Privacy statement, data and information security policy

    The ELTR was created in 1986 with the following objectives:

    • Registry of all liver transplantation (LT) procedures in Europe.
    • Link between European liver transplant centers.
    • Scientific use and publications.

    The ELTR collects data on adult and pediatric LT performed in all Europe with the objective to evaluate the results and outcomes of LT in Europe. ELTR believes that the greatest attention should be given to handling personal data. Therefore, we process, manage, and protect personal information with the utmost care in compliance with the requirements imposed by the General Data Protection Regulation (GDPR) or in France the “Commission Nationale de l’Informatique et des Libertés” (CNIL). As the supervisory authority for the protection of personal data in France, the CNIL is responsible for ensuring the proper application of the GDPR in France. It is also responsible for assisting public and private entities engaged in their efforts to comply with the regulation.

    At all times ELTR respects the privacy aspects defined by the GDPR which came into effect on May 25, 2018. ELTR never provides information allowing patient or center identification or other data that might lead to the identification of a specific donor or patient, except in a specific case with a commitment to respect the GDPR by the obligation of signing the ELTR DPA with the third party (see paragraph 5). For any questions related to the processing of data by ELTR in the framework of the GDPR you can send an e-mail to the ELTR DPO (registration N° N° DPO-95083) Dr. Vincent Karam . For detailed information on the General Data Protection Regulation (GDPR) please visit or

    1. Purpose of the processing of data:

    ELTR processes data exclusively for scientific studies in line with RGPD Article 9.2 (i) and (j) - Article 89 and Recitals 157 and 159. Data from the centers and OSOs are aggregated and analyzed to produce 5 semi-annual reports containing more than 750 statistical figures and tables:

    • Overall data analysis booklet
    • Last 15 years data analysis booklet
    • Adult data analysis booklet
    • Pediatric data analysis booklet
    • Living donor data analysis booklet

    The entire 5 booklet are made available to the contributing centers in a space of the ELTR Server that is password protected. Centers’ identification is necessary for ELTR to allow centers the editing and referral to clinical records when necessary, to resolve any inconsistencies that are detected during data entry or during the statistical analyses. It is also necessary to the communication and exchange of information between the ELTR and its community members. In addition to the 5 booklets, each center receives confidentially its own data analysis report allowing an audit of its experience when compared to the rest of Europe.

    It is important for data privacy to point out the fact that centers’ benchmark is not performed in ELTR studies. ELTR scientific committee considers this task as reserved to national health authorities via their OSOs. Nevertheless, center’s effect is evaluated in ELTR studies by assessing cutoffs of centers’ volume of a given condition that significantly impacts the outcomes. Outcome data are considered as major data since most of routine ELTR figures and thematic studies require calculation of graft and patient survival rates. These are determined by actuarial methods and the statistical significance is determined by the log rank test to compare survival curves. Regression methods are also used to identify risk factors associated with LT.

    The ELTR regularly carries out thematic studies related to the different LT fields. These studies minimize the potential biases, by assessing interactions between confounding factors and identification of independent predictors among all the ELTR variables that can have an impact on the liver graft and/or patient outcome. With its dynamic model of European collaboration, ELTR has helped develop risk models for graft loss and mortality following LT. Owing to the large cohort of patients, the exhaustiveness, the quality and security of the data, and the long-term follow-up provided by the ELTR, the results are really representative of LT in Europe and provide valuable information to the clinicians, the health stakeholders and the patients. There is of course heterogeneity in the policies in the 32 contributing countries.

    The ELTR data summarizes the results as a whole and represents a kind of freeze-frame rather than a generalized statement for Europe. At the same time, the ELTR remains the unique entity capable of providing such statistics, capable of giving a global snapshot of the European experience and helping to identify important trends that may guide further practice. The updated list of ELTR publications is available at

    2. Data collection

    In 2020, 174 centers from 32 countries contribute to ELTR. This encompasses all their patients receiving LT for the treatment of end stage liver disease (ESLD). The registered data is estimated to more than 97% of the overall European LT experience and are regularly updated. There are two sources of ELTR data provision:

    • 76% of data (68% of centers) are shared by the main Organ Sharing Organizations (OSOs) (i) national OSOs: the French ABM -, the Spanish ONT -, the United Kingdom-Ireland NHSBT - and the Dutch NTS - and (ii) international OSOs: Eurotransplant - and Scandiatransplant - Beforehand, a harmonization of OSOs’ metadata was conducted and put in place with each of the OSOs to allow a transfer of data compatible with ELTR. At each biannual ELTR updates, OSOs data are overwritten and ELTR retain maximum two previous versions of data batch in its archives, i.e., with every new transfer of data the data transferred one year before are deleted. The backup of the two previous versions is kept in case we need them for a quality control purpose.
    • 24 % of data are directly entered into the ELTR platform by the concerned 37 centers.

