Considered Background Documents
1. Legal basis for processing
1.1 Lawfulness of processing
Relevant GDPR Articles
GDPR Article 6
- Processing shall be lawful only if and to the extent that at least one of the following applies:
- (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
- (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
Relevant GDPR Recitals
- (39) Any processing of personal data should be lawful and fair.
- (40) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- (41) Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights.
Relevant EDPB Statements
Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak
- (16) Legal bases and applicable derogations for processing health data for the purpose of scientific research are provided for respectively in Article 6 and Article 9. […] It has to be noted that there is no ranking between the legal bases stipulated in the GDPR.
Guidelines 2/2019 on the processing of personal data under Article 6(1)(b)
- (17) […] The legal basis must be identified at the outset of processing, and information given to data subjects in line with Articles 13 and 14 must specify the legal basis.
- (18) It is possible that another lawful basis than Article 6(1)(b) may better match the objective and context of the processing operation in question. The identification of the appropriate lawful basis is tied to principles of fairness and purpose limitation.
- (24) The starting point is to identify the purpose for the processing, […], there may be a variety of purposes for processing. Those purposes must be clearly specified and communicated to the data subject, in line with the controller’s purpose limitation and transparency obligations.
Guidelines 4/2019 on Article 25 / Data Protection by Design and by Default
- (67) The controller must identify a valid legal basis for the processing of personal data.
- (68) Key design and default elements for lawfulness may include:
- Relevance – The correct legal basis shall be applied to the processing.
- Differentiation – The legal basis used for each processing activity shall be differentiated.
- Specified purpose – The appropriate legal basis must be clearly connected to the specific purpose of processing.
Relevant conclusions on the Lawfulness of Processing
- More than one legal basis may apply to a defined purpose
- For a defined purpose one legal basis has to be chosen before the processing commences
- The most appropriate legal basis has to be identified
- The choice of the most appropriate legal basis needs to be driven by the respective purpose as well as fairness aspects
- Where several purposes apply to a complex of processing activities, several legal bases may have to be chosen.
- A single processing activity may take place for different purposes and may therefore take place under different legal bases (e.g. storage of data may take place for several purposes)
- Each processing has to be analysed with respect to its purpose
1.2 Primary and secondary use in scientific research
Relevant GDPR Recitals (Scientific research)
- (159) For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research. In addition, it should take into account the Union's objective under Article 179(1) TFEU of achieving a European Research Area. Scientific research purposes should also include studies conducted in the public interest in the area of public health. To meet the specificities of processing personal data for scientific research purposes, specific conditions should apply in particular as regards the publication or otherwise disclosure of personal data in the context of scientific research purposes.
Relevant EDPB Statements
Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak
- (11) Finally, when talking about “processing of health data for the purpose of scientific research”, there are two types of data usages:
- Research on personal (health) data which consists in the use of data directly collected for the purpose of scientific studies (“primary use”).
- Research on personal (health) data which consists of the further processing of data initially collected for another purpose (“secondary use”).
Opinion 3/2019 Q&A on the interplay between the Clinical Trials Regulation and GDPR
- (29) The CTR addresses specifically the issue of secondary use […]. It refers solely to situations where the sponsor may want to process the data of the clinical trial subject “outside the scope of the protocol”, but only - and “exclusively” - for scientific purposes.
- (7) In the context of this Opinion, the EDPB considers that all processing operations related to a specific clinical trial protocol during its whole lifecycle, from the starting of the trial to deletion at the end of the archiving period, shall be understood as primary use of clinical trial data. However, the EDPB considers that not all processing operations relating to such “primary use” of clinical trial data pursue the same purposes and fall within the same legal basis.
- (9) When discussing the issue of the legal basis for the processing of personal data during the whole lifecycle of a clinical trial, the EDPB considers relevant to distinguish two main categories of processing activities. In particular, processing operations purely related to research activities must be distinguished from processing operations related to the purposes of protection of health, while setting standards of quality and safety for medicinal products by generating reliable and robust data (reliability and safety related purposes); these two main categories of processing activities fall under different legal bases.
Guidelines on consent under Regulation 2016/679
7.2. Scientific research
The definition of scientific research purposes has substantial ramifications for the range of data processing activities a controller may undertake. The term ‘scientific research’ is not defined in the GDPR. Recital 159 states “(…) For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted in a broad manner. (…)”, however the WP29 considers the notion may not be stretched beyond its common meaning and understands that ‘scientific research’ in this context means a research project set up in accordance with relevant sector-related methodological and ethical standards, in conformity with good practice.
