Ethical Code and Updates on
                                         Data Protection


restricted from public access. In the second case it is possible that a person walking or
driving across the demonstration area will be recorded on the footage without giving any prior
consent. Analysing the actions necessary to prevent such situations,             has assessed
that closure of that area, thus restricting freedom of movement is not justified nor in balance
with the need to prevent such. Therefore, as an alternate solution,                  decided to
register a specific         data process according to GDPR Art. 6. (1) point e) and publish it
on its website in order to inform third parties.
In every case that personal data or identifiers of other people (not involved in the demo/test)
are accidentally collected during the simulation, ROBORDER will enforce the incidental
findings policy (see section 3.3) and act accordingly.

4.5 Ethical Code
Taking all the above into serious consideration, ROBORDER can form its ethics policy that is
going to base its research on, in order to be in accordance with H2020 guidelines and EU
regulations.
    • Understand social and ethics challenges
As mentioned above, the Consortium understands the reasons why a surveillance system
may raise concerns among citizens, as it might seem as an intrusion to their privacy. The
Consortium will keep conducting desk-top research and monitoring the situation in order to
have a deeper knowledge of the subject and to be able to successfully handle it.
Experienced security professionals are already involved in the project, who can prove of help
to reassuring citizens and research participants that their involvement in this project will not
cause any harm to them. Responsible partners for demos/operational tests should be
available to communicate with their participants and provide them with all the information
they need.
     • Put high priority on transparency and accountability
The Consortium should always be transparent and open about the procedures they follow
and the data they collect towards the participants. They should state in detail in the
information sheet which activities are going to take place in this specific demo/test and what
will be asked of the participant to do. They should always be explicit and precise. In addition,
they should clearly state what type of data are going to be asked and collected from the
participant during his/her involvement in the research. The participant will of course have
access to his/her data in order to review, edit or delete them upon request from the data
controller.
     • Have a lawful basis
For its research purposes, ROBORDER will have a lawful basis to act as stated above by
fully informing the participants about their involvement in the project and letting them freely
and voluntarily decide whether they would like to participate or not. By no means should
there be any kind of pressure over the participants and they should become aware that they
are free to withdraw at any stage of the research without providing any reason. All this
information will of course be clearly stated in the information sheet they will be provided with.
In addition, in case of a demo/test taking place at the responsible partner’s premises, the
DPO will be aware and will provide his/her consent before commencement of any work. In
case of a demo being conducted outside of a partner’s premises, the UxV operator should
make sure that they notify the National Data Protection Authority and guarantee their consent
and accordance to national legislation before commencement of any work.
Given the fact that ROBORDER will have the participants’ consent to collect and process
their data, the partners will have a lawful basis to act as such, in accordance with GDPR’s
Article 6(1). Additionally, the lawful basis for this processing also applies to the purposes of
the legitimate interests pursued by ROBORDER’s Consortium and the European
Commission based on the signed Grant Agreement between the two.

D8.6_EthicalCode_and_Updates_on_DataProtection                                    Page 31 of 87

Ethical Code and Updates on
                                         Data Protection


