At the end of the research activity, the researchers might decide to disseminate their work. If the dissemination does not include the personal data processed during the research, the work can be disseminated to other interested parties. If the dissemination does include the data processed during the research (e.g., making the data available to the scientific community for peer review), then additional steps should be taken. The dissemination of personal data constitutes a processing operation as per Article 4.2 GDPR and – as described above – any processing operation involving biometric data shall be prohibited unless exemptions apply. Therefore, researchers should repeat the steps already described in “Identify the data collection approach” before proceeding with the dissemination. In particular, if the data controller relies on the ‘scientific research’ legal basis, and if all the requirements for adopting such legal basis are satisfied (see section “Identify the most appropriate legal basis”), it is possible to further distinguish two scenarios.
In the first one, the research team (Team A) has completed the research activity and intends to disseminate the data for the benefit of other research teams (Team B). In such a scenario, the dissemination is not a necessary operation for achieving the research purposes of Team A, but might be necessary for the research purposes of Team B. Therefore, Team A cannot rely on the ‘scientific research’ legal basis. It follows that Team A does not have any legal ground to share the data with Team B, or any other recipient, unless a different legal basis is found (for instance, Team A can collect explicit consent for the purpose of sharing data with Team B).
In the second scenario, Team A realizes, after the collection of the personal data, that it does not have adequate capability (e.g., technical) to process the data and continue with the research. Therefore, Team A decides to rely on the capability of Team B to process the data. In this situation, the dissemination of data to Team B is a necessary step for achieving the research purposes of Team A, and Team B needs to be nominated as ‘data processor’ following the provisions of Article 28 GDPR. Article 4.8 GDPR defines a data processor as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. The designation and roles of the data processor shall be communicated to the data subject prior to the transfer, and shall be governed by a contract or by Union or Member State law, which shall contain at least the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller (see the “Main Actors” section of these Guidelines).
In case personal data need to be transferred outside the European Economic Area, and provided that such transfer is not subject to one or more of the derogations listed in Article 49 GDPR, additional steps should be taken (see the “Transfer of data to third countries” subsection in the “Main Tools and Actions” section of the General Part of these Guidelines). The GDPR envisages a number of instruments for international data transfer. However, not all of them are currently applicable, as the relevant authorities are still working to formalize some of them.
|International data transfer|Status|
|---|---|
|Pursuing an adequacy decision|Applicable|
|Pursuing standard data protection clauses|Applicable|
|Pursuing binding corporate rules|Applicable|
|Pursuing codes of conduct|Planned|
|Pursuing certification mechanisms|Planned|
|Pursuing legally binding instrument between public authorities or bodies|Planned|
In the first case (pursuing an adequacy decision), the data can be transferred to states outside the EU if there is an adequacy decision by the European Commission. An adequacy decision can be adopted if the other state offers a level of data protection adequate to the European standard. In the second case (pursuing standard data protection clauses), the data can be transferred if there is an agreement between the data exporter and the data importer and if such an agreement contains a number of standard clauses regarding data protection that have been pre-approved by the European Commission. In the third case, if the extra-territorial transfer is occurring within the same entity (e.g., a transfer between two branches of an international group), the data can be transferred if there are binding corporate rules that offer data protection safeguards as per Article 47 of the GDPR and are approved by the competent data protection supervisory authority.
1 Which includes all EU Member States and Iceland, Liechtenstein, and Norway.
2 For more information, see also European Data Protection Board, ‘Guidelines 2/2018 on Derogations of Article 49 under Regulation 2016/679’, May 2018.
3 As of July 2021, these three options for international data transfer have been planned but not implemented yet.
4 The list of countries recognised through an adequacy decision can be accessed at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
5 The most up-to-date version of the standard clauses can be found in European Commission, ‘Implementing Decision 2021/914 on Standard Contractual Clauses for the Transfer of Personal Data to Third Countries Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council’ (2021), https://doi.org/10.5040/9781782258674.