Relevant EDPS statements
EDPS Preliminary Opinion on data protection and scientific research
The GDPR sets down a regime set out for data processing for ‘journalistic purposes and the purposes of academic, artistic or literary expression’ (Article 85). […] We would argue that the processing of personal data for the purposes of ‘academic expression’ implies:
- processing directly linked to the freedom of academics to disseminate information,
- their freedom to distribute knowledge and truth without restriction, such as with publications, dissemination of research results, and
- the sharing of data and methodologies with peers and exchanges of views and opinions.
There has been some debate as to the distinction between biomedical research, academic research in the humanities and social sciences, and the Article 85 provisions. The distinction may not be always easy to apply in practice. Some overlaps may occur where scientific research conducted by universities and academic institutions could fall, to some limited extent, within the scope of both regimes. […]
For the purposes of this Preliminary Opinion, therefore, the special data protection regime for scientific research is understood to apply where each of the three criteria are met:
- personal data are processed;
- relevant sectoral standards of methodology and ethics apply, including the notion of informed consent, accountability and oversight;
- the research is carried out with the aim of growing society’s collective knowledge and wellbeing, as opposed to serving primarily one or several private interests.
Conclusion on primary processing in scientific research
- Clinical trials: “protection of health” is a substantially different purpose from scientific research
- Do scientific publications fall under “purpose of academic expression”?
- Suggested answer: not necessarily, because…
- Research centres may not fall under “academic expression” and the definition of the scope of research should be independent of the institution performing the research
- “Aim of growing society’s collective knowledge” is suggesting the publication to be an intrinsic part of the scientific research purpose
- The “knowledge” element is also supported by other definitions of research, e.g. OECD
- Research and development services in natural sciences and engineering; social sciences and humanities and interdisciplinary.
- Any creative systematic activity undertaken in order to increase the stock of knowledge, including knowledge of man, culture and society, and the use of this knowledge to devise new applications.
- Recital (159) states that publication falls under scientific research purposes
- Publication is not mentioned as a separate “mission” to research for the research institutions but publications are mentioned as a KPI for research
- Re-analysing data for reproducibility purposes is an intrinsic methodology of scientific research
- Following the EDPB Guidelines on consent: “‘scientific research’ in this context means a research project set up in accordance with relevant sector-related methodological and ethical standards, in conformity with good practice.”
➡️ processing for reproducibility fulfils the criteria of methodological and ethical standards as well as good practice.
- Processing data for demonstration of how research results were achieved is part of the primary purpose
1.3 Principal choice of legal basis
Relevant EDPB/WP29 Statements
Opinion 06/2014 on the notion of legitimate interests
- II. The first five grounds of Article 7 rely on the data subject’s consent, contractual arrangement, legal obligation or other specifically identified rationale as ground for legitimacy. When processing is based on one of these five grounds, it is considered as a priori legitimate and therefore only subject to compliance with other applicable provisions of the law. There is in other words a presumption that the balance between the different rights and interests at stake – including those of the controller and the data subject – is satisfied – assuming, of course, that all other provisions of data protection law are complied with.
Opinion 15/2011 on the definition of consent
- II. It should be noted that the five other grounds following consent require a “necessity” test, which strictly limits the context in which they can apply.
Guidelines 4/2019 on Article 25 / Data Protection by Design and by Default
- (67) The controller must identify a valid legal basis for the processing of personal data.
- (68) Key design and default elements for lawfulness may include:
- Necessity – Processing must be necessary and unconditional for the purpose to be lawful.
- Autonomy – The data subject should be granted the highest degree of autonomy as possible with respect to control over personal data within the frames of the legal basis.
EDPB Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research
- (6) Taking into consideration that Article 6 (1) GDPR provides for legal bases other than consent and Article 9 (2) GDPR provides for exemptions other than explicit consent, it is foreseeable and not incompatible (with ethical standards) that the other legal grounds can be relied on for the processing of health data for scientific research purposes.
Guidelines on consent under Regulation 2016/679
- 7.2 At the same time, the GDPR does not restrict the application of Article 6 to consent alone, with regard to processing data for research purposes. As long as appropriate safeguards are in place, such as the requirements under Article 89(1), and the processing is fair, lawful, transparent and accords with data minimisation standards and individual rights, other lawful bases such as Article 6(1)(e) or (f) may be available. This also applies to special categories of data pursuant to the derogation of Article 9(2)(j).
Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak
- (16) Legal bases and applicable derogations for processing health data for the purpose of scientific research are provided for respectively in Article 6 and Article 9. […] It has to be noted that there is no ranking between the legal bases stipulated in the GDPR.
Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation and the GDPR
- (14) Processing operations purely related to research activities in the context of a clinical trial cannot, however, be derived from a legal obligation. Depending on the whole circumstances of the trial and the concrete data processing activity, research related activities may either fall under the data subject’s explicit consent (Article 6(1)(a) in conjunction with Article 9(2)(a)), or a task carried out in the public interest (Article 6(1)(e)), or the legitimate interests of the controller (Article 6(1)(f)) in conjunction with Article 9(2)(i) or (j) of the GDPR.
