This document discusses how the General Data Protection Regulation (GDPR) applies to scientific research. It defines key GDPR concepts, explains how scientific research is defined under the regulation, and discusses the legal bases and purposes that can justify data processing for research. It also addresses how data subject rights may be limited for research purposes, and analyzes several cases involving issues like data sharing, further processing of data, and handling of health and publicly available data in the context of research.

1. Open Science & GDPR
Basic Concepts and Cases
Dr. Prodromos Tsiavos
ARC/ ΟpenAIRE
https://www.athena-innovation.gr/ptsiavos@imis.athena-innovation.gr

2. Open Science and GDPR
1. What is GDPR
2. Key DP structure
3. The setting
4. How is scientific research defined
5. Purpose
6. Legal Basis
7. Exercising data subject rights
8. Cases

3. What is GDPR?
Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of
such data, and repealing Directive 95/46/EC (General Data Protection
Regulation)
1

4. Key DP structure
Personal Data
Type of processing
Purpose
Legal Basis
Be careful with
special categories
(sensitive) of
personal data
Make sure that the
legal basis covers
purpose and
personal data
2

5. The setting
Research within an RPO: check legal and ethics framework
EU or other collaborative projects:
Ethics and Data Protection Requirements
National Law
3rd countries
Call conditions
Tenders
Are you a data processor or (co)controller)?
Who is the DPO?
Have you passed from an Ethics Committee?
3

6. How is scientific research defined
Sources:
- Recitals: 26, 33, 50, 52, 53, 62, 65, 113, 156, 157, 159, 160, 161, 162
- Relevant articles: 5(1)(b), (e), 89 (1), (2), (3), 9(j), 14(5)(b), 17(3)(d), 21(6), 89
Most important article:
- Art. 89
4

7. Defining Scientific Research I: Definitions
• It falls under the broader public interest legal basis
• Could be a form of further processing
• Need to be subject to appropriate safeguards
• Technical and organizational measures are in place
• Focus on data minimization
• Means: pseudonymization (without affecting research objectives)

8. Defining Scientific Research II: Special Categories
• It falls under the broader public interest legal basis
• In relation to special categories of data (art.9), the processing:
• shall be proportionate to the aim pursued
• needs to respect the right to data protection
• needs to provide suitable and specific measures to safeguard the
fundamental rights and interests of the data subject

9. The purpose
Possible purposes:
Overall: scientific research (art. 89 GDPR)
Specific type of research
Further use/ exploitation
What happens when the purpose changes over time?
Legal basis?
Am I covered by the legal basis?
5

10. Legal Basis
Mostly forms of public interest (regular research)
Contract (tender)
Consent (specific research)
6

11. • Vital Interest
• Public Interest
• Legal Obligation
• Contract
• Consent
• Legitimate Interest
No discretion
discretion
Decision: both parties
Decision: data controller

12. Trace the life cycle
Follow the data
Different types of data processing may have different purposes and legal bases
Always stay within the legal basis

13. Data management plan
(processing/ purposes/ legal basis)
Data collection
- From the data
subject
- From 3rd party
- From publicly
available sources
Data Management
- Read
- Write (update/
improve/ enrich)
- Preservation
- Erasure
- Access
Data Sharing
- 3rd Parties
- Data processor
- Further use
- Subject
- Publishing
Purpose Α
Legal Basis Α
Purpose C
Legal Basis C
Purpose D
Legal Basis D
Purpose Β
Legal basis Β

14. Exercising data subject rights
Limitation of rights of the data subject (arts. 14(5)/17(3)/ 21(6) GDPR))
Scientific research/ statistical purposes/ archiving
Public interest
Technical and organizational measures (mostly pseudonymization)
Condition: “it is likely to render impossible or seriously impair the achievement of
the objectives of that processing”
Notices (proactive data subject information)
7

15. Limitations to data subject’s rights:
(I) information
• Information to be provided where personal data have not been obtained
from the data subject (art. 14(5)(b)
• Researchers are exempt when:
• The provision of such information proves impossible or would involve a
disproportionate effort
• Such obligations would render impossible or seriously impair
achievement of the objectives of scientific research
• The controller takes appropriate measures to protect the data subject’s
legitimate interests

16. Limitations to data subject’s rights:
(II) erasure
• Right to erasure (‘right to be forgotten’) (art. 17(3)(d)
• Researchers are exempt when:
• Such obligations would render impossible or seriously impair
achievement of the objectives of scientific research

17. Limitations to data subject’s rights:
(III) objection
• Right to object (art. 21(6)
• Researchers are exempt when:
• the processing is necessary for the performance of a task carried out
for reasons of public interest.

