• Courses
      • Global Series of National Privacy Laws
      • Nederlandse Privacy Academie
    • Resources
    • Join GADPPRO ACADEMY
      • Join GADPPRO Academy as an Official Partner
      • Become an Official GADPPRO Training Entity
      • Join the GADPPRO Business Academy
      • Secretariat & International Training Centre
      • Contact Us
    •  
      • RegisterLog in
    Privacad GADPPRO Academy
      • Courses
        • Global Series of National Privacy Laws
        • Nederlandse Privacy Academie
      • Resources
      • Join GADPPRO ACADEMY
        • Join GADPPRO Academy as an Official Partner
        • Become an Official GADPPRO Training Entity
        • Join the GADPPRO Business Academy
        • Secretariat & International Training Centre
        • Contact Us
      •  
        • RegisterLog in

      Blog

      Privacy Guidelines on Consent under Regulation 2016/679 (GDPR)

      • Categories Blog, Business, Design / Branding, Free Data Protection Resources, Uncategorized
      • Date October 2, 2020

      Guidelines 05/2020 on Consent under Regulation 2016/679 (GDPR)

      Section 7.2  Scientific research 

      153. The definition of scientific research purposes has substantial ramifications for the range of data processing activities a controller may undertake. The term ‘scientific research’ is not defined in the GDPR. Recital 159 states “(…)For the purposes of thisRegulation, the processing of personal data forscientific research purposes should be interpreted in a broad manner.(…)”, however the EDPB considers the notion may not be stretched beyond its common meaning and understands that ‘scientific research’ in this context means a research project set up in accordance with relevant sector-related methodological and ethical standards, in conformity with good practice.

      154. When consent is the legal basis for conducting research in accordance with the GDPR, this consent for the use of personal data should be distinguished from other consent requirements that serve as an ethical standard or procedural obligation. An example of such a procedural obligation, where the processing is based not on consent but on another legal basis, is to be found in the Clinical Trials Regulation. In the context of data protection law, the latter form of consent could be considered as an additional safeguard. At the same time, the GDPR does not restrict the application of Article 6 to consent alone, with regard to processing data for research purposes. As long as appropriate safeguards are in place, such as the requirements under Article 89 (1), and the processing is fair, lawful, transparentand accords with data minimisation standards and individual rights, other lawful bases such as Article 6(1)(e) or (f) may be available. This also applies to special categories of data pursuant to the derogation of Article 9 (2)(j).

      155. Recital 33 seems to bring some flexibility to the degree of specification and granularity of consent in the context of scientific research. Recital 33 states: “It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.”

      156. First, it should be noted that Recital 33 does not disapply the obligations with regard to the requirement of specific consent. This means that, in principle, scientific research projects can only include personal data on the basis of consent if they have a well-described purpose. For the cases where purposes for data processing within a scientific research project cannot be specified at the outset, Recital 33 allows as an exception that the purpose may be described at a more general level.

      157. Considering the strict conditions stated by Article 9 GDPR regarding the processing of special categories of data, the EDPB notes that when special categories of data are processed on the basis of explicit consent, applying the flexible approach of Recital 33 will be subject to a stricter interpretation and requires a high degree of scrutiny.

      158. When regarded as a whole, the GDPR cannot be interpreted to allow for a controller to navigate around the key principle of specifying purposes for which consent of the data subject is asked.

      159. When research purposes cannot be fully specified, a controller must seek other ways to ensure the essence of the consent requirements are served best, for example, to allow data subjects to consent for a research purpose in more general terms and for specific stages of a research project that are already known to take place at the outset. As the research advances, consent for subsequent steps in the project can be obtained before that next stage begins. Yet, such a consent should still be in line with the applicable ethical standards for scientific research.

      160. Moreover, the controller may apply further safeguards in such cases. Article 89(1), for example, highlights the need for safeguards in data processing activities for scientific or historical or statisticalpurposes. These purposes “shall be subject to appropriate safeguards, in accordance with this regulation, for the rights and freedoms of data subject.” Data minimization, anonymisation and data security are mentioned as possible safeguards. Anonymisation is the preferred solution as soon as the purpose of the research can be achieved without the processing of personal data.

      161. Transparency is an additional safeguard when the circumstances of the research do not allow for aspecific consent. A lack of purpose specification may be offset by information on the development of the purpose being provided regularly by controllers as the research project progresses so that, overtime, the consent will be as specific as possible. When doing so, the data subject has at least a basic understanding of the state of play, allowing him/her to assess whether or not to use, for example, the right to withdraw consent pursuant to Article 7(3).

      162. Also, having a comprehensive research plan available for data subjects to take note of, before they consent could help to compensate a lack of purpose specification. This research plan should specify the research questions and working methods envisaged as clearly as possible. The research plan could also contribute to compliance with Article 7(1), as controllers need to show what information was available to data subjects at the time of consent in order to be able to demonstrate that consent isvalid.

      163. It is important to recall that where consent is being used as the lawful basis for processing there mustbe a possibility for a data subject to withdraw that consent.The EDPB notes that withdrawal of consent could undermine types scientific research that require data that can be linked to individuals, however the GDPR is clear that consent can be withdrawn and controllers must act upon this – there is no exemption to this requirement for scientific research. If a controller receives a withdrawal request, it must in principle delete the personal data straight away if it wishes to continue to use the data for the purposes of the research.

       

      • Share:
      author avatar
      Richard V

      Previous post

      Privacy Guidelines on Consent under Regulation 2016/679 (GDPR)
      October 2, 2020

      Next post

      Privacy Guidelines on Consent under Regulation 2016/679 (GDPR)
      October 2, 2020

      You may also like

      Children Safety Encryption www.privacad.com
      Apple’s New Step to Protect Child Abuse via Encryption Feature
      20 August, 2021
      DNA Technology and Privacy www.privacad.com
      DNA Technology Regulation Bill and Violation of Privacy for Minority Groups
      19 August, 2021
      www.privacad.com
      India accuses Twitter of not complying with new IT rules
      18 August, 2021

      Search

      Categories

      • Blog
      • Business
      • Design / Branding
      • Free Data Protection Resources
      • Nederlandse Privacy Academie
      • Uncategorized
      Facebook-f Linkedin-in

      © Privacad 2020

      For all your questions about courses

      students@privacad.com

      For all your questions about Privacad for business

      info@privacad.com

      Links

      • Courses
      • Become a GADPPRO Academy Official Training Entity
      • Resources
      • Free Data Protection Resources
      • Blog
      • Profile
      • Students Stewards Network (SSN)

      Support

      • Privacy Policy
      • Terms of Use
      • FAQs
      • Contact

      © GADPPRO Academy | Privacad 2022

      GADPPRO Academy 2022

      Login with your site account

      Lost your password?

      Not a member yet? Register now

      Register a new account

      Are you a member? Login now