Regarding people that have not provided the Consortium with their consent to participate but
they are present in the field of the demo/test, the responsible partner should always make
sure that they set up signs or allocate officials in strategic points to make sure they inform
non-involved people that this specific space is being recorded. If that proves inadequate and
an incidental finding of a person not being directly involved in the simulation appears, the
responsible partner should enforce the incidental findings policy and act accordingly, with no
infringement to the person’s privacy.
    • Pay respect to Human Rights
In order to further mitigate any ethical concerns that may arise, ROBORDER will always take
into serious consideration the Human Rights declared in EU’s respective Charter (2021) and
put special focus on the right on liberty and security, the integrity of a person, the protection
of private life and the protection of data. ROBORDER has as a goal the enhancement of the
current border security systems and will attempt to minimize criminality in these areas to the
maximum extent, increasing levels of security among EU citizens. In addition, certain Data
Protection Rules has already been set out (see section 3) and are already followed by the
Consortium in order to protect the data collected and the outcomes of the research.
    • Protect collected data
As mentioned above, the Consortium has established a set of rules in order to properly
collect and process (personal) data during the project’s lifetime. Only basic personal
information (such as name, contact details etc.) is to be collected from the participants in the
stage of the consent form. This is merely because the Consortium used their own existing
contacts, therefore basic personal information is already known. In the information sheet it
should be clearly stated which data will be collected the demo/test (e.g. video footage), how
they are going to be used (only for the detection of the person and not their identification),
where and by whom they are going to be processed.
Additionally, as the technical partners will need the collected information in order to adjust
and modify their technologies, all collected personal data are going to be anonymized, before
being shared with the technical partners. Moreover, in case of an incidental finding that
involves a suspicious person, the data that are going to be shared with the authorities will be
encrypted and secured, in avoidance of a possible breach to the public. In case of an
incidental finding of a person that is by no means involved in this research and there is no
suspicion over them, then the data are going to be immediately deleted from all storage
devices (e.g. UxVs cameras). As a consequence, no personal data are going to be
transferred to the rest of the Consortium.
Only data considered necessary for the successful conduct of the research should be
collected, which are the data that will help ROBORDER’s technologies detect a person in a
certain area and not identify them.
    • Keep monitoring reforms in order to be updated
Since technology and society are constantly evolving, new ethics issues may arise or be
addressed. Therefore, the Consortium should always closely monitor the updates and
reforms all EU Regulations may undergo and make sure that they comply with them. This will
be succeeded by having periodic reviews (before the next demo/test is to be carried out) in
order to make sure that everything is done according to EU/national legislation.




D8.6_EthicalCode_and_Updates_on_DataProtection                                    Page 32 of 87

Ethical Code and Updates on
                                        Data Protection




5 Ethics reports
In this sector, the ethics reports alongside the ethics opinions/approvals from the External
Ethics Advisor (EEA) and the internal Ethics Advisory Board (EAB) are provided.

5.1 External Ethics Advisor’s report and comments
         has taken the submitted EEA report (D9.6 – in Annex III) into serious consideration
and addressed his comments/suggestions in order to compile this deliverable. The updated
input from the ethics deliverables, alongside the updated information provided to         by
all partners involved in the demos/operational tests and the acquisition of all the proposed
ethics approvals have contributed in compiling this new deliverable for the amendment of the
ethics issues that have arisen in these last years of the project’s lifetime.
The first EEA’s report alongside the Ethics Check Report that were taken into consideration
when compiling this deliverable can be found in Annex III and Annex IV, respectively. When
drafting this deliverable, an additional report was requested from the EEA in order to ensure
ROBORDER’s current compliance with the European Regulations. After reviewing the report,
some additional comments were ensured to be addressed, such as the Dual Use section
which can be found above. The complete report may be found below.

5.1.1 Report from                                  EEA

5.1.1.1 Past EEA work
The EEA –besides minor exchanges – performed detailed reviews of the deliverables D9.1 to
D9.6 and proposed a methodology for the systematic evaluation of the outcome under the
aspects of Ethical, Economic, Legal, Political and Societal criteria (EELPS). Seven related
EEA reports (EEA repot #1) were delivered in August 2018. All input has been documented
in D8.6, Annex IV with sub-Annexes.

5.1.1.2 Actual EEA work

5.1.1.2.1 Tasks
In preparing the next ethics-related project steps, the EEA was tasked to review the draft
deliverable D8.6 and to deliver:
   a) "...approval of/opinion on the updated informed consent and information sheet. (D8.6,
      Annex II)
   b) a brief report on how he is being involved in ROBORDER's processes and on how
      ethics issues are dealt with"
Work has been supported by the "Initial Assessment" report, V0.4. The EEA assessment
should also include tracking and assessing of how the earlier EEA recommendations have
been regarded an implemented.

