Purpose definition as a crucial step for determining the legal basis under the GDPR: implications for scientific research

被引：5

作者：

Becker, Regina ^{[1
]}

Chokoshvili, Davit ^{[1
]}

Thorogood, Adrian ^{[2
]}

Dove, Edward S. ^{[3
]}

Molnar-Gabor, Fruzsina ^{[4
]}

Ziaka, Alexandra ^{[5
,6
]}

Tzortzatou-Nanopoulou, Olga ^{[7
]}

Comande, Giovanni ^{[8
]}

机构：

[1] Luxembourg Natl Data Serv, L-4362 Esch Sur Alzette, Luxembourg

[2] Terry Fox Res Inst, Vancouver, BC V5Z 1L3, Canada

[3] Univ Edinburgh, Sch Law, Edinburgh EH8 9YL, Scotland

[4] Heidelberg Univ, Fac Law, D-69117 Heidelberg, Germany

[5] Tilburg Univ, Tilburg Inst Law Technol & Soc TILT, NL-5037 DB Tilburg, Netherlands

[6] MPLegal, Athens 15231, Greece

[7] Acad Athens, Legal Dept, Biomed Res Fdn, Athens 11527, Greece

[8] St Anna Sch Adv Studies, I-56127 Pisa, Italy

来源：

JOURNAL OF LAW AND THE BIOSCIENCES | 2024年 / 11卷 / 01期

基金：

欧盟地平线“2020”;

关键词：

data protection; GDPR; lawfulness; legal basis; purpose specification; scientific research;

D O I：

10.1093/jlb/lsae001

中图分类号：

B82 [伦理学（道德学）];

学科分类号：

摘要：

The General Data Protection Regulation (GDPR) of the European Union, which became applicable in 2018, contains a new accountability principle. Under this principle, controllers (ie parties determining the purposes and the means of the processing of personal data) are responsible for ensuring and demonstrating the overall compliance with the GDPR. However, interpretive uncertainties of the GDPR mean that controllers must exercise considerable judgement in designing and implementing an appropriate compliance strategy, making GDPR compliance both complex and resource-intensive. In this article, we provide conceptual clarity around GDPR compliance with respect to one core aspect of the law: the determination and relevance of the purpose of personal data processing. We derive from the GDPR's text concrete requirements for purpose specification, which we subsequently apply to the area of secondary use of personal data for scientific research. We offer guidance for correctly specifying purposes of data processing under different research scenarios. To illustrate the practical necessity of purpose specification for GDPR compliance, we then show how our proposed approach can enable controllers to meet their compliance obligations, using the example of the overarching GDPR principle of lawfulness to highlight the relevance of purpose specification for the identification of a suitable legal basis.

引用

页数：30

共 37 条

[1]

[Anonymous], 2000, European Communities, P1

[2]

[Anonymous], 2016, International ethical guidelines for international ethical guidelines for health-related research involving humans, DOI DOI 10.56759/RGXL7405

[3]

Article 29 Data Protection Working Party, 2014, Opinion 06/2014 on the Notion of Legitimate Interests of the Data Controller under Article 7 of Directive 95/46/EC

[4]

Article 29 Data Protection Working Party, 2017, Guidelines on transparency under Regulation 2016/679

[5] Applying GDPR roles and responsibilities to scientific data sharing [J].

Becker, Regina ;

Thorogood, Adrian ;

Bovenberg, Jasper ;

Mitchell, Colin ;

Hall, Alison .

INTERNATIONAL DATA PRIVACY LAW, 2022, 12 (03) :207-219

[6]

Becker Regina, 2022, EUR. J. HEALTH LAW, P1

[7]

Bentzen Heidi Beate, 2022, Research Handbook on EU Data Protection Law

[8]

Christofidou Maria, 2021, Yearb Med Inform, V30, P226, DOI 10.1055/s-0041-1726512

[9]

Comandè G, 2022, COMMON MKT LAW REV, V59, P739

[10] Can the GDPR make data flow for research easier? Yes it can, by differentiating! A careful reading of the GDPR shows how EU data protection law leaves open some significant flexibilities for data protection-sound research activities [J].

Comande, Giovanni ;

Schneider, Giulia .

COMPUTER LAW & SECURITY REVIEW, 2021, 41

← 1 2 3 4 →