# EDPB Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research

- Type: Guidance
- Source: EDPB
- Identifier: edpb-document-on-response-to-the-request-from-the-european-commission-for-en
- Date: 2021-02-02
- Original: https://www.edpb.europa.eu/documents/other-guidance/edpb-document-on-response-to-the-request-from-the-european-commission-for_en
- Canonical: https://overview.legal/posts/126069
- Topics: Health Data, Social Media, Data Controller, Types of Special Categories of Personal Data, Accountability, Corrective Actions and Duty of Information Framework, DPIA, Storage Limitation, Identification, Genetic Data

## Summary

EDPB Document on r esponse to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research Adopted on 2 February 2021 2 Adopted 3 Adopted The European Data Protection Board Having regard to Article 70.1.b of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and…

## Sections (63)

### ¶0

2 February 2021 2 Adopted 3 Adopted The European Data Protection Board Having regard to Article 70.1.b of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter ’GDPR’), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amende d by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018,

### ¶1

Having regard to Article 22 of its Rules of Procedure, HAS ADOPTED THE FOLL OWING RESPONSE TO A REQUES T BY THE E UROPEAN COMMISSION FOR CLARIFICATION ON THE CONSISTENT APPL ICATION OF TH E GDPR, FOCUSSING ON HEALTH RESEARCH 1 I NTRODUCTION 1 On 8 July 2020 the European Commission (DG Justice and Consumers) submitted to the EDPB under Article 70 of the General Data Protection Regulation a request for clarification on the consistent application of the GDPR, focussing on health research , and provided a list of concrete questions related to data processing for health related research (prepared by DG Research and Innovation).

### ¶2

The following response of the EDPB to the questions of the European Commission should be considered as a first attempt to take away some of the misunderstandings and misinterpretations as to the application of the GDPR to the domain of scientific health re search. Generally speaking, most of these questions call for more time for in - depth analysis and/or a search for examples and best practices and can as yet not be completely answered.

### ¶3

In its guidelines (currently in preparation and due in 2021) on the pro cessing personal data for scientific research purposes, the EDPB will elaborate further on these issues while also aiming to provide a more comprehensive interpretation of the various provisions in the GDPR that are relevant for the processing of personal data for scientific research purposes.

### ¶4

This will also entail a clarification of the extent and scope of the ‘special derogatory regime’ for the processing of personal data for scientific research purposes in the GDPR. It is important that this regime is not perceived as to imply a general exemption to all requirements in the GDPR in case of processing data for scientific research purposes. It should be taken into account that this regime only aims to provide for exceptions to specific requirements in spec ific situations and that the use of such exceptions is made dependent on ‘additional safeguards’ (Article 89(1) GDPR) to be in place. 2 COMPLYING WITH DATA PROTECTION AND ETHIC S OBLIGATIONS: LEGAL BASIS FOR PROC ESSING OF HEALTH - REL ATED DATA FOR SCIENTIFIC R ESEARCH PURPOSES Q1. How to reconcile the ethical principle embedded in the Oviedo Convention and Declaration of Helsinki with the possibility to process health data based on legitimate interest or public interest? 1 References to the “Union” made throughout this d o c u m e n t should be understood as references to “EEA” . 4 Adopted

### ¶5

Ethics standards cannot be interpreted i n such a way that only explicit consent of data subjects can be used to legitimise the processing of health data for scientific research purposes. Article 6 and Article 9 GDPR contain other options for a legal basis and an exemption, that can be relied on for processing health data for scientific research purposes. The requirement of informed consent for participation in a scientific research project can and must be distinguished from explicit consent as a possibility to legitimise the processing of persona l data for scientific research purposes.

