TY - JOUR
T1 - Purpose definition as a crucial step for determining the legal basis under the GDPR
T2 - Implications for scientific research
AU - Becker, Regina
AU - Chokoshvili, Davit
AU - Thorogood, Adrian
AU - Dove, Edward S.
AU - Molnar-Gabor, Fruzsina
AU - Ziaka, Alexandra
AU - Tzortzatou-Nanopoulou, Olga
AU - Comande, Giovanni
PY - 2024/2/1
Y1 - 2024/2/1
N2 - The General Data Protection Regulation (GDPR) of the European Union, which became applicable in 2018, contains a new accountability principle. Under this principle, controllers (ie parties determining the purposes and the means of the processing of personal data) are responsible for ensuring and demonstrating the overall compliance with the GDPR. However, interpretive uncertainties of the GDPR mean that controllers must exercise considerable judgement in designing and implementing an appropriate compliance strategy, making GDPR compliance both complex and resource-intensive. In this article, we provide conceptual clarity around GDPR compliance with respect to one core aspect of the law: the determination and relevance of the purpose of personal data processing. We derive from the GDPR's text concrete requirements for purpose specification, which we subsequently apply to the area of secondary use of personal data for scientific research. We offer guidance for correctly specifying purposes of data processing under different research scenarios. To illustrate the practical necessity of purpose specification for GDPR compliance, we then show how our proposed approach can enable controllers to meet their compliance obligations, using the example of the overarching GDPR principle of lawfulness to highlight the relevance of purpose specification for the identification of a suitable legal basis.
AB - The General Data Protection Regulation (GDPR) of the European Union, which became applicable in 2018, contains a new accountability principle. Under this principle, controllers (ie parties determining the purposes and the means of the processing of personal data) are responsible for ensuring and demonstrating the overall compliance with the GDPR. However, interpretive uncertainties of the GDPR mean that controllers must exercise considerable judgement in designing and implementing an appropriate compliance strategy, making GDPR compliance both complex and resource-intensive. In this article, we provide conceptual clarity around GDPR compliance with respect to one core aspect of the law: the determination and relevance of the purpose of personal data processing. We derive from the GDPR's text concrete requirements for purpose specification, which we subsequently apply to the area of secondary use of personal data for scientific research. We offer guidance for correctly specifying purposes of data processing under different research scenarios. To illustrate the practical necessity of purpose specification for GDPR compliance, we then show how our proposed approach can enable controllers to meet their compliance obligations, using the example of the overarching GDPR principle of lawfulness to highlight the relevance of purpose specification for the identification of a suitable legal basis.
KW - Gdpr
KW - Data protection
KW - Lawfulness
KW - Legal basis
KW - Purpose specification
KW - Scientific research
UR - https://www.webofscience.com/api/gateway?GWVersion=2&SrcApp=wosstart_imp_pure20230417&SrcAuth=WosAPI&KeyUT=WOS:001155719300001&DestLinkType=FullRecord&DestApp=WOS_CPL
U2 - 10.1093/jlb/lsae001
DO - 10.1093/jlb/lsae001
M3 - Article
C2 - 38313429
SN - 2053-9711
VL - 11
JO - Journal of Law and the Biosciences
JF - Journal of Law and the Biosciences
IS - 1
M1 - lsae001
ER -