Creating or gaining access to a database
Home » The GDPR » Main Tools and Actions » Creating or gaining access to a database

Frederic Tronnier (GUF)

This part of The Guidelines was reviewed by Aurélie Pols (DPO) and Iñigo de Miguel Beriain (UPV/EHU).

This part of The Guidelines has been reviewed and validated by Marko Sijan, Senior Advisor Specialist, (HR DPA) 

This section provides guidelines for researchers willing to gain access to an external database or for controllers willing to provide access to their databases in exchange of a compensation. It is built on several fundamental hypothesis:

  • Databases are, in general valuable. This value derives from two different sources:
    • The information they contain
    • The structure and organization they are built upon. A well organized, documented and structured database is much more valuable than a chaotic database.
  • The data involved are personal data. This is:
    • The data involved are not anonymized data. Anonymous data are not personal data and therefore, they fall outside the scope of the GDPR[1], therefore these data can be sold or bought as any other commodity. We are not focusing now in such a data type;
    • Personal data, regardless of whether they have been pseudonymized or not, are protected by the GDPR and must be processed according to this regulation.
    • Data about deceased people are not considered personal data[2]. It generally, does not fall under the obligations laid out by the GDPR (Recital 27) yet possible local interpretations might apply (see the National Reports complementing these Guidelines). Additionally, it is important to keep in mind that if data is obtained from deceased people and are used to gain information about living relatives (genetic data, for instance) this data might be considered as personal data of the relatives.[3]
  • The situation might be totally different if the third party will use the database for research purposes under the umbrella of article 89 of the GDPR or not (see the section about data protection and scientific research). This difference mainly relates to the purpose limitation principle (Article 5(b) of the GDPR).


1Recital26 of the GDPR for additional information.

2See Recital 27 of the GDPR.

3National regulation, however, must be considered. There are huge differences between the different Member States. See our D21, Issues and gaps analysis on informed consent in the context in ICT research and Innovation 

Skip to content