The data clearing house is a commission formed by the Medical University of Vienna (MedUni Vienna) which should be contacted prior to disclosing personal or anonymised data to third parties. It aids employees and researchers at MedUni Vienna to comply with the strict data protection requirements related to the disclosure to third parties of data for which MedUni Vienna is responsible under the General Data Protection Regulation (GDPR).
The data clearing house ensures that personal data  held by MedUni Vienna (including pseudonymised data  ) meet relevant legal data protection standards, as well as the contractual and internal requirements of MedUni Vienna, prior to authorising the disclosure of these data to third parties. The scope of the tasks performed by the data clearing house also extends to include data obtained from biological materials (e.g. genetic data) but not biological materials (e.g. blood and tissues) per se. Questions relating to the data of students or employees will continue to be handled by the university’s data protection committee and the clearing house in the teaching centre respectively.
The disclosure of anonymised data held by MedUni Vienna to third parties is also subject to authorisation from the data clearing house given that MedUni Vienna is as well responsible for ensuring that the anonymisation processes are correct.
In the interests of ensuring the efficient processing of requests, applicants are recommended to contact the data clearing house before submitting a request. This enables any questions related to the technical requirements and any costs which will be incurred relating to pseudonymisation and/or anonymisation processes to be clarified at an early stage.
Meetings of the data clearing house take place at least once per month. The following meetings have been scheduled:
Every request is to be submitted electronically by means of a form sent via mail✉. The provision of representative test data is a precondition for the processing of a request by the data clearing house.
All requests which are complete (including meaningful test data) and which are submitted at least two weeks prior to a meeting will be addressed at the meeting scheduled for the respective month. Requests which are submitted later will be put on the agenda of the meeting the following month.
Whenever possible, the data clearing house will reach a decision within six weeks of the relevant meeting during which the request was discussed.
Members and the taking of decisions
The data clearing house is made up of members of the Legal Department, the Technology Transfer Office (TTO) and IT-Systems & Communications (ITSC) of MedUni Vienna and reaches decisions based on the principle of unanimity. The members are supported by an advisory board in order to ensure that the specifics of the relevant discipline are taken into account.
The bylaw of the data clearing house was published in the 17th university gazette of the medical university of vienna on 06.02.2018.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, GDPR, effective from 25 May 2018)
- Federal act through which the Austrian Data Protection Act 2000 is to be amended (Austrian Data Protection Amendment Act 2018), published in the Federal Law Gazette (BGBl. I, Nr. 120/2017; German)
 Pursuant to Article 4(1) of the GDPR, personal data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
 Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. This additional information must be kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.