5.1.1.2.2 Informed Consent and Information Sheet and Ethics Approval
The document D8.6 ANNEX II contains a brief project status summary, lists the project
partners, describes the principles of handling personal data and privacy, the Data Protection
Officer, and the template of the "Informed Consent Statement".
This has to be confirmed and signed by all participants and individuals of which personal
data issues will be concerned.
EEA Comments:


D8.6_EthicalCode_and_Updates_on_DataProtection                                 Page 33 of 87

Ethical Code and Updates on
                                         Data Protection


   •   It is understood that only very few numbers of partners and individuals will be
       concerned with this issue.
   •   GDPR is the guiding framework.
   •   The Form is considered appropriate for its purpose.
   •   The form will be applied to project partners.
   •   For external participants (e.g. in trials, demos, exercises) it remains somewhat
       unclear how their personal data will be treated.
These comments may be used as Ethics Approval for the informed consent and information
sheet (Annex III of D8.6)

5.1.1.2.3 Cooperation of the EEA
So far, the EEA has communicated with and reported to the coordinators mainly
electronically. No specific personal meetings were held or requested.
There were few earlier telcos with the old and new coordinator persons, but mainly on the
contractual issues.

5.1.1.3 Implementation of Ethical Issues

5.1.1.3.1 General
Time given and resources available allowed only a limited review and assessment of the
project's "ethical" status, including D8.6 and its Annexes. The Coordinator confirmed that the
EEA input of 2018 (EEA Report # 1) were regarded.

5.1.1.3.2 D8.6 Review Process
The Deliverable follows the main functions of the ROBRDER system to perform, including:




and describes the proper handling of the main requirements of ethical impacts in the project
according to the EEA's first report including:
   •   research with humans (requirement #5)
   •   protection of personal data (requirements #6 and #10)
   •   other ethical issues (# 14) and
   •   general ethical requirements including surveillance and "ethical code".
Discussion of Dual Use features (requirement #15) of the ROBORDER results could not be
identified beyond the documentation of the earlier EEA's Dual Use (requirement #15)
comments.
Regarding and implementing the recommendations of the EEA are confirmed but cannot be
assessed in detail here.
It remains unclear how and how far the results of the Internal EAB have been implemented in
D8.6 and possibly in other deliverables.
(Most) references (D8.6, Section. 6) are not referenced in the text.




D8.6_EthicalCode_and_Updates_on_DataProtection                                   Page 34 of 87

Ethical Code and Updates on
                                         Data Protection



5.1.1.4 Evaluations by the EEA

5.1.1.4.1 D8.6 and its Annexes
The ROBORDER team invests considerable effort into the adequate specification to meet
the Ethical requirements of the project (see also Section 5.1.1.3 above).
After reviewing the deliverable, it is understood that most of the EEA’s previous
recommendations have been taken into serious consideration by the Consortium while
drafting D8.6. As this deliverable serves as an update on the previous submitted ethics
deliverables (D9.x), it is assumed that the same applies for these, as well.
Annex I of D8.6 is considered appropriate for the setting up of the pilot use cases (PUC).
Annex II on "Updated information sheet/informed consent" is considered appropriate for
"research with humans" in regard to the information the Consortium will provide the
participants with, the data they will collect and the rights the data subjects have.
In Annex III "EEA Ethics Report", the report #1 of the EEA has been adequately documented
here.
Annexes IV (Ethical Check Report) and V (Data Protection Impact Assessment (DPIA)) are
considered appropriate. However, the EEA could only give them a brad screening.
Generally, and specifically concerning D8.6 and Annex II there, the EEA considers the
ethical issues handled properly in this project. Additional recommendations of this EEA report
should be considered, and these measures documented.

5.1.1.5 Further Findings and Recommendations

5.1.1.5.1 Guidance for Future Users
The "Ethical Code" as described in D8.6 mainly addresses the matters and requirements of
the Project and its partners. It is advised that this valuable work will also be transformed into
an "Ethical Guideline" for future users. Much of D8.6 could be directly used for that, possibly
formulated more general as future use will imply a broader spectrum of scenarios, broader
than those of the ROBORDER project. This Ethical Guide should become part of the D&E
work.

5.1.1.5.2 Dual Use




5.1.1.5.3 Extended socio-political and ethical evaluation
In Annex III, the EEA has also provided in Section 6 – Annex 2 some recommendations on
how to map and evaluate the key elements of the ROBORDER output against the variety of
ethical risks and on assigning responsibilities. It is suggested that these or similar
recommendations will be implemented in WP6.
Also, a method for extended socio-political evaluation has been suggested by the EEA in
Annex III. The suggested EELPS evaluations are discussed. Performing that in great detail
may be somewhat beyond the scope of the project. However, it should be regarded as a
substantial recommendation in the D&E discussions and deliverables as a valuable tool for
future users.

