EDPB Adopts Scientific Research Data Processing Guidelines

Brussels, 16 April – During its latest plenary, the EDPB has adopted Guidelines on processing of personal data for scientific research purposes. In addition, the Board has created a team to speed up the finalisation of the guidelines on anonymisation. The EDPB has also adopted two opinions on the two sets of the Europrivacy certification criteria for approval as European Data Protection Seals, one of which to be used as a tool for transfers.

Many areas of scientific research rely on the processing of individuals’ personal data, and this has driven significant scientific breakthroughs that benefit society. The rise of new technologies, such as artificial intelligence, also contributes to scientific progress by enabling researchers to use and analyse data in innovative ways.

The main objective of the EDPB guidelines on scientific research is to provide more clarity for researchers and make GDPR compliance easier, while ensuring the protection of individuals’ fundamental rights.

“Scientific research can drive societal progress and improve our daily lives.
Our guidelines facilitate innovative research by helping researchers to navigate the GDPR.

The EDPB is committed to supporting the scientific community and unlocking the full potential of scientific research in the EU while upholding data protection rights."

EDPB Chair, Anu Talus
In its guidelines, the Board provides clarifications on the concept of ‘scientific research’. To determine if the processing takes place for scientific research purposes in the meaning of the GDPR, the Board provides six key-indicative factors that should be considered, in addition to the nature, scope, context and purposes of processing. These are: 1) methodical and systematic approach, 2) adherence to ethical standard, 3) verifiability and transparency, 4) autonomy and independence, 5) objectives of the research, and 6) potential to contribute to existing scientific knowledge or apply existing knowledge in novel ways. If the research activities meet these six factors, they can be presumed to constitute scientific research. Otherwise, the controller should justify and be able to demonstrate why the activities should be considered scientific research, within the meaning of the GDPR.

Further processing for scientific research purposes is presumed to be compatible with the initial purpose for collecting individuals’ personal data. Therefore, controllers are not obliged to do the purpose compatibility test under the GDPR to determine if the new processing is compatible with the original purpose of collection. However, controllers must still make sure that the legal basis of the initial processing is also suitable for the further processing of personal data for scientific research purposes.

Controllers can rely on “broad consent” where the purposes of research are not fully known at the time of collecting the personal data. In this case, researchers should respect ethical standards for scientific research and put additional safeguards in place to compensate for the lack of purpose specification. Controllers can also ask individuals to consent to different individual research projects separately, as soon as the purposes of those projects become known (dynamic consent). A combination of both broad and dynamic consent is also possible.

In addition, the EDPB clarifies rights of individuals when their personal data are processed for scientific purposes. This includes the rights to erasure and object for which limitations may apply when personal data are processed for scientific research purposes. The Board provides examples to explain when the right to erasure can be considered likely to render impossible or seriously impair the objective of conducting scientific research. The EDPB also explains when controllers may reject an individuals’ objection to the processing of their personal data for scientific research purposes. This can be the case when processing is necessary for the performance of a task carried out for reasons of public interest.

The Board recalls that when several entities are involved in the processing of personal data for scientific research purposes, it is necessary to assess and document how responsibilities are allocated among the entities. In this regard, the Guidelines provide useful examples to clarify in which situations entities can qualify as controller, joint controllers or processor.

Finally, the Board explains how controllers can assess the appropriate technical and organisational measures, such as anonymisation or pseudonymisation, when processing personal data for scientific research purposes. The EDPB provides examples of other safeguards that could be implemented depending on the risks posed by the research activities carried out. These include independent or ethical oversight, secure processing environments, privacy enhancing technologies, protective measures for publication of research results, confidentiality arrangements, and conditions for further use.

The guidelines will be subject to public consultation until 25 June, providing stakeholders with the opportunity to comment and provide feedback.

A “sprint team” to finalise the work on anonymisation

To speed up the finalisation of the upcoming guidelines on anonymisation, the Board created a dedicated "sprint team" that will complete the work by the summer.

Europrivacy opinions

The EDPB adopted an Opinion approving the updated set of Europrivacy certification criteria as European Data Protection Seal * pursuant to Art. 42 (5) GDPR. The Board had first approved the Europrivacy certification criteria on 10 October 2022 as the first European Data Protection Seal through the EDPB Opinion 28/2022. The scope of the Europrivacy certification scheme has been extended to include controllers and processors established outside Europe who are subject to Art. 3(2) GDPR, either because they provide goods or services to individuals in Europe or because they monitor their behaviour.

In addition, for the first time, the Board adopted an Opinion recognising the Europrivacy certification criteria as European Data Protection Seal to be used as a tool for transfers in accordance with Art. 42 and 46 GDPR.  Data importers outside Europe who are not subject to the GDPR can now apply to the Europrivacy certification scheme for the transfers of data they receive. This certification will facilitate the fulfillment of the obligation of the controllers and processors in Europe to demonstrate that they provide appropriate safeguards for personal data transfers to third countries or international organisations.

These approvals bring further light on the GDPR certification mechanisms, confirming their key role as GDPR compliance tool.

Note to editors

*The European Data Protection Seal is a GDPR-certification mechanism recognised all over Europe. The Seal must satisfy specific criteria approved by the EDPB and must be granted by a certification body accredited under Art. 43 GDPR to prove compliance with GDPR standards.