### ¶6

It can be argued that ethical statements and bio - ethics conventions primarily aim to protect individuals against being included in medical research projects against their will and/or without their knowledge. Hence, informed consent to participate in the medical research project is a necessary requirement, with some exceptions for situations where consent cannot be given (incapacitated individuals, emergency situations etc.). However, such consent can and should be d istinguished from ‘consent as a legal basis for processing of personal data’ in Article 6(1)(a) of the GDPR. Taking into consideration that Article 6 (1) GDPR provides for legal bases other than consent and Article 9 (2) GDPR provides for exemptions other than explicit consent, it is foreseeable and not incompatible (with ethical standards) that the other legal grounds can be relied on for the processing health data for scientific research purposes.

### ¶7

However, when relying on another legal basis in Article 6 other than consent and one of the other exemptions in Article 9 (2) GDPR, the ‘ethical’ requirement of informed consent for participation in the medical research project will still have to be met. In the GDPR - framework, this can be perceived as one of suc h additional safeguards as foreseen in Article 89(1) GDPR that should be in place when processing personal data for scientific research purposes. Q2. What is the definition of ‘participants not in good health conditions’ and does the explanation given in Opinion 3/2019 exclude the possibility for the data controller to rely on explicit consent as a legal basis for the processing of data from patients and people not hospitalised but diagnosed with certain health conditions?

### ¶8

In Opinion 3/2019 (on the interp lay between the Clinical Trials Regulation and the GDPR) , 2 the EDPB has stated that, for data protection purposes, consent is not an appropriate legal basis in research activities where there is a clear imbalance of power between the data subject and the c ontroller. It is acknowledged that in clinical trials such an imbalance may exist depending on the circumstances, for instance, when the data subject is not in a good health condition and there is no available therapeutic treatment outside the clinical tri al. Therefore it is stated in this Opinion that, if consent is still to be relied upon to process personal data in clinical trials, ‘a particularly thorough assessment’ of the circumstances of the clinical trial must first be carried out to determine if co nsent is appropriate’.

### ¶9

As this Opinion is limited to the specific context of - some - clinical trials, there is room for a different approach depending on the circumstances and the balance of power between the data subject and the controller in other typ es of scientific research.

### ¶10

Therefore, Opinion 3/2019 does not exclude the possibility for the data controller to rely on explicit consent as a legal basis for the processing of data from patients (hospitalised or not). Explicit consent 2 EDPB Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Dat a Protection regulation (GDPR); see https://edpb.europa.eu/our - work - tools/our - documents/dictamen - art - 70/opinion - 32019 - concerning - questions - and - answers_en 5 Adopted as a legal basis can still be relied on in medical research projects where it can be established that no imbalance of power between data subjects and researchers exists and the requirements for explicit consent in GDPR can be met. However, this will require a careful asses sment on a case - by - case basis.

### ¶11

It also has to be noted that provisions in Member State (MS) law can also affect the possibilities to use consent as a legal basis for processing health data for scientific research purposes. Q3. Would it be possible to have a heterogeneous/different legal basis for processing health data of different individuals in a single research project by one data controller in several Member States? How should the requirements for fairness (equal treatment of all individuals in one stu dy) be fulfilled?

### ¶12

Under the GDPR, controllers are required to process personal data lawfully. This means that controllers (the persons or organisations processing personal data for scientific research purposes) must process personal data in reliance on a legal ground specified in Article 6 GDPR (consent (a); legal obligation (c); task carried out in the public interest (e); legitimate interests (f)).Where such controllers process health data for scientific research purposes, they also need to satisfy one of the conditions in Article 9 GDPR (explicit consent (a); processing that relates to personal data which are manifestly made public by the data subject (e); necessity for reasons of substantial public interest based on Union of Member State law (g); nece ssity for reasons of public interest in the field of public health based on Union or Member State law (i); necessity for scientific research purposes based on Union or Member State law (j)).

