Derogating from the rights of data subjects in the context of scientific or historical research or for statistical purposes

Chapter III of the General Data Protection Regulation provides for the rights of the data subject applied to the processing of personal data. The rights available to the data subject are determined by the basis for processing applied under the GDPR. Subject to certain conditions, it is possible to derogate from fulfilling these rights for the purposes of scientific or historical research or for statistical purposes if there is a valid basis for such derogation in the GDPR or Data Protection Act.

The rights of the data subject can be derogated from

  • by virtue of section 31 of the Data Protection Act,
  • by virtue of Articles 14, 17 and 21 of the GDPR, or
  • by virtue of Article 11 of the GDPR.

Read more about the bases for processing personal data

Derogating from the rights of the data subject by virtue of section 31 of the Data Protection Act

​​​​​​​The following rights of the data subject may be derogated from subject to the conditions provided for in section 31 of the Data Protection Act:

If the controller is processing special categories of personal data or personal data relating to criminal convictions and offences, the controller must conduct the impact assessment referred to in Article 35 o the GDPR or comply with the codes of conduct provided for in Article 40, in which due account has been taken of the derogation from the rights of the data subject.

Derogating from the rights of the data subject by virtue of Articles 14, 17 and 21 of the GDPR

The following rights of the data subject may be derogated from subject to the conditions provided for in Article 14(5)(b), Article 17(3)(d) and Article 21(6) of the GDPR: 

If the rights of the data subject are derogated from solely by virtue of Article 14, 17 and/or 21 of the GDPR, there is no need to carry out and deliver an impact assessment as required in section 31 of the Data Protection Act. However, carrying out an impact assessment may be required under Article 35 of the GDPR.

Derogating from the rights of the data subject by virtue of Article 14 is included in the authority's list of processing operations which require an impact assessment. For example, an impact assessment is required if the processing is large in scale.

Derogating from the rights of the data subject by virtue of Article 11 of the GDPR

Article 11 of the GDPR provides for processing of personal data which does not require identification. The following rights of the data subject may be derogated from subject to the conditions laid down in the provision:

For a controller to be permitted to derogate from the rights, it must be able to demonstrate that it is not in a position to identify the data subject. As a rule, the rights of the data subject must be fulfilled if the data subject, for the purpose of exercising their rights, provides additional information enabling their identification.

If the rights of the data subject are derogated from solely by virtue of Article 11 of the GDPR, there is no need to carry out and deliver an impact assessment under section 31 of the Data Protection Act. However, carrying out an impact assessment may be required under Article 35 of the GDPR.

Informing data subjects about their rights

Data subjects must be informed of the rights available to them and of the restrictions on the exercise of their rights. The obligations for informing the data subjects cannot be derogated from by virtue of section 31 of the Data Protection Act. If the requirement of informing the data subjects is derogated from by virtue of Article 14(5)(b) of the GDPR, the information of the informing must be made publicly available, for example on the controller's website.

Read more about informing the data subject

More information:

Rights of the data subject in scientific research

Scientific research and data protection

Scientific research FAQ