Scientific Research across Europe. Does the GDPR ensure an aligned approach?

The GDPR aims to establish a uniform legal framework applicable to the processing of personal data across Europe, while allowing Member States to legislate differently with regard to specific matters. One of those matters is the processing of personal data for scientific research purposes. Does EU Member States law, specific Portuguese law, prevent an aligned approach with regard to the processing of personal data for scientific research?

Now, more than ever, all eyes are set on the health sector. All hopes lie in a vaccine that can only be obtained through several clinical trials.

The fact that the General Data Protection Regulation (“GDPR”) considers health data as a special category of personal data results in the processing of such data being limited to specific situations.

Said limitations do not, however, hinder the fight against COVID-19, as some of the derogations contained in Article 9 of the GDPR concern the development of the necessary processing operations involved in a clinical trial. In particular, the GDPR allows the processing of health data for purposes of scientific research, as long as the requirements of Article 89, based on Union or Member State law, are complied with.

In other words, the GDPR allows European Union (“EU”) Member States to establish a research exemption, as well as further derogations of the data subject’s rights, which, if applied to their full extent, allow dispensing with the data subject’s consent.

In this regard, one should consider the European Data Protection Board (“EDPB”) guidelines on the processing of health data for the purpose of scientific research in the context of the COVID-19 outbreak, which clearly state that Article 6 (1) f GDPR in combination with the enacted derogations under Article 9 (2) (j) or Article 9 (2) (i) GDPR can provide a legal basis for the processing of personal (health) data for scientific research.

Furthermore, the respect for all the principles relating to processing of personal data must also be observed:  including the data minimization principle, the integrity and confidentiality principle, the storage limitation principle, the transparency principle and the accuracy principle.

In summary, a EU Member State is allowed to set the grounds of applicability of the exception stipulated by article 9(2)(i)(j) of the GDPR, i.e. with regard to the applicable safeguards and legal basis, as per article 6 of the GDPR.

With this in mind, one must consider that the efforts to achieve success in clinical trials most often imply the processing of health data in different EU Member States, being said activities affected by the derogation rules not having been fully unified within the EU.

As a matter of fact, where in some EU member states the legislator decided to clearly move away the applicability of consent as legal ground for this purpose and set the measures to safeguard the interests of the data subject, in other cases, the law opted not to take advantage of the possibility granted by article 9(2)(i)(j) and still require consent for the processing of health data for scientific research purposes. This is the case of Portugal. Pursuant to Law 58/2019, of August 8th, the Controller will only be able to process health data for scientific research if the data subject provides his/her consent. Also, we must take in consideration that the measures to safeguard the interests of the data subject vary from EU Member State to EU Member State.

As such, some issues may arise when a clinical trial is carried out in more than one EU Member State, for example between Germany and Portugal, where the legal ground and safeguard measures for the processing differ.

In conclusion, within the context of clinical trials, the EU Member State’s legislation should aim to be aligned and harmonized, in order to ensure that future scientific researches are not geographically limited (within the European Union), contributing to achieve the aimed for European Health Data Space.


Article provided by: Ricardo Henriques (Abreu Advogado, Portugal)

Co-authored by: José Maria Alves Pereira and Sofia Lopes Agostinho



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)