- (20) However, it must be kept in mind that even though conditions for an informed consent under the CTR are gathered, a clear situation of imbalance of powers between the participant and the sponsor/investigator will imply that the consent is not “freely given” in the meaning of the GDPR. As a matter of example, the EDPB considers that this will be the case when a participant is not in good health conditions, when participants belong to an economically or socially disadvantaged group or in any situation of institutional or hierarchical dependency. Therefore, and as explained in the Guidelines on consent of the Working Party 29, consent will not be the appropriate legal basis in most cases, and other legal bases than consent must be relied upon (see below alternative legal bases).
- (21) Consequently, the EDPB considers that data controllers should conduct a particularly thorough assessment of the circumstances of the clinical trial before relying on individuals’ consent as a legal basis for the processing of personal data for the purposes of the research activities of that trial.
- (25) The EDPB considers that as an alternative to data subject’s consent, the lawful grounds of processing provided under Article 6(1)(e) or 6(1)(f) are more appropriate.
Conclusion on Principal choice of legal basis (for research)
- The purpose is decisive in the determination of the best legal basis (relation to public or legitimate interests; leads the design of the processing)
- The following legal bases are typically not applicable for research
- Art. 6(1)(b) contract: the research is not pursued based on a contractual relationship with the data subject
- Art. 6(1)(c) legal obligation: a legal obligation is only applicable when a certain processing is mandatory for the controller
- Art. 6(1)(d) vital interest of the data subject: research is about generating general knowledge and does not affect directly the individual; where e.g. health research is performed as a “case study”, the primary purpose is healthcare
- The choice of legal bases for scientific research is typically between
- Art. 6(1)(a) Consent
- Art. 6(1)(e) Task in the public interest
- Art. 6(1)(f) legitimate interest
- For public and legitimate interest a necessity analysis is required if there are less invasive means to reach the identified purpose and serve the respective interest
1.4 Consent
Relevant GDPR Articles
- Article 4 Definitions (11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Article 7 Conditions for consent
- Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
- If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
- The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
- When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Relevant GDPR Recitals
- (32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
- (33) It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.
- (42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
- (43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
Relevant EDPB Statements / Difference between “ethics consent” and “GDPR consent”
Guidelines on consent under Regulation 2016/679
- When consent is the legal basis for conducting research in accordance with the GDPR, this consent for the use of personal data should be distinguished from other consent requirements that serve as an ethical standard or procedural obligation. An example of such a procedural obligation, where the processing is based not on consent but on another legal basis, is to be found in the Clinical Trials Regulation. In the context of data protection law, the latter form of consent could be considered as an additional safeguard.
EDPB Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research
- (5) Ethics standards cannot be interpreted in such a way that only explicit consent of data subjects can be used to legitimise the processing of health data for scientific research purposes. […] The requirement of informed consent for participation in a scientific research project can and must be distinguished from explicit consent as a possibility to legitimise the processing of personal data for scientific research purposes.
- (7) However, when relying on another legal basis in Article 6 other than consent and one of the other exemptions in Article 9 (2) GDPR, the ‘ethical’ requirement of informed consent for participation in the medical research project will still have to be met. In the GDPR-framework, this can be perceived as one of such additional safeguards as foreseen in Article 89(1) GDPR that should be in place when processing personal data for scientific research purposes.
Relevant EDPB Statements / Minimum requirements for consent to be informed
Guidelines on consent under Regulation 2016/679
[…] at least the following information is required for obtaining valid consent:
i. the controller's identity,
ii. the purpose of each of the processing operations for which consent is sought,
iii. what (type of) data will be collected and used,
iv. the existence of the right to withdraw consent,
v. information about the use of the data for automated decision-making in accordance with Article 22 (2)(c) where relevant, and
vi. on the possible risks of data transfers due to absence of an adequacy decision and of appropriate safeguards as described in Article 46.
With regard to item (i) and (iii), WP29 notes that in a case where the consent sought is to be relied upon by multiple (joint) controllers or if the data is to be transferred to or processed by other controllers who wish to rely on the original consent, these organisations should all be named. Processors do not need to be named as part of the consent requirements, although to comply with Articles 13 and 14 of the GDPR, controllers will need to provide a full list of recipients or categories of recipients including processors. To conclude, WP29 notes that depending on the circumstances and context of a case, more information may be needed to allow the data subject to genuinely understand the processing operations at hand.
Relevant EDPB Statements / Imbalance between the data subject and the controller
Guidelines on consent under Regulation 2016/679
- Imbalances of power are not limited to public authorities and employers, they may also occur in other situations. As highlighted by WP29 in several Opinions, consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences (e.g. substantial extra costs) if he/she does not consent. Consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will.
