In connection with scientific research involving the processing of personal data, the primary question is what can be considered scientific research during the application of the GDPR, and in which cases the specific rules of GDPR can be applied. Although the GDPR refers to "scientific and historical research" in several cases as an activity requiring special data protection rules for processing (see Articles 5 (1) b), e), 9 (2) j), 14 (5) b), 17 (3) d), 21 (6) and 89), the GDPR does not define the notion of "scientific research". The Conference of German Data Protection Commissioners (Datenschutzkonferenz, DSK) is assisting data controllers in this regard in a recent position paper.
1. Why is it necessary to provide for specific rules for scientific research at all?
The position paper of DSK also highlights that the Charter of Fundamental Rights of the European Union guarantees freedom of the arts and sciences as a fundamental right (Article 13), in addition to the protection of personal data (Article 8). For the enforcement of the two fundamental rights, it is necessary that they be harmonised, but at the same time in such a way that the essence of the fundamental rights concerned is not undermined. Accordingly, in the course of scientific research, when it involves the processing of personal data, account must be taken of the protection of personal data, while in the protection of personal data, where the processing of data is related to scientific research, account must be taken of the characteristics of scientific research and of the public interest served by scientific research. However, in order for fundamental rights to be harmonised, it is necessary to define precisely in which cases the fields of application of the two fundamental rights "coincide", when we are talking about data processing for scientific research purposes.
2. How is scientific research defined?
The position paper issued by the DSK highlights the following criteria to be examined when examining on a case-by-case basis whether a given activity can qualify as scientific research and thus be subject to the specific rules of the GDPR:
- methodological and systematic approach,
- acquiring (new) knowledge,
- verifiability,
- independence and autonomy,
- public interest.
At this point, it is worth referring to the preliminary opinion of the European Data Protection Supervisor (EDPS) issued in 2020 on scientific research, which sets out similar criteria for scientific research and concludes that the relevant specific data protection rules can be applied if the following three conditions are met (see point 3, pp. 9-12):
- personal data are processed;
- relevant sectoral standards of methodology and ethics apply, including the notion of informed consent, accountability and oversight;
- the research is carried out with the aim of growing society’s collective knowledge and wellbeing, as opposed to serving primarily one or several private interests.
On a less general level, recital 159 of the GDPR also gives some clues as to what scientific research can encompass (emphasis added):
Where personal data are processed for scientific research purposes, this Regulation should also apply to that processing. For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research. In addition, it should take into account the Union's objective under Article 179(1) TFEU of achieving a European Research Area. Scientific research purposes should also include studies conducted in the public interest in the area of public health. [...]
It can be seen from the above that the scope of scientific research can be wide, in addition to fundamental research, it also includes applied research, and it can also include research financed by the private sector, if the above conditions can be met.
As also pointed out in the position paper (see p. 1, last paragraph), the premaculum of GDPR (159), referring to the objectives set out in Article 179(1) TFEU, namely the promotion of social progress, balanced economic growth, the improvement of quality of life and public service issues, does not in any way exclude the association of economic motives with scientific research, but that the activity must have some social benefit (i.e. the public interest must appear in some way).
3. What should be taken into account in relation to the above criteria?
3.1 Methodological and systematic approach
In this context, subject-specific characteristics and peculiarities must be taken into account in order to determine rational truth. (This is in line with the opinion of the Article 29 Data Protection Working Party on consent, which also emphasized that "scientific research in this context means a research project set up in accordance with relevant sector-related methodological and ethical standards, in conformity with good practice". See WP259 opinion, point 7.2, p. 28. This is also referred to in EDPB Guideline 3/2020 in relation to the concept of scientific research.)
3.2 Acquisition of (new) knowledge
It is also important to have "acqusition of new knowledge" as a goal. It is therefore not enough just to apply knowledge already acquired. Nor does it fall within this concept of scientific research if scientific methods are used, but without the aim of acquiring new knowledge (e.g. for supervision, controlling, etc. purposes).
3.3. Verifiability
Referring to the practice of the German Federal Constitutional Court, the document points out that scientific research is also required to be verifiable. Although there is not necessarily an obligation to publish the results in connection with this, if they strive to keep the results secret or systematically exclude the results from being verifiable by the scientific community, this may lead to the fact that the conditions for scientific research are not met for the application of the GDPR. (Of course, expectations regarding verifiability must be assessed taking into account the legitimate interests related to the protection of trade secrets and confidentiality.)
3.4. Independence and autonomy
The independence and autonomy of the researcher are also essential for the establishment of research activities. This, of course, does not preclude the client from setting expectations or giving instructions to some extent, but these should not result in researchers fundamentally losing their independence in relation to the course of research or control over the results.
3.5 Public interest
Subject to Article 52 of the Charter of Fundamental Rights, it is of paramount importance that a restriction of fundamental rights with regard to the protection of personal data may be justified only if, and to the extent that, scientific research serves the public good and does not serve exclusively commercial or other individual interests.
In the event that, also in accordance with the above criteria, processing is carried out for scientific purposes and the relevant provisions of the GDPR become applicable, the following guidelines may provide further assistance for the proper application of the provisions, among others:
- Guidelines from the Finnish Ombudsman for Data Protection,
- EDPB Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research (February 2021),
- EDPB Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (April 2020),
- EDPS: A Preliminary Opinion on data protection and scientific research (January 2020),
- Study on the appropriate safeguards under Article 89(1) GDPR for the processing of personal data for scientific research - Final Report (2021, Milieu Consulting SRL, KU-Leuven),
- ICO (UK) Guideline on scientific research (based on the UK GDPR)
(Based on the EDPB's 2023/24 work plan, specific guidance is also expected. See Pillar 1, p. 2. However, the 2024/27 strategy no longer specifically mentions this topic.)