### ¶13

Member State and/ or Union law is needed in order to stipulate a legal obligation (c) and/or a task carried out in the public interest (e) under Article 6 GDPR and to stipulate reasons of substantial public interest (g), reasons of public interest in the area of public health (i) and/or scientific research purposes (j) under Article 9 GDPR. This implies that choices made in MS laws can have a considerable impact both on the legal basis (Article 6) and on the exemption for processing of health data (Article 9) that must be relied on when processing personal (health) d ata for scientific research purposes. Therefore choices made in Member States’ law can have a serious impact on the level of harmonisation that can be achieved under GDPR in the domain of processing personal health data for scientific research purposes. I n addition, the possibility foreseen in Article 9(4) GDPR for MS to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health, should be taken into account.

### ¶14

Eve n though, as yet, there is no complete and detailed overview of relevant MS laws on the processing of health data, it can be observed that in Member State laws considerable differences can be found in legal bases for processing health data for scientific r esearch purposes are either specified, prescribed or excluded and whether an exemption on Article 9(1) based on Article 9(2)(g), (i) or (j) GDPR has been foreseen (with additional requirements) in Member State law.

### ¶15

When conducting a health research proje ct in multiple Member States, it is recommended to use, whenever possible, the same legal basis in the project. However, it is foreseeable that in research projects in multiple MS, there might be need for using a heterogeneous legal basis for processing he alth data of the participants in a single research project in several Member States, due to MS law. The potential negative impact of such a heterogeneous legal basis for processing health data in one research project in multiple Member States can be acknow ledged. However, this potential lack of homogeneity cannot be solved in the EDPB guidelines or by means of Codes of conduct. 6 Adopted

### ¶16

It is advisable that controllers should as far as possible make an effort to limit the consequences of different Member States’ le gal regimes for processing health data for scientific research purposes, for instance by optimising and thus harmonising the rights of data subjects irrespective of the Member State they live in.

### ¶17

As for relevant Union law, until now, only the Clinical Tria l Regulation (CTR) can be identified as Union law in which a uniform legal basis for controllers can be found in the stipulated legal obligation for controllers (Articles 41 - 43 CTR) to process personal data in clinical trials for reliability and safety rel ated purposes. However, this legal obligation for controllers does not cover all (other) purposes for which personal data are processed in a clinical trial. Therefore, the controller will have to rely on another legal basis in Article 6 GDPR for processing personal data for such other research purposes.

### ¶18

In this regard, the EDPB is aware that, in line with its European Data Strategy, the Commission is currently working on the creation of a European Health Data Space (EHDS), with the aim of improving access to and quality of healthcare by helping competent authorities in taking evidence - based policy decisions and in supporting scientific research. The EDPB calls on the Commission to explore whether in the forthcoming legislative proposal on the EHDS, for rese arch projects carried out in multiple member states and meeting specific criteria a common legal basis and/or scientific research regime for the processing of personal health data could be provided. Q4. What are the preconditions to consider when assessi ng if the personal data are manifestly made public by the data subject (art.9(2)(e)) in the case of genomic and other health related research?

### ¶19

A proper response to this question requires further analysis and discussion. The EDPB will elaborate on this issu e in its Guidelines on processing personal data for scientific research purposes (currently in preparation and due in 2021). 3 FURTHER PROCESSING O F PREVIOUSLY COLLECT ED HEALTH DATA Q5. To what extent could health data collected for one specific research project with the consent of the data subjects be re - used in different research projects of the same nature by another controller without the consent of data subjects? Q6. What are the requirements for the lawfulness and transparency of processing of specia l categories of data in cases where the compatibility presumption in Article 5(1)(b) would apply? Furthermore to what extent can the initial legal basis be relied upon for the further processing in such cases?

### ¶20

When relying on the presumption of compatibili ty stipulated in Article 5(1)(b) GDPR for further processing personal data for scientific research purposes in different research projects, it should be taken into account that the presumption of compatibility can only be used under the condition that in s uch further processing for scientific research purposes adequate safeguards as required by Article 89(1) GDPR are respected. Therefore the application of this exception is dependent on a further clarification of what such safeguards should entail.