EDPB Document […] for clarifications on the consistent application of the GDPR, focusing on health research
- (8) In Opinion 3/2019 (on the interplay between the Clinical Trials Regulation and the GDPR), the EDPB has stated that, for data protection purposes, consent is not an appropriate legal basis in research activities where there is a clear imbalance of power between the data subject and the controller. It is acknowledged that in clinical trials such an imbalance may exist depending on the circumstances, for instance, when the data subject is not in a good health condition and there is no available therapeutic treatment outside the clinical trial. Therefore it is stated in this Opinion that, if consent is still to be relied upon to process personal data in clinical trials, ‘a particularly thorough assessment’ of the circumstances of the clinical trial must first be carried out to determine if consent is appropriate.
- (10) Explicit consent as a legal basis can still be relied on in medical research projects where it can be established that no imbalance of power between data subjects and researchers exists and the requirements for explicit consent in GDPR can be met. However, this will require a careful assessment on a case-by-case basis.
Relevant EDPB Statements / Withdrawal of consent
Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak
- (22) However, researchers should be aware that if consent is used as the lawful basis for processing, there must be a possibility for individuals to withdraw that consent at any time pursuant to Article 7 (3) GDPR. If consent is withdrawn, all data processing operations that were based on consent remain lawful in accordance with the GDPR, but the controller shall stop the processing actions concerned and if there is no other lawful basis justifying the retention for further processing, the data should be deleted by the controller.
Guidelines on consent under Regulation 2016/679
- When asking for consent, a controller has the duty to assess whether it will meet all the requirements to obtain valid consent. If obtained in full compliance with the GDPR, consent is a tool that gives data subjects control over whether or not personal data concerning them will be processed. If not, the data subject’s control becomes illusory and consent will be an invalid basis for processing, rendering the processing activity unlawful.
Conclusion on consent as legal basis
- There is no preference for consent as a legal basis under the GDPR or under the ethics regime, since informed consent as a procedural requirement is independent of the legal basis
- A thorough case by case analysis is needed to assess if ALL conditions for consent can be met
Imbalance
- Health research and research with vulnerable data subjects (e.g. refugees) have a high likelihood to create a situation of perceived dependency, which needs careful consideration
- This is in particular the case where clinician scientists and / or treating physicians or social workers are involved in the recruitment
Withdrawal of consent
- Depending on the study design or the stage of research, a withdrawal of consent may not be possible
- Once the results are published, where data cannot be anonymised, continued processing for reproducibility will still be required (the situation nowadays is different to research in the last century, where anonymisation was achieved more easily and anonymisation at the end of a project was common practice)
Conclusion on Broad Consent
- In case of research, consent is possible for entire areas of scientific research ➡️ Recital (33)
- “Certain areas of research” means there will still be a reduction / subgroup of research specified, i.e. no consenting to scientific research in general is possible ➡️ Recital (33)
- “Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.”, i.e. if a separation between a more specific purpose such as a defined research project and a wider research field is possible, the choice needs to be offered ➡️ Recital (33)
Conclusion on downstream controllers in research
- Consent is a valid legal basis only if the controller is explicitly named in the consent form
- Recital (42) requires the identity of the controller to be known for a valid informed consent; recital (33) does not lift this requirement
-
Consent is a valid legal basis if the data subject consented that data can be shared with the category of controllers
- Broad consent that did not allow for categories of recipients would make no sense
- Neither Art. 3 nor 6 nor 7 require the controller to be specified
- Different options / purposes should be consented separately
- Safeguards: chain of controllers must be transparent and reach-through guaranteed
-
Consent has a reach-through: any research processing based on broad (GDPR) consent must have consent as legal basis
- If consent is given for a future research project, the reasonable expectation of the data subject is that this consent then provides the legal basis
- Changing the legal basis changes the data subjects’ rights
-
European level interpretation
- EDPB did not (yet) address the question in response to the EC questionnaire
- EU experts do not agree – different approaches pursued
- IE explicit for research on Art. 10 data: consent given to the controller or another controller
- For Luxembourg: play safe ➡️ avoid building on consent as downstream controller if not explicitly mentioned in consent form
-
1.5 Task in the public interest as a legal basis
-
Relevant GDPR Articles
- Article 6 Public interest
- (2) Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
-
(3) The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:
a. Union law; or
b. Member State law to which the controller is subject.
The *purpose* of the processing *shall* be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis *may* contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.
-
Relevant GDPR Recitals
-
Public interest
- (45) Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It *should* also be for Union or Member State law to determine the purpose of processing. Furthermore, that law *could* specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.