    ELTR does not store data for any longer than is necessary for the purpose for which they are being processed or to fulfill legal requirements or registry’s scientific needs. Whether for OSOs or for centers entering data directly into the ELTR platform, ELTR has no contact with patients. Patients are intended to have been asked by their physician/center to express their consent for the use of their data for scientific research or exchange of their data for the same purpose with official partners of whom ELTR is a part.

    The ELTR questionnaire includes data on indications for LT, donors and recipients characteristics, technical aspects of LT and type of graft (reduced, split, domino, live or deceased donors), perioperative data, initial and maintenance regimen of immunosuppression, graft and patient outcomes (morbidity and mortality), and cause of death or graft failure. ELTR also collects data on living liver donors. A full list of ELTR data forms is available in electronic format. The ELTR data dictionary and ELTR dataset specifications describes the structure of the database. This is updated whenever a revised data collection form is produced and whenever coding changes or database modifications are made.

    The ELTR has developed an online application (Electronic Data Capture – EDC) for collecting data A Web-based module was developed with FileMaker Server 19.1.2 technology ( to allow for real-time data entry and analysis. Registered users are requested authentication before access is granted to the system by providing a confidential login and password. Software, questionnaires, validation routines, and statistics are located on a central server, which can be accessed by the participating centers with a standard internet browser. No center has access to data from other centers.

    3. How do we process personal data?

    ELTR processes the personal data in compliance with the GDPR and its derogations applied to scientific registries (Article 9.2 (i) and (j) - Article 89 and Recitals 157 and 159). Personal data is defined as any details that could disclose information about an identified or identifiable natural person. The information we collect is exclusively used for scientific research. We receive personal data of patients and donors from transplant centers and OSOs involved in the process of organ donation and transplantation.

    Personal information does not include very sensible data since ELTR collects few recipients’ and donors’ demographic data (age, gender, weight, height, and blood group). The ELTR also collects the centers’ name. We use personal information in accordance with these terms and conditions. As part of the ELTR data quality control procedures, ELTR has made available in the platform to each center, with protected access, a dynamic list of patients with missing data to allow their identification for completion. No center has access to data from other centers.

    4. Security compliance policy:

    The purpose is description of steps taken to ensure physical, operational, and technological security of the data collected by ELTR.

    ELTR ensures that appropriate technical and organizational measures are in place to prevent the misuse, loss, or unlawful processing of personal data. This means that personal data is encrypted and sent via a secure connection. The 2 ELTR employees (Data Manager & Biostatistician) and the server hosting company who have access to ELTR data are bound by a confidentiality clause. All of them only have access to data if it is necessary for the performance of their duties.

    Security measures: Measures put in place to ensure the security of all collected information include the following:

    Physical Security

    • restricted access to the Paul Brousse Hospital, ELTR office requiring access code
    • paper forms are in locked storage cupboards when archived
    • network data is stored on physically secure and separate servers with protective firewalls
    • access keys, codes, cards and passwords are controlled by defined and enforced security procedures

    Operational Security

    • users as part of their employment contract agree to privacy and confidentially standards
    • procedures are in place for employees leaving the ELTR for logins, password and pass cards etc to be cancelled
    • passwords are changed regularly and must maintain a level of strength to reduce hacks or reproduction

    Technical Security

    • validation of data is performed to ensure integrity and accuracy
    • business continuity is regularly audited and updated
    • system software and licenses are maintained, ensuring certification, authenticity, security, anti-theft, and anti-virus needs are functioning and up to date

    Data Transfer Security

    • email guidelines are in place for the transfer of information; lists maintained; encryption and enforced security engaged for transmitting information

    Disposal and destruction

    • Physical records are destroyed using a secure destructive service
    • Computer records are kept indefinitely, and hardware physically wiped and destroyed when decommissioned

    Data Security Breaches

    • An audit trail tool has been built to track all user activities in accessing the database and entering data. All user activities can be reviewed in the event of a data security breach.
    • An error log is produced that records all potential attempts at fraudulent access to the database and other access errors. This error log is reviewed regularly by the ELTR server hosting company to detect potential security risks.
    • All security breaches and near misses must be reported to the ELTR and dealt with in line with GDPR.

