Purpose Definition as a Crucial Step for Determining the Legal Basis Under the GDPR in Research
47 Pages Posted: 21 Jun 2023
Date Written: June 9, 2023
Abstract
The General Data Protection Regulation (GDPR) of the European Union came into force in 2018, replacing the Data Protection Directive 95/46/EC. Under the new Accountability Principle of the GDPR, controllers (i.e., parties determining the purposes and the means of the processing of personal data) are responsible for ensuring and demonstrating overall compliance with the Regulation. However, interpretive uncertainties inherent in the GDPR mean that controllers must exercise considerable judgement in designing and implementing an appropriate compliance strategy, making GDPR compliance both complex and resource-intensive. In this article, we seek to provide conceptual clarity around GDPR compliance, focusing our analysis on organizations that routinely use personal data for scientific research, such as biomedical or health research reliant on pseudonymized data. Our analysis is centred on the critical importance of purpose specification, i.e., delineating and describing, at an appropriate level of detail, the purposes for which the researcher intends to process personal data. We offer actionable guidance for correctly specifying the purposes of data processing under different research scenarios. To illustrate the practical usefulness of purpose specification, we then show how our proposed approach can enable controllers to meet their compliance obligations, using the example of compliance with the overarching GDPR principle of lawfulness.
Keywords: data protection, GDPR, lawfulness, legal basis, purpose specification, special categories of personal data