The GDPR includes some concepts of particular relevance. One cannot adequately meet the requirements of this standard if one does not handle them properly. Five are discussed in this section: personal data; processing; data protection by design and by default; identification, pseudonymization and anonymization; data protection and scientific research. Two of them are particularly complex and/or relevant for the purpose of these Guidelines.
Data protection and scientific research
As the European Data Protection Supervisor (EDPS) highlighted, “the European Commission has defined the objectives of the EU’s research and innovation policies to be ‘opening up the innovation process to people with experience in fields other than academia and science’, ‘spreading knowledge as soon as it is available using digital and collaborative technology’ and ‘promoting international cooperation in the research community’”. These purposes are not in conflict with data protection. Indeed, data protection rules should not be an obstacle to freedom of science pursuant to Article 13 of the Charter of Fundamental Rights of the EU (CFREU). Rather, these rights and freedoms must be carefully assessed and balanced, resulting in an outcome which respects the essence of both. This section of the Guidelines is intended to help ICT researchers achieve that balance.
Identification, pseudonymization and anonymization
One of the most complex issues to be faced when we have to process personal data is to determine whether such data allows us to identify a data subject. This often involves considering whether or not anonymization of the data has been achieved. Other times the data cannot be anonymized, but must remain linked to the data subject. On these occasions, pseudonymization is the most relevant option. Unfortunately, it is not always easy to know which scenario we are in. Pseudonymization and anonymization are related concepts. In particular, they are both defined in terms of identification. For this reason, both topics are discussed in a single section and the first subsection analyses the concrete technical meaning of identification.
1EDPS, A Preliminary Opinion on data protection and scientific research, 2020, p. 10. At: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf Accessed: 15 January 2020. ↑