Special categories of personal data may be processed under the GDPR in the following cases: In order to comply with this principle, Chapter 6 of the GDPR requires that any organisation that processes personal data has a valid legal basis for such processing of personal data. Think of them as scenarios where it would be legal to process data. The GDPR provides six legal bases for processing: Personal data belonging to special categories may be processed if an exception to the prohibition is provided for in the EU General Data Protection Regulation (GDPR) or, in particular, in Union or national law. It is important to recognise whether the data can be processed under the GDPR or whether the processing requires separate legislation or agreements in addition to the GDPR. Five of the processing requirements are contained exclusively in Article 9 of the UK GDPR. The other five require approval or a basis in UK law, which means you must meet additional requirements set out in the 2018 ODA. In many cases, you will also need an “appropriate policy document” to meet a condition in the UK's Schedule 1 for processing in the 2018 CCA. The specific regulation for special categories of data remains in Articles 9 and 10 of the GDPR. The shortcomings described above are more than offset by the new obligation to carry out a Data Protection Impact Assessment (DPIA) when a type of processing is likely to result in a high risk to the rights and freedoms of individuals (note that this goes beyond privacy alone), and this is an explicit requirement in the case of large-scale processing of special categories of data (Article 35, paragraph 3(b) GDPR). The legislation also requires research institutions to explicitly indicate which of the new legal bases they are using. According to the new legislation, you will need: Article 9 lists the conditions for processing data of special categories: The GDPR may also allow processing for research purposes as a legitimate interest.
Although research is not explicitly mentioned as a legitimate interest, recital 157 mentions the benefits associated with research on personal data, including the possibility of new knowledge about “widespread diseases” and the “long-term correlation of a range of social conditions”. The results of the research can “serve as a basis for the formulation and implementation of knowledge-based policy, improve the quality of life of a number of people and improve the effectiveness of social services”.
In addition, recital 47 expressly provides that “the processing of personal data for direct marketing purposes may be considered to have a legitimate interest”. First, the GDPR encourages Member States to adopt better protection of the processing of sensitive data for health-related purposes. Recital 53 states that, although the Regulation aims to “create harmonised conditions for the processing of special categories of personal data in the health sector, … Union law or the law of the Member States should provide for specific and appropriate measures to protect the fundamental rights and personal data of natural persons”. This is particularly the case if the controller processes genetic, biometric or health data. The GDPR creates a large number of rights of data subjects that must be protected by controllers when processing personal data. In line with the exceptions to the principles of purpose limitation and storage limitation for research processing, the Regulation provides for exceptions to the rights of data subjects for processing in the context of research. The exceptions to the right to erasure and the right to object flow directly from the text of the Regulation. In addition, appropriate legislation allows Member States to provide for exceptions to a number of other rights. WP29 takes into account the reason for consent by stipulating that the principles of Article 6 of the Directive are applicable (personal data must be processed fairly and lawfully, and the requirements of necessity and proportionality apply) (Opinion 06/2014, p. 13):
The GDPR requires that any organisation processing personal data has a valid legal basis for this processing activity. The law provides six legal bases for processing: consent, performance of a contract, legitimate interest, vital interest, legal obligation and public interest. First, most organizations ask if they need consent to process the data. The answer is, not necessarily. As mentioned earlier, consent is only one of the six legal bases for data processing. If you use consent, you should be aware that consent must be given voluntarily and clearly and that it must be as easy to withdraw your consent as it is to give your consent. You will need to carry out a Data Protection Impact Assessment (DPIA) for any type of processing that may pose a high risk. You should therefore be aware of the risks associated with the processing of data of the special category.
The reason why the legal basis for processing is so important is that the legal basis must be verifiable at all times.