Need Help?

Data Protection

1 About the EGA

The European Genome-phenome Archive (EGA) was formally launched in 2008 at the European Bioinformatics Institute (EMBL-EBI), an outstation of the European Molecular Biology Laboratory (EMBL), to address an identified need for archiving and sharing the results of genome-wide association studies from the Wellcome Trust Case Control Consortium. In late 2012, with the signing of a memorandum of understanding (and subsequent formal agreement in 2016) between EMBL-EBI and the Centre for Genomic Regulation (CRG), the EGA formally became a joint project of the two institutes. The two institutes work together to support the EGA services, including supporting submissions, web site, strategic leadership, and data infrastructure developments.


The EGA is co-managed by EMBL-EBI and CRG. EMBL-EBI is an international organisation established by treaty and has certain privileges and immunities (e.g. exemptions from the application of national law) and also may self-regulate its activities (e.g. establish its own institutional legal framework) within the framework of its founding act of 1973. The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that legislates how organisations can share and process personal data of EU citizens. EMBL places great value in maintaining collaboration with researchers who are subject to GDPR. For that reason, it is of utmost importance for EMBL to handle data received from those collaborators in a secure and responsible manner. Mindful of its public mandate and the sensitivity of the data it handles, EMBL has always ensured a high level of data protection in its activities. Since the introduction of GDPR in May 2018, EMBL has established its internal policy on General Data Protection (IP68), exercising its right to self-regulate its operations,., IP 68 establishes a robust personal data protection framework that provides for data protection principles, enforceable data subject rights and oversight and redress mechanisms offering a level of protection comparable with GDPR.


The Centre for Genomic Regulation (CRG) is an international biomedical research institute of excellence, created in July 2000 and mainly participated by the Catalan Government. It is a non-profit foundation and its mission is to discover and advance knowledge for the benefit of society, public health and economic prosperity. The CRG is a CERCA center. CERCA is the collective organisation for all research centres of excellence in Catalonia. CERCA ensures these centres develop successfully by promoting synergies and strategic cooperation improving their visibility and the impact of their research and promoting the dialogue amongst both public and private stakeholders. As a legal entity based in Spain and operating within the EU, the CRG ensures the compliance with the GDPR and the legal regulations on personal data protection applicable at the national level, as well as any other legislation that may replace, modify or supplement the above-mentioned in terms of personal data protection.



4.1 Genetic and phenotypic data

Within GDPR, there are two main actors: data controllers and data processors. Data controllers are persons or entities which determine the purposes and means that the personal data may be processed, e.g. companies, researchers, or universities. For EGA, the data controller is ultimately the data producer and the submitter(s) who submit the data to EGA. The data controller also creates a Data Access Committee (DAC) who will decide on data access permissions at EGA. Data processors are the persons or entities which process the data on behalf of a data controller. With regard to GDPR, EGA is a data processor as it processes data as instructed by the data controller. GDPR applies to any organisation which accesses personal data from an individual within the EU. Under GDPR, personal data is defined as any data that is identifiable, including names and email addresses as well as health-related and genetic data. EGA does not accept personally identifiable data except genetic and phenotypic data, so all other data submitted to EGA, such as names and addresses, must be pseudonymised. GDPR requires that data controllers implement data protection principles, such as data minimisation, to minimise the risk of data leakage, and protect the rights of the data subjects. As a data processor, EGA has a set of security policies that are followed to minimise the risk of unauthorised data access or data loss.

In its role as a data processor, EGA requires all submitters to sign a Data Processing Agreement (DPA) when the submission account is first created. This agreement is only required to be signed once per submitter, and will remain valid for future submissions to EGA.

4.2 Other personal data

The EGA also collects personal data as part of our interactions with submitters, data access committees, and researchers accessing data distributed by EGA.

The below privacy notices explain what personal data is collected by the specific service you are requesting, for what purposes, how it is processed, and how we keep it secure.

Privacy Notices for EGA

Title Version Last Updated
EGA Data Access Committee Account
Privacy Notice for EGA Data Access Committee Account 1.0 February 6, 2019
EGA User Account
Privacy Notice for EGA User Account 1.0 February 6, 2019
EGA Helpdesk Service
Privacy Notice for EGA Helpdesk Service 1.0 February 6, 2019
EGA Website Service
Privacy Notice for EGA Website Service 1.0 February 6, 2019


Title Version Description
EGA Security Overview
Security Document 1.0 The EGA Security Document provides an overview of EGA’s practices in ensuring the security of data stored at EGA.
EGA Data Processing Agreement
Data Processing Agreement 1.3 The Data Processing Agreement must be completed and returned as part of the submission process. Please note that this document is non-negotiable.
Authorised Submitters
Authorised Submitters Formulary 1.0 The Authorised Submitters Form must be completed and returned as part of the submission process. Please list all those that should have access to the submission account in order to submit to the EGA should be detailed here.
EGA GDPR Document
EGA GDPR Document 1.0 The EGA GDPR Document

Dispute Resolution

Any controversy or claim arising out of, or relating to, the DPA (including the enforceability or breach thereof, any question regarding its existence, validity or termination) or relating to the EGA Service shall be resolved using the internal dispute resolution mechanisms of EGA including those related to Data Protection.

The EGA’s internal dispute resolution mechanism has the following procedure:

  1. EGA OPERATIONAL PHASE: Meetings between EGA staff and the Data Controller.
  2. LEGAL MANAGEMENT PHASE: Meetings between legal teams of EMBL, CRG and the Data Controller.
  3. DIRECTION MANAGEMENT PHASE: Negotiation between the legal representatives of EMBL, the CRG and the Data Controller.

    If the internal dispute resolution mechanism doesn’t resolve the controversy or claim the next phase is:
  4. ARBITRATION PHASE: Resolution by arbitration under the WIPO Expedited Arbitration Rules (“Rules”).