Purpose Definition as a Crucial Step for Determining the Legal Basis Under the GDPR in Research

47 Pages. Posted: 21 Jun 2023

Regina Becker

Luxembourg National Data Service (PNED G.I.E.); University of Luxembourg

Davit Chokoshvili

Universite du Luxembourg

Adrian Thorogood

Universite du Luxembourg - Luxembourg Centre for Systems Biomedicine

Edward Dove

National University of Ireland, Maynooth (NUI Maynooth) - Faculty of Law

Fruzsina Molnar-Gabor

Heidelberg Academy of Sciences and Humanities

Alexandra Ziaka

MPlegal law firm

Olga Tzortzatou-Nanopoulou

Academy of Athens - Biomedical Research Foundation

Giovanni Comandé

LIDER-Lab, Scuola Superiore Sant'Anna

Date Written: June 9, 2023

Abstract

The General Data Protection Regulation (GDPR) of the European Union came into force in 2018, replacing the Data Protection Directive 95/46/EC. Under the new Accountability Principle of the GDPR, controllers (i.e., parties determining the purposes and the means of the processing of personal data) are responsible for ensuring and demonstrating overall compliance with the Regulation. However, interpretive uncertainties inherent in the GDPR mean that controllers must exercise considerable judgement in designing and implementing an appropriate compliance strategy, making GDPR compliance both complex and resource-intensive. In this article, we seek to provide conceptual clarity around GDPR compliance, focusing our analysis on organizations routinely using personal data for scientific research, such as biomedical or health research reliant on pseudonymized data. Our analysis is centred on the critical importance of purpose specification: i.e., delineating and describing, in an appropriate level of detail, the purposes for which the researcher intends to process personal data. We offer actionable guidance for correctly specifying purposes of data processing under different research scenarios. To illustrate the practical usefulness of purpose specification, we subsequently show how our proposed approach can enable controllers to meet their compliance obligations, using the example of compliance with the overarching GDPR principle of lawfulness.

Keywords: data protection, GDPR, lawfulness, legal basis, purpose specification, special categories of personal data

Suggested Citation

Becker, Regina and Chokoshvili, Davit and Thorogood, Adrian and Dove, Edward and Molnar-Gabor, Fruzsina and Ziaka, Alexandra and Tzortzatou-Nanopoulou, Olga and Comandé, Giovanni, Purpose Definition as a Crucial Step for Determining the Legal Basis Under the GDPR in Research (June 9, 2023). Available at SSRN: https://ssrn.com/abstract=4474344 or http://dx.doi.org/10.2139/ssrn.4474344

Regina Becker (Contact Author)

Luxembourg National Data Service (PNED G.I.E.)

Av. des Hauts-Fourneaux 6
Esch-sur-Alzette, 4362
Luxembourg

University of Luxembourg

CAMPUS BELVAL / House of Biomedicine II
6, avenue du Swing
Belvaux, 4367
Luxembourg

Davit Chokoshvili

Universite du Luxembourg

L-1511 Luxembourg
Luxembourg

Adrian Thorogood

Universite du Luxembourg - Luxembourg Centre for Systems Biomedicine

2 Avenue de l'Université
Esch-sur-Alzette
Luxembourg

Edward Dove

National University of Ireland, Maynooth (NUI Maynooth) - Faculty of Law

Maynooth, County Kildare
Ireland

Fruzsina Molnar-Gabor

Heidelberg Academy of Sciences and Humanities

Alexandra Ziaka

MPlegal law firm

Ethnikis Antistaseos 84B
Athens, 15231
Greece

Olga Tzortzatou-Nanopoulou

Academy of Athens - Biomedical Research Foundation

Giovanni Comandé

LIDER-Lab, Scuola Superiore Sant'Anna

Piazza dei Martiri della Liberta 33
56127 Pisa, 56100
Italy

HOME PAGE: http://www.lider-lab.eu

Paper statistics

Downloads: 115
Abstract Views: 416
Rank: 475,144