September 19, 2024
The concept of scientific research appears in the provisions of the GDPR and benefits from some exceptions and derogations to data protection requirements, such as limitations to data subjects’ rights, legal basis for processing special categories of data, compatibility with the primary purpose of processing, to name a few.
Despite the impact of this concept, the GDPR does not define the concept of scientific research, at least not in Article 4 where most of the terms are collected. While recital 159 provides some insight into the interpretation, stating that it is to be considered in a broad sense; that it is to be balanced with other rights contained in the European Charter of Fundamental Rights (‘ECFR’), which includes the right to freedom of research; the assessment of the application of this concept is, however, to be made on a case-by-case basis.
Recently, the DSK (German Data Protection Conference) released a position paper on the understanding of this concept. These guidelines are based on the case law of the Federal Constitutional Court.
For the DSK, the following criteria must be met for the intended processing activities to be considered as scientific research:
- Research must follow a methodical and systematic approach
- The generation of knowledge through the specific project, as opposed to the mere application of existing knowledge or the use of scientific methods for purely supervisory, control, organisational or advertising purposes
- Verifiability, achieved through the so-called “peer review”, which includes the possibility of verifying the research methodology used and the results obtained (allowing for an open scientific discourse). In this respect, adequate documentation according to scientific standards is necessary, and research that is intended to be kept secret wouldn’t be compatible with this requirement
- Independence and autonomy of the researchers, which is particularly important with regard to the instructions they receive, i.e. they shouldn’t jeopardise the course of the study or the handling of the results obtained
- Research should serve the public interest, i.e. it should provide a social benefit and a common good and not exclusively serve commercial or other individual interests
With these requirements, the DSK seeks to fill the gap in the application of the specific provisions of the GDPR to scientific research, due to the lack of guidance from the European Data Protection Board on the processing of personal data for scientific research purposes (due in 2021).