### ¶21

The EDPB will provide further clarification on the requirement of a legal basis for further processing for scientific research purposes by the original or a subsequent controller, also taking into account Recital 50 and Article 6(4) GDPR, in its Guidelines on pro cessing personal data for scientific research purposes (presently under preparation, due in 2021). 7 Adopted Q7. If a health care provider collected health data from patients and wishes to use those data for a scientific research project, to what extent would this be considered compatible further processing?

### ¶22

When further processing of health data for scientific research purposes relies on the presumption of compatible use (Article 5(1)(b) GDPR), the controller will have to take Article 9 GDPR into account as well. I t could very well be that the exemption to the prohibition on the processing of health data the health care provider relied on for the original purpose does not extend to or does not cover the processing of health data for scientific research purposes. For instance, if the exemption in MS law only allows for the processing of health data by the health care provider in order to provide health care of medical treatments (Article 9(2)(h) GDPR), the health care provider would still need to rely on an exemption based on Union or MS law as required in Article 9(2) GDPR for the processing of health data for scientific research purposes. Q9. In what circumstances can health data from social media platforms, activity trackers or publicly available databases (for exa mple) be used for research purposes for creating profiles and what are the conditions to be met for such data processing when the data are not collected directly from the data subjects?

### ¶23

A proper response to this question requires more analysis and discussi on. The EDPB will elaborate on this issue in its Guidelines on the processing of personal data for scientific research purposes (currently in preparation and due in 2021). Q10. What would be a good example illustrating ‘the new situation’ that enables th e data controller to repurpose the data processing and use a legal basis different than the initial one (consent) as per Art. 29 WP Guidelines on consent?

### ¶24

A proper response to this question requires further analysis and discussion. The EDPB will elaborate on this issue in its Guidelines on the processing of personal data for scientific research purposes (currently in preparation and due in 2021). 4 THE NOTION OF BROAD CONSENT Q11. Does the concept of broad consent apply to the processing of special categories of data for scientific research purposes?

### ¶25

The EDPB assumes that by using the phrase ‘broad consent’, the EC is referring to Recital 33 GDPR and considers there is a need to clarify the meaning and scope of this Recital. The phrase ‘broad consent’ cannot be found either in the Recital and/or the GDPR. However, Recital 33 opens up, in certain circumstances, a possibility to mitigate the require ment of specificity of the consent (Article 4(11) GDPR) in order to be valid as a legal basis (Article 6(1)(a) GDPR) and/or as an exemption to the prohibition in Article 9(1) GDPR. In Recital 33 some flexibility is foreseen for situations in which the purp oses for data processing in the scientific research project cannot be specified at the time of data collection but can only be described in a high - level way for instance in terms of (types of) research questions and/or fields of research to be explored. A proper response to questions 11 - 13 will require more analysis and discussions and the EDPB will elaborate on this issue in its forthcoming Guidelines on the processing of personal data for scientific research purposes. 8 Adopted

### ¶26

However, for the time being, the EDP B points out that, as stated in the EDPB G uidelines 05/2020 on consent under regulation 2016/679 (§153 and following), 3 even though, for the cases where purposes for data processing within a scientific research project cannot be specified at the outset, Re cital 33 allows as an exception that the purpose may be described at a more general level, the GDPR cannot be interpreted to allow for a controller to navigate around the key principle of specifying purposes for which consent of the data subject is asked. Therefore, when research purposes cannot be fully specified, a controller must seek other ways to ensure the essence of the consent requirements are served best, for example, to allow data subjects to consent for a research purpose in more general terms an d for specific stages of a research project that are already known to take place at the outset.

### ¶27

In addition , adequate safeguards should be in place to enhance the transparency of the processing during the research project and to ensure that the requiremen ts on specificity of consent are met as best and as soon as reasonably possible. This also implies that for instance adequate procedures should be in place that data subjects can use to withdraw or further specify their consent for the use of their health data for scientific research purposes. In its Guidelines on processing personal data for scientific research purposes (currently in preparation and due in 2021) the EDPB will further elaborate on such safeguards.

