EDPB Adopts Guidelines on Personal Data Processing for Scientific Research
The European Data Protection Board (EDPB) has issued new guidelines to clarify how personal data can be processed for scientific research under the GDPR. These guidelines aim to help researchers better understand compliance requirements while ensuring individuals’ data protection rights are maintained. The EDPB outlines six key factors to identify scientific research, including a systematic approach, ethical standards, transparency, independence, research objectives, and the potential to advance knowledge. If these criteria are met, research activities are presumed to fall under the GDPR’s definition of scientific research.
The guidelines also address the compatibility of further processing of personal data for research purposes. Controllers do not need to perform a new compatibility test if the data was initially collected for scientific research, but they must ensure the original legal basis remains valid. The EDPB supports the use of broad consent when research purposes are not fully known at the time of data collection, provided ethical safeguards are in place. Dynamic consent, where individuals approve specific projects as they arise, is also encouraged, and a combination of both methods is possible.
The rights of data subjects are carefully considered in the guidelines. Certain rights, like erasure and objection, may be limited when data is processed for scientific research, especially if exercising these rights would seriously impair the research objectives or if processing is necessary for public interest tasks. The EDPB also explains how responsibilities should be allocated among multiple entities involved in data processing, clarifying roles such as controller, joint controller, or processor.
Finally, the guidelines provide advice on technical and organizational measures to protect personal data in research. These include anonymization, pseudonymization, secure environments, privacy-enhancing technologies, and ethical oversight. The EDPB has also formed a dedicated team to finalize guidelines on anonymization by summer. Additionally, the Board approved updated Europrivacy certification criteria as a European Data Protection Seal, extending its scope to non-EU controllers and processors and recognizing its use for international data transfers under the GDPR.