5.1.1.5.4 Communications


D8.6_EthicalCode_and_Updates_on_DataProtection                                    Page 35 of 87

Ethical Code and Updates on
                                         Data Protection


There was very little technical discussion and exchange between the project and the EEA. A
direct contact and possible better harmonization of the work of the internal EAB and the EEA
could have possibly improved the work on ethics. Maybe that will still be feasible during the
remaining phases of the project.

5.2 Internal Ethics Advisory Board’s report
         has contacted ROBORDER’s internal EAB in order to assist them in the compilation
of this deliverable. ROBORDER’s EAB is constituted from experienced security professionals
that could provide insightful feedback regarding ethics issues:




An additional report was requested in order to ensure ROBORDER’s compliance with the
European Regulations, in which the Board’s ethics opinion/approval may be found.

5.2.1 Report from

5.2.1.1 Summary
Surveillance by mobile robots is a relatively new technology, especially in the non-military
applications. In addition, there is still no established practice, precedent cases or res iudicata
related to such innovations as surveillance by mobile robots. As ROBORDER is dealing with
such machines and it must be compliant with GDPR during demonstration and testing, Data
Protection Rules had to be elaborated. The Data Protection Rules and the Informed Consent
Sheet is in accordance with GDPR and – considering that there is no established practice in
this aspect yet – it is thorough as possible. Regarding the Hungarian pilot, an internal
workshop was held at            HQ with participation of the appointed DPO in February 2020.
On that workshop, a series of actions have been decided to provide the best possible
coverage regarding information provided to data subjects, including those who became data
subjects due to accidental findings (e.g. entering area under surveillance by the test system).
Taking everything into account, the ROBORDER Consortium had did everything in its
capability and competence to cover the privacy aspect of the project and issues raised in the
initial assessment are addressed as well. The author of this report is a Doctor of Law and
Political Sciences, member of the Europol Data Protection Experts Network with 15 years of
experience in data protection, author of multiple papers on the topic.

5.2.1.2 Methodology
After initial assessment of ethical issues, an internal assessment procedure has been
initiated at the        in order to clarify the position of ROBORDER activities according to
privacy framework. This report was done using the input from the ad-hoc working group
established for this internal assessment procedure. It consisted of experts delegated by the
following entities:




D8.6_EthicalCode_and_Updates_on_DataProtection                                     Page 36 of 87

Ethical Code and Updates on
                                           Data Protection


After preparations and initial discussions over email and teleconferences, the working group
had a workshop in Budapest, on the 25th of February, where positions were discussed, and
the joint opinion was formulated in order to not only envisage but also realize the highest
possible level of privacy without endangering any of the innovations undertaken in the Grant
Agreement signed for this project.

5.2.1.3 Scope of the assessment




5.2.1.4 Opinion on the data process in ROBORDER project
According to the definitions and scope of Police Directive1, innovation activities carried out
during the ROBORDER project are not included in the subject-matter of the directive:
Art. 1. (1) of Police Directive: “This Directive lays down the rules relating to the protection of
natural persons with regard to the processing of personal data by competent authorities for
the purposes of the prevention, investigation, detection or prosecution of criminal offences or
the execution of criminal penalties, including the safeguarding against and the prevention of
threats to public security.”


1 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data by competent authorities
for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the
execution of criminal penalties, and on the free movement of such data, and repealing Council
Framework Decision 2008/977/JHA

D8.6_EthicalCode_and_Updates_on_DataProtection                                          Page 37 of 87

Ethical Code and Updates on
                                         Data Protection


