On the collection, acquisition and processing of personal data
What are the principles to be respected in order to establish lawful data collection and processing? The collection and processing of personal data must meet certain conditions to be lawful. These conditions relate to the purpose for which the data are collected and processed, but also to the way in which they are collected and processed.
Article 5 of the GDPR sets out the principles to be respected regarding the processing of personal data:
- The data must be processed in a transparent manner: this implies that the data subjects are informed of the processing.
- The purpose limitation principle: the purpose of the collection must be specific (i.e. not described in terms that are too broad or too vague), explicit (clear and precise information given in advance, preferably in writing) and legitimate (required by law or justified by the research). This principle prohibits the processing of data for purposes that are incompatible with those for which they were originally collected. Specifically for scientific research, Recital 33 of the GDPR allows a more flexible approach to the specificity requirement: when it is not possible to fully identify the purpose of the processing at the time of collection, data subjects may give their consent for certain areas of research, or for certain parts of a research project, in keeping with recognised ethical standards for scientific research. In practice this can be a research programme comprising several research projects with the same overall aim.
- The data minimisation principle: data must be adequate, relevant and limited to what is necessary for the purpose of the processing.
- The accuracy principle: data must be accurate and kept up to date and corrected if necessary.
- The principle of storage limitation: data must not be kept in a form that permits identification of the data subjects for longer than is necessary for the purpose of the processing. Data may be stored for longer for scientific research purposes, provided that appropriate technical and organisational measures are implemented to safeguard the rights and freedoms of the data subjects (for example pseudonymisation, to reduce the risk of re-identification).
- The principle of integrity and confidentiality: data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Please see also the subentry "Main principles".
Who is responsible for implementing these principles? Article 5 GDPR designates the controller as the person responsible for compliance with these principles.
How to identify the data controller? The data controller is the legal entity or the natural person who determines the purposes and means of the data processing, i.e. the objective and the way to achieve it. In practice it is generally the legal entity (for example a research institute), represented by its legal representative. There may be several data controllers if more than one actor is involved in determining the purposes and means of the processing; these actors are then joint controllers (Article 26 GDPR) and must define their respective responsibilities in a transparent manner. See European Data Protection Board, Guidelines 07/2020 on the concepts of controller and processor in the GDPR.
Practical documentation on the designation of the data controller and data processor.
When should these principles be implemented? According to the principle of Privacy by Design and by Default (foreseen and described in Article 25 GDPR), the controller must implement appropriate technical and organisational measures (such as pseudonymisation) both when determining the means of processing and when carrying out the processing itself, in order to effectively implement the data protection principles (such as data minimisation) and to ensure that the rights and freedoms of data subjects are respected. A certification mechanism (provided for in Article 42 GDPR) can serve as a demonstration of compliance with the requirements of this principle.
How to ensure that the data processing carried out is lawful? As defined in article 5 GDPR, the processing must be lawful, i.e. any processing must be based on one of the legal grounds set out in article 6 GDPR. The legal basis for processing is the first condition for the lawfulness of the processing. It is prohibited to process personal data without a legal basis.
What are the legal bases under the GDPR for processing personal data? Article 6(1) GDPR lists six legal bases; processing is lawful only if at least one of them applies:
- consent: the person has consented to the processing of his/her data; or
- a contract: the processing is necessary for the performance or preparation of a contract with the data subject; or
- legal obligation: the processing is imposed by legal texts; or
- public interest task: the processing is necessary for the performance of a public interest task; or
- legitimate interest: the processing is necessary for the pursuit of legitimate interests of the body processing the data or of a third party, in strict compliance with the rights and interests of the persons whose data are processed; or
- safeguarding vital interests: the processing is necessary to safeguard the vital interests of the data subject, or of a third party.
Of note, when a legal basis other than consent is chosen, data subjects must still be informed of the processing (Articles 13 and 14 GDPR). Where the processing relies on a public interest task or on legitimate interests (Article 6(1)(e) or (f)), they also have the right to object to it under Article 21 GDPR (an opt-out mechanism); this right does not attach to processing based on a contract or a legal obligation.
Who defines the legal basis for the processing? The legal basis must be defined by the data controller on a case-by-case basis, in a manner appropriate to the situation. In accordance with the principle of accountability of the data controller, the choice of the legal basis should be documented in order to demonstrate the regulatory compliance of the data processing. Furthermore, the chosen legal basis must be mentioned in the information provided to the data subjects. In practice, for research activities, the legal basis chosen is most commonly:
- public interest (Article 6(1)(e) GDPR): used by public organisations, or by private organisations insofar as they pursue a mission of public interest or are endowed with prerogatives of public power; or
- legitimate interest (Article 6(1)(f) GDPR): commonly used by private organisations for processing that does not significantly affect the rights and interests of data subjects; or
- consent (Article 6(1)(a) GDPR).
Of note, the processing of special categories of data (such as health-related data or genetic data) must, in addition, fall under one of the exceptions listed in Article 9(2) GDPR (as explained below).
What are the specific rules applicable to the collection and processing of health and genetic data? As explained above, the GDPR lays down a general prohibition on the processing of special categories of personal data, including health and genetic data (Article 9(1) GDPR). However, Article 9(2) GDPR provides several exceptions to this prohibition. They allow the collection and processing of such data in limited cases, including the explicit consent of the data subject (Article 9(2)(a)), reasons of substantial public interest (Article 9(2)(g)) and scientific research purposes (Article 9(2)(j)).
What are the specific rules applicable to the processing of health and genetic data for scientific research purposes? The purpose of scientific research is one of the exceptions provided for by the GDPR (Art.9(2)j) allowing the processing of sensitive personal data in accordance with specific provisions: the processing must be subject to appropriate safeguards for the rights and freedoms of the data subjects such as the implementation of technical and organisational measures, in particular to ensure compliance with the principle of data minimisation (Article 89(1) GDPR). In particular, the technique of pseudonymisation is explicitly referred to in the GDPR.
These additional measures are required because collection and processing for research purposes benefit from certain derogations, which mainly concern the rights of the data subjects (derogations from the right of access, the right to rectification, the right to restriction of processing and the right to object), insofar as those rights would be likely to render impossible or seriously impair the achievement of the research purpose (Article 89(2) GDPR).
Also, as explained previously, some flexibility is provided for as to the delimitation of the research purpose. Indeed, Recital 33 of the GDPR provides that it is not always possible to fully identify the purpose of processing personal data for scientific research purposes at the time of collection of the data. Thus, a flexible understanding of this purpose is allowed at the time of the collection of the data subjects' consent: individuals may give their consent for certain areas of research or certain parts of the research project in compliance with the ethical standards of scientific research. Nevertheless, the description of the research aim must remain precise.
In addition, the GDPR requires a Data Protection Impact Assessment (DPIA) for any processing likely to result in a high risk to the rights and freedoms of individuals (Article 35 GDPR). As genetic and health data are special categories of data, their processing, in particular on a large scale (Article 35(3)(b) GDPR), will generally require this impact assessment. The DPIA does not by itself make the processing compliant; it identifies the risks to the individuals concerned and the measures taken to address them, and it forms part of the documentation with which the controller demonstrates compliance with the GDPR.
How to carry out a Data Protection Impact Assessment? The Data Protection Impact Assessment (DPIA) must be carried out before the processing operation is set up and must be reviewed during the course of the processing, particularly if major changes occur in the way the data are processed. The DPIA is the responsibility of the controller, who must seek the advice of the Data Protection Officer; in practice it also involves any processor(s) and IT staff, and, where appropriate, the views of the data subjects or their representatives are sought (Article 35(9) GDPR). The DPIA consists of three parts:
- A detailed description of the processing implemented, including the technical and operational aspects of the processing;
- An assessment of compliance with the fundamental principles of data protection, namely: an examination of the necessity of the processing and compliance with the proportionality principle (the data collected and processed are strictly necessary for the purpose of the processing) as well as a description of the measures put in place to guarantee the rights of the data subjects.
- A more technical study of the risks to data security (confidentiality, integrity and availability) and their potential impact on privacy. This study must be complemented by a description of the technical and organisational measures envisaged to deal with these risks and protect the data.
The CNIL (French data protection supervisory authority) has developed a pedagogical tool for carrying out this DPIA, available in English.
For more information: Article 29 Data Protection Working Party, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679.
What are the rules on informing data subjects about the processing of their personal data? The data controller must provide information to data subjects on the envisaged processing, in accordance with the principle of transparency. The GDPR distinguishes two situations in this respect:
- Where data are collected directly from the data subject (Article 13 GDPR),
- Where the data have not been obtained from the data subject (Article 14 GDPR).
This information should include in particular:
- the identity and contact details of the controller,
- the purposes of the processing and the legal basis for the processing,
- the recipients of the personal data if applicable,
- information on the individual rights attached to this data processing (Articles 15 to 22 GDPR) and on the procedure to be followed to exercise these rights,
- the intention, if applicable, to carry out a transfer of data to a third country,
- if applicable the intention to carry out further processing of the data for another purpose.
For a complete reading of the requirements related to individual information, please refer to articles 13 or 14 of the GDPR depending on the applicable situation.
As regards the situation where the personal data used have not been obtained from the data subject, Article 14(5) GDPR provides for exceptions to this information obligation, such as where:
- the data subject already has this information,
- the provision of such information proves impossible or would involve a disproportionate effort, in particular in the case of processing for scientific research purposes, subject to the safeguards of Article 89(1) GDPR.
Please refer to Article 14(5) GDPR to see all the exceptions provided for.
If the controller relies on such an exception, it must document and justify its use, and take appropriate measures to protect the data subjects' rights (for example by making the information publicly available).
This information to the data subjects should be renewed in case of substantial modification of the processing activities (i.e. concerning the main characteristics of the processing, such as a new purpose, an addition of sensitive data collection, change of controller, etc.) or in case of a specific event related to the data processing (e.g. in case of a data breach).
Is it mandatory to obtain consent from data subjects prior to the collection and processing of their health and genetic data? Consent to the processing of data is not always required. It depends on the legal basis for the processing. If the processing is based on the consent of the data subjects, then the collection of consent prior to the implementation of the processing is mandatory. This consent must comply with the requirements laid down by the GDPR, namely: free, specific (given for one or more purposes), informed (information given to the person about the processing) and unambiguous (given by a clear positive act without ambiguity).
Data subjects may change their mind at any time and withdraw their consent.
In addition to these requirements, in the case of processing of sensitive data (including health and genetic data), the criterion of explicitness is added, i.e. the data subject must expressly declare his/her consent (for example in writing).
The collection of consent must be documented by the data controllers, they must be able to prove that consent in accordance with these requirements has been obtained.
However, in the context of scientific research, the scientific research exception will often be preferred (Article 9(2)(j) GDPR, combined with Article 6(1)(e) or (f) GDPR). Relying on this ground does not require the prior consent of individuals for the processing of their data. However, the obligation to inform must still be respected (Articles 13 and 14 GDPR), and data subjects retain the right to object to the processing (Article 21 GDPR, subject to the research-specific limitation in Article 21(6)), i.e. an informed opt-out mechanism.
Nevertheless, it is necessary to recall that Member States may introduce additional conditions, including limitations, regarding the processing of health and genetic data (Article 9(4) GDPR). Thus, national law may provide that the processing of these categories of data may require consent even if this is not required by the GDPR and regardless of the legal basis chosen for the data processing. The controller will then have to ensure compliance with the national laws in force in the Member States in which the data are collected and/or processed.
What should be considered before choosing consent as the legal basis for processing personal data? All the requirements of the GDPR regarding consent must be respected, namely that the consent is freely given, specific, informed and unambiguous (Article 4(11) GDPR). In addition to these criteria, the consent must be explicit (Article 9(2)(a) GDPR) in cases of processing of personal data considered as sensitive (such as health and genetic data). Moreover, as recalled by the European Data Protection Board, particular importance should be attached to the condition of "freely given" consent. This implies that the person has a genuine choice and real control. If there is a clear imbalance between the data subject and the controller, consent is unlikely to be a valid legal basis for processing personal data (Recital 43 of the GDPR). These elements are important in the context of medical research, where situations of power imbalance between the sponsor/investigator of the research project and the participant may often exist (children, persons in a situation of institutional or hierarchical dependence, economically or socially disadvantaged categories of persons, etc.). The investigator and/or controller should take all these elements into account when choosing the legal basis for the data processing they intend to carry out.
What is the difference between consent to process data for research and consent to participate in research? It is necessary to distinguish between informed consent to research and consent to data processing for research. Indeed, participation in research is governed by national laws which may require informed consent under specific conditions. At the European level, Article 28 of the EU Clinical Trials Regulation recalls the mandatory nature of informed consent for any participation in a clinical trial. As the European Data Protection Board pointed out, these provisions are primarily a response to the essential ethical requirements relating to the supervision of research projects involving human beings and which derive from the Helsinki Declaration (European Data Protection Board, Opinion 3/2019 on questions and answers on the interaction between the Clinical Trials Regulation and the General Data Protection Regulation (GDPR) (Article 70(1)(b)) Adopted on 23 January 2019). Informed consent implies the provision of exhaustive, complete and intelligible information on the planned research. In this respect, Article 29 of the Clinical Trials Regulation describes the list of elements that must be provided to the individuals concerned in order for the information to be valid.
Furthermore, it is necessary to recall that informed consent to research is an ethical requirement under the Oviedo Convention, the Declaration of Taipei and the Declaration of Helsinki.
Thus, this informed consent to participate in research is to be distinguished from the consent to the processing of personal data provided for by the GDPR, which can be used as a legal basis for processing and which must meet several criteria (free, informed, unambiguous, specific and explicit for the processing of sensitive data such as health and genetic data). The European Data Protection Board has reiterated this distinction between informed consent under the Clinical Trials Regulation and the notion of consent as a legal basis for processing personal data under the GDPR, in its Opinion 3/2019 on questions and answers on the interaction between the Clinical Trials Regulation and the General Data Protection Regulation.
Beyond the clinical trials situation, this informed consent has been described by the European Data Protection Board as a potential "appropriate safeguard" (provided for in Article 89(1) of the GDPR) to be put in place to safeguard the rights and freedoms of individuals in the context of data processing for scientific research purposes. Thus, even if the legal basis chosen is that of scientific research purposes and there is no legal obligation to obtain consent from data subjects, an ethical approach would require it. This position is also defended by the European project CINECA (Common Infrastructure for National Cohorts in Europe, Canada, and Africa).
More information on the difference between informed consent to participate in a clinical trial and consent as a legal basis for processing personal data under the GDPR: European Data Protection Board, Opinion 3/2019 on questions and answers on the interaction between the Clinical Trials Regulation and the General Data Protection Regulation, 23 January 2019.
Guide on Consent Policy: The Global Alliance for Genomics and Health (GA4GH) Consent Policy aims to guide the international sharing of genomic and health-related data in a way that respects autonomous decision-making while promoting the common good of international data sharing.
How to ensure the protection of the rights of data subjects in relation to the processing of their personal data under the GDPR? The GDPR recognises several rights of data subjects in relation to the processing of their personal data. The controller must take appropriate measures to provide the information referred to in Articles 13 and 14 of the GDPR to data subjects in order to ensure transparent processing of their personal data. This information must explain how to exercise the data subject's rights in order to guarantee their effectiveness. It must be concise, transparent, intelligible and easily accessible, in clear and plain language. In addition, the information must be adapted to the target audience, for example children.
These rights are listed in Chapter III of the GDPR and include:
- the right to information: respect of the principle of transparency (Articles 13 and 14),
- the right to access his or her data (Article 15),
- the right to rectify personal data that are inaccurate (Article 16),
- the right to erasure or otherwise known as the right to be forgotten on certain grounds (Article 17),
- the right to restrict processing in certain specified situations (Article 18),
- the right to data portability (Article 20),
- the right to object: at any time to the processing of data (Article 21).
Of note, the GDPR provides for exceptions to some of these rights where data are processed for scientific research purposes. Notably, the right to information may not apply where informing the data subjects proves impossible or would involve a disproportionate effort (Article 14(5)(b)), the right to erasure may not apply where it would be likely to render impossible or seriously impair the research (Article 17(3)(d)), and Union or Member State law may provide for derogations from the rights of access, rectification, restriction and objection on the same condition (Article 89(2)). The right to data portability is not among the rights that Article 89(2) allows to be derogated from for research purposes. These exceptions must be justified and documented.
What are the rules to be respected when an artificial intelligence system is used in the context of health data processing? The use of these systems in the context of personal data processing is subject to the rules of the GDPR, namely :
- defining a specific purpose,
- respecting the principle of transparency: this means informing data subjects that artificial intelligence is used in the processing of their personal data, and also ensuring the explicability of the AI, i.e. that individuals are able to understand the results and conclusions produced by the algorithm,
- respecting the principle of data minimisation: using only the data necessary for the training and operation of the AI system in relation to the purpose of the processing,
- ensuring the exercise of individuals' rights with regard to the processing of their personal data. First of all, it is important to note that Article 22 of the GDPR gives the data subject the right not to be subject to a decision based solely on automated processing which produces legal effects concerning him/her or similarly significantly affects him/her. Furthermore, the rights of individuals in relation to the protection of personal data apply throughout the life cycle of the AI system using their personal data. The exercise of these rights concerns both the data contained in the databases used for training the system and the data processed, which also includes the data produced by the system. If AI is used for scientific research purposes, the exceptions to the individual rights provided for in the GDPR may also apply, provided that they are justified and documented.
Thus, the controller must be aware of all these requirements which must be respected (privacy by design, ethics by design). Furthermore, it is important that these systems are supervised and monitored on an ongoing basis, particularly in the case of machine learning, due to the highly evolving nature of these systems. It is the idea of human oversight that is part of the European Commission's guidelines for trusted AI.
On the re-use/secondary use/further processing of personal data
Is it possible to reuse data for a different purpose than the one for which it was collected? Often referred to as "further processing" or "reuse of data", these practices consist of processing data for a purpose other than that for which it was initially collected. Health research today is largely based on the reuse of health data.
The GDPR does not use the terms "reuse" or "secondary use", but it provides for the possibility of further processing of data for purposes compatible with the original ones (Article 5(1)(b)). In order to verify whether the envisaged processing is compatible with the original purposes, the controller must carry out a compatibility test, unless the further processing is based on the consent of the individual or on Union or Member State law (Article 6(4)).
Is it necessary to have a separate legal basis for further processing of health data? Recital 50 of the GDPR provides that if the purposes of the initial collection and further processing are compatible, a new legal basis separate from the one on which the data were collected is not necessary.
What is the compatibility test? The test consists of a case-by-case analysis of the context of the initial data collection and processing to ensure the compatibility of the further processing of the data, taking into account the legitimate expectations of the data subjects.
In order to carry out this test, the controller must take into account (Article 6(4) GDPR):
- whether there is a link between the original and intended purposes,
- the context in which the data were collected and the relationship between the data subjects and the controller,
- the nature of the data and in particular whether the data belong to the special categories of data (thus including health data and genetic data),
- the possible consequences of further processing for the data subjects,
- and the existence of appropriate safeguards for the preservation of the rights and freedoms of the individuals concerned, including for example pseudonymisation.
What is the framework for the further use/re-use of data for scientific research? As explained above, scientific research today relies heavily on the re-use of data. Specific provisions are therefore foreseen for scientific research: further processing of data for scientific research purposes is not considered to be incompatible with the initial purposes (presumption of compatibility, Article 5(1)(b) GDPR). That is, the processing will be considered a priori compatible with the initial purposes provided that appropriate safeguards for the rights and freedoms of data subjects are put in place (technical and organisational measures to respect the principle of data minimisation, including pseudonymisation, as required by Article 89(1) GDPR). However, as the European Data Protection Supervisor recalls, this presumption is not a general authorisation for further use of data in all cases of research; each case must be considered according to its context.
Data subjects will have to be informed of this further processing before it is carried out unless one of the exceptions to the right of information under Article 14(5)b GDPR applies.
The rights of the data subjects shall be guaranteed unless one of the exceptions provided for in Article 89(2) of the GDPR is applicable.
What specific rules apply to the secondary use of clinical trial data outside the clinical trial protocol for scientific purposes? The Clinical Trials Regulation specifically addresses this issue in Article 28(2). This article focuses in particular on consent. The situations covered are those where the sponsor wishes to process the data of a clinical trial participant outside the planned protocol but only and exclusively for scientific purposes. According to this article, the sponsor must seek consent for this specific purpose of processing (secondary use outside the protocol) from the data subject or his/her legal representative at the time when informed consent to participate in the clinical trial is sought.
However, as explained above, consent under Article 28(2) of the Clinical Trials Regulation must be distinguished from consent as a legal basis for the processing of personal data as provided for by the GDPR. Thus, the sponsor or investigator wishing to subsequently use personal data for scientific purposes different from those foreseen by the clinical trial protocol will have to establish a legal basis under the GDPR, which need not be consent (as understood under the GDPR). Moreover, as explained above, the presumption of compatibility provided for in Article 5(1)(b) of the GDPR may apply, subject to compliance with the conditions laid down in Article 89 of the GDPR (appropriate safeguards for the rights and freedoms of the data subjects).
In any case, the rules on the processing of personal data as set out in the GDPR shall apply.
On monitoring compliance with the legal framework for the protection of personal data
Who is responsible for the compliance of the collection and processing of personal data? The GDPR is built on a logic of accountability of the actors (Articles 5(2) and 24 GDPR). Independently of the procedures in place in each country for the use or reuse of health data (for example, the opinion of an ethical and scientific committee, or a specific authorisation from a competent authority), the data controller is obliged to implement data protection measures, to update them where necessary, and to be able to demonstrate that the processing it has implemented complies with the applicable regulatory framework. This compliance work can be done in cooperation with the data protection officer (Article 37 GDPR). A data protection officer must be appointed by the controller and the processor when their core activities consist of large-scale processing of special categories of data, including health data and genetic data (Article 37(1)(c) GDPR).
This documentation should include:
- The record of the processing activities carried out,
- the DPIAs of processing activities likely to result in high risks to the rights and freedoms of individuals,
- the supervision of the data transfers carried out,
- the information given to individuals on the use of their data (and, where appropriate, a description of the reasons for not informing individuals),
- consent forms if applicable,
- the measures in place to guarantee the rights of individuals,
- and contracts with subcontractors for example, if applicable.
What should the record of processing activities contain? The controller(s) must keep a record of the processing activities carried out under their responsibility in written form. Article 30(1) of the GDPR details all the information that must be included in the record in order to be able to attest to the compliance of the processing activities. For example, the contact details of the controller, joint controllers and the data protection officer, if applicable, should be described; the purposes of the processing operation; a description of the categories of data subjects and personal data, etc. In practice, it is the DPO who keeps and updates the record of processing activities.
Also, each processor will have to keep a record of the processing activities carried out on behalf of the controller. Article 30(2) of the GDPR details the information that must be included.
The supervisory authorities may ask the DPO, controller and/or processor to make this record available in order to verify the compliance of the processing activities carried out.
What are the personal data security rules to be respected? Article 32 of the GDPR makes the controller and the processor responsible for implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Among these measures, Article 32(1) lists:
- the pseudonymisation and encryption of personal data,
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,
- the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident,
- a process for regularly testing, assessing and evaluating the effectiveness of the security measures put in place.
In order to best assess the security measures to be put in place, the controller and the processor must take into account the risks that the processing operation poses to the rights and freedoms of data subjects, in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the personal data (Article 32(2) GDPR).
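Pseudonymisation is the one Article 32 measure this page returns to repeatedly, so the following added example shows what it does and does not achieve in practice. It is not code from the original page or from any of the guidance documents cited. It assumes a constructed patient table (three sample records) and a hypothetical key held by the controller in a separate key-management boundary; the key and the re-identification table never travel with the research extract. The point it makes is that an unkeyed hash of a low-entropy identifier is not a safeguard, because the recipient of the extract can simply enumerate the identifier space, whereas a keyed HMAC leaves re-linking possible only for the key holder, which is exactly the "additional information kept separately" of Article 4(5) GDPR.

```python
"""Pseudonymisation of direct identifiers before a research extract leaves the controller.

Added example (not code from the original page or any cited guidance). It assumes
a constructed patient table and a key held by the controller in a separate
key-management boundary; the key and the re-identification table never travel
with the extract.
"""
import hashlib
import hmac
import secrets

# Constructed sample records: direct identifiers plus the research variables.
RECORDS = [
    {"patient_id": "000123", "dob": "1978-03-02", "hba1c": 7.1},
    {"patient_id": "000124", "dob": "1965-11-19", "hba1c": 6.4},
    {"patient_id": "000125", "dob": "1990-07-30", "hba1c": 8.9},
]


def naive_pseudonym(patient_id: str) -> str:
    """Unkeyed SHA-256 of the identifier. Not an adequate safeguard: the
    identifier space is small, so anyone holding the extract can rebuild
    the whole mapping (see brute_force_naive below)."""
    return hashlib.sha256(patient_id.encode()).hexdigest()[:16]


def keyed_pseudonym(patient_id: str, key: bytes, project: str) -> str:
    """HMAC-SHA256 over the identifier, domain-separated by project label so
    that the same person gets unlinkable pseudonyms in different studies.
    The key is the 'additional information kept separately' that Article 4(5)
    GDPR describes: without it the pseudonym cannot be attributed to a person."""
    msg = project.encode() + b"\x00" + patient_id.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: list, key: bytes, project: str) -> tuple:
    """Return (extract, lookup): the extract carries no direct identifier and
    generalises the date of birth to a year (data minimisation, Article 5(1)(c));
    the lookup table is the re-identification key, retained by the controller."""
    extract, lookup = [], {}
    for rec in records:
        pseudo = keyed_pseudonym(rec["patient_id"], key, project)
        lookup[pseudo] = rec["patient_id"]
        extract.append({"pseudonym": pseudo, "birth_year": rec["dob"][:4], "hba1c": rec["hba1c"]})
    return extract, lookup


def brute_force_naive(pseudonym: str, digits: int = 6):
    """What a recipient of the extract can do against the unkeyed scheme with
    no key at all: enumerate every possible identifier and compare hashes."""
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if naive_pseudonym(candidate) == pseudonym:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and stored by the controller, never shipped
    extract, lookup = pseudonymise(RECORDS, key, "study-A")
    for row in extract:
        print(row)
    # The unkeyed scheme is reversed in milliseconds; the keyed one is not
    # reversible without the key, only re-linkable by whoever holds it.
    print("naive pseudonym of 000125 recovered as:", brute_force_naive(naive_pseudonym("000125")))
    print("keyed pseudonym re-linked by key holder to:", lookup[extract[2]["pseudonym"]])
```

Two design choices are worth noting. The project label inside the HMAC input means that sharing the same extract with a second study does not let the two recipients join their tables on the pseudonym, which is the linkability risk the compatibility test above asks the controller to weigh. The digest is truncated to 16 hex characters only for readability of the printed rows; for a national-scale registry keep the full digest so that collisions stay negligible.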
In order to demonstrate compliance with these security requirements, an approved code of conduct (Article 40 GDPR) or an approved certification scheme (Article 42 GDPR) can be used to demonstrate compliance with the security requirements of the GDPR.
Codes of conduct can also be used as a tool for providing appropriate safeguards for data transfers to third countries or international organisations. See European Data Protection Board, Guidelines 04/2021 on codes of conduct as tools for transfers.