Article 89
Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical resear

Official
Texts
Guidelines
& Caselaw
Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 89 keyboard_arrow_down Hide the recitals of the Regulation related to article 89 keyboard_arrow_up

(56) Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.

(158) Where personal data are processed for archiving purposes, this Regulation should also apply to that processing, bearing in mind that this Regulation should not apply to deceased persons. Public authorities or public or private bodies that hold records of public interest should be services which, pursuant to Union or Member State law, have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest. Member States should also be authorised to provide for the further processing of personal data for archiving purposes, for example with a view to providing specific information related to the political behaviour under former totalitarian state regimes, genocide, crimes against humanity, in particular the Holocaust, or war crimes.

(159) Where personal data are processed for scientific research purposes, this Regulation should also apply to that processing. For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research. In addition, it should take into account the Union's objective under Article 179(1) TFEU of achieving a European Research Area. Scientific research purposes should also include studies conducted in the public interest in the area of public health. To meet the specificities of processing personal data for scientific research purposes, specific conditions should apply in particular as regards the publication or otherwise disclosure of personal data in the context of scientific research purposes. If the result of scientific research in particular in the health context gives reason for further measures in the interest of the data subject, the general rules of this Regulation should apply in view of those measures.

(160) Where personal data are processed for historical research purposes, this Regulation should also apply to that processing. This should also include historical research and research for genealogical purposes, bearing in mind that this Regulation should not apply to deceased persons.

(161) For the purpose of consenting to the participation in scientific research activities in clinical trials, the relevant provisions of Regulation (EU) No 536/2014 of the European Parliament and of the Council (15) should apply.

(162) Where personal data are processed for statistical purposes, this Regulation should apply to that processing. Union or Member State law should, within the limits of this Regulation, determine statistical content, control of access, specifications for the processing of personal data for statistical purposes and appropriate measures to safeguard the rights and freedoms of the data subject and for ensuring statistical confidentiality. Statistical purposes mean any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results. Those statistical results may further be used for different purposes, including a scientific research purpose. The statistical purpose implies that the result of processing for statistical purposes is not personal data, but aggregate data, and that this result or the personal data are not used in support of measures or decisions regarding any particular natural person.

(163) The confidential information which the Union and national statistical authorities collect for the production of official European and official national statistics should be protected. European statistics should be developed, produced and disseminated in accordance with the statistical principles as set out in Article 338(2) TFEU, while national statistics should also comply with Member State law. Regulation (EC) No 223/2009 of the European Parliament and of the Council (16) provides further specifications on statistical confidentiality for European statistics.

Show the recitals of the Directive related to article 89 keyboard_arrow_down Hide the recitals of the Directive related to article 89 keyboard_arrow_up

(29) Whereas the further processing of personal data for historical, statistical or scientific purposes is not generally to be considered incompatible with the purposes for which the data have previously been collected provided that Member States furnish suitable safeguards; whereas these safeguards must in particular rule out the use of the data in support of measures or decisions regarding any particular individual.

(34) Whereas Member States must also be authorized, when justified by grounds of important public interest, to derogate from the prohibition on processing sensitive categories of data where important reasons of public interest so justify in areas such as public health and social protection - especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system - scientific research and government statistics; whereas it is incumbent on them, however, to provide specific and suitable safeguards so as to protect the fundamental rights and the privacy of individuals;

The GDPR

Article 89 of the Regulation also provides for specific exceptions to certain rules contained in the Regulation for scientific, statistical or historical purposes.  It also extends the scope by adding the purpose of archiving in the public interest.

Unlike the Directive, the exemptions apply regardless of the fact that such purposes have been addressed in the initial data collection or not. They are therefore generally applicable to any further pursuit of such purposes.

The Regulation states that in the pursuit of such purposes as measures for safeguarding the rights and freedoms of the data subject and guaranteeing the compliance with the principle of minimization of data (art. 5 (c)) that only the data necessary for the purpose could be subjected to processing. Therefore, Article 89 evokes the implementation of technical and/or organizational measures such as pseudonymisation (Articles 4 (5)).

Pseudonymisation is defined in Article 4 (5) as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. It relates to concealing the identity of the data subject, by replacing an attribute of another in the records in order to mitigate the risk of correlation of a data set with the original identity of the data subject (see in this regard G29, Opinion 04/2007 on the concept of personal data). Encoded data is a classic example of pseudonymisation; G29, WP 216, Opinion 05/2014 on Techniques for anonymization, p. 22).

