Research exemptions of GDPR

Before I dig further into the research exemptions of GDPR, its implementation in specific Member States and the impact of data subject rights – let’s recap what I touched upon in my previous article.

What does GDPR say?

One of the main rules of GDPR is purpose limitation. Data controllers must clearly define the purposes of data processing at the time of collection and avoid processing such data in a manner that is incompatible with those initially established purposes.

In practice, however, it can be hard to implement as very often the scope of personal data processing in the context of scientific research is not known yet at the time of data collection. Even the legislator acknowledged this in Recital 33 of GDPR that “[i]t is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of collection”.

That is precisely why the Regulation includes an exemption from the general prohibition of further processing of personal data in Article 5(1)(b) which states that “further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.” Art. 89(1) GDPR further establishes the conditions that must be fulfilled for such use of data to be lawful.

Derogations from data subject rights in the context of research exemptions of GPDR

In addition to the above-mentioned exemption, the Regulation provides certain derogations from data subject rights that in principle allow the processing of personal data for research purposes.

Let’s start with Article 14(5) of GDPR – the requirement to inform data subjects about processing when their personal data were collected from other sources. It states that if providing such information would be impossible or would involve disproportionate effort then the controller might not have to provide the data subjects with it. It applies particularly to the processing of personal data for research purposes – of course subject to the conditions from Article 89(1) of GDPR. Still, in such cases, the controller will have to take appropriate protective measures, including making the information publicly available.

Article 17 GDPR grants data subjects the so-called ‘right to be forgotten’. However, if we look at Section 3 of that same article it is clearly stated that when the processing is necessary for research purposes, the conditions for the enforcement of this right shall not apply; else, complying with this right would render the processing of personal data for research impossible. The above must always be read in the context of the safeguards of Article 89(1) of GDPR.

Even if the controller can invoke the research exemption of GDPR, the processing for research purposes could be hindered as the data subject retains the right to object to processing (‘right to object’) of Article 21 of GDPR. This right could only be overridden when performing a task carried out for reasons of public interest. This task must be established by Member State or EU law for it to be valid.

Article 20 in GDPR is also worth mentioning here – it provides individuals with data portability rights. However, it only applies where the data subject provided the personal data on the basis of his or her consent or the processing was necessary for the performance of a contract. Therefore, in case research would take place based on another legal basis then this right would not be available to data subjects either.

Local implementation

In Article 89(2) the GDPR grants Member States some discretion in terms of providing derogations from some of the data subjects’ rights (e.g. right of access, rectification, restriction of processing or the right to object – despite the wording of Article 21 mentioned above).

It must be noted that even if Member States decide to implement these derogations in their national legislation, a certain threshold must be met before these rights are waived. This threshold encompasses two elements:

1. Derogation from data subject rights must be necessary for the fulfilment of the purpose (for instance, research), and
2. Allowing data subjects to exercise their rights would likely render impossible or seriously impair the achievement of the specific purposes.

So now the question is whether Member States actually implemented legal instruments waiving data subjects’ rights. The answer is – it depends.

To provide a founded answer, I looked into UK, Denmark, Finland, Estonia and Poland national data protection legislation and assessed how they decided to implement these provisions. Each of them has taken a slightly different approach.

Denmark

The Danish legislator has opted for a very pragmatic approach. In the Danish Data Protection Act, Article 22(5), it is clearly stated that Articles 15, 16, 18 and 21 GDPR do not apply if the processing of data takes place exclusively for scientific or statistical purposes. Nothing else is mentioned but it is self-explanatory that these derogations can only be applied when it is impossible to conduct a research should these rights be exercised.

The United Kingdom

The UK has taken a similar legislative approach as Denmark. Relevant provisions may be found in its Data Protection Act 2018, Article 15(2)(f), as well as Schedule 2, Part 6. Basically, the rights enshrined in Articles 15, 16, 18 and 21 GDPR can be subject to derogation as long as personal data are processed considering the technical and organisational measures mentioned in Article 89(1) of GDPR. However, in addition to that, the results of the research or any resulting statistics are not made available in a form that identifies or allows the identification a data subject.

Estonia

Estonia has taken a rather interesting approach to managing derogations from data subjects’ rights. First of all, where personal data are processed for the purpose of research, the controller or processor may restrict the rights of data subjects provided for in Articles 15, 16, 18 and 21 GDPR insofar as the exercise of these rights is likely to make the achievement of the objectives of the research impossible or impedes it to a significant extent.

Further, Article 6 of the Estonian Data Protection Act clearly makes preference for processing personal data in pseudonymised form (or in a format that would provide a similar level of protection) for research purposes.

In theory de-pseudonymisation is permitted but only for the needs of additional scientific research or official statistics. What is interesting, however, is that if a company wants to process such non-pseudonymised data they must designate one person (identified by name) who will have access to information that would allow the re-identification.

Processing data that identify data subjects in only possible when:

1. It would be impossible to achieve the results with pseudonymised data,
2. There is an overriding public interest, and
3. When data subject rights are not excessively damaged.

Finland

The Finnish Data Protection Act also provides some derogations from data subjects rights in the context of research. 3 conditions must be met before these rights can be waived:

1. the processing is based on an appropriate research plan;
2. a person or group responsible for the research has been designated; and
3. the personal data are used and disclosed only for scientific or historical research purposes or for other compatible purposes, and the procedure followed is also otherwise such that data concerning a given individual are not revealed to outsiders.

Poland

Poland decided not to provide further derogations for data subjects’ rights in the context of research. There are some derogations available for controllers performing public tasks when exercising rights by data subjects would make fulfilment of the task impossible. This applies to right to information (Art. 13(3), the above-mentioned Art. 14(5)), and the right to access personal data provided in Article 15. Given the public task angle here the scope of these derogations is rather limited from data controller point of view but on the other hand goes beyond processing in the context of research. In Poland, you consequently will have to solely rely on the research exemptions of GDPR.

What does the research exemptions of GDPR mean for companies?

From the point of view of businesses and scientists, at first glance it may seem that GDPR may be an obstacle to conducting research given its strict requirements and wide applicability. If one digs deeper, though, the conclusion is rather the opposite.

The wide range of possible data subject rights derogations and the sole existence of the so-called research exemption of GDPR proves that the Regulations’s intention was not to block research but on the contrary – to enable it. Member States seem to share this view considering that 4 out of the 5 (and probably more) that I mentioned above – restricted data subject rights even further to enable scientific research.

Still, companies need to ensure that all data processing related to research does not infringe individuals’ privacy or cause high and unnecessary risk to their rights and freedoms. As long as appropriate measures are taken, personal data are well secured and processed in compliance with the main GDPR principles – no company would be sanctioned for processing data for research purposes.

It’s worthwhile to do a country-by-country assessment given that this is one of the few areas of the GDPR where there is diverging legislation depending on each Member States. The scope of the rights that may be derogated from clearly differs and each local DPA might take a slightly different approach to this matter.

Conducting a DPIA for each research-related data processing would also be recommended. Irrespective of whether or not it would be actually required in each case. It is always good practice to do a balancing test between the interests of data subjects and those of the data controller, and also to assess risks but also to demonstrate the controller’s accountability. It must be kept in mind that the burden of proof always lies with the data controller. It is on the controller to provide a convincing answer to the questions ‘why the data processed for research are necessary to achieve its purpose’, ‘why pseudonymization is used or not’, and ‘why data subject rights are not observed’ etc.