The data clearing house is a commission formed by the Medical University of Vienna (MedUni Vienna) which should be contacted prior to disclosing personal or anonymised data to third parties. It aids employees and researchers at MedUni Vienna to comply with the strict data protection requirements related to the disclosure to third parties of data for which MedUni Vienna is responsible under the General Data Protection Regulation (GDPR).
The data clearing house ensures that personal data  held by MedUni Vienna (including pseudonymised data  ) meet relevant legal data protection standards, as well as the contractual and internal requirements of MedUni Vienna, prior to authorising the disclosure of these data to third parties. The scope of the tasks performed by the data clearing house also extends to include data obtained from biological materials (e.g. genetic data) but not biological materials (e.g. blood and tissues) per se. Questions relating to the data of students or employees will continue to be handled by the university’s data protection committee and the clearing house in the teaching centre respectively.
The disclosure of anonymised data held by MedUni Vienna to third parties is also subject to authorisation from the data clearing house given that MedUni Vienna is as well responsible for ensuring that the anonymisation processes are correct.
In the interests of ensuring the efficient processing of requests, applicants are recommended to contact the data clearing house before submitting a request. This enables any questions related to the technical requirements and any costs which will be incurred relating to pseudonymisation and/or anonymisation processes to be clarified at an early stage.
In order to assess whether a research project has to be submitted to the data clearing house or not, the data clearing house has drawn up a “Guide for the transmission of personal data from MedUni Vienna to external parties” (available in german).
An application to the data clearing house should be made as early as possible, as the examination can take a few weeks depending on the complexity of the data transfer. It is not necessary to wait for a positive vote from the ethics committee or the signing of a contract. This has the advantage that the examinations run in parallel and, if necessary, data protection improvements can still be incorporated into contracts or into applications to the ethics committee.
Members and the taking of decisions
The data clearing house is made up of members of the Legal Department, the Technology Transfer Office (TTO) and IT-Systems & Communications (ITSC) of MedUni Vienna and reaches decisions based on the principle of unanimity. The members are supported by an advisory board in order to ensure that the specifics of the relevant discipline are taken into account.
The bylaw of the data clearing house was published in the 17th university gazette of the medical university of vienna on 06.02.2018.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, GDPR)
- Federal Act concerning the Protection of Personal Data (DSG) StF: BGBl. I Nr. 165/1999
 Pursuant to Article 4(1) of the GDPR, personal data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
 Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. This additional information must be kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.