Article 89 specifies that if allowed in the pursuit of the purposes, the controller must favour subsequent data processing that would not or would no longer allow the identification of the data subjects.

Where personal data is processed for archiving in the public interest for scientific or historical research purposes or statistical purposes, the Member States may provide for derogations from the rights recognized to the data subjects, in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and, on the other hand, such derogations are necessary for the fulfilment of those purposes (paragraph 2). However, the nature of the rights from which derogations may be provided depends on the purpose pursued:

- In case of processing for scientific research or historical, or statistical purposes, the Union or the Member State may provide derogations from the rights to access (Art. 15), to rectification (Art. 16), to the restriction to processing (Art. 18) and to the right to object (Art. 21).

- In case of processing for archiving in the public interest, the Union or the Member States may derogate from the rights to access (Art. 15), of rectification (Art. 16), the restriction to processing (Art. 18), the obligations of notification concerning the rectification or the erasure of personal data or the restriction to processing (Art. 19), the right to data portability (Art. 20) and the right to object (Art. 21).

However, if the processing for historical or scientific research purposes or for archiving purposes in the public interest is also pursuing other purposes of processing, the derogations referred to above will only apply for processing for the purposes set out by article 89. Indeed, it should be remembered that the statistical purposes often serve other purposes, in particular when it comes to serve as support for a decision (credit scoring, customer profiling, etc.). The rule then states that the derogations may be applied to a new and different purpose in the future - for example for a statistical purpose, while the purposes operating at the present time remain subject to the full data protection rules. That is what recital 162 seems to mean when it states that the statistical purposes in question cannot be used to support measures or decisions with respect to a specific natural person.

The Directive

The Directive already provided various exemptions from the principles of protection for processing for historical, statistical or scientific purposes. For example, Article 6 already provided that such processing was not deemed incompatible with various initial purposes, subject to safeguards under national law. Under the same condition, the data could also be stored longer than necessary for the initial purpose or even for a purpose deemed to be compatible.

Still with appropriate safeguards, Article 11 (2) provided an exemption from the obligation to notify data subjects about processing for such purposes if the notification to the data person would be impossible or would imply disproportionate effort or if the legislation explicitly provided for data recording or communication.

Subject to adequate legal safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual, Member States might, where there is clearly no risk of breaching the privacy of the data subject, restrict by a legislative measure the rights provided for in Article 12 when data is processed solely for purposes of scientific research or are kept in a personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics (Article 13 (2)).

Potential issues

Insofar as the provision specifies accepted consequences of the principle of proportionality in the area, the provision only clarifies a regime that is already being enforced.

Additionally, the Regulation does not provide reasons for the possibility of derogation in one area but not another. For instance, why is there the right to portability and the right to be forgotten but not the right to information (Articles 13 and 14)?     

Regulation
1e 2e

Art. 89

1.   Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

2.   Where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

3.   Where personal data are processed for archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18, 19, 20 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

4.   Where processing referred to in paragraphs 2 and 3 serves at the same time another purpose, the derogations shall apply only to processing for the purposes referred to in those paragraphs.

1st proposal close

Art. 83

1. Within the limits of this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if:

(a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject;

(b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this manner.

2. Bodies conducting historical, statistical or scientific research may publish or otherwise publicly disclose personal data only if:

(a) the data subject has given consent, subject to the conditions laid down in Article 7;

(b) the publication of personal data is necessary to present research findings or to facilitate research insofar as the interests or the fundamental rights or freedoms of the data subject do not override these interests; or

(c) the data subject has made the data public.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the processing of personal data for the purposes referred to in paragraph 1 and 2 as well as any necessary limitations on the rights of information to and access by the data subject and detailing the conditions and safeguards for the rights of the data subject under these circumstances.

2nd proposal close

Art. 83

1. Where personal data are processed for scientific, statistical or historical purposes Union or Member State law may, subject to appropriate safeguards for the rights and freedoms of the data subject, provide for derogations from Articles 14a(1) and (2), 15, 16, 17, 17a, 17b, 18 and 19, insofar as such derogation is necessary for the fulfilment of the specific purposes.

