Article 89 GDPR: Difference between revisions
Revision as of 10:12, 6 September 2021
Legal Text
1. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.
2. Where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.
3. Where personal data are processed for archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18, 19, 20 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.
4. Where processing referred to in paragraphs 2 and 3 serves at the same time another purpose, the derogations shall apply only to processing for the purposes referred to in those paragraphs.
Relevant Recitals
Commentary
Article 89 GDPR regulates three distinct and separate purposes: archiving in the public interest, scientific or historical research purposes and statistical purposes. When these processing operations take place, appropriate safeguards for the rights and freedoms of the data subject must be implemented. Further, paragraphs (2) and (3) provide for derogations from the data subject rights listed in those paragraphs. Paragraph (4) makes clear that the derogations provided for in paragraphs (2) and (3) only apply to the purposes described in those paragraphs and not to any other purpose.
(1) Mandatory Appropriate Safeguards for Archiving Purposes in the Public Interest, Scientific or Historical Research Purposes, or Statistical Purposes
Under Article 89(1) GDPR, safeguards must be used whenever personal data are processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In particular, the provision requires the use of technical and organisational measures to achieve data minimisation, which is defined in Article 5(1)(c) GDPR as personal data being processed in a way that is 'adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed'.
Archiving Purposes in the Public Interest
Article 89(3) GDPR permits derogations for “archiving in the public interest”. Services covered by this definition are, according to Recital 158, those which have a legal obligation “to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest”. This means that archives such as personal or family archives or company records will generally not be covered by Article 89, unless they also fulfil the criteria of being kept in the “public interest”.[1]
Scientific Research Purposes
Recital 159 states that “the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research”. Recital 157 makes it clear that “scientific research” includes processing generating “new knowledge of great value with regard to widespread medical conditions such as cardiovascular disease, cancer and depression. […] Within social science, research on the basis of registries enables researchers to obtain essential knowledge about the long-term correlation of a number of social conditions such as unemployment and education with other life conditions”.
Moreover, following the wording of Recital 159, “specific conditions should apply in particular as regards the publication or otherwise disclosure of personal data in the context of scientific research purposes”.
The GDPR as a whole, and Article 89 in particular, do not distinguish between scientific research pursuing public interests and that pursuing private or purely commercial ones. It follows that, if the applicable requirements are met, “purely private or commercial interests can be pursued through the processing of personal data for scientific research purposes”.[2]
Historical Research Purposes
Under Recital 160 “Where personal data are processed for historical research purposes, this Regulation should also apply to that processing. This should also include historical research and research for genealogical purposes, bearing in mind that this Regulation should not apply to deceased persons”. In ruling out data of deceased persons, this Recital confirms Recital 27, according to which “This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons”. It should be noted, however, that genealogy research may relate to living relatives.[3]
Statistical Purposes
According to Recital 162 “statistical purposes” include “any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results”.
Recital 162 specifies that “The statistical purpose implies that the result of processing for statistical purposes is not personal data, but aggregate data, and that this result or the personal data are not used in support of measures or decisions regarding any particular natural person”. This sentence seems to suggest that aggregated data are never, by definition, personal data, with the concomitant non-application of the GDPR. From a logical point of view, this conclusion seems to be correct. However, it holds only if its main assumption is true: that aggregated data are actually anonymous and therefore not referable to a data subject. In practice, also given the high threshold required by the WP29 to achieve true anonymisation, this seems rather unlikely.[4]
The risk of re-identification is indeed inherent to the processing of large amounts of data.[5] For these reasons, scholars, whose conclusions we share, found that “a better reading of recital 162 is that it is only intended to make clear that data processed for statistical purposes remain personal data (subject to the GDPR) until they are anonymised through aggregation (i.e. until the 'result' of the statistical processing operation is achieved)”.[6]
Shall be Subject to Appropriate Safeguards
Under Article 89(1), processing for the above-mentioned purposes shall be subject to “appropriate safeguards” which shall ensure “respect for the principle of data minimisation” under Article 5(1)(c). The personal data to be collected are to be limited from the outset to what is appropriate, significant and necessary for the purpose of processing. The far-reaching privileges can only be justified under this strictly applicable premise.[7]
The provision specifically mentions pseudonymisation and anonymisation[8] as typical safeguards. The list is non-exhaustive and there may well be other suitable safeguards that adequately reduce the risks in the specific case.[9]
Such safeguards are mandatory for processing in these areas and are a prerequisite should a controller want to take advantage of the derogations set forth in paragraphs 2 and 3, both of which provide that derogations may be used “subject to the conditions and safeguards referred to in paragraph 1 of this Article”.
