GDPR Learning Hub

General Data Protection Regulation

Processing personal data for research purposes

When a company processes personal data for research purposes, it must comply with specific rules in the GDPR. This applies to the processing of personal data for both scientific and historical research purposes.

Difference between Historical Research Purposes and Scientific Research Purposes

Scientific research purposes

Studies that are methodical and systematic, intended to develop new understanding or knowledge in certain specific areas.

Historical research purposes

Research and related work intended to understand, preserve, analyse or document historical events, persons, conditions, situations and similar that have occurred in the past.

Take appropriate technical and organisational security measures

Companies must protect the personal data processed by taking appropriate technical and organisational security measures. This also applies when a company processes personal data for research purposes. If it is possible to achieve the same result through anonymous data instead, the personal data should be anonymised.

Examples of technical security measures:

  • Pseudonymisation or anonymisation of personal data.
  • Two-factor authentication (2FA) when logging in to systems with personal data.
  • Antivirus protection on devices and in programs that process personal data.

Examples of organisational security measures:

  • Confidentiality agreements with staff processing personal data.
  • Internal procedures concerning the processing of personal data and specific situations, such as personal data breaches.
  • Access control to ensure that only authorised users have access to the personal data processed in a given system.

Collaboration and joint controllership are common

In research, it is normal for two or more institutions to collaborate, for example researchers from an institution in Finland working with researchers from an institution in England. In such cases, it is important to define the roles of the parties. It is not uncommon for there to be joint controllership of personal data in research involving several institutions. Alternatively, each institution may be an independent controller, or there may be a controller-processor relationship between the institutions.

Is consent a common legal basis to use when processing personal data for research purposes?

No, it is a complex legal basis on which to support the processing. However, it may be appropriate in certain cases, as illustrated below, for sensitive personal data.

Is it permissible to process sensitive personal data for research purposes?

Under the general rule in Article 9 of the GDPR, the processing of sensitive personal data is not permitted. However, there are exceptions. In order to process sensitive personal data for research purposes, the operator wishing to carry out the processing must identify an applicable exception, for example obtaining the data subject's explicit consent to the processing of the sensitive personal data. In addition, there may be national laws regulating specific exemptions. Please note that the requirements for implementing appropriate technical and organisational security measures are higher when the processing relates to sensitive personal data.

Processing the same personal data again for research purposes

Under the GDPR, the main rule is that every new processing requires a new legal basis, even if the company already processes the same personal data. However, there are exceptions. For example, further processing for research purposes is permitted without an additional legal basis. The same rules apply to further processing for archiving purposes in the public interest as to further processing for research purposes.

Additional national laws may need to be observed when processing for research

Many EU countries have complementary national laws regulating the processing of personal data for research purposes. It is therefore important to be aware of, and comply with, the national laws of the country in which the research is carried out.

Processing of personal data in schools

Schools in the EU/EEA, both private and public, process personal data within their operations and are therefore subject to the GDPR. In addition, they usually process personal data belonging to children, a group of data subjects particularly deserving of protection. It is also common for them to process sensitive personal data, such as employees' and students' allergies and sick leave. The appropriate legal basis depends on the processing. Consent is usually not appropriate because of the unequal power relationship between the pupils and the school. Public schools cannot rely on legitimate interest for processing personal data, as the GDPR prohibits this; private schools may be allowed to, but it is usually inappropriate for them as well.
