerations and gives prior notice to the complainant. The DPC may award appropriate remedies to data subjects, including compensatory measures. For more information on how the DPC processes personal data when handling complaints, see this privacy notice.

20. Finally, the data subject may challenge the decision of the DPC, if they consider that it affects them adversely. They may do so by lodging a request for ad-hoc arbitration, in accordance with the rules set up in Article 26 of IP68, to finally and exclusively settle the matter. The arbitrator may award appropriate remedies to data subjects, including compensatory measures.

21. Under Article 26 of IP68, the following rules shall apply to the arbitration procedure:

  • the tribunal shall consist of one arbitrator, who is to be fully legally qualified, admitted to the bar in any one or more of the countries where EMBL has a site, and who can evidence expertise in the field of personal data protection
  • in default of the parties’ agreement as to the arbitrator, the appointing authority shall be the German Institution of Arbitration (DIS)
  • the seat of the arbitration shall be Heidelberg (Germany)
  • the law governing the arbitration shall be IP68, the statutory documents of EMBL, and the general principles governing the law of international organisations and the rules of general international law
  • the language of the arbitration shall be English, German, or French, at the discretion of the data subject; and
  • the data subject agrees, where required, to sign a separate arbitration agreement setting out the nature of the dispute and submitting to arbitration in accordance with said article.

VI. Questions

22. Any questions regarding matters of data protection at EMBL should be addressed to EMBL’s Data Protection Office via email at: dpo@embl.org.
