Article 89(1) requires that “appropriate safeguards” be applied to the processing of personal data for scientific or historical research or statistical purposes, no matter what the legal basis for processing might be. The purpose of these safeguards is to ensure respect for the principle of minimization of personal data (see “Minimization principle” subsection in the “Principles” section of the General Part of these Guidelines). Thus, the first parameter to be analyzed is whether the very conditions for the processing of personal data are met, i.e., the processing of personal data must be necessary to carry out that particular research. Article 89(1) provides that appropriate safeguards “must be reflected in technical and organizational measures”, such as pseudonymization. Pseudonymization must be accompanied by other provisions, depending on the risks involved in each project. Controllers should always ensure the implementation of adequate technical and organizational measures aimed at ensuring the protection of data subjects’ rights and freedoms. The following are some possible examples of such measures or safeguards:
- Control of access to databases such that access is only allowed to authorized persons, for approved research, with justified scientific interest, implemented through a software solution that keeps auditable access control log files.
- Signing of a legally binding commitment between the parties, which includes the conditions of the processing: commitment to confidentiality and non-identification of the data subjects, and use of the data for the specific authorized purpose.
- Implementation of security measures to protect the transfer of data and its storage at the recipient.
- Ensure transparency of the information provided to the participants.
- Continuous monitoring of the processing conditions over time, which could take the form of transparency measures (publication and accessibility of data management policies) and long-term forecasts (identification of the obligations of the data controller). In relation to this last point, it must be stressed that clear commitments need to be established to monitor the management/handling of personal data by the institution that conducts the research; this monitoring could be more specifically entrusted to the corresponding Research Ethics Committee (REC).
- Establishment of a control system external to the investigator that could fall within the competence of the corresponding REC or the management of the research center, which should be involved in the above-mentioned agreement.
Furthermore, researchers should bear in mind that there are other mechanisms provided for in the general GDPR regime that also introduce appropriate measures to the processing of data for research purposes in the sense of Article 89(1), such as the DPIAs or the intervention of the DPOs. Finally, it is interesting to mention that there are initiatives to promote international codes of conduct and certification mechanisms that may harmonize these safeguards.