Sat. Apr 12th, 2025
How can personal data be used under the General Data Protection Regulation?

Brussels, 3 April 2025

The objective of this study, published by the European Data Protection Board (EDPB), was to investigate the secondary use of personal data in the context of scientific research (in particular in the medical domain), by providing an overview of international agreements, European Union (EU) and Member State legislation and practices on the principles of purpose limitation and lawfulness, and the application of data subjects’ rights in light of exemptions from the transparency obligation provided in the General Data Protection Regulation (GDPR).

The methodology consisted of desk research (review of scientific literature, reports, position papers), supplemented by questionnaire responses on national laws received from academic researchers with relevant expertise. In total, the study obtained input on 18 of the targeted 30 EU and European Economic Area (EEA) Member States.

The legislation analysed was not limited to the GDPR but included international agreements or documents containing data protection rules (such as Council of Europe Convention 108+) and ethical standards (such as the World Medical Association (WMA)’s Declaration of Helsinki (DH)) and EU sectoral legal frameworks (e.g. on clinical trials, biobanks).

Analysis of these different legal texts and their application within the Member States examined found the following:

  • Two main international frameworks apply to secondary use of personal data for scientific research: data protection rules as they have evolved historically, and ethical standards. A data controller who conducts secondary use of personal data has to consider and apply both consistently. Overlaps, including in terminology (for instance, consent as an ethical requirement versus consent as one of the possible legal bases under the GDPR), make this a challenging task. Further research on the overlap between the two frameworks would be beneficial.

  • The notion of ‘scientific research’ is not explicitly defined in the GDPR, although some elements are provided in its Recitals. Few of the countries examined provide an overarching definition in their national legislation (with the exception of national lex specialis, e.g. for medical research). Based on the commonly accepted characteristics in EU and international legal texts, the concept of scientific research could be described or defined as: any research for a scientific purpose, financed by public authorities or the private sector, carried out in accordance with the established ethical standards and the methodology applicable in the sector concerned by the research. The scientific scope may include the development and demonstration of technologies, basic research, academic or applied research.

  • On the possibility to reuse personal data for scientific research, several uncertainties remain with regard to the lawfulness and purpose limitation data protection principles, and the impact of EU sectoral laws (such as the Clinical Trials Regulation (CTR) and biobank rules) on those principles.
    The choice of the possible legal basis (under Article 6 GDPR) and the most appropriate condition that could allow the processing of special categories of data (e.g. health data), pursuant to Article 9 of the GDPR for conducting scientific research, is a challenging task, particularly for transnational research. Member States often have divergent interpretations, with some still requiring consent, despite the European Data Protection Board (EDPB) and the European Commission’s position on clinical trials.
    The possibility to ground the secondary use of personal data in ‘broad consent’ (Recital 33 GDPR) is another point of divergence between Member States. ‘Secondary use’ is an established term in EU data protection legislation. It could pertain to either further compatible processing or non-compatible processing. There are different views at institutional, national and scholarly level as to whether a new legal basis is required for the ‘secondary use’ of personal data. The study concluded that a legal basis is required for secondary use for scientific research purposes – this could either be the same as that for primary use or a new legal basis.
    Ten of the 18 countries examined had special advice available on the implementation of the presumption of compatibility of secondary use for scientific research. The views presented varied. Finland, for example, recently established a central licensing authority to facilitate secondary processing of health and social data, which are under the custody of several controllers. Such data are now centralised at national level, with a Data Permit Authority deciding on access requests.

  • The secondary use of personal data may impact the application of data subjects’ rights. A key issue here is how the rules on processing of personal data that do not require identification (Article 11 GDPR) fit with the transparency obligation and right to information of data subjects. Few Member States provide guidance on this topic, or on the related application of the exemption from the information duty for scientific research in Article 14(5)(b) GDPR. In general, it is recommended that the transparency obligation be complied with via the assistance of the original data controller (through contractual agreements). France and Italy have both adopted a similar procedure, with authorisation required from the Data Protection Authority (DPA) prior to secondary use of personal data (including sensitive data), in cases where the controller (a third party) can rely on Article 14(5) GDPR. The analysis revealed no insights into Article 89(1) GDPR in the majority of the countries, and there is no conclusive answer as to whether or not Member States alone can determine the appropriate safeguards, or whether the data controller can decide.

The results showed no uniform approach or interpretation among Member States on key aspects related to the secondary use of personal data for scientific research. A distinction could be made between challenges caused by a lack of uniformity in the interpretation of key elements of the GDPR and challenges caused by divergences in Member States’ implementation of the GDPR. The study thus recommends encouraging increased dialogue between Member States’ Supervisory Authorities (SAs) and information sharing on national practices and interpretations, as well as improved cooperation between SAs, European institutions and bodies, and key stakeholders. The EDPB and other European institutions and bodies could establish closer exchanges in order to align their advice on the interplay of the GDPR and other sectoral laws. The EDPB could promote the set-up of relevant codes of conduct (as per Article 40 GDPR) and stress the importance of involving all key stakeholders in the creation of such codes. It could also adopt specific guidelines on the secondary use of data for scientific research. The study discusses the main issues that require guidance and proposes how they might be approached. It also emphasises the importance of empirical research to gather the views and experiences of key stakeholders, and the need to investigate the role of ethics committees in data protection matters.

Source – EDPS