The Directive 95/46/EC deal with the argument in the following terms:
- The processing of personal data for scientific research purposes is not considered incompatible with other processing (art. 6)
- For scientific use, personal data may be stored for longer periods (art. 6)
- The provision of information to the data subject may not be given when is impossible or would involve disproportionate efforts (40)
- The data subject’s right may be restricted by legislative measures adopted by each Member State (art. 13)
Now in the GDPR there are much more occurences related to:
- Recital (“whereas”) 33-50-52-53-62-65-113-156-157-159-161-162
- Articles 5-9-14-17-21-89
The article 89 is devoted to this argument.
- Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.
- Where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes. […]
Therefore, the GDPR facilitates the data processing for scientific research in different ways:
- The derogations already considered by the Directive are essentially taken up in the GDPR (50, 52, 53, art. 5, art. 9, art. 14)
- Scientific research issues are examined when different operations considered in the Regulation are regarded:
- The opportunity to obtain an expressed consent not for a specific scientific research, but for a certain area of research (33)
- The lawfulness of sensitive data processing, especially health data (52)
- Right to erasure and to be forgotten (65, art. 17)
- Transfers (113)
- The need to apply the principle of data minimisation also for scientific research, with pseudonymisation or anonymization techniques where it is possible (156)
- The possibility for Member States to provide specifications and derogations with regard to the rights of data subjects (156)
- The possibility to combine information from different registries, included medical conditions (157)
- Scientific research is interpreted in a broad manner (159)
- To the scientific research it is possible to apply specific conditions, in particular as regards the publication or otherwise disclosure of results (159)
- If the result of scientific research gives reason for further measures in the interest of the data subject, the general rules of this Regulation should apply in view of those measures (159)
- It is necessary to apply specific rules to clinical trials (161)
- However, for particular situations, the data subject shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest (art. 21)
Basically, research groups have to focus on (with the support of DPO and a potential ethical Committee):
- The evaluation whether exclude or not the possibility to use scientific research data for making decision on the single individual: if there were profiling, the GDPR would be applied entirely
- The identification of the minimum data set that will guarantee search results, especially if they can be obtained with anonymous, statistical or pseudo anonymous data.
- Anonymization and pseudonymisation techniques: with regard to these techniques, it is possible to take account of the WP 29’s opinion 05/2014
interessante. solo non capisco cosa vuol dire “Qualora i risultati della ricerca costituiscono motivo di ulteriori misure nell’interesse dell’interessato si dovrebbe applicare il regolamento nella sua generalità” (estratto dal considerandum 159): si riferisce alla eventuale profilazione?