Derogating from the rights of data subjects in the context of scientific or historical research or for statistical purposes

As a rule, data subjects involved in scientific and historical research have rights under the General Data Protection Regulation (GDPR). Pursuant to Section 31 of the Finnish Data Protection Act, the rights of data subjects in respect of accessing their data, requesting corrections to their data, restricting the processing of their data and objecting to the processing of their data may, if necessary, be derogated from if

  1. the processing is based on a legitimate research plan;
  2. the study is run by a coordinator or a coordination team; and
  3. personal data are only used and disclosed for the purposes of historical or scientific research or for a compatible purpose and procedures are otherwise in place that ensure that data pertaining to specific individuals are not disclosed to third parties.

The need for derogations must be evaluated on a case-by-case basis. The rights of data subjects may only be derogated from in so far as

  1. the rights in question are likely to render impossible or seriously impair the achievement of the specific purposes of the processing; and
  2. the derogations are necessary for the fulfilment of those purposes.

Controllers must evaluate, on a case-by-case basis, whether derogations are necessary and duly justified. The provision of safeguards does therefore not, on its own, justify derogating from data subjects’ rights.

Where special categories of personal data or personal data relating to criminal convictions and offences are processed, the controller must, in addition to the aforementioned obligations, carry out a data protection impact assessment pursuant to Article 35 of the General Data Protection Regulation and submit a written report of the same to the Data Protection Ombudsman prior to processing activities. No impact assessment report need be submitted if there are no plans to derogate from data subjects’ rights.

Derogations are also possible where the controller follows a code of conduct within the meaning of Article 40 of the General Data Protection Regulation, in which the aforementioned derogations from the rights of data subjects are duly taken into account.

Information to be submitted to the Data Protection Ombudsman

If you intend to derogate from the rights of data subjects and process special categories of personal data or personal data relating to criminal convictions and offences for scientific or historical research purposes, you must provide the Data Protection Ombudsman with the following information:

  1. Name and contact details of the controller
  2. Name of the research project
  3. Legal basis for the processing of personal data (GDPR, Art 6 and Art 9; Data Protection Act, Sections 4 and 6)
  4. Details of how the aforementioned rights of data subjects are likely to render impossible or seriously impair the achievement of the scientific or historical research purposes or statistical purposes.
  5. Details of why the derogations are necessary for the fulfilment of the scientific or historical research purposes or statistical purposes.
  6. Impact assessment report as an attachment.

Please send the information to the Office of the Data Protection Ombudsman using the Finnish Ministry of Justice’s secure e-mail service. The subject line of your message should read, for example, as follows:

Derogations from the rights of data subjects (Data Protection Act, Section 31) – [name of your organisation]