1a. Where personal data are processed for archiving purposes in the public interest, Union or Member State law may, subject to appropriate safeguards for the rights and freedoms of the data subject, provide for derogations from Articles 14a(1) and (2), 15, 16, 17, 17a, 17b, 18, 19, 23, 32, 33 and 53 (1b)(d) and (e), insofar as such derogation is necessary for the fulfilment of these purposes. 1b. In case a type of processing referred to in paragraphs 1 and 1a serves at the same time another purpose, the derogations allowed for apply only to the processing for the purposes referred to in those paragraphs.

2. The appropriate safeguards referred to in paragraphs 1 and 1a shall be laid down in Union or Member State law and be such to ensure that technological and/or organisational protection measures pursuant to this Regulation are applied to the personal data (…), to minimise the processing of personal data in pursuance of the proportionality and necessity principles, such as pseudonymising the data, unless those measures prevent achieving the purpose of the processing and such purpose cannot be otherwise fulfilled within reasonable means.

3. (…).

Directive close

Art. 6

1. 1. Member States shall provide that personal data must be:

(…)

 Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;

(…)

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. 

(...)

Art. 11

Information where the data have not been obtained from the data subject

1. Where the data have not been obtained from the data subject, Member States shall provide that the controller or his representative must at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed provide the data subject with at least the following information, except where he already has it:

(a) the identity of the controller and of his representative, if any;

(b) the purposes of the processing;

(c) any further information such as

- the categories of data concerned,

- the recipients or categories of recipients,

- the existence of the right of access to and the right to rectify the data concerning him

in so far as such further information is necessary, having regard to the specific circumstances in which the data are processed, to guarantee fair processing in respect of the data subject.

2. Paragraph 1 shall not apply where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law. In these cases Member States shall provide appropriate safeguards.

Art. 13

(…)

2. Subject to adequate legal safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual, Member States may, where there is clearly no risk of breaching the privacy of the data subject, restrict by a legislative measure the rights provided for in Article 12 when data are processed solely for purposes of scientific research or are kept in personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics.

Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

§ 7 DSG

(1) For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes whose goal is not to obtain results in a form relating to specific data subjects, the controller may process all personal data that

  1. are publicly accessible
  2. the controller has lawfully collected for other research projects or other purposes, or
  3. are pseudonymised personal data for the controller, and the controller cannot establish the identity of the data subject by legal means.

(2) In the case of processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes that do not fall under para. 1, personal data may be processed only

  1. pursuant to specific legal provisions,
  2. with the consent of the data subject, or
  3. with a permit of the Data Protection Authority pursuant to para. 3.

(3) A permit of the Data Protection Authority for the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall be granted at the request of the controller ordering the research project, if

  1. the consent of the data subject is impossible to obtain because the data subject cannot be reached or the effort would otherwise be unreasonable,
  2. there is a public interest in the processing for which a permit is sought, and
  3. the professional aptitude of the controller has been satisfactorily demonstrated.

If special categories of personal data (Article 9 of the General Data Protection Regulation) are to be collected, an important public interest in the research project must exist; furthermore, it must be ensured that the personal data are processed at the premises of the controller ordering the research project only by persons who are subject to a statutory obligation of confidentiality regarding the subject matter of the research project or whose reliability in this respect is credible. The Data Protection Authority shall issue the permit subject to terms and conditions, insofar as this is necessary to safeguard the data subjects’ interests which deserve protection.

(4) A request according to para. 3 must, however, be accompanied by a statement signed by the person authorised to exercise rights in respect of the data files from which the personal data are to be collected, stating that this person is making the data files available for the research project. Instead of this statement, a writ of enforcement (§ 367 para. 1 of the Enforcement Code, Imperial Law Gazette No 79/1896) replacing this statement may be submitted.

(5) Even in cases where the processing of personal data for scientific research purposes or statistical purposes is permitted in a form which allows the identification of data subjects, the data shall be coded without delay so that the data subjects are no longer identifiable if specific phases of scientific or statistical work can be performed with personal data pursuant to para. 1 subpara. 3. Unless otherwise expressly provided for by law, data in a form which allows the identification of data subjects shall be rendered unidentifiable as soon as it is no longer necessary for scientific or statistical work to keep them identifiable.

(6) Legal restrictions on the right to use personal data for other reasons, in particular for copyright reasons, shall not be affected.


