According to Article 6 (e) of the GDPR, processing is lawful if it is necessary for the performance of a task carried out in the public interest. Here, one must keep in mind that “scientific research” is an overly broad term that generally refers to the search for knowledge, through a certain methodology, in any area of human knowledge. Thus, it is quite probably that if controllers are using a scientific methodology and, somehow, searching for knowledge thought the use of data, such processing could be lawful on the basis of the public interest legal ground.
Furthermore, public interest could serve to skip the veto included in Article 9.1 of the GDPR if they are using special categories of data when other legal bases (such as research for instance) are not applicable to the case. However, in this case, the processing shall be based on the law of the EU or a Member State and shall be proportionate to the aim pursued, respect the essence of the right to data protection, and shall provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject[1] ‘(see the “Data protection and scientific research”subsection in the “Main concepts” section of the General Part of these Guidelines).
On the other hand, one must remember that Article 5 (b) GDPR establishes the purpose limitation principle, under which data cannot be processed for purposes other than the specific initial ones. Interestingly, this article provides that certain purposes, which include scientific research, are deemed compatible with the initial purpose, rendering its subsequent processing presumptively lawful. Therefore, where the controller can argue and document that the purpose of the processing is scientific research, secondary uses of personal data are in principle considered compatible with the original purpose of the personal data processing (see the “Purpose limitation principle” subsection in the Principles section of the General Part of these Guidelines).
Moreover, it is quite probable that the social network that originally gathered the data included a clause in the consent by the data subject that allowed it or a third party further processing for research purposes or, at least, informed the data subject that such processing would be considered compatible with its initial consent. If this were the case, processing for research purposes wouldbe legitimate on the same lawful basis that permitted the social network gathering the data.
This assessment, however, needs to be carried out prior to the subsequent processing for secondary purposes and must be based on objective criteria.The legal framework on this issue might change considerably between the EU Member States. Thus, controllers should be aware of the applicable concrete normative framework. Consultation with their DPOs is highly recommended for this purpose[2] as well as the inclusion of an ethical-legal advisor/unit within the given project.
| Checklist: scientific research
☐ The controllers have checked that their project fits well with the concept of scientific research. ☐ The controllers have consulted their DPOs about the use of this exception to the ban on the processing of data of special categories. ☐ The controllers have consulted the national legal framework about this topic. ☐ The controllers have implemented the safeguards and organizational measures devoted to align with article 89 of the GDPR and corresponding national regulation. ☐ The controllers have documented all the information regarding this issue in the DPIA |
References
1See EOSC-Pillar Guidelines ´D4.1: Legal and Policy Framework and Federation Blueprint´ (2021), p. 76-77. At: https://repository.eosc-pillar.eu/index.php/s/tbqe6B7rDycdFCJ#pdfviewer ↑
2See some practical questions and answers on this here: https://www.ru.nl/rdm/gdpr-research/faq-gdpr-research/ ↑