### ¶28

It should also be noted that, considering the strict conditions stated by Article 9 GDPR regarding the processing of special categories of data, the EDPB has already indicated that, when special categories of data are processed on the basis of explicit consent, applying the flexible approach of R ecital 33 will be subject to a stricter interpretation and requires a high degree of scrutiny. 4 In its Preliminary Opinion on data protection and scientific research, the EDPS has also indicated that Recital 33 does not take precedence over the conditions for consent set out in Articles 4(11), 6(1)(a), 7 and 9(2)(a) of the GDPR. In the situation envisioned in Recital 33, the controller is required to carefully evaluate the rights of the data subject, the sensitivity of the data, the nature and purpose of th e research and the relevant ethical standards. Therefore, when research purposes cannot be fully specified, a controller would be expected to do more to ensure the essence of the data subject’s rights to valid consent are served, including through as much transparency as possible and through other safeguards pursuant to Article 89(1) GDPR . 5 Q12. Recital 33 GDPR provides that consent may be given to ‘certain areas’ of scientific research. What should the formulation of these ‘certain areas’ look like in th e course of obtaining a participants/data subjects consent, in particular as concerns future research projects which cannot be determined at the point of collection of the data (e.g. consent for ‘cancer research’ or consent for ‘breast cancer research’).

### ¶29

Even though Recital 33 GDPR offers some room for flexibility in describing the research purposes for which consent is obtained from the data subject, the requirements in Article 5 GDPR still have to be met in order for the processing to be lawful, fair and transparent. It is therefore imperative that the 3 EDPB Guidelines 05/2020 on consent under Regulation 2016/679 ; see https://edpb.europa.eu/our - work - tools/our - documents/guidelines/guidelines - 052020 - consent - under - regulation - 2016679_en 4 EDPB Guidelines 05/2020 , p ar . 157 . 5 EDPS, Preliminary Opinion on data protection and scientific research, p. 19 ; see https://edps.europa.eu/sites/edp/files/publication/20 - 01 - 06_opinion_research_e n.pdf 9 Adopted research areas are narrowed down, there is an obvious link to the context in which the personal data are collected and reasonable expectations of the data subjects are taken into account.

### ¶30

It will also be n ecessary to take into account any provisions in MS law as allowed for in Article 9(4) GDPR containing further conditions pertaining to processing of health data, since those provisions in MS law could also impact (enable, facilitate or impede) the usabilit y of ‘broad consent’ in that MS. Q13. Can the concept of broad consent also be applied to further research projects of the same controller or to different controller as well?

### ¶31

Since Recital 33 GDPR requires that the scope of the research purposes for which the health data will be used is narrowed down (e.g. by areas and types of research questions). Therefore ‘broad consent’ cannot be asked and relied on for processing health data for ‘any kind of - unspecified - future research purposes’. However the conc ept of broad consent could be relied on for different research projects that fall within the scope of that broad consent and that meet certain additional safeguards that will be elaborated on in the EDPB guidelines on processing personal data for scientifi c research purposes (currently in preparation and due in 2021). 5 TRANSPARENCY OF DATA PROCESSING: INFORMA TION TO BE PROVIDED TO THE DATA SUBJECT AND STORAGE LIMITATION Q14. When further processing personal data for research purposes, can the data controll er who initially collected the data directly from the data subjects benefit from the exception provided in Article 14(5)(b), if the data subjects are no longer reachable, very difficult to reach and/or when this will require disproportionate effort? If not , what should be best practice examples to comply with Article 13?

### ¶32

First of all, it must be noted that the information obligation for the controller in Articles 13/14 GDPR is a key element of the principle of transparency. Any exception to these obligation s should be interpreted in a restricted way.

### ¶33

It also has to be recognised that even though Article 13 GDPR applies to situations in which data are obtained from the data subject and Article 14 GDPR applies to situations in which data are not obtained from the data subject, the information obligations for the controller to a great extent are the same. Any additions and exceptions foreseen in Article 14 GDPR must been seen as specifically tailored to the situation where data have not been obtained data from the data subject.

