According to Article 6 (e) of the GDPR, processing is lawful if it is necessary for the performance of a task carried out in the public interest. Furthermore, scientific research can serve as an exception to the ban on the processing of special categories of data set out in Article 9.1 of the GDPR. However, in this case, according to Article 9.2(j), the processing shall be based on the law of the EU or a Member State and shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject (see “Data processing for purposes of archiving in the public interest, scientific or historical research purposes or statistical purposes”, “Main Concepts”, Part II of these Guidelines). Nevertheless, IoT developers should always bear in mind that not all scientific research necessarily involves a public interest. Indeed, “it is difficult at present, if not impossible, to view a ‘substantial public interest’ as a basis for processing sensitive data for scientific research purposes” if a Member State has not produced specific regulation for this purpose. Thus, IoT developers should analyze the legal framework that applies in their own country.
On the other hand, one must remember that Article 5 (b) GDPR establishes the purpose limitation principle, under which data cannot be processed for purposes other than the specific initial ones (see “Data protection and scientific research”, in “Main Concepts”, Part II of these Guidelines).
If the development of an IoT system could be considered as scientific research, the Union or Member State law may provide for derogations from the rights referred to in Articles 15 (right of access), 16 (right to rectification), 18 (right to restriction of processing) and 21 GDPR (right to object), always subject to some conditions and safeguards (Article 89(2)).
Checklist: use of data for scientific research
☐ The controllers have checked that their project fits well with the concept of scientific research.
☐ The controllers have consulted their DPOs about the use of this exception to the ban on the processing of data of special categories.
☐ The controllers have consulted the national legal framework about this topic.
☐ The controllers have implemented the safeguards and organizational measures intended to align with Article 89 of the GDPR and the corresponding national regulation.
☐ The controllers have documented all the information regarding this issue.