-
-
Relevant EDPB / WP29 Statements
-
Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation and the GDPR
- (26) Article 6(3) GDPR further provides that this basis shall be laid down by Union or Member State law and that the purpose of the processing shall be laid down in that legal basis. The processing of personal data in the context of clinical trials can thus be considered as necessary for the performance of a task carried out in the public interest when the conduct of clinical trials directly falls within the mandate, missions and tasks vested in a public or private body by national law
-
Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC
- Article 7(e) covers two situations and is relevant both to the public and the private sector. First, it covers situations where the controller itself has […] a public interest task (but not necessarily also a legal obligation to process data) and the processing is necessary for […] performing that task.
- Yet another example could be a local government body, such as a municipal authority, entrusted with the task of running a library service, a school, or a local swimming pool.
- Unlike in the case of Article 7(c), there is no requirement for the controller to act under a legal obligation.
- However, the processing must be 'necessary for the performance of a task carried out in the public interest'. […] It is also important to emphasise that this official authority or public task will have been typically attributed in statutory laws or other legal regulations.
-
-
Other relevant statements
-
EU Copyright Directive 2019/790
Despite different legal forms and structures, research organisations in the Member States generally have in common that they act either on a not-for-profit basis or in the context of a public-interest mission recognised by the State. Such a public-interest mission could, for example, be reflected through public funding or through provisions in national laws or public contracts.
-
Personuppgiftsbehandling för forskningsändamål
(“Personal data processing for research purposes”; a legal analysis by the Swedish government)
If no national legislative measures are taken, the provisions of the Regulation mean that public research actors predominantly have to use tasks carried out in the public interest, under Article 6(1)(e) when processing personal data for research purposes. Private research actors predominantly have to use consent, under Article 6(1)(a), or weighing up interests under Article 6(1)(f) when processing personal data for the same purposes.
-
-
Conclusions on task in the public interest as legal basis
- Public and private bodies are able to operate under public interest
- The purpose needs to be defined by law and a clear mandate given to the respective institution or type of institution [See also critique of the Data Governance Act by EDPB]
- Where a body is set up by law, processing to pursue its mission given by law fulfils the condition for a task in the public interest
- It is not required that the processing is described in more detail as such specification is optional rather than mandatory
- It is not appropriate for a research mission to limit the processing with respect to data subjects, data types, potential data recipients etc. as these depend on the specific research question
- A research stakeholder needs to analyse case by case whether each of their research projects falls within the scope of the research needed to fulfil the mission
- Public funding for research may also be an indication for the pursuit of a task in the public interest [??]
- In addition, the project needs to fulfil the requirements being proportionate to the aim pursued, of data minimisation and purpose limitation (no other purposes should be pursued)
1.6 Legitimate interest
-
Relevant GDPR Recitals
- (47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
-
Relevant EDPB / WP29 Statements
-
Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation and the GDPR
- (27) For all other situations where the conduct of clinical trials cannot be considered as necessary for the performance of the public interest tasks vested in the controller by law, the EDPB will consider that the processing of personal data could be “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject” following Article 6(1)(f) GDPR.
-
Opinion 06/2014 on the notion of legitimate interests […]
- […] requires a balancing of the legitimate interests of the controller, or any third parties to whom the data are disclosed, against the interests or fundamental rights of the data subject.
-
In order to be relevant under Article 7(f), a ‘legitimate interest’ must therefore:
- be lawful (i.e. in accordance with applicable EU and national law);
- be sufficiently clearly articulated to allow the balancing test to be carried out against the interests and fundamental rights of the data subject (i.e. sufficiently specific);
- represent a real and present interest (i.e. not be speculative).
- The nature of the interest may vary. Some interests may be compelling and beneficial to society at large, such as the interest of the press to publish information about government corruption or the interest in carrying out scientific research (subject to appropriate safeguards).
- Another important context where disclosure in the legitimate interests of third parties may be relevant is historical or other kinds of scientific research, particularly where access is required to certain databases.
-
Quick guide / balancing test
(Opinion 06/2014 on the notion of legitimate interests)
- Step 1: Assessing which legal ground may potentially apply under Article 7(a)-(f)
- Step 2: Qualifying an interest as 'legitimate' or 'illegitimate'
- Is the interest lawful and sufficiently clearly articulated, and does it represent a real and present interest (at the time of the processing)?
- Step 3: Determining whether the processing is necessary to achieve the interest pursued
- Are there other, less invasive means to reach the identified purpose of the processing and serve the legitimate interest?