    5. Who do we share raw data with?

    ELTR does not share raw data with third parties without the agreement of the ELTR/ELITA scientific board members. There are two situations where raw data are shared with third parties:

    • Registry’s studies that use only available data: in that case centers are anonymized
    • Registry’s studies that need to request to centers supplementary data necessary to conduct the study: in this case the centers ID is provided to the study leader who takes care of the survey by contacting centers and collecting the required supplementary data.

    In any situation, third parties must be from an ELTR contributing center. In case third parties are accepted to perform a registry study, the ELTR/ELITA board examines the project according to the Regulations for the ELITA /ELTR studies available at and carefully select eligible parties. Thus, ELTR/ELITA and the study leader conclude a Data Processing Agreements (DPA) (see appendix) in which the party is obliged to keep ELTR data confidential and to only process data on behalf of ELTR/ELITA, for the authorized purpose and in compliance with RGPD.

    6. Privacy Policies

    The purpose is to describe the consent process for data collection and how the privacy of patient information collected by ELTR is ensured.

    • Patients are intended to have been entitled by their center and/or OSO to view the information the ELTR holds about them, and request alterations if the data is thought to be inaccurate
    • Only the patient first 3 letters of the names are required in ELTR (a few of the 24% of centers who enter data directly into the ELTR platform enter this information) are not included in the locked analysis data set that is used for reporting and data extraction
    • All ELTR staff are required to sign a confidentiality agreement, confirming that data will only be accessed for purposes related to their work within the ELTR and that identifiable data will only be accessed when essential
    • All ELTR staff are required to be familiar with and act in accordance with GDPR
    • • All ELTR published reports present summary data only in tabular or graphic format.
    • ELTR does not release data identifiable by patient name
    • All data linkage projects with raw data must adhere to GDPR standards that protect patient privacy
    • At the time of data collection each center is asked to certify that they have complied with measures under the relevant privacy measures

    7. Platform technical specifications

    ELTR has developed the platform with FileMaker Server 19.1.2. The location includes a dedicated server located in a professional hosting company OVHcloud in a datacenter, with a complete duplication another server and site, from the Registrar of the domain name to the database. Protected by a firewall, the server is dedicated exclusively to ELTR studies. Monitoring, maintenance, and security updates to this server are carried out by the hosting company. OVHcloud is a certified health data hosting company.

    The server is hosted by a professional of hosting in a data center to allow an optimal security and a quick intervention in case of failure. The accommodation center meets the standards of “Carrier Class” in terms of secure power, air conditioning, security anti-fire, access security...

    ELTR ensures the administration of the server by a remotely management via a tool type “Terminal server”. The transfer of files is done by An FTP protocol. ELTR has available also a reboot remote type APC via internet. The technical characteristics of the servers are:

    • Intel Quad-Core Xeon, 2.4 Mhz processor
    • RAM 64 GB memory
    • 2 Drives 480Go SSD - RAID 1
    • 1 Gbps bandwidth

    The server is also protected vis-a-vis of external intrusion by a firewall.

    Finally, an external backup system is carried out on another server in the hosting company:

    • 4HS - 1 backup every 4 hours between 08:00 and 20:00 (backups kept: 4)
    • HBD - 1 weekly backup every Monday at 04:00 (backups kept: 4)
    • FMS - 1 backup per day at 00:00 (backups kept: 7)

    The weekly backups are transferred via FTP according to the same frequency on a workstation dedicated of ELTR and on external independent hard disk.

    The Web browser or user workstation is any computer with access to the internet that connects to the ELTR platform.

    The server is the heart of the application: it contains all the programs, databases and tools needed for the operation of the application. Each action of the user workstation leads to a query and a response from this server through this platform FileMaker.

    The login and password required for the study are transmitted by email. This procedure allows users to be protected by the internal password of their electronic mail. Logs of user activities, logs of FileMaker platform (internal FileMaker servers), web server and logs of FileMaker program are deleted periodically every 3 months.