18. Limitations to data subject’s rights:
(IV) Member States Derogations
• Member State derogations in relation to data-subject rights:
• Right of access by the data subject (art.15)
• Right to rectification (art.16)
• Right to restriction of processing (art.18)
• Right to object (art.21)
• In terms of Open content: the re-users are covered by these exceptions only
to the degree they are also engaging in scientific research

19. Some cases
• Harvesting personal data from publicly available sources
• Data sharing with 3rd countries (international collaborations)
• Initial collection for legitimate interest – secondary research use –
notification process - objection process
• Balancing reuse of research data and the GDPR principles of accuracy and
data minimization
• Health data and GDPR protection
8

20. Cases
• Harvesting personal data from publicly available sources
• Data sharing with 3rd countries (international collaborations)
• Initial collection for legitimate interest – secondary research use –
notification process - objection process
• Balancing reuse of research data and the GDPR principles of accuracy and
data minimization
• Health data and GDPR protection
8

21. Cases
• Harvesting personal data from publicly available sources
• Check the original purpose of processing
• Check the original legal basis for processing
• It is a form of allowed further processing (art.5(b))
• Need to provide the following information to the data subject (art.14(1),(2)):
1. the identity and the contact details of the controller and, where applicable, of the controller's
representative
2. the contact details of the data protection officer, where applicable;
3. the purposes of the processing for which the personal data are intended as well as the legal
basis for the processing;
4. The categories of personal data concerned;
5. The recipients or categories of recipients of the personal data, if any;
6. When there is data transfer to 3rd countries, reference to the appropriate or suitable
safeguards and the means to obtain a copy of them or where they have been made available.
7. from which source the personal data originate, and if applicable, whether it came from
publicly accessible sources;
8a

22. Cases
• Conditions for further processing (arts.6(4)) + 13(3) + 14(4) + 89(1)):
1. Legal basis Consent; or
2. Legal obligations (by Member States); or
3. There is a new legal basis; or
4. Examine whether further processing is compatible with the purpose for which the personal
data were original collected:
1. What is the link between original and further processing
2. Context
3. If special categories exist and how they are protected
4. Consequences for the data subjects
5. Safeguards (e.g. encryption and pseudonymization)
5. When information is collected by the data-subject or third party, inform the data subject
regarding the further processing (prior to it) and any other relevant information (art.13(3) and
art.14(4))
6. Pseudonymize (if it is for research) art. 89(1)
8b

23. Cases
Transfers to 3rd countries
• Items:
• Conditions (contract or legal act) art.28
• Notifications and notices (data subject rights information – access ) (arts.13(1)(f), 14(1)(f),
15(1), (2))
• Keep records (art.30)
• Use of Codes of Conduct (art.40)
• Explore certification schemes, seals and marks (art.42(2))
• See entire Chapter V (arts.44-50)
• Adequacy decision
• Appropriate Safeguards
• Binding corporate rules
• Authorization by Union Law
• See EC Standard Contractual Clauses (SCC)
• Standard contractual clauses for data transfers between EU and non-EU countries.
8c

24. Cases
Initial collection for legitimate interest – secondary research use – notification process -
objection process
• Form of further processing
• Need to notify the data subject
• Include all notification principles of art.14
• There needs to be a clear opt-out/ objection process in the notification document:
• URL for automated opt-out
• At least email
• Always documented and confirmed
8d

25. Cases
Further processing and accuracy – minimization
• Adhere to all conditions of further processing
• Remain accurate through notices and notification
• Use only what is needed for the research purpose
• Erase data once the required processing is over (or retain data under archiving purposes)
8e

26. Cases
Health data and GDPR
- Special category of data (art.9)
- Form of Further Processing
- Emphasis on the legal basis
8f

27. q
a
ptsiavos@imis.athena-innovation.gr