Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical resear
(56) Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.
(158) Where personal data are processed for archiving purposes, this Regulation should also apply to that processing, bearing in mind that this Regulation should not apply to deceased persons. Public authorities or public or private bodies that hold records of public interest should be services which, pursuant to Union or Member State law, have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest. Member States should also be authorised to provide for the further processing of personal data for archiving purposes, for example with a view to providing specific information related to the political behaviour under former totalitarian state regimes, genocide, crimes against humanity, in particular the Holocaust, or war crimes.
(159) Where personal data are processed for scientific research purposes, this Regulation should also apply to that processing. For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research. In addition, it should take into account the Union's objective under Article 179(1) TFEU of achieving a European Research Area. Scientific research purposes should also include studies conducted in the public interest in the area of public health. To meet the specificities of processing personal data for scientific research purposes, specific conditions should apply in particular as regards the publication or otherwise disclosure of personal data in the context of scientific research purposes. If the result of scientific research in particular in the health context gives reason for further measures in the interest of the data subject, the general rules of this Regulation should apply in view of those measures.
(160) Where personal data are processed for historical research purposes, this Regulation should also apply to that processing. This should also include historical research and research for genealogical purposes, bearing in mind that this Regulation should not apply to deceased persons.
(161) For the purpose of consenting to the participation in scientific research activities in clinical trials, the relevant provisions of Regulation (EU) No 536/2014 of the European Parliament and of the Council (15) should apply.
(162) Where personal data are processed for statistical purposes, this Regulation should apply to that processing. Union or Member State law should, within the limits of this Regulation, determine statistical content, control of access, specifications for the processing of personal data for statistical purposes and appropriate measures to safeguard the rights and freedoms of the data subject and for ensuring statistical confidentiality. Statistical purposes mean any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results. Those statistical results may further be used for different purposes, including a scientific research purpose. The statistical purpose implies that the result of processing for statistical purposes is not personal data, but aggregate data, and that this result or the personal data are not used in support of measures or decisions regarding any particular natural person.
(163) The confidential information which the Union and national statistical authorities collect for the production of official European and official national statistics should be protected. European statistics should be developed, produced and disseminated in accordance with the statistical principles as set out in Article 338(2) TFEU, while national statistics should also comply with Member State law. Regulation (EC) No 223/2009 of the European Parliament and of the Council (16) provides further specifications on statistical confidentiality for European statistics.
(29) Whereas the further processing of personal data for historical, statistical or scientific purposes is not generally to be considered incompatible with the purposes for which the data have previously been collected provided that Member States furnish suitable safeguards; whereas these safeguards must in particular rule out the use of the data in support of measures or decisions regarding any particular individual.
(34) Whereas Member States must also be authorized, when justified by grounds of important public interest, to derogate from the prohibition on processing sensitive categories of data where important reasons of public interest so justify in areas such as public health and social protection - especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system - scientific research and government statistics; whereas it is incumbent on them, however, to provide specific and suitable safeguards so as to protect the fundamental rights and the privacy of individuals;
Article 89 of the Regulation also provides for specific exceptions to certain rules contained in the Regulation for scientific, statistical or historical purposes. It also extends the scope by adding the purpose of archiving in the public interest.
Unlike the Directive, the exemptions apply regardless of the fact that such purposes have been addressed in the initial data collection or not. They are therefore generally applicable to any further pursuit of such purposes.
The Regulation states that in the pursuit of such purposes as measures for safeguarding the rights and freedoms of the data subject and guaranteeing the compliance with the principle of minimization of data (art. 5 (c)) that only the data necessary for the purpose could be subjected to processing. Therefore, Article 89 evokes the implementation of technical and/or organizational measures such as pseudonymisation (Articles 4 (5)).
Pseudonymisation is defined in Article 4 (5) as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. It relates to concealing the identity of the data subject, by replacing an attribute of another in the records in order to mitigate the risk of correlation of a data set with the original identity of the data subject (see in this regard G29, Opinion 04/2007 on the concept of personal data). Encoded data is a classic example of pseudonymisation; G29, WP 216, Opinion 05/2014 on Techniques for anonymization, p. 22).
Article 89 specifies that if allowed in the pursuit of the purposes, the controller must favour subsequent data processing that would not or would no longer allow the identification of the data subjects.