- Step 4: Establishing a provisional balance by assessing whether the data controller’s interest is overridden by the fundamental rights or interests of the data subjects
- Consider the nature of the interest of the controller (fundamental right, public interest, other?) and consider the effect of actual processing on particular individuals, taking into account nature of the data, status of data subject, how the data are processed, how the data subject could be impacted, and the data subject’s reasonable expectations
- Step 5: Establishing a final balance by taking into account additional safeguards
- Data minimisation, technical and organisational measures (TOMs), privacy-enhancing technologies, transparency
- Step 6: Demonstrate compliance and ensure transparency
- Draw a blueprint of steps 1 to 5 to justify the processing before its launch and keep it
- Step 7: What if the data subject exercises his/her right to object?
- An appropriate and user-friendly mechanism is in place: for a qualified opt-out, to re-assess the balance for the individual concerned; for an unconditional opt-out right, to respect the choice without additional steps
-
-
Conclusion Legitimate interest as legal basis
- Legitimate interest is not available to public authorities in the exercise of their tasks; however, these should then be covered by a “public interest” legal basis
- To be on the safe side, public bodies should only use legitimate interest when they act **outside their mission** [public bodies / public authorities not formally defined in Lux law]
- Where appropriate safeguards are chosen, the legitimate interest for scientific research is compelling
- Legitimate interest is a good basis for processing in data repositories and/or of data in biobanks where task is not part of the mission by law [Interesting discussion: ELIXIR-LU versus IBBL]
- Nevertheless, a balancing test will always apply also for scientific research
- Necessity, proportionality, transparency, purpose limitation and data minimisation are important elements
- Opt-in or clearly communicated and efficient opt-out procedures are an important safeguard
- Ethics approval is a good instrument to support the balancing test
1.7 Additional legitimation: special categories of data
-
Relevant GDPR Articles
-
Article 9 Processing of special categories of personal data
- (1) Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
-
(2) Paragraph 1 shall not apply if one of the following applies:
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
[…]
(e) processing relates to personal data which are manifestly made public by the data subject;
[…]
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
[…]
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
-
-
Relevant recital
- (51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. […] Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. *In addition* to the specific requirements for such processing, *the general principles and other rules of this Regulation should apply*, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.
- (52) Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
- (53) Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.
- (54) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council (1), namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality.
-
Relevant EDPB Statements
-
Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak
4 LEGAL BASIS FOR THE PROCESSING
- (15) All processing of personal data concerning health must comply with the principles relating to processing set out in Article 5 GDPR and with one of the legal grounds and the specific derogations listed respectively in Article 6 and Article 9 GDPR for the lawful processing of this special category of personal data.
- (16) Legal bases and applicable derogations for processing health data for the purpose of scientific research are provided for respectively in Article 6 and Article 9.
-
-
Relevant LU law
-
The Act of 1 August 2018 on the organisation of the National Data Protection Commission, implementing Regulation (EU) 2016/679
Chapter 2 – Processing for the purposes of scientific or historical research or statistical purposes
Art. 64.
The processing of special categories of personal data as defined in Article 9, paragraph 1 of Regulation (EU) 2016/679, may be carried out for the purposes referred to in Article 9 paragraph 2, point j) of this same regulation, if the controller meets the requirements set out in Article 65.
Art. 65.
Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller of processing carried out for scientific or historical research purposes or statistical purposes must implement the following additional appropriate measures:
[….]
For each project for scientific or historical research purposes or statistical purposes, the controller must document and justify any exclusion of one or several of the measures listed in this article.
-
-
Conclusion Additional legitimation for special categories of data
- For special categories of data such as health data, ethnic origin and biometric data used for identification, an additional legitimation under Art. 9(2) is required for the processing to be lawful, on top of the general requirement to have a legal basis under Art. 6(1).
- Explicit consent is one of the options available for research
- Additional legitimations may be provided by Union or Member State law (related to important public interest, public health or scientific research directly)
- For Luxembourg, Art. 64 of the data protection act provides the legitimation to process special categories of data for scientific research directly based on Art. 9(2)(j)
- The legitimation is subject to the condition that either the safeguards listed in Art. 65 of the same law are being implemented or a satisfactory justification for the omission is provided
- Where other national laws apply to the processing, additional conditions may have to be considered (relevant e.g. for Portugal, France)
2. Fairness of processing
2.1 GDPR Articles
-
Principles
-
Article 5
-
-
Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
-
Data protection principles of Art. 5
- (b) Purpose limitation
- (c) Data minimisation
- (d) Accuracy
- (e) Storage limitation
- (f) Integrity and confidentiality
-
-
Fairness and transparency
-
Article 13 (2)
- In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: […]
-
Article 14 (2)
- In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject: […]
-
-
Setting out rules for fairness
-
Article 6
- (2) Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
- (3) […] That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: […] processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.
-
Article 40 (2)
- Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to: (a) fair and transparent processing;
-
2.2 GDPR Recitals
-
Recital (39)
- Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. […]
- The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed.
- This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum.
- […]
- Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.
-
Recital (60)
- The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed.
- Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling.