### ¶34

In both situations the controller, prior to further processing the personal data for another purpose should provide the data subject with information on that other purpose and wi th any relevant further information Article 13(3) and Article 14(4) GDPR). An exception to this information obligation in case of further processing for another purpose personal data not obtained from the data subject, is foreseen in Article 14(5)(b) GDPR for , i nter a lia, scientific research.

### ¶35

Since no such exception is foreseen in Article 13 GDPR, it is recommended that if a controller intends to use data obtained from data subjects also for other purposes, this controller should at the time of collection of the data take appropriate measures in order to be able to meet the information obligations pertaining to such further processing. 10 Adopted

### ¶36

In order to avoid situations in which an exception such as foreseen in Article 14(5)(b) GDPR is needed, controllers could also consider the implementation of more dynamic ways of informing data subjects of the (further) processing of their data.

### ¶37

The EDPB will further address questions on the proper application of Article 13 and 14 GDPR and solutions for such issues in the Guidelines on the processing of personal data for research purposes (currently in preparation and due in 2021) Q15. In case of a change to the legal basis (e.g. withdrawal of consent and subsequent processing based on a law in the public interest/legitim ate interest in conjunction with a law under Article 9(2)(j) GDPR), can the data controller enact the research derogation contained in Article 14(5)(b) and continue processing the health data based on a different legal basis without notifying the data subj ects? How should the potential ethical implications of such a decision be reconciled with the provision?

### ¶38

Article 13(1)(c) and Article 14(1)(c)) GDPR specifically require the controller to inform the data subject on the legal basis for the processing. Provi ded that a change in the legal basis during the processing of data for a specific purpose can be considered appropriate, the controller should inform the data subjects about this change in the legal basis so as to explain the likely impact of this change in legal basis (i.a. on the rights of the data subject) and not deceive the reasonable expectations of the data subject (fairness and accountability principle).

### ¶39

Also in cases of further processing Article 13(3) and Article 14(4) GDPR require providing inf ormation on the legal basis for such further processing. Only in situations where personal data are not obtained from the data subject the research exception of Article 14(5)(b) GDPR can be applied.

### ¶40

Further clarifications on the issue of a change to the l egal basis for (further) processing personal (health) data for scientific research purposes in connection with the information obligation of the controller under Article 13 and Article 14 GDPR, will be provided in the EDPB Guidelines on the processing of p ersonal data for scientific research purposes (currently under preparation, due in 2021). Q.16 What could be the criteria used to determine the data retention time, in particular as concerns further processing of health data for scientific research purpose s?

### ¶41

As a rule the data retention period should be based on the necessity of the data storage for the purpose for which the personal data are being processed (Article 5(1)(e) GDPR), but this provision allows for a longer storage period (then necessary for th e initial purpose insofar as the personal data will be processed solely for […] scientific research purposes. On the conditions that this scientific research is performed in accordance with Article 89(1) GDPR and appropriate technical and organisational me asures are implemented in order to safeguard the rights and freedoms of the data subject.

### ¶42

The scope of this research exception and the safeguards under Article 89(1) GDPR will need further clarification, which cannot be provided as yet. Such further cla rification will be provided in the EDPB Guidelines on processing personal data for scientific research purposes (presently under preparation, due in 2021). 11 Adopted 6 ANONYMISATION, PSEUD ONYMISATION AND OTHE R SAFEGUARDS UNDER ARTICLE 89(1) GDPR Q17. Should the data , which does not contain the key/code for re - identifying the individuals in the dataset, be considered anonymised or pseudonymised data (with the respective obligations for the data controllers) for the party which receives it?

### ¶43

First of all the EDPB point s out that, since the process of anonymising personal data constitutes the processing of personal data under the GDPR, such processing must be conducted in a manner that complies with the GDPR and adheres to the principles of data protection.