Lex specialis for data processing by scientific institutions within the meaning of § 2b No 12 FOG (Federal Act on Research Organisations"Forschungsorganisationsgesetz")

§ 2d FOG

(2) [...] For the purpose of the FOG, in particular based on Article 9 para 2 lit g, i and j GDPR, scientific institutions ( § 2b No 12 FOG) may

  1. process all personal data in any case, especially in the context of Big data, personalized medicine, biomedical research, biobanks and the transmission to other scientific institutions and Processors, if (a) instead of the name, bPK or other unique identifiers are used for identification; or (b) the processing takes place in a pseudonymised form (Article 4 No 5 GDPR); or (c) publications/ disclosure to the public are made (aa) not at all; (bb) only in an anonymous or pseudonymous form; or (cc) without name, home address or photo; or (d) the processing is done exclusively for the purpose of anonymization or pseudonymisation and there is no disclosure of personal data directly to third parties (Article 4 No 10 GDPR);
  2. [...]
  3. obtain from controllers, which are keeping statutory registers – except for registers kept by jurisdiction, lawyers and notaries within their statutory field of action and criminal records as well as – regarding ELGA ( Electronic health record) – from the ELGA ombudsman service, (personal) data from those registers , whereas the name must be replaced by bPKs, unless the name is necessary for the accomplishment of purposes according to Article 89 (1) GDPR, in electronic format within the time mentioned in Article 12 (3) GDPR and against appropriate remuneration if (a) the processing serves only purposes of life and social sciences; (b) the register is listed in an ordinance according to § 38b FOG [Ordinance by the Minister of Education, Science and Research listing all the registers that are open for “registry research”]; (c) the applicant is a scientific institution listed in § 2c (1) FOG or was explicitly entitled to use specific bPKs by the Minister of Transport, Innovation and Technology by notice in accordance with § 2c (2) FOG; (d) the costs of the data provision are reimbursed; and (e) in case the application includes the matching with available data, the application for data provision provides the specific bPKs according to § 13 (2) E-GovG of the data subjects.

Old law close

In force until May 25, 2018:


Scientific Research and Statistics

§ 46 DSG 2000

(1) For the purpose of scientific or statistical research projects whose goal is not to obtain results in a form relating to specific data subjects, the controller shall have the right to use all data that

1. are accessible in public or

2. he has lawfully collected for other research projects or other purposes or

3. are only indirectly personal for him/her.

Other data shall only be used under the conditions specified in para. 2 sub-paras. 1 to 3.

(2) In case of the use of data for purposes of scientific research or statistics that do not fall under para. 1 shall be used only

1. pursuant to specific legal provisions or

2. with the consent of the data subject or

3. with a permit of the Data Protection Authority pursuant to para. 3.

(3) A permit of the Data Protection Authority for the use of data for purposes of scientific research or statistics shall be granted upon request of the controller ordering the research project, if

1. the consent of the data subjects is impossible to obtain because they cannot be reached or the effort would otherwise be unreasonable and

2. there is a public interest in the use of data for which a permit is sought and

3. the professional aptitude of the applicant has satisfactorily been demonstrated.

If sensitive data are to be collected an important public interest in the research must exist; furthermore, it must be ensured that the data at the controller ordering the research project the data shall only be used by persons who are subject to a statutory duty to confidentiality or whose reliability in this respect is otherwise credible. The Data Protection Authority may issue its permit subject to terms and conditions insofar as this is necessary to safeguard the data subjects’ interests deserving protection, in particular, with regard to the use of sensitive data.

(3a) An application according to para. 3 must, however, be accompanied by a statement signed by the person authorized to dispose of the collection of information from which the data shall be collected or by another authorized person that he/she makes available the collection of information for the research. Such statement may be replaced by a writ of execution (§ 367 para. 1 Foreclosure Act, RGBl. No. 79/1896) replacing such statement.

(4) Legal restrictions on the right to make use of data for other reasons, in particular copyright, shall not be affected.

(5) Even in those cases where the use of data in a form which permits identification of data subjects is legal for purposes of scientific research or statistics, the data shall be coded without delay so that the data subjects are no longer identifiable if specific phases of scientific or statistic work can be performed with indirectly personal data only. Unless expressly laid down otherwise, data in a form which permits identification of data subjects shall be rendered unidentifiable as soon as it is no longer necessary for scientific or statistic work to keep them identifiable.

close