The Department of Health Technology at the Technical University of Denmark (DTU Health Tech) (in the following called “us” or “we”) hosts and operates an instance of CARP, including an instance of CARP Web Services (CAWS), the CARP Study Portal, and the CARP Study App. The CAWS instance is hosted on Computerome, the Danish National Life Science Supercomputing Center. The CARP Study App is available in Google PLAY and Apple AppStore.
Researchers affiliated with DTU or cooperating with us can use this service for creating CARP-based research projects, like mCardia, MUBS, and DiaFocus. This page explains the terms for using this hosted service.
A. Data Management and GDPR
It is important to stress, that this DTU hosting service is only provided for projects where we (DTU Health Tech) are an active research partner. This implies that we have been part of initiating, securing funding, defining the study protocol, and that we play an active role in the research, including publication and dissemination.
This basic assumption leads to the following terms for using this hosted service. These terms follow from the EU GDPR [1], the Danish Data Protection Act [2], and the “Guideline on Data Protection in Research” [3] from the Danish Data Protection Agency.
- DTU is the data controller of data collected using this DTU-based hosted service. This entails that:
- We (DTU) are responsible for the processing of personal data. DTU is therefore responsible for complying with the General Data Protection Regulation (GDPR) [1] and the Danish Danish Data Protection Act [2].
- We (DTU) will always have full control (and responsibility) of the collected data, including deciding on storage, curation, and deletion.
- This hosted service cannot be subject to a data processor contract with other organizations.
- In rare cases, and only when involved in large funded projects, we may agree on a “Joint Data Controller” setup (Danish: “Fælles Dataansvar”). In this case, we would make an agreement on this, building on the template for a standard agreement from Datatilsynet (only available in Danish).
- The official data controller is thus “Technical University of Denmark, Anker Engelunds Vej 1, DK-2800 Kgs. Lyngby, Denmark“. DTU has appointed a data protection officer who can be contacted at dpo@dtu.dk
- Data management follows the DTU Principles of Research Data Management. This entails that the processing of data is documented and protected according to state-of-the-art security standards.
- All data processing is subject to our privacy policy. We always inform participants about data processing before it is started. This contains information on the purpose of the data collection, the organizations involved, planned processing, and what type of data is being collected. It also informs the participants of his or her rights, including the right of withdrawal.
- DTU will solely process personal data when necessary for the purpose of carrying out statistical or scientific studies of significant importance to society. Therefore the legal basis for DTU’s processing of personal data for scientific and statistical purposes is Article 6(1)(e), Article 9(2)(j), Article 10 of the General Data Protection Regulation (GDPR), and sections 10 and 11(1) of the Danish Data Protection Act.
- This entails that this hosted service cannot be used for other than research purposes, such as in clinical treatment or for commercial services.
- The data collected as part of a study running on this hosted DTU CARP service can be processed or shared with other researchers outside of DTU in three ways:
- All person-identifiable data processing is solely done by DTU and only aggregate, anonymous data is shared. This could be overall statistical figures or tables, or different plots as figures to be added to a publication.
- Selected data items can be disclosed (Danish: “Vidergivet”) to research partners outside DTU. In this case, a small contract is made between DTU and our research partner, which governs how this data can be used and deleted, once not being used anymore.
- Research partners outside of DTU can become Data Processors (Danish: “Databehandler”) of the collected data. In this case, a full data processor agreement needs to be in place between DTU and the outside partner. This agreement is made by DTU and complies with the standard DTU contract.
B. Service Level Agreements (SLA)
We do not provide any service-level agreements (SLAs) or any service guarantees whatsoever.
This hosting service is provided on a best-effort basis. Although we strive to maintain a high level of service, no guarantees are made for system uptime or data integrity.
C. Price Model
Since DTU would normally be part of a project running on this DTU-hosted CARP service, a budget for the development, maintenance, and operation of this service would be included in the project budget.
In smaller projects, we may apply a “pay as you go” price model, which follows the official DTU price model for research (Danish: “Samfinansieret forskning”). This entails that we invoice for the actual cost plus a 44% overhead and include time spent on a monthly basis. In addition, there is a monthly fee for operations and maintenance following the Computerome fee model. Invoicing typically takes place once per year. The table below shows these prices (2024 prices in DKK).
Category | Description | Price pr. month |
Student Assistant (BSc) | A junior part-time employed student. Working 15 hours pr. week. | 16.700 |
Research Assistant (MSc) | A research assistant with an MSc (or similar) degree. | 68.100 |
Researcher (PhD) | A researcher or postdoc with a PhD degree. | 78.000 |
Senior Researcher (PhD) | A senior researcher with extensive experience. | 105.000 |
Hosting & Maintenance | General hosting, maintenance, and operation of studies on CAWS. | 900 pr. study |
D. Cannot Agree to These Terms?
If you cannot agree to these terms, these DTU-hosted CARP services may not be suited for you. But don’t worry – most CARP components are available as open source. This allows you to host your own CAWS service as a data controller, deploy the CARP Study App as you like, and establish suitable SLAs.
References
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR). EUR-Lex – 32016R0679 – EN – EUR-Lex.
- The Danish Data Protection Act (datatilsynet.dk)
- Rollefordeling i forskningsprojekter. Vejledning om databeskyttelse i forskning. Datatilsynet (The Danish Data Protection Agency), July 2023.