As far as the legal basis for processing is concerned, it is relevant to distinguish between categories of data:
- Processing of personal data (‘non-sensitive’). The legal bases for the processing are those set out in Article 6 of the GDPR (see the “lawfulness, fairness and transparency” subsection in the “Principles” section of the General Part of these Guidelines). This means that every processing of personal data must rely on one of the legal bases pursuant to Article 6(1):
  - Consent of the data subject (art. 6.1 a).
  - Contract (art. 6.1 b).
  - Legal obligation (art. 6.1 c).
  - Vital interests (art. 6.1 d).
  - Public task or public interest (art. 6.1 e).
  - Legitimate interests (art. 6.1 f).
- Processing of special categories of personal data (‘sensitive personal data’). The processing of the categories of data included in Article 9 is forbidden unless a specific legitimate basis from those in Article 9(2) is identified.[1] Article 9 requires a further legitimation, in addition to those in Article 6. Among these legal bases, processing is not banned if, among other things:
  - “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject”. Article 9(2)(a).
  - it is “necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.[2]
In addition, Article 9(4) reads: “Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.” This possibility does not, however, imply that the content of paragraph (2)(j) of Article 9 should be rendered ineffective. Again, researchers should always ask their DPOs for advice about the applicable national regulatory framework.
References
[1] EDPB, Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (Art. 70.1.b)). Adopted on 23 January 2019, pp. 8–9. At: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_opinionctrq_a_final_en.pdf Accessed: 20 May 2020.
This document describes several possibilities that combine Articles 6 and 9: the lawful grounds for processing can be derived from legal obligations of the controller that fall within the legal basis of Article 6(1)(c) in conjunction with Article 9(1)(i); or the public interest under Article 6(1)(e) in conjunction with Article 9(2), (i) or (j); or the legitimate interests of the controller under Article 6(1)(f) in conjunction with Article 9(2)(j); or, under specific circumstances, when all conditions are met, the data subject’s explicit consent under Article 6(1)(a) and 9(2)(a).
[2] Article 9(2)(j).