Where personal data is processed for archiving in the public interest for scientific or historical research purposes or statistical purposes, the Member States may provide for derogations from the rights recognized to the data subjects, in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and, on the other hand, such derogations are necessary for the fulfilment of those purposes (paragraph 2). However, the nature of the rights from which derogations may be provided depends on the purpose pursued:
- In case of processing for scientific research or historical, or statistical purposes, the Union or the Member State may provide derogations from the rights to access (Art. 15), to rectification (Art. 16), to the restriction to processing (Art. 18) and to the right to object (Art. 21).
- In case of processing for archiving in the public interest, the Union or the Member States may derogate from the rights to access (Art. 15), of rectification (Art. 16), the restriction to processing (Art. 18), the obligations of notification concerning the rectification or the erasure of personal data or the restriction to processing (Art. 19), the right to data portability (Art. 20) and the right to object (Art. 21).
However, if the processing for historical or scientific research purposes or for archiving purposes in the public interest is also pursuing other purposes of processing, the derogations referred to above will only apply for processing for the purposes set out by article 89. Indeed, it should be remembered that the statistical purposes often serve other purposes, in particular when it comes to serve as support for a decision (credit scoring, customer profiling, etc.). The rule then states that the derogations may be applied to a new and different purpose in the future - for example for a statistical purpose, while the purposes operating at the present time remain subject to the full data protection rules. That is what recital 162 seems to mean when it states that the statistical purposes in question cannot be used to support measures or decisions with respect to a specific natural person.
The Directive already provided various exemptions from the principles of protection for processing for historical, statistical or scientific purposes. For example, Article 6 already provided that such processing was not deemed incompatible with various initial purposes, subject to safeguards under national law. Under the same condition, the data could also be stored longer than necessary for the initial purpose or even for a purpose deemed to be compatible.
Still with appropriate safeguards, Article 11 (2) provided an exemption from the obligation to notify data subjects about processing for such purposes if the notification to the data person would be impossible or would imply disproportionate effort or if the legislation explicitly provided for data recording or communication.
Subject to adequate legal safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual, Member States might, where there is clearly no risk of breaching the privacy of the data subject, restrict by a legislative measure the rights provided for in Article 12 when data is processed solely for purposes of scientific research or are kept in a personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics (Article 13 (2)).
Insofar as the provision specifies accepted consequences of the principle of proportionality in the area, the provision only clarifies a regime that is already being enforced.
Additionally, the Regulation does not provide reasons for the possibility of derogation in one area but not another. For instance, why is there the right to portability and the right to be forgotten but not the right to information (Articles 13 and 14)?
European data protection board (EDPB)
Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (21 April 2020)
Due to the COVID-19 pandemic, there are currently great scientific research efforts in the fight against the SARS-CoV-2 in order to produce research results as fast as possible.
At the same time, legal questions concerning the use of health data pursuant to Article 4 (15) GDPR for such research purposes keep arising. The present guidelines aim to shed light on the most urgent of these questions such as the legal basis, the implementation of adequate safeguards for such processing of health data and the exercise of the data subject rights.
Please note that the development of a further and more detailed guidance for the processing of health data for the purpose of scientific research is part of the annual work plan of the EDPB. Also, please note that the current guidelines do not revolve around the processing of personal data for epidemiological surveillance.
1. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.
2. Where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.
3. Where personal data are processed for archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18, 19, 20 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.
4. Where processing referred to in paragraphs 2 and 3 serves at the same time another purpose, the derogations shall apply only to processing for the purposes referred to in those paragraphs.
1st proposal close
1. Within the limits of this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if:
(a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject;
(b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this manner.
2. Bodies conducting historical, statistical or scientific research may publish or otherwise publicly disclose personal data only if:
(a) the data subject has given consent, subject to the conditions laid down in Article 7;
(b) the publication of personal data is necessary to present research findings or to facilitate research insofar as the interests or the fundamental rights or freedoms of the data subject do not override these interests; or
(c) the data subject has made the data public.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the processing of personal data for the purposes referred to in paragraph 1 and 2 as well as any necessary limitations on the rights of information to and access by the data subject and detailing the conditions and safeguards for the rights of the data subject under these circumstances.
2nd proposal close
1. Where personal data are processed for scientific, statistical or historical purposes Union or Member State law may, subject to appropriate safeguards for the rights and freedoms of the data subject, provide for derogations from Articles 14a(1) and (2), 15, 16, 17, 17a, 17b, 18 and 19, insofar as such derogation is necessary for the fulfilment of the specific purposes.