Pseudonymization
Under Article 4(5), pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Pseudonymized data continue to represent information about an identifiable person (Recital 26).
Anonymization
Under Article 89(1), where “those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner”. Therefore, there is an organisational obligation to carry out anonymization measures as soon as the research purpose allows.[10]
(2) Derogations Possible for Scientific or Historical Research Purposes or Statistical Purposes
Under Article 89(2), where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15 (right of access by the data subject), 16 (right to rectification), 18 (right to restriction of processing) and 21 (right to object) GDPR.
Such derogations are still subject to the conditions and safeguards referred to in Article 89(1).
Furthermore, two other requirements must be met simultaneously for the derogations to apply in a specific case. First, the data subjects’ rights must be likely to render impossible or seriously impair the achievement of the specific purposes. Second, the derogations must be necessary for the fulfilment of those purposes. It follows that the scope of the exceptions must be limited to what is necessary.
(3) Derogations are Possible for Archiving Purposes in the Public Interest
Under Article 89(3) GDPR, where personal data are processed for archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights referred to in Articles 15 (right of access by the data subject), 16 (right to rectification), 18 (right to restriction of processing), 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing), 20 (right to data portability) and 21 (right to object) GDPR.
Conditions for the Derogations to Apply
See relevant section under paragraph 2.
(4) Derogations do not Extend to Other Purposes that Require the Same Processing
Article 89(4) makes it clear that these exceptions are only available for processing specified in Article 89 and not for other purposes that may be pursued at the same time on the same dataset.
Decisions
→ You can find all related decisions in Category:Article 89 GDPR
References
1. See Wiese Svanberg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 89 GDPR, p. 1242 and ss. (Oxford University Press 2020), who also points out that the requirement that archiving “must take place 'in the public interest' should be regarded as satisfied as long as any individual archiving activity is set out-even broadly in Member State law. Thus, the GDPR does not limit the extent to which Member States can delimit what materials are of sufficient historical interest to warrant subjecting them to archiving rules”.
2. See Wiese Svanberg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 89 GDPR, p. 1242 and ss. (Oxford University Press 2020), who also specifies that any other relevant legislation (such as legislation on clinical trials in the case of medical or scientific research) may also apply.
3. Eichler, in BeckOK DatenschutzR, Article 89 GDPR, margin number 6a (Beck 2020, 36th ed.) (accessed 11 August 2021).
4. WP29, Opinion 05/2014 on Anonymisation Techniques, 10 April 2014 (available at https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf) (accessed on 12 August 2021).
5. Rocher et al., Estimating the success of re-identifications in incomplete datasets using generative models. Nature Communications 10 (2019).
6. Wiese Svanberg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 89 GDPR, p. 1250 (Oxford University Press 2020).
7. Eichler, in BeckOK DatenschutzR, Article 89 GDPR, margin number 12-13 (Beck 2020, 36th ed.) (accessed 11 August 2021).
8. The GDPR uses this wording: “Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner”, generally understood as anonymization.
9. For example, use of encryption, employees’ confidentiality obligations, sufficiently specific work instructions and computer access authorizations are to be checked even more strictly in these cases.
10. Eichler, in BeckOK DatenschutzR, Article 89 GDPR, margin number 15 (Beck 2020, 36th ed.) (accessed 11 August 2021). See also Recital 156 which states that “The further processing of personal data for archiving purposes […] is to be carried out when the controller has assessed the feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist”.