Frederic Tronnier (GUF)
This part of The Guidelines was reviewed by Aurélie Pols (DPO) and Iñigo de Miguel Beriain (UPV/EHU).
This part of The Guidelines has been reviewed and validated by Marko Sijan, Senior Advisor Specialist (HR DPA).
This part of the Guidelines provides advice for researchers who want to share processed data with other researchers or research organizations after having accomplished their original research task. The sharing of data with other researchers is likely to be considered a form of ‘dissemination’ or of making data ‘available’ to other researchers. Accordingly, it would be considered a different (further) processing than the original one, which involved data being ‘used’ to tackle a research question (see the subsection on ‘Gaining access to a database’ in the “Main actions” section of the General Part of these Guidelines).
Proceeding on the assumption that no express consent has been obtained from the data subjects (otherwise the lawfulness requirement would be easier to meet under Art. 6(1)(a)), there are various scenarios demanding different legal evaluations (see the “Identification, pseudonymization and anonymization” subsection in the “Concepts” section of the General Part of these Guidelines):
- If the data have been pseudonymized or appropriate safeguards against re-identification have been put in place, it may be easier for the ‘sharing’ of data to be found legal under Art. 6(4).
- Even if the data have not been pseudonymized, as long as the dissemination of data is considered necessary for scientific or historical research purposes (e.g. it is not meant to satisfy the morbid curiosity of other researchers, but to genuinely assist them in progressing in their field), the processing is still likely to be considered to be compatible lawful processing operations (Recital 50), although it is still highly advised to obtain consent from the data subjects for the further processing. Recitals 159 and 33 introduce the notion of broad consent for scientific research, meaning that the exact processing does not have to be fully specified in advance. Data subjects should, however, be given the option to give consent to specific areas of research and to withdraw consent for other parts of the research objective.
In any case, controllers will have to satisfy the fairness/transparency principle again (see the “lawfulness, fairness and transparency” subsection in the “Principles” section of the General Part of these Guidelines), making the data subjects aware of their rights as to this further purpose (Art. 14(4)). All the other principles of the GDPR will have to be complied with in relation to this further processing as well.
As with the sale of personal data, be aware that you may be in a joint controllership with the recipient of the data and that you are still responsible for the database, i.e. liable if infringements are made by the recipient of the data (see the “Main Actors” section in the General Part of these Guidelines). Therefore, as with all transactions, contracts between you and the recipient of the database are necessary and advised in order to give all parties clarity on the legal obligations and rights of every party involved. Contracts should specify the purpose for which the recipient will use the data as well as how the rights of data subjects will be protected and by whom.