Personal Data

Introduction to how CARAMEL handles personal data

The CARAMEL project is an EU-funded research initiative that studies how heart disease develops in women, especially around menopause. The goal is to improve prevention and care through a better understanding of risk factors and the development of new digital and clinical tools. To achieve this, researchers collect and analyse different types of health data from study participants and existing health records, authorised by the competent health authority. These data are handled under strict ethical and legal safeguards and provided to the researchers in pseudonymised form.

This notice provides information on how personal data from patients whose health records originate from the Andalusian public health system are reused for research within the CARAMEL project even though the project team cannot contact these individuals directly.

Because these data come from existing hospital and health records and are not collected directly from the individuals, this information is made publicly available here, on the CARAMEL website, in line with Article 14 of the General Data Protection Regulation (GDPR). Publishing this notice ensures transparency towards patients whose data are reused and fulfils the legal obligation to inform data subjects when direct communication is not possible.

Who is responsible for the processing

The reuse of retrospective health data for CARAMEL is carried out under the responsibility of the Andalusian public health authority (Servicio Andaluz de Salud – SAS), which acts as the controller of the original medical records and authorises their use for research purposes in accordance with national law. For questions about the reuse of these data or to exercise data protection rights, individuals may contact the Data Protection Officer of the Andalusian health authority: Juan Díaz García at dpd.sspa@juntadeandalucia.es.

For questions about the CARAMEL project or how your data are used in research, you may also contact the CARAMEL Project Coordinator – VICOM at dpd@vicomtech.org.

Before any data are shared with the research team, they are pseudonymised, meaning that any direct personal identifiers such as names, ID numbers or contact details are removed and replaced with codes so that individuals cannot be directly identified. Only authorised staff of the health authority, not the research team, can perform this step.

What personal data are used in CARAMEL

For the part of the project based on existing Andalusian health records, CARAMEL may use pseudonymised information extracted from hospital and primary care records. This may include: 

  • Demographic and social information such as age, sex, ethnicity, level of education, and employment status.
  • Medical history covering past diagnoses, family history of cardiovascular diseases, medical visits, treatments, and medications.
  • Lifestyle and behavioural information recorded in medical files, such as smoking, alcohol or drug use, diet, and physical activity.
  • Physiological and cardiovascular data such as blood pressure, heart rate, and other vital data.
  • Imaging and diagnostic data (e.g. X-rays, cardiac MRIs, or other scans that help assess heart and body function).
  • Laboratory results such as blood tests, cholesterol levels, and other biological markers.
  • Sex-specific and reproductive health data, where relevant to cardiovascular risk (e.g. pregnancy losses, menopause status, breastfeeding, or treatments related to reproductive health).

All of this information helps researchers understand how different factors combine to affect women’s cardiovascular health, and to develop tools that could help predict and prevent disease in the future.

The reuse of the above data is legally permitted for research purposes and is subject to oversight by research ethics committees.

Legal basis for processing

According to the GDPR, the further use of retrospective health data for scientific research is compatible with the original purpose for which the data were collected in the healthcare context. The processing therefore relies on the same lawful basis as the original collection, and appropriate safeguards under Article 89 of the GDPR, such as pseudonymisation, data minimisation, secure environments, and strict access control, are applied at all stages. The possibility of asking for the consent of the individuals was examined, but obtaining it would involve disproportionate effort given the number of records and the fact that researchers have no contact with the patients.

The reuse of pseudonymised health data for biomedical research in Spain is governed by Ley Orgánica 3/2018 on Data Protection and Digital Rights. This provision operationalises Articles 9(2)(j) and 89(1) GDPR by permitting the secondary use of health data without consent, provided that specific safeguards are applied.

How personal data are protected

Protecting privacy is central to CARAMEL. Every partner involved in the project must follow the General Data Protection Regulation (GDPR) and national data protection laws.

Several layers of protection are in place:

  • Pseudonymisation and anonymisation: personal identifiers are removed or replaced with codes. Where full anonymisation is not possible, strict controls limit access.
  • Encryption: data are encrypted when stored and when transmitted between systems.
  • Access control: only authorised researchers can view the data necessary for their specific study tasks.
  • Data minimisation: only the information needed to achieve the research aims is used.
  • Accountability and auditing: every organisation must document how data are processed and comply with ethical and legal requirements.
  • Retention limits: data are kept only for as long as necessary for the research and are then securely deleted or anonymised.

These safeguards ensure that the handling of personal data is responsible, transparent, and in line with European research ethics standards.

Who can access the data

The pseudonymised data are shared only with authorised CARAMEL research partners for the purposes described above. Most partners are located within the European Union. 

Data may also be shared with the CARAMEL partner in Israel, which has been recognised by the European Commission as providing an adequate level of data protection equivalent to that ensured under the GDPR. 

Each partner acts under a specific data protection agreement (i.e. a Joint Controllership Arrangement) defining their respective roles and responsibilities. The essence of this arrangement is available upon request. 

All partners are bound by strict confidentiality and security obligations.

What rights do individuals have

Patients whose data originate from the Andalusian Electronic Health Record retain their rights under the GDPR and Spanish data protection laws, insofar as the data remain identifiable. This includes the right to:

  • Access their personal data.
  • Request correction of inaccurate data.
  • Request erasure of their data, unless continued use is necessary for scientific research in accordance with legal safeguards.
  • Restrict the processing of their personal data.

Requests to exercise these rights can be made through the Data Protection Officer of the Andalusian Health Authority (Servicio Andaluz de Salud – SAS). You may also contact the CARAMEL Project Coordinator (VICOM), who will liaise with the SAS DPO to ensure your request is handled appropriately. Each request is handled transparently and in accordance with applicable data protection law.

No automated individual decision-making

There is no automated individual decision-making in CARAMEL. The project uses AI models for cardiovascular risk assessment and personalized prevention. These models do not autonomously make decisions that have legal or similarly significant effects on individuals, such as granting or denying access to healthcare, insurance, or employment.

Supervisory authority contact

If you believe that your data protection rights have been infringed, you may lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos, www.aepd.es) or with your local data protection supervisory authority.

Our commitment

CARAMEL treats all personal data with care and respect. Every action – from data collection to analysis – follows the principles of lawfulness, fairness, transparency, and accountability. 

By publishing this notice, the project ensures transparency towards patients whose data are reused and reaffirms its commitment to advancing scientific knowledge in a way that benefits society while protecting individual rights.