-
Question: how relevant is profiling in research for the fairness principle?
-
Our conclusion: profiling does occur in research but usually has no direct consequences for the data subject
- Measures: do not label this as “profiling” but explain what we do (e.g. define categories based on automated processing) and that it has no effect on the individual (except in cases of incidental findings, for which separate information is provided)
- In case of “profiling” for the selection of data subjects for a study: explain at first contact
- Where such pre-research is done in a cohort: include the information in the information sheet; where processing is based on consent: obtain consent to such processing and to being contacted
2.3 EDPB on Fairness
-
Guidelines on data protection by design and default
-
Fairness is an overarching principle which requires that personal data shall not be processed in a way that is
- detrimental,
- discriminatory,
- unexpected or
- misleading
to the data subject.
-
3. Purpose limitation
3.1 GDPR Articles
3.2 GDPR Recitals
3.3 EDPB
4. Storage limitation / Data retention
4.1 GDPR Articles
-
Article 5.1(e)
-
Personal data shall be […]
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
-
-
Article 13.2(a)
- (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
4.2 GDPR Recitals
-
Recital (39)
- This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.
-
Recital (65) – context of right to be forgotten
- However, the further retention of the personal data should be lawful where it is necessary, for […] on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes,
4.3 EDPS
-
Preliminary Opinion on data protection and scientific research
- The GDPR permits ‘storage for longer periods’ if the sole purpose is scientific research (or archiving in the public interest, historical research or statistical purposes).
- The intention of the lawmaker appears to have been to dissuade unlimited storage even in this special regime, and guards against scientific research as a pretext for longer storage for other, private, purposes.
- If in doubt, the controller should consider whether a new legal basis is appropriate.
5. Data minimisation
5.1 GDPR Articles
5.2 GDPR Recitals
5.3 EDPB
6. Transparency of processing towards the data subject
6.1 GDPR Articles
-
Article 11 – Processing that doesn’t require identification
- Controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.
- If controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly.
- Art. 15-20 shall not apply except where the data subject provides additional information enabling his or her identification.
-
Article 12 – Transparent information for the exercise of rights
- Provide information in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.
- Information on action to be taken on a request under Articles 15 to 22 is to be provided without undue delay, at the latest within 1 month of receipt of the request; this may be extended by another 2 months in case of complexity and/or number of requests. The delay and its justification are to be communicated within 1 month.
- Where no action is taken, information within a month on the reasons for not taking action.
-
Additional information may be requested where necessary to
confirm the identity of the data subject
-
Article 13 – Information to be provided where personal data are collected from the data subject
- The controller shall, at the time when personal data are
obtained, provide the data subject with all of the following
information
- identity and the contact details of the controller and, where applicable, of the controller's representative
- contact details of the data protection officer
- purposes of the processing and the legal basis for the processing
- If processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party
- recipients or categories of recipients of the personal data
- where applicable, the intention to transfer personal data to a third country or international organisation, existence of an adequacy decision, or reference to the appropriate safeguards and how to see / access these
- Period for which data is stored or criteria to determine the period
- Rights of data subject
- Existence of automated decision making and consequences for data subject
- In case of further processing, information on that new
purpose and any relevant further information according to 13(2)
-
Article 14 - Information to be provided where personal data have not been collected from the data subject
- Same information as required under Art. 13(1) and 13(2)
-
Additional information to be provided: source(s) of the data
- Categories of data concerned
- Sources of the data
- Information to be provided
- Within a reasonable period, at the latest within 1 month
- If used for communication with data subject, at the latest at time of first communication
- If disclosure is envisaged, at the latest when personal data are first disclosed
- In case of further processing for a purpose other than that for which the data was obtained: prior information similar to 13(3)
- 14(1)-14(4) do not apply if
- in particular for processing for scientific research purposes or statistical purposes
- the provision of such information proves impossible or would involve a disproportionate effort
- the provision is likely to render impossible or seriously impair the processing
- subject to the conditions and safeguards referred to in Article 89(1)
-
Article 15 – right of access by the data subject
- The data subject has the right of access to the data as well as the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient, in particular recipients in third countries or international organisations;
- Period for which data is stored or criteria to determine the period
- Rights of data subject
- If the personal data are not collected from the data subject, any available information as to their source;
- Existence of automated decision-making, including profiling, information about the logic involved, the significance and the envisaged consequences
- In case of international transfer, information on appropriate safeguards
- Copy of the personal data undergoing processing in a commonly used electronic form if the data subject makes the request by electronic means
- The right to obtain a copy shall not adversely affect the
rights and freedoms of others.
