Choosing the processing basis and ensuring its lawfulness in scientific research
As a rule, the controller is free to choose the basis for processing that is most applicable to the implementation of the study. The processing of special categories of personal data requires a specific basis.
Specific legislation applying to the controller (such as state research institutes) or research project (e.g. clinical trials) can restrict the choice of processing basis.
You should take the rights of the data subject into consideration when choosing the right processing basis, since they vary according to the basis. For example, the chosen basis for processing can make it easier to recruit subjects for the study if the subjects’ confidence in the appropriate processing of their personal data is secured through transparency and opportunities to influence the processing. You should also be aware that flexibility in the definition of the purpose of the research is only possible if the basis for processing personal data is consent.
The GDPR permits the processing of personal data for purposes of scientific research on the basis of:
1. The data subject’s freely given, specific, informed and unambiguous consent.
- The processing of personal data for scientific research cannot be based on consent if the research subjects are in a vulnerable position, for example due to their illness or age.
- In research, consent is not necessarily related to the basis for processing personal data. Consent can be related to
- the study’s ethical requirements (e.g. consent for participating in the study);
- another protected interest (e.g. infringing on the research subject’s physical integrity such as by taking a blood sample, generally requires consent); or
2. Pursuing the controller’s legitimate interests if permitted by the results of a balance test.
EU or national legislation can also permit processing on the basis of:
- In clinical drug trials, for example, controllers have a statutory obligation to archive the trial’s database for 25 years. This statement by the Data Protection Board (on EDPB's website) reviews the processing bases related to clinical drug trials in more detail.
- The Data Protection Act permits the processing of personal data for scientific or historical research purposes or statistical purposes if it is necessary and proportionate to the aim of public interest pursued (Data Protection Act, section 4). The controller is obligated to demonstrate the necessary and proportionate nature of the processing. Particular attention must be paid to data minimisation and the principle of storage limitation in this regard.
In certain situations, the processing of personal data for the purposes of scientific and historical research can be considered compatible with the original purpose if the appropriate technical and organisational safeguards are implemented in the processing. The controller’s processing of personal data for compatible purposes can be based on the same processing basis as the original processing, in which case a new basis is not required. The processing must also be lawful from the perspective of other data protection regulations; a compatible purpose does not justify non-compliance with other data protection regulations. When a controller intends to process personal data for purposes other than the original purpose of processing, it must notify the data subjects of this before starting processing.
Processing of special categories of personal data for research purposes
As a rule, the processing of special categories of personal data is prohibited. Data such as health information and genetic data belong to special categories of personal data. Special categories of personal data can only be processed for research purposes when an exception to the processing prohibition has been provided for.
If special categories of personal data are processed in the study,
- the consent to the processing must be explicit in addition to meeting the other requirements for consent; or
- another legal basis must be found for processing the personal data
- The Data Protection Act permits the processing of special categories of personal data for scientific or historical research purposes or for statistical purposes if the data subject’s rights are protected in an appropriate manner (Data Protection Act, section 6(1), paragraph 7)
- Specific legislation permits certain national research institutions to process special categories of personal data for their statutory research duties.
The processing of special categories of personal data also requires the controller and processor to implement suitable and specific safeguards to protect the rights of the data subject. An essential requirement for the safeguards is to lower the risk related to the processing of personal data to an acceptable level. Suitable safeguards must be tailored to specific situations.
Examples of safeguards
- Collection and monitoring of log data
- Data protection training for personnel
- Designation of a data protection officer
- The controller’s and processor’s internal measure for restricting access to the personal data
- Pseudonymisation of the personal data
- Encryption of the personal data
- Measures guaranteeing the constant reliability, integrity, availability and fault tolerance (including the ability to restore data availability and access to them in the event of a physical or technical fault) of the processing systems and services related to the processing
- Regular testing and evaluation of the efficiency of technical and organisational measures
- Special procedural regulations designed to ensure compliance with data protection regulations when transferring personal data or changing the purpose of processing
- A data protection impact assessment provided for in Article 35 of the GDPR
The processing of personal data relating to criminal convictions and offences is also provided for in the Data Protection Act (section 7(1), paragraph 2). The processing of such data requires enhanced safeguards designed to protect the rights of the data subjects.
Ensuring lawfulness in other respects
The controller must make sure that the data for the study is obtained in a lawful manner. Factors such as the research subject’s consent, grounds for confidentiality or licence terms can significantly restrict the processing of the data.
Other specific legislation applying to the processing also needs to be taken into consideration. For example, specific legislation has been passed on medical research, clinical drug trials and the secondary use of social welfare and health information.