Article 89
Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical resear

Recitals of the Regulation related to article 89

(56) Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.

(158) Where personal data are processed for archiving purposes, this Regulation should also apply to that processing, bearing in mind that this Regulation should not apply to deceased persons. Public authorities or public or private bodies that hold records of public interest should be services which, pursuant to Union or Member State law, have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest. Member States should also be authorised to provide for the further processing of personal data for archiving purposes, for example with a view to providing specific information related to the political behaviour under former totalitarian state regimes, genocide, crimes against humanity, in particular the Holocaust, or war crimes.

(159) Where personal data are processed for scientific research purposes, this Regulation should also apply to that processing. For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research. In addition, it should take into account the Union's objective under Article 179(1) TFEU of achieving a European Research Area. Scientific research purposes should also include studies conducted in the public interest in the area of public health. To meet the specificities of processing personal data for scientific research purposes, specific conditions should apply in particular as regards the publication or otherwise disclosure of personal data in the context of scientific research purposes. If the result of scientific research in particular in the health context gives reason for further measures in the interest of the data subject, the general rules of this Regulation should apply in view of those measures.

(160) Where personal data are processed for historical research purposes, this Regulation should also apply to that processing. This should also include historical research and research for genealogical purposes, bearing in mind that this Regulation should not apply to deceased persons.

(161) For the purpose of consenting to the participation in scientific research activities in clinical trials, the relevant provisions of Regulation (EU) No 536/2014 of the European Parliament and of the Council (15) should apply.

(162) Where personal data are processed for statistical purposes, this Regulation should apply to that processing. Union or Member State law should, within the limits of this Regulation, determine statistical content, control of access, specifications for the processing of personal data for statistical purposes and appropriate measures to safeguard the rights and freedoms of the data subject and for ensuring statistical confidentiality. Statistical purposes mean any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results. Those statistical results may further be used for different purposes, including a scientific research purpose. The statistical purpose implies that the result of processing for statistical purposes is not personal data, but aggregate data, and that this result or the personal data are not used in support of measures or decisions regarding any particular natural person.

(163) The confidential information which the Union and national statistical authorities collect for the production of official European and official national statistics should be protected. European statistics should be developed, produced and disseminated in accordance with the statistical principles as set out in Article 338(2) TFEU, while national statistics should also comply with Member State law. Regulation (EC) No 223/2009 of the European Parliament and of the Council (16) provides further specifications on statistical confidentiality for European statistics.

Recitals of the Directive related to article 89

(29) Whereas the further processing of personal data for historical, statistical or scientific purposes is not generally to be considered incompatible with the purposes for which the data have previously been collected provided that Member States furnish suitable safeguards; whereas these safeguards must in particular rule out the use of the data in support of measures or decisions regarding any particular individual.

(34) Whereas Member States must also be authorized, when justified by grounds of important public interest, to derogate from the prohibition on processing sensitive categories of data where important reasons of public interest so justify in areas such as public health and social protection - especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system - scientific research and government statistics; whereas it is incumbent on them, however, to provide specific and suitable safeguards so as to protect the fundamental rights and the privacy of individuals;

The GDPR

Article 89 of the Regulation also provides for specific exceptions to certain rules contained in the Regulation for scientific, statistical or historical purposes. It also extends the scope by adding the purpose of archiving in the public interest.

Unlike the Directive, the exemptions apply regardless of whether such purposes were addressed in the initial data collection. They are therefore generally applicable to any further pursuit of such purposes.

The Regulation states that the pursuit of such purposes is subject to measures that safeguard the rights and freedoms of the data subject and guarantee compliance with the principle of data minimisation (art. 5 (c)), so that only the data necessary for the purpose are processed. Article 89 therefore refers to the implementation of technical and/or organisational measures such as pseudonymisation (Article 4 (5)).

Pseudonymisation is defined in Article 4 (5) as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. It conceals the identity of the data subject by replacing one attribute with another in the records, in order to mitigate the risk of correlating a data set with the original identity of the data subject (see in this regard G29, Opinion 04/2007 on the concept of personal data; encoded data is a classic example of pseudonymisation; G29, WP 216, Opinion 05/2014 on Techniques for anonymization, p. 22).

Article 89 specifies that, where the purposes can be fulfilled in that manner, the controller must favour further processing that does not, or no longer, allow the identification of the data subjects.
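The split that Article 4 (5) describes, shown as an added example that is not part of the Regulation or of the opinions cited: the research data set carries only a keyed pseudonym and the fields the purpose needs, while the key and the link table are the "additional information" to be held separately. HMAC-SHA256 as the pseudonym function, the field names and the sample records are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (not real data). "national_id" and "name" are
# direct identifiers; the other fields are what the assumed study needs.
RAW_RECORDS = [
    {"national_id": "A-1001", "name": "Person One", "birth_year": 1980, "diagnosis": "J45"},
    {"national_id": "A-1001", "name": "Person One", "birth_year": 1980, "diagnosis": "J45"},
    {"national_id": "A-1002", "name": "Person Two", "birth_year": 1975, "diagnosis": "E11"},
    {"national_id": "A-1003", "name": "Person Three", "birth_year": 1992, "diagnosis": "J45"},
]

# Assumption: the research purpose needs only these attributes (data minimisation).
NEEDED_FIELDS = ("birth_year", "diagnosis")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: stable for one key, not recomputable without it."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Return (research_set, link_table).

    research_set: rows with a pseudonym plus the needed fields only.
    link_table:   pseudonym -> original identifier; together with the key this
                  is the additional information that must be stored apart
                  from the research set, under its own access controls.
    """
    research_set, link_table = [], {}
    for rec in records:
        pid = pseudonym(rec["national_id"], key)
        link_table[pid] = rec["national_id"]
        row = {"pid": pid}
        row.update({field: rec[field] for field in NEEDED_FIELDS})
        research_set.append(row)
    return research_set, link_table


def reidentify(pid, link_table):
    """Only a holder of the separately kept link table can reverse a pseudonym."""
    return link_table.get(pid)


def aggregate(research_set, field):
    """Further processing whose output carries no per-person key at all:
    record counts per value of `field`."""
    return dict(Counter(row[field] for row in research_set))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and stored outside the research environment
    research_set, link_table = pseudonymise(RAW_RECORDS, key)
    for row in research_set:
        print(row)
    print(aggregate(research_set, "diagnosis"))
```

The pseudonymised rows remain personal data because the key holder can still attribute them; only the aggregated output drops the per-person link.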

Where personal data are processed for archiving in the public interest, for scientific or historical research purposes or for statistical purposes, the Member States may provide for derogations from the rights granted to data subjects, in so far as, on the one hand, such rights are likely to render impossible or seriously impair the achievement of the specific purposes and, on the other hand, such derogations are necessary for the fulfilment of those purposes (paragraph 2). However, the rights from which derogations may be provided depend on the purpose pursued:

- In the case of processing for scientific or historical research purposes or statistical purposes, the Union or the Member State may provide for derogations from the right of access (Art. 15), the right to rectification (Art. 16), the right to restriction of processing (Art. 18) and the right to object (Art. 21).

- In the case of processing for archiving in the public interest, the Union or the Member States may derogate from the right of access (Art. 15), the right to rectification (Art. 16), the right to restriction of processing (Art. 18), the obligation of notification regarding the rectification or erasure of personal data or the restriction of processing (Art. 19), the right to data portability (Art. 20) and the right to object (Art. 21).

However, if the processing for historical or scientific research purposes or for archiving purposes in the public interest also pursues other purposes, the derogations referred to above apply only to processing for the purposes set out in article 89. Indeed, it should be remembered that statistical purposes often serve other purposes, in particular when the statistics are used to support a decision (credit scoring, customer profiling, etc.). The rule then states that the derogations may be applied to a new and different purpose in the future - for example a statistical purpose - while the purposes operating at the present time remain subject to the full data protection rules. That is what recital 162 seems to mean when it states that the statistical purposes in question cannot be used to support measures or decisions with respect to a specific natural person.

The Directive

The Directive already provided various exemptions from the principles of protection for processing for historical, statistical or scientific purposes. For example, Article 6 already provided that such processing was not deemed incompatible with various initial purposes, subject to safeguards under national law. Under the same condition, the data could also be stored longer than necessary for the initial purpose or even for a purpose deemed to be compatible.

Still with appropriate safeguards, Article 11 (2) provided an exemption from the obligation to notify data subjects about processing for such purposes if notifying the data subject would be impossible or would involve disproportionate effort, or if the legislation explicitly provided for the recording or communication of the data.

Subject to adequate legal safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual, Member States might, where there is clearly no risk of breaching the privacy of the data subject, restrict by a legislative measure the rights provided for in Article 12 when data are processed solely for purposes of scientific research or are kept in a personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics (Article 13 (2)).

Potential issues

Insofar as the provision specifies accepted consequences of the principle of proportionality in the area, the provision only clarifies a regime that is already being enforced.

Additionally, the Regulation does not provide reasons for the possibility of derogation in one area but not another. For instance, why is there the right to portability and the right to be forgotten but not the right to information (Articles 13 and 14)?     

Summary

European Union

European data protection board (EDPB)

Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (21 April 2020)

Due to the COVID-19 pandemic, there are currently great scientific research efforts in the fight against the SARS-CoV-2 in order to produce research results as fast as possible.

 At the same time, legal questions concerning the use of health data pursuant to Article 4 (15) GDPR for such research purposes keep arising. The present guidelines aim to shed light on the most urgent of these questions such as the legal basis, the implementation of adequate safeguards for such processing of health data and the exercise of the data subject rights.

Please note that the development of a further and more detailed guidance for the processing of health data for the purpose of scientific research is part of the annual work plan of the EDPB. Also, please note that the current guidelines do not revolve around the processing of personal data for epidemiological surveillance.

Regulation

Art. 89

1.   Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

2.   Where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

3.   Where personal data are processed for archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18, 19, 20 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

4.   Where processing referred to in paragraphs 2 and 3 serves at the same time another purpose, the derogations shall apply only to processing for the purposes referred to in those paragraphs.

1st proposal

Art. 83

1. Within the limits of this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if:

(a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject;

(b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this manner.

2. Bodies conducting historical, statistical or scientific research may publish or otherwise publicly disclose personal data only if:

(a) the data subject has given consent, subject to the conditions laid down in Article 7;

(b) the publication of personal data is necessary to present research findings or to facilitate research insofar as the interests or the fundamental rights or freedoms of the data subject do not override these interests; or

(c) the data subject has made the data public.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the processing of personal data for the purposes referred to in paragraph 1 and 2 as well as any necessary limitations on the rights of information to and access by the data subject and detailing the conditions and safeguards for the rights of the data subject under these circumstances.

2nd proposal

Art. 83

1. Where personal data are processed for scientific, statistical or historical purposes Union or Member State law may, subject to appropriate safeguards for the rights and freedoms of the data subject, provide for derogations from Articles 14a(1) and (2), 15, 16, 17, 17a, 17b, 18 and 19, insofar as such derogation is necessary for the fulfilment of the specific purposes.

1a. Where personal data are processed for archiving purposes in the public interest, Union or Member State law may, subject to appropriate safeguards for the rights and freedoms of the data subject, provide for derogations from Articles 14a(1) and (2), 15, 16, 17, 17a, 17b, 18, 19, 23, 32, 33 and 53 (1b)(d) and (e), insofar as such derogation is necessary for the fulfilment of these purposes.

1b. In case a type of processing referred to in paragraphs 1 and 1a serves at the same time another purpose, the derogations allowed for apply only to the processing for the purposes referred to in those paragraphs.

2. The appropriate safeguards referred to in paragraphs 1 and 1a shall be laid down in Union or Member State law and be such to ensure that technological and/or organisational protection measures pursuant to this Regulation are applied to the personal data (…), to minimise the processing of personal data in pursuance of the proportionality and necessity principles, such as pseudonymising the data, unless those measures prevent achieving the purpose of the processing and such purpose cannot be otherwise fulfilled within reasonable means.

3. (…).

Directive

Art. 6

1. Member States shall provide that personal data must be:

(…)

 Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;

(…)

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. 

(...)

Art. 11

Information where the data have not been obtained from the data subject

1. Where the data have not been obtained from the data subject, Member States shall provide that the controller or his representative must at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed provide the data subject with at least the following information, except where he already has it:

(a) the identity of the controller and of his representative, if any;

(b) the purposes of the processing;

(c) any further information such as

- the categories of data concerned,

- the recipients or categories of recipients,

- the existence of the right of access to and the right to rectify the data concerning him

in so far as such further information is necessary, having regard to the specific circumstances in which the data are processed, to guarantee fair processing in respect of the data subject.

2. Paragraph 1 shall not apply where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law. In these cases Member States shall provide appropriate safeguards.

Art. 13

(…)

2. Subject to adequate legal safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual, Member States may, where there is clearly no risk of breaching the privacy of the data subject, restrict by a legislative measure the rights provided for in Article 12 when data are processed solely for purposes of scientific research or are kept in personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics.

Act No. 110/2019 Coll., on the Processing of Personal Data, as amended

Art. 16

Processing of Personal Data for the Purposes of Scientific or Historical Research or for Statistical Purposes

(1) When processing personal data for scientific or historical research purposes or for statistical purposes, the controller or processor shall ensure that specific measures are taken to protect the interests of the data subject, which are appropriate to the state of the technology, the costs of implementation, the nature, scope, context, and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons. Such measures may include, in particular:

(a) technical and organizational measures aimed at the consistent application of the obligation under Article 5(1)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council,

(b) maintaining records of at least all operations involving the collection, entry, modification, and erasure of personal data, which will enable the identification and verification of the person performing the operation, and retaining such records for at least 2 years following the performance of the operation,

(c) informing persons processing personal data of their obligations regarding the protection of personal data,

(d) appointing a data protection officer,

(e) specific restrictions on access to personal data within the controller or processor,

(f) pseudonymization of personal data,

(g) encryption of personal data,

(h) measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services,

(i) measures enabling the restoration of the availability of personal data and timely access to such data in the event of incidents,

(j) a process for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures implemented to ensure the security of processing,

(k) specific restrictions on the transfer of personal data to a third country, or

(l) specific restrictions on the processing of personal data for other purposes.

(2) Where this enables the purpose referred to in paragraph 1 to be achieved, the controller or processor shall further process the personal data referred to in Article 9(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council in a form that does not permit the identification of the data subject, unless the legitimate interests of the data subject prevent this.

(3) Unless otherwise provided by another legal regulation, Articles 15, 16, 18, and 21, and to the corresponding extent also Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council shall apply mutatis mutandis, or the fulfillment of the controller’s or processor’s obligations or the exercise of the data subject’s rights set forth in those articles shall be deferred, if necessary and to the extent proportionate to the fulfillment of the purpose of processing referred to in paragraph 1. Article 15 and, to the extent applicable, Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council shall not apply where the processing is necessary for the purposes of scientific research and the provision of information would require disproportionate effort.

Act No. 499/2004 Coll., Act on Archives and Records Management and on Amendments to Certain Acts, as amended

Art. 78

(1) An archive is required to perform the tasks assigned to the controller of personal data under a special legal regulation.

(2) The processing of personal data for archival purposes, including the conditions for inspecting archival records and making copies, extracts, and duplicates thereof, shall be governed by a special legal regulation in cases not covered by this Act.

(3) The archive is not required to verify whether the data contained in archival records and in the metadata of archival records in digital form under its care are accurate or true.

(4) The data subject’s right of access to personal data contained in archival records pursuant to Article 15 and, to the corresponding extent, Article 5 of the directly applicable European Union regulation governing the protection of personal data, shall be exercised solely through inspection of the archival records in accordance with this Act.

(5) The provisions of Article 16 and Articles 18 through 21, and to the corresponding extent Article 5 of the directly applicable European Union regulation governing the protection of personal data, shall not apply to the processing of personal data for archival purposes.

Art. 13

(…)

(3) The consent of a natural person is not required under a special legal regulation for the selection of archival records from documents containing personal data and for their permanent preservation.

(…)

Art. 37

(1) Unless otherwise specified below, only records older than thirty years and all published records are available for inspection in the archives.

(2) Records containing personal data of a living person may be inspected unless that person has raised objections in writing. The archive shall notify the person in writing of the submitted request to inspect the archival records; if the notification concerns at least thirty persons, it may be delivered by public notice posted on the archive’s official bulletin board, and if the archive does not maintain an official bulletin board, on the official bulletin board of the state regional archive in whose district the archive is located. The notice shall include the information specified in Article 35(1)(a) through (c), the personal data of the person to be disclosed, the period during which the archival records will be inspected, and instructions regarding the legal consequences of filing or failing to file an objection within the prescribed time limit. An objection to the inspection of the archival records pursuant to the first sentence may be raised by the person within 30 days of the date of delivery of the notice. The objection must clearly specify which personal data it concerns. If the person does not raise an objection within the time limit specified in the fourth sentence, it is deemed that they consent to the inspection of the archival records. Part Two of the Administrative Procedure Code applies to the delivery of notices and the calculation of time limits.

(3) Archival records relating to a living natural person that contain sensitive personal data may be inspected only with the prior written consent of that person. The archive shall request the consent of the person concerned to inspect such archival records. The request shall include the information specified in Article 35(1)(a) through (c), the sensitive personal data of the person to be disclosed, and the period during which the archival records will be inspected.

(4) The provisions of paragraph 1 do not apply to archival records created prior to January 1, 1990, from the activities of state authorities.

(5) The provisions of paragraphs 1 through 3 do not apply to archival records created before January 1, 1990, from the activities of military courts and public prosecutors’ offices at all levels, security agencies pursuant to the Act on the Institute for the Study of Totalitarian Regimes and on the Archive of Security Agencies, as well as extraordinary people’s courts, the State Court, the National Court, and social organizations and political parties affiliated with the National Front; to archival records created by the activities of the German occupation administration in the territory ceded to the Reich and in the Protectorate of Bohemia and Moravia between 1938 and 1945; to archival records that were already publicly accessible prior to the submission of a request for access to them, as well as to archival records that were publicly accessible as documents prior to being designated as archival records.

(6) The provisions of paragraphs 1 through 3 do not apply to archival records containing statistical data sets obtained through demographic and statistical surveys, provided that the personal data contained in such records can be anonymized prior to inspection. Upon request, the archive shall anonymize the records within a reasonable time, taking into account the archive’s tasks and the significance of the records. After anonymizing the personal data contained in the requested records, the archive shall immediately notify the requester of this fact, provided the requester has stipulated this in writing in advance.

(7) The provisions of paragraphs 1 through 3 do not apply to the creators of the archival records; these entities may inspect the archival records of which they are the creators without restriction. The provision of the first sentence shall apply mutatis mutandis to the legal successors of the creators of the archival records. Furthermore, the provisions of paragraphs 1 through 3 do not apply to the entities listed in Article 38(5); these entities may inspect the archival records created by the state or a local government unit without restriction.

Art. 38

(1) Access to records stored in the archives shall be denied if

(…)

(c) a natural person has objected to access to records containing their personal data; this does not apply to records under Article 37(5) and (6),

(d) a natural person does not consent to the inspection of archival records containing their sensitive personal data,

(…).

Art. 39

(1) Archival records may be exhibited only if their condition permits and under conditions that ensure their protection and care in accordance with this Act and the protection of personal data in accordance with a separate legal regulation.

(…)

Old law

Act No. 101/2000 Coll., on the Protection of Personal Data and on Amendments to Certain Acts, as amended - repealed as of April 24, 2019

Art. 5

(1)

(...)

(e) store personal data only for a period necessary for the purpose of their processing. After expiry of this period, personal data may be retained only for purposes of the state statistical service, and for scientific and archival needs. When using personal data for these purposes, it is necessary to respect the right to protection of private and personal lives of the data subject from unauthorised interference and to make personal data anonymous as soon as possible;

Art. 11

(...)

(3) The controller shall not be obliged to provide the information and instruction pursuant to paragraph 1 in cases where the personal data were not obtained from the data subject, if

(a) he is processing personal data exclusively for the purposes of state statistical service, scientific or archival purposes and the provision of such information would involve a disproportionate effort or inadequately high costs; or if storage on data carriers or disclosure is expressly provided by a special Act. In these cases the controller shall be obliged to take all necessary measures against unauthorised interference with the data subject's private and personal lives.

(...)