-
Article 49 – Derogations for specific information (Information to be provided where international transfer is based on consent)
- In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions: (a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
6.2 GDPR Recitals
-
Recital (39)
- Natural persons should be made aware of risks, rules, safeguards
in relation to the processing of personal data and how to
exercise their rights in relation to such processing
-
Recital (59)
-
Modalities should be provided for facilitating the exercise
of the data subject's rights under this Regulation, including
mechanisms to request and, if applicable, obtain, free of charge, in
particular, access to and rectification or erasure of personal data
and the exercise of the right to object. The controller should also
provide means for requests to be made electronically, especially
where personal data are processed by electronic means.
-
Recital (61)
- Where the origin of the personal data cannot be provided to the
data subject because various sources have been used, general
information should be provided.
-
Recital (62)
- However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information, where the recording or disclosure of the personal data is expressly laid down by law or where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort. The latter could in particular be the case where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In that regard, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration.
6.3 EDPB -- Guidelines on Transparency
-
General aspects
- Transparency requirements in the GDPR apply irrespective of the legal basis for processing and throughout the life cycle of processing.
- Communicate in advance what the scope and consequences of the processing entails; data subject should not be taken by surprise at a later point about the ways in which their personal data has been used.
- Language qualifiers such as “may”, “might”, “some”, “often” and “possible” should be avoided.
- Where data controllers opt to use indefinite language, they should be able to demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing.
- Data controllers should present the information/communication
efficiently and succinctly in order to avoid information
fatigue. This information should be clearly differentiated from other
non-privacy related information.
-
Further processing
- A reasonable period should occur between the notification and the processing commencing rather than an immediate start to the processing upon notification being received by the data subject.
- Principle of fairness requires that the more intrusive (or less expected) the further processing, the longer the period should be.
-
Accountability requires that data controllers be able to
demonstrate how the determinations they have made as
regards the timing for the provision of this information are
justified in the circumstances and how the timing overall
is fair to data subjects.
-
Exemptions under Art. 14
-
“proves impossible” / “disproportionate effort”
- Demonstrate the factors that actually prevent the controller from providing the information
- If factors that caused the “impossibility” no longer exist, the data controller should immediately provide the information
- The impossibility or disproportionate effort must be directly connected to the fact that the personal data was obtained other than from the data subject.
- Controller should carry out a balancing exercise to assess the effort involved for the data controller to provide the information to the data subject against the impact and effects on the data subject if he or she was not provided with the information.
-
“seriously impair”
- Data controllers must demonstrate that the provision of the information set out in Article 14.1 alone would nullify the objectives of the processing.
- Appropriate measures
- undertaking a DPIA; pseudonymisation; minimising the
data collected and the storage period; technical and
organisational measures to ensure a high level of security.
-
Legal basis “legitimate interest”
- The specific interest in question must be identified for the benefit of the data subject.
- The controller can also provide the data
subject with the information from the balancing test, which
must be carried out to allow reliance on Article 6.1(f) as a lawful basis for processing;
-
(Categories of) Recipients
- Other data controllers, joint controllers and processors to whom data is transferred or disclosed are covered by the term “recipient” in addition to information on third party recipients.
- If controllers provide the categories of recipients, the
information should be as specific as possible by indicating
the type of recipient (i.e. by reference to the
activities it carries out), the industry, sector and
sub-sector and the location of the recipients.
-
Source
- The specific source of the data should be provided unless it is not possible
- If the specific source is not named then information provided
should include: the nature of the sources (i.e. publicly
/ privately held sources) and the types of organisation /
industry / sector.
-
Transfer to third countries
-
General information
- The relevant GDPR article permitting the transfer and the corresponding mechanism (e.g. adequacy decision under Article 45/ binding corporate rules under Article 47/ etc.) should be specified.
- Information on where and how the relevant document may be accessed or obtained should also be provided e.g. by providing a link
-
Risk specification where transfers are based on consent
- Risk specification may be standardised, such as:
- There might be no supervisory authority
- Data processing principles might not be provided for
- Data subject’s rights might not be provided for
-
Storage
- It is not sufficient for the data controller to generically state that personal data will be kept as long as necessary for the legitimate purposes of the processing.
- Should be phrased in a way that allows the data subject to assess, on the basis of his or her own situation, what the retention period will be for specific data/ purposes.
- Where relevant, the different storage periods should be
stipulated for different categories of personal data and/or
different processing purposes, including where appropriate,
archiving periods.
-
Information on rights of the data subject
-
Information must be…
- Specific to the processing scenario and
- Include a summary of what the right involves
- How the data subject can take steps to exercise it and any limitations on the right.
- In particular, the right to object to processing must be explicitly brought to the data subject’s attention at the latest at the time of first communication with the data subject
- Must be presented clearly and separately from any other information
-
Where processing is based on consent
- Information should include how consent may be withdrawn, taking into account that it should be as easy for a data subject to withdraw consent as to give it.