### ¶44

The EDPB als o points out that that the impact of using/applying techniques for anonymization or pseudonymisation of data on the legal status of such data under the GDPR differs. When techniques for pseudonymisation of data have been applied, these data are still consi dered personal data under the GDPR (see Article 4(5) GDPR). In Article 89(1) GDPR pseudonymisation is considered to be as an additional safeguard which should be employed in the context of scientific research to ensure respect for the principle of data mi nimisation. Anonymised data are considered not to be in/under the scope of the GDPR (see Recital 26). Therefore, the concepts of anonymization or pseudonymisation of data should be clearly distinguished.

### ¶45

The determination of whether information is anonymo us must be made by the application of the test of identifiability outlined in Recital 26 GDPR: “To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by th e controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.”

### ¶46

All of the factors outlined in Recital 26 GDPR must be considered in making an assessment as t o the reasonable likelihood of identifiability. Also, the WP29 Opinion 05/2014 on Anonymisation techniques should be taken into account. Any such assessment should be made along the lines suggested by the CJEU in Breyer, which refers to Recital 26 of Dire ctive 95/46/EC, looking at the legal and practical means by which re - identification may be effected by the use of additional data in the hands of third parties.

### ¶47

It should be taken into account that anonymisation of personal data can be difficult to achiev e (and upheld) due also to ongoing advancements in available technological means, and progress made in the field of re - identification. For this reason, the anonymisation of personal data should be approached with caution in the context of scientific resear ch. Those parties which consider that they are using anonymous information in research should be in a position to satisfy themselves – and when questioned also the competent SA - on an ongoing basis that this continues to be the case, and that they have n ot inadvertently become data controllers of personal data for the purposes of the Regulation.

### ¶48

The forthcoming EDPB guidelines on processing of personal data for scientific research purposes will consider any further work of the EDPB regarding the topic of anonymisation and pseudonymisation. 12 Adopted

### ¶49

Further, the use of pseudonymisation or anonymisation should not be viewed in isolation from any other regulatory or ethical frameworks that may apply to the conduct of scientific research, and should not be seen as obv iating any responsibilities that such frameworks impose. Q18. To what extent, if at all, can genetic data be considered anonymised where the controller carries out reasonable efforts and uses technically available means in order to prevent re - identificati on of the individuals?

### ¶50

The EDPB points out that the possibility to anonymise genetic data remains an unresolved issue. As yet, it remains open to be demonstrated whether any combination of technical and organisational means can be effectively employed to r emove genetic information from the material scope of the GDPR.

### ¶51

However, in the interests of protecting the rights and freedoms of individual data subjects, it is strongly advised that such genetic data is treated as personal data and that the processing thereof is conducted with the implementation of appropriate technical and organisational measures to ensure compliance with the Regulation. Q19. What types of measures/procedures shall be considered a good practice for setting up ‘appropriate safeguards’ in relation to Article 89(1) of the GDPR? Examples of both technical and organisational measures will be highly appreciated.

### ¶52

The EDPB recognises the importance of this question, but also underlines its complexity. Therefore, a thorough reply will have to be postponed.

### ¶53

However, the EDPB would like to make some preliminary remarks on the importance of Article 89(1) GDPR and the relevance of a further clarification of what could or should be expected i n terms of additional safeguards. Thus acknowledging that the present lack of specification on what could or should be considered adequate safeguards under Article 89(1) GDPR that need to be in place when personal data are processed for scientific researc h purposes, can be considered a serious impediment for the proper use of the exceptions foreseen in the GDPR for processing personal data for scientific research purposes.

### ¶54

First of all, the EDPB points out that Article 89(1) GDPR requires additional safeg uards to be in place in all situations in which personal data are processed for scientific research purposes. It should also be noted that meeting the requirement of additional safeguards when processing personal data for scientific research purposes, as such, does not relieve the controller of such obligations under the GDPR as to have a legal basis (Article 6) and an exemption to the prohibition on processing health data (Article 9).