According to the Police Directive, if   , as a law enforcement authority wishes to process
data for innovation purposes, such as ROBORDER, GDPR has to be applied:
Art. 9. of Police Directive: “Personal data collected by competent authorities for the purposes
set out in Article 1(1) shall not be processed for purposes other than those set out in Article
1(1) unless such processing is authorised by Union or Member State law. Where personal
data are processed for such other purposes, Regulation (EU) 2016/679 shall apply unless
the processing is carried out in an activity which falls outside the scope of Union law.”
Therefore, data processing in ROBORDER project has to be carried out according to GDPR,
regardless which partner is carrying out the task.
Security of borders is a public interest and the responsibility of the state as declared in The
Constitution as well as multiple laws and international treaties. In Hungary, the competent
authority responsible for border security is the      The reason for the          to participate
in the project ROBORDER is to better serve this public interest through innovative solutions.
As the achievements of the project are of public interest, the application of GDPR Article 6.
(1) e) is proportional and justified.
Art. 6. (1) e) of GDPR: “[Processing shall be lawful only if and to the extent that at least one
of the following applies:….]
e) processing is necessary for the performance of a task carried out in the public interest or
in the exercise of official authority vested in the controller; […]”
The same article of GDPR allows to have more than one legal ground for data processing. In
order to increase transparency and strengthen the legal ground of data processing where
possible,        concurs with the opinion of the Consortium that the informed consent has to
be acquired (GDPR Art. 6. (1) a)), even where the data process itself is also based on a
contract (in case of contracted experts), covered by GDPR Art. 6. (1) b).




                            herefore will provide extended information on data processing
according to GDPR Art. 30. which will be published on its official website in Hungarian
language due time ahead of the demonstration. The information sheet will be prepared
according to the internal Data Protection Rules of the      Command No. 39/2019 (XI.19.)
of the                                             .




D8.6_EthicalCode_and_Updates_on_DataProtection                                    Page 38 of 87

Ethical Code and Updates on
                                         Data Protection



6 References
Charter of Fundamental Rights of the European Union (2012). Official Journal C326.
26.10.2012.  p. 391–407. [online]     Available at:  https://eur-lex.europa.eu/legal-
content/EN/TXT/?uri=CELEX:12012P/TXT
Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 on the security rules for
protecting EU classified information. Official Journal L72. 17.3.2015. p. 53–88. [online]
Available at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32015D0444
Council Regulation (EC) No 428/2009 of 5 May 2009 setting up a Community regime for the
control of exports, transfer, brokering and transit of dual-use items. Official Journal L134.
29.5.2009.    p.     1–269.     [online]   Available    at:    https://eur-lex.europa.eu/legal-
content/EN/TXT/?uri=celex%3A32009R0428
European Commission (2019a). Horizon 2020 Programme - Guidance: How to complete
your        ethics      self-assessment,         v6.1.       [online]    Available       at:
https://ec.europa.eu/research/participants/data/ref/h2020/grants manual/hi/ethics/h2020 hi
ethics-self-assess en.pdf
European Commission (2019b). 6 Commission priorities for 2019-24. [online] Available at:
https://ec.europa.eu/info/strategy/priorities-2019-2024 en
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data by competent
authorities for the purposes of the prevention, investigation, detection or prosecution of
criminal offences or the execution of criminal penalties, and on the free movement of such
data, and repealing Council Framework Decision 2008/977/JHA. Official Journal. L119.
4.5.2016.     p.    89–131.     [online]    Available    at:    https://eur-lex.europa.eu/legal-
content/EN/TXT/?uri=CELEX%3A32016L0680
Regulation (EU) No 1052/2013 of the European Parliament and of the Council of 22 October
2013 establishing the European Border Surveillance System (Eurosur). Official Journal L295.
6.11.2013.    p.    11–26.    [online]  Available    at:   https://eur-lex.europa.eu/legal-
content/EN/TXT/?uri=CELEX%3A32013R1052
Regulation (EU) 2016/399 of the European Parliament and of the Council of 9 March 2016
on a Union Code on the rules governing the movement of persons across borders
(Schengen Borders Code). Official Journal L77, 23.3.2016, p. 1–52. [online] Available at:
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0399&from=EN
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and on the
free movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation). Official Journal L119. p. 1–88.            [online] Available at: https://eur-
lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
UN General Assembly (2001). United Nations Convention against Transnational Organized
Crime: resolution / adopted by the General Assembly. A/RES/55/25. 8.1.2001. [online]
Available at: https://www.refworld.org/docid/3b00f55b0.html




D8.6_EthicalCode_and_Updates_on_DataProtection                                    Page 40 of 87