1a. Where personal data are processed for archiving purposes in the public interest, Union or Member State law may, subject to appropriate safeguards for the rights and freedoms of the data subject, provide for derogations from Articles 14a(1) and (2), 15, 16, 17, 17a, 17b, 18, 19, 23, 32, 33 and 53 (1b)(d) and (e), insofar as such derogation is necessary for the fulfilment of these purposes. 1b. In case a type of processing referred to in paragraphs 1 and 1a serves at the same time another purpose, the derogations allowed for apply only to the processing for the purposes referred to in those paragraphs.
2. The appropriate safeguards referred to in paragraphs 1 and 1a shall be laid down in Union or Member State law and be such to ensure that technological and/or organisational protection measures pursuant to this Regulation are applied to the personal data (…), to minimise the processing of personal data in pursuance of the proportionality and necessity principles, such as pseudonymising the data, unless those measures prevent achieving the purpose of the processing and such purpose cannot be otherwise fulfilled within reasonable means.
1. 1. Member States shall provide that personal data must be:
Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.
Information where the data have not been obtained from the data subject
1. Where the data have not been obtained from the data subject, Member States shall provide that the controller or his representative must at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed provide the data subject with at least the following information, except where he already has it:
(a) the identity of the controller and of his representative, if any;
(b) the purposes of the processing;
(c) any further information such as
- the categories of data concerned,
- the recipients or categories of recipients,
- the existence of the right of access to and the right to rectify the data concerning him
in so far as such further information is necessary, having regard to the specific circumstances in which the data are processed, to guarantee fair processing in respect of the data subject.
2. Paragraph 1 shall not apply where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law. In these cases Member States shall provide appropriate safeguards.
2. Subject to adequate legal safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual, Member States may, where there is clearly no risk of breaching the privacy of the data subject, restrict by a legislative measure the rights provided for in Article 12 when data are processed solely for purposes of scientific research or are kept in personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics.
MADDE 28 - (1) Bu Kanun hükümleri aşağıdaki hâllerde uygulanmaz:
a) Kişisel verilerin, üçüncü kişilere verilmemek ve veri güvenliğine ilişkin yükümlülüklere uyulmak kaydıyla gerçek kişiler tarafından tamamen kendisiyle veya aynı konutta yaşayan aile fertleriyle ilgili faaliyetler kapsamında işlenmesi.
b) Kişisel verilerin resmi istatistik ile anonim hâle getirilmek suretiyle araştırma, planlama ve istatistik gibi amaçlarla işlenmesi.
c) Kişisel verilerin millî savunmayı, millî güvenliği, kamu güvenliğini, kamu düzenini, ekonomik güvenliği, özel hayatın gizliliğini veya kişilik haklarını ihlal etmemek ya da suç teşkil etmemek kaydıyla, sanat, tarih, edebiyat veya bilimsel amaçlarla ya da ifade özgürlüğü kapsamında işlenmesi,
ç) Kişisel verilerin millî savunmayı, millî güvenliği, kamu güvenliğini, kamu düzenini veya ekonomik güvenliği sağlamaya yönelik olarak kanunla görev ve yetki verilmiş kamu kurum ve kuruluşları tarafından yürütülen önleyici, koruyucu ve istihbari faaliyetler kapsamında işlenmesi.
d) Kişisel verilerin soruşturma, kovuşturma, yargılama veya infaz işlemlerine ilişkin olarak yargı makamları veya infaz mercileri tarafından işlenmesi.
(2) Bu Kanunun amacına ve temel ilkelerine uygun ve orantılı olmak kaydıyla veri sorumlusunun aydınlatma yükümlülüğünü düzenleyen 10 uncu, zararın giderilmesini talep etme hakkı hariç, ilgili kişinin haklarını düzenleyen 11 inci ve Veri Sorumluları Siciline kayıt yükümlülüğünü düzenleyen 16 ncı maddeleri aşağıdaki hâllerde uygulanmaz:
a) Kişisel veri işlemenin suç işlenmesinin önlenmesi veya suç soruşturması için gerekli olması.
b) İlgili kişinin kendisi tarafından alenileştirilmiş kişisel verilerin işlenmesi.
c) Kişisel veri işlemenin kanunun verdiği yetkiye dayanılarak görevli ve yetkili kamu kurum ve kuruluşları ile kamu kurumu niteliğindeki meslek kuruluşlarınca, denetleme veya düzenleme görevlerinin yürütülmesi ile disiplin soruşturma veya kovuşturması için gerekli olması.
ç) Kişisel veri işlemenin bütçe, vergi ve mali konulara ilişkin olarak Devletin ekonomik ve mali çıkarlarının korunması için gerekli olması.