### ¶55

The EDPB also underlines that in most of the provisions in the GDPR in which an exception to certain requirements of the GDPR are foreseen in case of processing personal data for scientific research purposes the use of such exceptions is made conditional on having in place additional safeguards as required by Article 89(1) GDPR. Therefore , it could be argued that without such – yet to be clarified – additional safeguards the use of such research exceptions would not be legitimate.

### ¶56

Furthermore, the EDPB points out that Article 9(2)(j) GDPR in addition to requiring adherenc e to Article 89(1) GDPR when processing health data for scientific research purposes, also calls for MS or Union 13 Adopted law to provide for ‘suitable and specific measures to safeguard the fundamental rights and the interests of the data subject’. 7 GENERAL QUESTI ONS: PROCESSING OF S PECIAL CATEGORIES OF DATA ON A LARGE SCAL E AND INTERNATIONAL COOPERATION Q20. Which will be the determining factor( - s) for deciding whether special categories of data are processed on a large scale within a scientific research project?

### ¶57

First of all, the EDPB notes that, in determining whether a DPIA is mandatory, a controller, prior to the processing of health data for scientific research purposes, should not solely focus on Article 35 (2)(b) GDPR (requiring a DPIA to be carried out prio r to the processing on a large scale of special categories of data referred to in Article 9(1) GDPR), but should take Article 35 GDPR as a whole into account.

### ¶58

It is not sufficient to only assess whether in a certain scientific research project a - still to be specified – standard for ‘processing on a large scale’ is reached. The most important criterion being whether or not there is a high likelihood of risk to the rights and freedoms of the data subjects and this should be the key focus of the assessmen t. Processing of personal data may result in such risks, even when the processing of data is not on a large scale.

### ¶59

Is important to note that point a - c of Article 35 can only be considered to be – non - exhaustive - illustrations/examples of types of proc essing that are likely to result in a high risk to the rights and freedoms of natural persons. Moreover, according to Article 35 (1) GDPR , a DPIA is mandatory in all types of processing that have such a likelihood of such high risks.

### ¶60

In the Guidelines on DPIA and determining whether processing is ‘likely to result in a high risk’ fo r the purpose of Reg. 2016/679, 6 a set of criteria and some examples are provided that can be used in the assessment. The Article 29 Working Party also indicated that a processi ng meeting two criteria out of the list would require a DPIA and that , in some cases , a controller can consider that a processing meeting only one of the criteria requires a DPIA.

### ¶61

It is also important to point out that – to a certain extent – variations i n the types of processing that warrant a DPIA to be carried out, can exist between MS. Even though Article 35(6) GDPR requires the application of the consistency mechanism by SA’s. These variations can exist in:  the supplementary listing by SA’s of the ki nd of processing operations that warrant a DPIA (Article 35 (4) GDPR)  the listing by SA’s of the kind of processing operations for which no DPIA is required (Article 35(5) GDPR)  the implementation of Article 35 (10) GDPR: Where processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union or MS law and that law regulated the specific processing operation or set of operations in question and a DPIA has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 - 7 6 G29 WP248 rev.1, 4 October 2017, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679 - endorsed by the EDPB: https://ec.europa.eu/newsroom/article29/item - detail.cfm?item_id=611236 14 Adopted shall not apply unless MS deem it to be necessary to carry out such an assessment prior to processing activities. Q21. In what situations can the data controller rely on the derogation of legitimate interest in Article 49(1)(g) GDPR in the context of scientific research when transferring special categories of data to third countries?

### ¶62

A proper response to this question requires further analysis and discussion. The EDPB will elaborate on this issue in its Guidelin es on the processing of personal data for scientific research purposes (currently under preparation, due in 2021). For the European Data Protection Board The Chair (Andrea Jelinek)

---
Generated by overview.legal · https://overview.legal/posts/126069 · 2026-07-17
