Article 89 GDPR: Difference between revisions

From GDPRhub
m (Pinpointing rendering error)
 
(9 intermediate revisions by 5 users not shown)
Line 185: Line 185:


== Legal Text ==
== Legal Text ==
<br /><center>'''Article 89 - Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes'''</center><span id="1">1.  Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.</span>
<center>'''Article 89 - Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes'''</center>
 
<span id="1">1.  Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.</span>


<span id="2">2.  Where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.</span>
<span id="2">2.  Where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.</span>
Line 198: Line 200:
== Commentary ==
== Commentary ==


Article 89 GDPR specifically regulates the processing of personal data for four distinct purposes: (i) archiving in the public interest, (ii) scientific research, (iii) historical research and (iii) statistical purposes. In many instances, collecting large quantities of personal data is a key component, if not a prerequisite for achieving such purposes. Clinical trials or political polls, for example, are based on the collection and analysis, on a large scale, of sensitive personal data. Because of the large scope of such processing operations, as well as the risks they entail, the EU legislator has introduced specific safeguards in Article 89(1) GDPR for protecting the rights and freedoms of data subjects.
Article 89 GDPR regulates the processing of personal data for four distinct purposes: (i) archiving in the public interest, (ii) scientific research, (iii) historical research and (iv) statistical purposes. In many instances, collecting large quantities of personal data is a key component, if not a prerequisite, for achieving such purposes. For example, clinical trials or political polls are both based on the large-scale collection and analysis of sensitive personal data. Because of the broad scope of such processing operations, as well as the risks they entail, the EU legislator has introduced specific safeguards in Article 89(1) GDPR to protect the rights and freedoms of data subjects. At the same time, overburdening controllers with legal obligations may ultimately impede research, or even defeat the very purpose of the processing. This, in turn, may become detrimental for society, as many societal advances are based on archiving systems, scientific and historical research, or statistical studies. Hence, Article 89(2) and (3) GDPR also allow for specific derogation to the GDPR for these purposes, as further detailed below.
 
=== (1) Mandatory Appropriate Safeguards for Archiving Purposes in the Public Interest, Scientific or Historical Research Purposes,... ===
Article 89(1) GDPR provides that when processing operations take place for (i) archiving in the public interest, (ii) scientific or historical research or (iii) statistical purposes, appropriate safeguards for the rights and freedoms of the data subject must be implemented. After defining each of these purposes, the safeguards that controllers must be in place will be discussed.
===== Archiving Purposes in the Public Interest =====
According to Recital 158 GDPR, processing for archiving purposes in the public interest can be defined as any operation “''to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest''”. This means that personal or family archives, or company records will generally not be covered by Article 89 GDPR, unless they also fulfil the criteria of being kept in the “''public interest''”.<ref>See, ''Wiese Svanberg,'' in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 89 GDPR, p. 1242 and ss. (Oxford University Press 2020) who also points out that the requirement that archiving "''must take place 'in the public interest' should be regarded as satisfied as long as any individual archiving activity is set out-even broadly in Member State law. Thus, the GDPR does not limit the extent to which Member States can delimit what materials are of sufficient historical interest to warrant subjecting them to archiving rules''”.</ref>
 
===== Scientific Research Purposes =====
Recital 159 GDPR states that “''the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research''”. Recital 157 GDPR makes it clear that scientific research also includes processing generating “''new knowledge of great value with regard to widespread medical conditions such as cardiovascular disease, cancer and depression''. […] ''Within social science, research on the basis of registries enables researchers to obtain essential knowledge about the long-term correlation of a number of social conditions such as unemployment and education with other life conditions''”. The GDPR as a whole, and Article 89 GDPR in particular, do not distinguish between scientific research pursuing public interests and that pursuing private or purely commercial ones. It follows that, if the applicable requirements are met, "''purely private or commercial interests can be pursued through the processing of personal data for scientific research purposes''”.<ref>See, ''Wiese Svanberg,'' in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 89 GDPR, p. 1242 and ss. (Oxford University Press 2020) who also specifies that any other relevant legislation (such as legislation on clinical trials in the case of medical or scientific research) may also apply.</ref> Clinical trials conducted by pharmaceutical companies, for example, would therefore fall within the scope of Article 89 GDPR. Similarly, scientific research conducted by a university or a public institution would also fall within the scope of Article 89 GDPR.  


At the same time, overburdening controllers with legal obligations may ultimately impede research, or even defeat the very purpose of the processing. This, in turn, may become detrimental for society, as many societal advances are based on archiving systems, scientific and historical research, or statistical studies. Hence, Article 89(2) and (3) GDPR also allow for specific derogations to the GDPR for these purposes, as further detailed below.
===== Historical Research Purposes =====
Under Recital 160 “[w]''here personal data are processed for historical research purposes, this Regulation should also apply to that processing. This should also include historical research and research for genealogical purposes, bearing in mind that this Regulation should not apply to deceased persons''”. In ruling out data relating to deceased persons, this Recital confirms Recital 27 GDPR, according to which the GDPR “''does not apply to the personal data of deceased persons''”. However, it should be noted that genealogy research may relate to living relatives as well, in which case the GDPR would still apply to protect the rights and freedoms of those individuals.<ref>''Eichler'', in BeckOK DatenschutzR, Article 89 GDPR, margin number 6a (C.H. Beck 2020, 36th edition).</ref>


=== (1) Mandatory Appropriate Safeguards for Archiving Purposes in the Public Interest, Scientific or Historical Research Purposes, or Statistical Purposes ===
===== Statistical Purposes =====
According to Recital 162 GDPR, “''statistical purposes''” include “''any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results''”. Recital 162 GDPR specifies that “''the result of processing for statistical purposes is not personal data, but aggregate data",'' and that ''"this result or the personal data are not used in support of measures or decisions regarding any particular natural person''”. This sentence seems to suggest that aggregated data are never, by definition, personal data, with the concomitant non-application of the GDPR. From a logical point of view, this conclusion seems to be correct. However, the main assumption must be true: in particular, that aggregated data are actually anonymous and therefore not referable to any data subject. In practice however, given the high threshold required by the WP29 to achieve true anonymisation, it seems rather unlikely that all aggregated data would systematically fall outside of the scope of the GDPR.<ref>WP29, Opinion 05/2014 on Anonymisation Techniques, 10 April 2014 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf here]).</ref> The risk of re-identification is indeed inherent to the processing of large amounts of data.<ref>''Rocher et al.'', Estimating the success of re-identifications in incomplete datasets using generative models. ''Nature Communications'' 10 (2019).</ref> For these reasons, scholars have convincingly argued that “''a better reading of recital 162 is that it is only intended to make clear that data processed for statistical purposes remain personal data (subject to the GDPR) until they are anonymised through aggregation (i.e. until the 'result' of the statistical processing operation is achieved)''”.<ref>''Wiese Svanberg,'' in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 89 GDPR, p. 
1250 (Oxford University Press 2020).</ref>


==== Obligation to implement appropriate safeguards ====
==== Obligation to implement appropriate safeguards ====
Article 89(1) GDPR provides that when processing operations take place for (i) archiving in the public interest, (ii) scientific or historical research or (iii) statistical purposes, appropriate safeguards for the rights and freedoms of the data subject must be implemented. Those safeguards require, among others, that controllers and processors put in place technical and organisational measures to <span id="1">ensure respect for the principle of data minimisation</span>, as set in [[Article 5 GDPR|Article 5(1)(c) GDPR]]. This means in particular that the collection of personal data should be limited from the outset to what is appropriate, relevant and necessary for the purpose of processing. The far-reaching derogations granted under Article 89 GDPR can only be justified under this strictly applicable premise.<ref>''Eichler'', in BeckOK DatenschutzR, Article 89 GDPR, margin number 12-13 (Beck 2020, 36th ed.) (accessed 11 August 2021).</ref>
According to Article 89(1) GDPR, controllers and processors must implement appropriate safeguards to protect the rights and freedom of data subjects whose personal data are collected and further processed for the aforementioned purposes. More specifically, technical and organisational measures must be implemented to ensure, in particular, respect for the principle of data minimisation, as set in [[Article 5 GDPR|Article 5(1)(c) GDPR]]. This means that the collection of personal data should from the outset be limited to what is appropriate, relevant and necessary for the purpose pursued. The far-reaching derogations granted under Article 89(2) and (3) GDPR can only be justified under this strictly applicable premise.<ref>''Eichler'', in BeckOK DatenschutzR, Article 89 GDPR, margin number 12-13 (C.H. Beck 2020, 36th edition).</ref> Among the organisational and technical measures that controllers or processors should put in place, Article 89(1) GDPR specifically mentions pseudonymisation and anonymisation.<ref>The GDPR uses this wording: “''Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner''”, generally understood as anonymization.</ref> This list is of course non-exhaustive, and there may well be other suitable measures that adequately reduce the risks associated with the processing of personal data in those areas.<ref>For example, use of encryption, employees’ confidentiality obligations, sufficiently specific work instructions and computer access authorizations are to be checked even more strictly in these cases.</ref>
 
Among the organisational and technical measures that controllers or processors should put in place, the provision specifically mentions pseudonymisation and anonymisation.<ref>The GDPR uses this wording: “''Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner''”, generally understood as anonymization.</ref> This list is of course non-exhaustive and there may well be other suitable measures that adequately reduce the risks associated with the processing of personal data in those areas.<ref>For example, use of encryption, employees’ confidentiality obligations, sufficiently specific work instructions and computer access authorizations are to be checked even more strictly in these cases.</ref>
===== Pseudonymisation =====
===== Pseudonymisation =====
Under [[Article 4 GDPR|Article 4(5) GDPR,]] pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately. Pseudonymised data are thus personal data, since the individuals to whom they relate remain identifiable (Recital 26). Through pseudonimisation, controllers are therefore not exempted from complying with the GDPR, but are simply reducing the overall risks linked to the processing of personal data.
Under [[Article 4 GDPR|Article 4(5) GDPR,]] pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately. Pseudonymised data are thus personal data, since the individuals to whom they relate remain identifiable (Recital 26 GDPR). Through pseudonymisation, controllers are therefore not exempted from complying with the GDPR, but are simply reducing the overall risks linked to the processing of personal data.  


===== Anonymisation =====
===== Anonymisation =====
According to Recital 26 of the GDPR, anonymisation is the process of rendering personal data anonymous, in the sense that the data subject is no longer identified or identifiable. The anonymisation process must be robust enough to prevent any risk of reidentification. Hence, the technical requirements of anonymisation may vary from one case to another depending on the data available, and may become increasingly difficult to achieve as re-identification techniques are evolving in parallel.<ref>WP29, Opinion 05/2014 on Anonymisation Techniques, 0829/14/EN, 10 April 2014.</ref>
According to Recital 26 GDPR, anonymisation is the process of rendering personal data anonymous, in the sense that the data subject is no longer identified or identifiable. The anonymisation process must be robust enough to prevent any risk of reidentification. Hence, the technical requirements of anonymisation may vary from one case to another depending on the data available, and may become increasingly difficult to achieve as re-identification techniques evolve in parallel.<ref>WP29, Opinion 05/2014 on Anonymisation Techniques, 0829/14/EN, 10 April 2014, p. 4, 8 and in general throughout the Opinion (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf here]).</ref> While Article 89(1) GDPR states that pseudonymisation "''may''" be used as a technical measure, anonymisation becomes mandatory when it does not prevent or defeat the purpose of the processing. For example, if a public authority orders a statistical survey on water consumption to improve water management in a specific city, the study should be based on anonymised data if identifying the respondents is not necessary to reach valid findings. By contrast, conducting a clinical trial may require the collection and monitoring of personal data of identified patients. In that case, anonymisation would therefore neither be possible, nor required under Article 89(1) GDPR. All in all, it can be concluded that anonymisation only becomes a mandatory technical measure if the research purpose allows for it.<ref>''Eichler'', in BeckOK DatenschutzR, Article 89 GDPR, margin number 15 (C.H. Beck 2020, 36th ed.). See also Recital 156 which states that “''The further processing of personal data for archiving purposes'' […] ''is to be carried out when the controller has assessed the feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist''”.</ref>
 
While Article 89(1) GDPR states that pseudonymisation "''may''" be used as a technical measure, anonymisation, for its part, becomes mandatory when it does not prevent or defeat the purpose of the processing. For example, if a public authority orders a statistical survey on household water consumption to improve water management in a specific region, such study should be based on anonymised data, since identifying the respondents is not necessary to reach valid findings. By contrast, clinical trials may require the collection and monitoring of personal data of identified patients while being conducted, including for legal reasons. In that case, anonymisation would therefore not be required. All in all, it can therefore be concluded that anonymization only becomes a mandatory technical measure if the research purpose allows for it.<ref>''Eichler'', in BeckOK DatenschutzR, Article 89 GDPR, margin number 15 (Beck 2020, 36th ed.) (accessed 11 August 2021). See also Recital 156 which states that “''The further processing of personal data for archiving purposes'' […] ''is to be carried out when the controller has assessed the feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist''”.</ref>
==== Archiving Purposes in the Public Interest ====
According to Recital 158 of the GDPR, processing for archiving purposes in the public interest can be defined as any operation “''to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest''”. This means that archives such as personal or family archives, or company records will generally not be covered by Article 89 GDPR, unless they also fulfil the criteria of being kept in the “''public interest''”.<ref>See, ''Wiese Svanberg,'' in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 89 GDPR, p. 1242 and ss. (Oxford University Press 2020) who also points out that the requirement that archiving "''must take place 'in the public interest' should be regarded as satisfied as long as any individual archiving activity is set out-even broadly in Member State law. Thus, the GDPR does not limit the extent to which Member States can delimit what materials are of sufficient historical interest to warrant subjecting them to archiving rules''”.</ref>
 
==== Scientific Research Purposes ====
Recital 159 states that “''the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research''”. Recital 157 makes it clear that scientific research also includes processing generating “''new knowledge of great value with regard to widespread medical conditions such as cardiovascular disease, cancer and depression''. […] ''Within social science, research on the basis of registries enables researchers to obtain essential knowledge about the long-term correlation of a number of social conditions such as unemployment and education with other life conditions''”.
 
The GDPR as a whole, and Article 89 in particular, do not distinguish between scientific research pursuing public interests and that pursuing private or purely commercial ones. It follows that, if the applicable requirements are met, "''purely private or commercial interests can be pursued through the processing of personal data for scientific research purposes''”.<ref>See, ''Wiese Svanberg,'' in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 89 GDPR, p. 1242 and ss. (Oxford University Press 2020) who also specifies that any other relevant legislation (such as legislation on clinical trials in the case of medical or scientific research) may also apply.</ref>
 
==== Historical Research Purposes ====
Under Recital 160 “''Where personal data are processed for historical research purposes, this Regulation should also apply to that processing. This should also include historical research and research for genealogical purposes, bearing in mind that this Regulation should not apply to deceased persons''”. In ruling out data of deceased persons, this Recital confirms Recital 27, according to which “''This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons''”. It should be noted, however, that genealogy research may relate to living relatives.<ref>''Eichler'', in BeckOK DatenschutzR, Article 89 GDPR, margin number 6a (Beck 2020, 36th ed.) (accessed 11 August 2021).</ref>
 
==== Statistical Purposes ====
According to Recital 162 “''statistical purposes''” include “''any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results''”.


Recital 162 specifies that “''The statistical purpose implies that the result of processing for statistical purposes is not personal data, but aggregate data, and that this result or the personal data are not used in support of measures or decisions regarding any particular natural person''”. This sentence seems to suggest that aggregated data are never, by definition, personal data, with the concomitant non-application of the GDPR. From a logical point of view, this conclusion seems to be correct. However, the main assumption must be true: in particular, that aggregated data are actually anonymous and therefore not referable to a data subject. In practice, also given the high threshold required by the WP29 to achieve true anonymisation, it seems rather unlikely.<ref>WP29, Opinion 05/2014 on Anonymisation Techniques, 10 April 2014 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf here]) (accessed on 12 August 2021).</ref>
===== Other measures =====
As previously said, anonymisation and pseudonymisation are only two examples of technical measures that can be put in place by the controllers or processors when conducting research for scientific, historical or statistical purpose. Other measures and safeguards should also be considered. At the national level, Member States have sometimes established more specific obligations in that respect.  


The risk of re-identification is indeed inherent to the processing of large amounts of data.<ref>''Rocher et al.'', Estimating the success of re-identifications in incomplete datasets using generative models. ''Nature Communications'' 10 (2019).</ref> For these reasons, scholars whose conclusions we share, found that “''a better reading of recital 162 is that it is only intended to make clear that data processed for statistical purposes remain personal data (subject to the GDPR) until they are anonymised through aggregation (i.e. until the 'result' of the statistical processing operation is achieved)''”.<ref>''Wiese Svanberg,'' in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 89 GDPR, p. 1250 (Oxford University Press 2020).</ref>
In Luxembourg, for example, Article 65 of the Act of 1st October 2018 on the processing of personal data specifically requires controllers to put in place twelve organisational or technical measures, including anonymisation and pseudonymisation, when processing personal data for scientific or historical research, archiving purposes or statistical purposes. Among the other measures listed in that article, one may for example find the appointment of a Data Protection Officer (DPO) to supervise the processing of the personal data, the obligation to conduct a Data Protection Impact Assessment (DPIA), the encryption of the personal data with state-of-the-art key management, restrictions on data access within the organisation of the controller, or raising the awareness of the staff with respect to professional secrecy and personal data protection. The same article further specifies that the controller must document and justify for each project the exclusion, where applicable, of one or more of the measures listed in that article.  


Other Member States have adopted similar provisions. Thus, besides the minimum requirements set in Article 89(1) GDPR, controllers involved in the processing of personal data for scientific or historical research, archiving purposes or statistical purposes should also pay due attention to possible additional requirements under national legislation.
=== (2) Derogations Possible for Scientific or Historical Research Purposes or Statistical Purposes ===
=== (2) Derogations Possible for Scientific or Historical Research Purposes or Statistical Purposes ===
Under Article 89(2), where personal data are processed for statistical purposes, Union or Member State law may provide for derogations from the rights referred to in [[Article 15 GDPR|Articles 15]] (right of access by the data subject), [[Article 16 GDPR|16]] (right to rectification), [[Article 18 GDPR|18]] (right to restriction of processing) and [[Article 21 GDPR|21]] (right to object) GDPR.  
Under Article 89(2) GDPR, where personal data are processed for statistical purposes, Union or Member State law may provide for derogations from the rights referred to in [[Article 15 GDPR|Articles 15]] (right of access by the data subject), [[Article 16 GDPR|16]] (right to rectification), [[Article 18 GDPR|18]] (right to restriction of processing) and [[Article 21 GDPR|21]] GDPR (right to object). Such derogations nonetheless remain subject to the conditions and safeguards referred to in Article 89(1) GDPR. Furthermore, two other requirements have to be simultaneously met in order for these derogations to apply: first, the exercise of the data subjects’ rights would render impossible or seriously impair the achievement of the specific purposes; second, such derogations must be necessary for the fulfilment of those purposes. It therefore follows that derogations only apply when strictly necessary for achieving the purpose of the processing.  
 
Such derogations are still subject to the conditions and safeguards referred to in Article 89(1).
 
Furthermore, other two requirements have to be simultaneously met in order for them to be applicable in the specific case. First, the data subjects’ rights are likely to render impossible or seriously impair the achievement of the specific purposes. Second, such derogations are necessary for the fulfilment of those purposes. It follows that the scope of the exceptions must be limited to what is necessary.


=== (3) Derogations are Possible for Archiving Purposes in the Public Interest ===
=== (3) Derogations are Possible for Archiving Purposes in the Public Interest ===
Under Article 89(3) GDPR, where personal data are processed for archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights referred to in [[Article 15 GDPR|Articles 15]] (right of access by the data subject), [[Article 16 GDPR|16]] (right to rectification), [[Article 18 GDPR|18]] (right to restriction of processing), [[Article 19 GDPR|19]] (notification obligation regarding rectification or erasure of personal data or restriction of processing), [[Article 20 GDPR|20]] (right to data portability) and [[Article 21 GDPR|21]] (right to object) GDPR.
Under Article 89(3) GDPR, where personal data are processed for archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights referred to in [[Article 15 GDPR|Articles 15]] (right of access by the data subject), [[Article 16 GDPR|16]] (right to rectification), [[Article 18 GDPR|18]] (right to restriction of processing), [[Article 19 GDPR|19]] (notification obligation regarding rectification or erasure of personal data or restriction of processing), [[Article 20 GDPR|20]] (right to data portability) and [[Article 21 GDPR|21]] (right to object) GDPR. The same conditions as provided under Article 89(2) GDPR also applies to these derogations. In other words, these derogations are only allowed when necessary for achieving the archiving purpose at stake, and when the exercise of the data subject's rights would render impossible or seriously impair the achievement of that purpose.
 
==== Conditions for the Derogations to Apply ====
See relevant section under paragraph 2.


=== (4) Derogations do not Extend to Other Purposes that Require the Same Processing ===
=== (4) Derogations do not Extend to Other Purposes that Require the Same Processing ===
Article 89(4) makes it clear that these exceptions are only available for processing specified in Article 89 and not for other purposes that may be pursued at the same time on the same dataset.
Article 89(4) GDPR makes it clear that the derogations to the GDPR are only available for processing specified in Article 89 GDPR, and not for any other purposes that may be pursued at the same time on the same dataset.


== Decisions ==
== Decisions ==
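Review bot: In the rewritten Article 89(3) paragraph, "The same conditions as provided under Article 89(2) GDPR also applies to these derogations" has a subject-verb disagreement and should read "also apply". The revision also drops the "Conditions for the Derogations to Apply" subheading and its cross-reference to paragraph 2 in favour of restating the two conditions inline; keep that restatement aligned with the wording used under paragraph 2 so the two paragraphs do not drift apart.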
Line 255: Line 245:
<references />
<references />


[[Category:Article 89 GDPR]] [[Category:GDPR]]
[[Category:Article 89 GDPR]] [[Category:GDPR Articles]]

Latest revision as of 13:44, 21 March 2024

Article 89 - Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Legal Text

Article 89 - Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

1. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

2. Where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

3. Where personal data are processed for archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18, 19, 20 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

4. Where processing referred to in paragraphs 2 and 3 serves at the same time another purpose, the derogations shall apply only to processing for the purposes referred to in those paragraphs.

Relevant Recitals

Recital 27: Not Applicable to Deceased Persons
This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.

Recital 33: Consent for Scientific Research
It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.

Recital 156: Processing of Personal Data for Archiving Purposes in the Public Interest, Scientific, Historical Research or Statistical Purposes
The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation. Those safeguards should ensure that technical and organisational measures are in place in order to ensure, in particular, the principle of data minimisation. The further processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is to be carried out when the controller has assessed the feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist (such as, for instance, pseudonymisation of the data). Member States should provide for appropriate safeguards for the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Member States should be authorised to provide, under specific conditions and subject to appropriate safeguards for data subjects, specifications and derogations with regard to the information requirements and rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability, and to object when processing personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. The conditions and safeguards in question may entail specific procedures for data subjects to exercise those rights if this is appropriate in the light of the purposes sought by the specific processing along with technical and organisational measures aimed at minimising the processing of personal data in pursuance of the proportionality and necessity principles. 
The processing of personal data for scientific purposes should also comply with other relevant legislation such as on clinical trials.

Recital 158: Processing for Archiving Purposes
Where personal data are processed for archiving purposes, this Regulation should also apply to that processing, bearing in mind that this Regulation should not apply to deceased persons. Public authorities or public or private bodies that hold records of public interest should be services which, pursuant to Union or Member State law, have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest. Member States should also be authorised to provide for the further processing of personal data for archiving purposes, for example with a view to providing specific information related to the political behaviour under former totalitarian state regimes, genocide, crimes against humanity, in particular the Holocaust, or war crimes.

Recital 159: Processing for Scientific Research Purposes
Where personal data are processed for scientific research purposes, this Regulation should also apply to that processing. For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research. In addition, it should take into account the Union's objective under Article 179(1) TFEU of achieving a European Research Area. Scientific research purposes should also include studies conducted in the public interest in the area of public health. To meet the specificities of processing personal data for scientific research purposes, specific conditions should apply in particular as regards the publication or otherwise disclosure of personal data in the context of scientific research purposes. If the result of scientific research in particular in the health context gives reason for further measures in the interest of the data subject, the general rules of this Regulation should apply in view of those measures.

Recital 161: Consenting to the Participation in Clinical Trials
For the purpose of consenting to the participation in scientific research activities in clinical trials, the relevant provisions of Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC, should apply.

Recital 162: Processing for Statistical Purposes
Where personal data are processed for statistical purposes, this Regulation should apply to that processing. Union or Member State law should, within the limits of this Regulation, determine statistical content, control of access, specifications for the processing of personal data for statistical purposes and appropriate measures to safeguard the rights and freedoms of the data subject and for ensuring statistical confidentiality. Statistical purposes mean any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results. Those statistical results may further be used for different purposes, including a scientific research purpose. The statistical purpose implies that the result of processing for statistical purposes is not personal data, but aggregate data, and that this result or the personal data are not used in support of measures or decisions regarding any particular natural person.

Recital 163: Production of Official European and Official National Statistics
The confidential information which the Union and national statistical authorities collect for the production of official European and official national statistics should be protected. European statistics should be developed, produced and disseminated in accordance with the statistical principles as set out in Article 338(2) TFEU, while national statistics should also comply with Member State law. Regulation (EC) No 223/2009 of the European Parliament and of the Council of 11 March 2009 on European statistics and repealing Regulation (EC, Euratom) No 1101/2008 of the European Parliament and of the Council on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities, Council Regulation (EC) No 322/97 on Community Statistics, and Council Decision 89/382/EEC, Euratom establishing a Committee on the Statistical Programmes of the European Communities, provides further specifications on statistical confidentiality for European statistics.

Commentary

Article 89 GDPR regulates the processing of personal data for four distinct purposes: (i) archiving in the public interest, (ii) scientific research, (iii) historical research and (iv) statistical purposes. In many instances, collecting large quantities of personal data is a key component, if not a prerequisite, for achieving such purposes. For example, clinical trials or political polls are both based on the large-scale collection and analysis of sensitive personal data. Because of the broad scope of such processing operations, as well as the risks they entail, the EU legislator has introduced specific safeguards in Article 89(1) GDPR to protect the rights and freedoms of data subjects. At the same time, overburdening controllers with legal obligations may ultimately impede research, or even defeat the very purpose of the processing. This, in turn, may become detrimental for society, as many societal advances are based on archiving systems, scientific and historical research, or statistical studies. Hence, Article 89(2) and (3) GDPR also allow for specific derogations from the GDPR for these purposes, as further detailed below.

(1) Mandatory Appropriate Safeguards for Archiving Purposes in the Public Interest, Scientific or Historical Research Purposes,...

Article 89(1) GDPR provides that when processing operations take place for (i) archiving in the public interest, (ii) scientific or historical research or (iii) statistical purposes, appropriate safeguards for the rights and freedoms of the data subject must be implemented. Each of these purposes is defined below, followed by a discussion of the safeguards that controllers must put in place.

Archiving Purposes in the Public Interest

According to Recital 158 GDPR, processing for archiving purposes in the public interest can be defined as any operation “to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest”. This means that personal or family archives, or company records will generally not be covered by Article 89 GDPR, unless they also fulfil the criteria of being kept in the “public interest”.[1]

Scientific Research Purposes

Recital 159 GDPR states that “the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research”. Recital 157 GDPR makes it clear that scientific research also includes processing generating “new knowledge of great value with regard to widespread medical conditions such as cardiovascular disease, cancer and depression. […] Within social science, research on the basis of registries enables researchers to obtain essential knowledge about the long-term correlation of a number of social conditions such as unemployment and education with other life conditions”. The GDPR as a whole, and Article 89 GDPR in particular, do not distinguish between scientific research pursuing public interests and that pursuing private or purely commercial ones. It follows that, if the applicable requirements are met, "purely private or commercial interests can be pursued through the processing of personal data for scientific research purposes”.[2] Clinical trials conducted by pharmaceutical companies, for example, would therefore fall within the scope of Article 89 GDPR. Similarly, scientific research conducted by a university or a public institution would also fall within the scope of Article 89 GDPR.

Historical Research Purposes

Under Recital 160 “[w]here personal data are processed for historical research purposes, this Regulation should also apply to that processing. This should also include historical research and research for genealogical purposes, bearing in mind that this Regulation should not apply to deceased persons”. In ruling out data relating to deceased persons, this Recital confirms Recital 27 GDPR, according to which the GDPR “does not apply to the personal data of deceased persons”. However, it should be noted that genealogy research may relate to living relatives as well, in which case the GDPR would still apply to protect the rights and freedoms of those individuals.[3]

Statistical Purposes

According to Recital 162 GDPR, “statistical purposes” include “any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results”. Recital 162 GDPR specifies that “the result of processing for statistical purposes is not personal data, but aggregate data", and that "this result or the personal data are not used in support of measures or decisions regarding any particular natural person”. This sentence seems to suggest that aggregated data are never, by definition, personal data, with the concomitant non-application of the GDPR. From a logical point of view, this conclusion seems to be correct. However, the main assumption must be true: in particular, that aggregated data are actually anonymous and therefore not referable to any data subject. In practice however, given the high threshold required by the WP29 to achieve true anonymisation, it seems rather unlikely that all aggregated data would systematically fall outside of the scope of the GDPR.[4] The risk of re-identification is indeed inherent to the processing of large amounts of data.[5] For these reasons, scholars have convincingly argued that “a better reading of recital 162 is that it is only intended to make clear that data processed for statistical purposes remain personal data (subject to the GDPR) until they are anonymised through aggregation (i.e. until the 'result' of the statistical processing operation is achieved)”.[6]

Obligation to implement appropriate safeguards

According to Article 89(1) GDPR, controllers and processors must implement appropriate safeguards to protect the rights and freedoms of data subjects whose personal data are collected and further processed for the aforementioned purposes. More specifically, technical and organisational measures must be implemented to ensure, in particular, respect for the principle of data minimisation, as set out in Article 5(1)(c) GDPR. This means that the collection of personal data should from the outset be limited to what is appropriate, relevant and necessary for the purpose pursued. The far-reaching derogations granted under Article 89(2) and (3) GDPR can only be justified under this strictly applicable premise.[7] Among the organisational and technical measures that controllers or processors should put in place, Article 89(1) GDPR specifically mentions pseudonymisation and anonymisation.[8] This list is of course non-exhaustive, and there may well be other suitable measures that adequately reduce the risks associated with the processing of personal data in those areas.[9]

Pseudonymisation

Under Article 4(5) GDPR, pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately. Pseudonymised data are thus personal data, since the individuals to whom they relate remain identifiable (Recital 26 GDPR). Through pseudonymisation, controllers are therefore not exempted from complying with the GDPR, but are simply reducing the overall risks linked to the processing of personal data.

Anonymisation

According to Recital 26 GDPR, anonymisation is the process of rendering personal data anonymous, in the sense that the data subject is no longer identified or identifiable. The anonymisation process must be robust enough to prevent any risk of reidentification. Hence, the technical requirements of anonymisation may vary from one case to another depending on the data available, and may become increasingly difficult to achieve as re-identification techniques evolve in parallel.[10] While Article 89(1) GDPR states that pseudonymisation "may" be used as a technical measure, anonymisation becomes mandatory when it does not prevent or defeat the purpose of the processing. For example, if a public authority orders a statistical survey on water consumption to improve water management in a specific city, the study should be based on anonymised data if identifying the respondents is not necessary to reach valid findings. By contrast, conducting a clinical trial may require the collection and monitoring of personal data of identified patients. In that case, anonymisation would therefore neither be possible, nor required under Article 89(1) GDPR. All in all, it can be concluded that anonymisation only becomes a mandatory technical measure if the research purpose allows for it.[11]

Other measures

As noted above, anonymisation and pseudonymisation are only two examples of technical measures that controllers or processors can put in place when conducting research for scientific, historical or statistical purposes. Other measures and safeguards should also be considered. At the national level, Member States have sometimes established more specific obligations in that respect.

In Luxembourg, for example, Article 65 of the Act of 1st October 2018 on the processing of personal data specifically requires controllers to put in place twelve organisational or technical measures, including anonymisation and pseudonymisation, when processing personal data for scientific or historical research, archiving purposes or statistical purposes. Among the other measures listed in that article, one may for example find the appointment of a Data Protection Officer (DPO) to supervise the processing of the personal data, the obligation to conduct a Data Protection Impact Assessment (DPIA), the encryption of the personal data with state-of-the-art key management, restrictions on data access within the organisation of the controller, or raising the awareness of the staff with respect to professional secrecy and personal data protection. The same article further specifies that the controller must document and justify for each project the exclusion, where applicable, of one or more of the measures listed in that article.

Other Member States have adopted similar provisions. Thus, besides the minimum requirements set in Article 89(1) GDPR, controllers involved in the processing of personal data for scientific or historical research, archiving purposes or statistical purposes should also pay due attention to possible additional requirements under national legislation.

(2) Derogations Possible for Scientific or Historical Research Purposes or Statistical Purposes

Under Article 89(2) GDPR, where personal data are processed for statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15 (right of access by the data subject), 16 (right to rectification), 18 (right to restriction of processing) and 21 GDPR (right to object). Such derogations nonetheless remain subject to the conditions and safeguards referred to in Article 89(1) GDPR. Furthermore, two other requirements have to be simultaneously met in order for these derogations to apply: first, the exercise of the data subjects’ rights would render impossible or seriously impair the achievement of the specific purposes; second, such derogations must be necessary for the fulfilment of those purposes. It therefore follows that derogations only apply when strictly necessary for achieving the purpose of the processing.

(3) Derogations are Possible for Archiving Purposes in the Public Interest

Under Article 89(3) GDPR, where personal data are processed for archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights referred to in Articles 15 (right of access by the data subject), 16 (right to rectification), 18 (right to restriction of processing), 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing), 20 (right to data portability) and 21 (right to object) GDPR. The same conditions as provided under Article 89(2) GDPR also apply to these derogations. In other words, these derogations are only allowed when necessary for achieving the archiving purpose at stake, and when the exercise of the data subject's rights would render impossible or seriously impair the achievement of that purpose.

(4) Derogations do not Extend to Other Purposes that Require the Same Processing

Article 89(4) GDPR makes it clear that the derogations to the GDPR are only available for processing specified in Article 89 GDPR, and not for any other purposes that may be pursued at the same time on the same dataset.

Decisions

→ You can find all related decisions in Category:Article 89 GDPR

References

  1. See, Wiese Svanberg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 89 GDPR, p. 1242 and ss. (Oxford University Press 2020) who also points out that the requirement that archiving "must take place 'in the public interest' should be regarded as satisfied as long as any individual archiving activity is set out-even broadly in Member State law. Thus, the GDPR does not limit the extent to which Member States can delimit what materials are of sufficient historical interest to warrant subjecting them to archiving rules”.
  2. See, Wiese Svanberg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 89 GDPR, p. 1242 and ss. (Oxford University Press 2020) who also specifies that any other relevant legislation (such as legislation on clinical trials in the case of medical or scientific research) may also apply.
  3. Eichler, in BeckOK DatenschutzR, Article 89 GDPR, margin number 6a (C.H. Beck 2020, 36th edition).
  4. WP29, Opinion 05/2014 on Anonymisation Techniques, 10 April 2014.
  5. Rocher et al., Estimating the success of re-identifications in incomplete datasets using generative models. Nature Communications 10 (2019).
  6. Wiese Svanberg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 89 GDPR, p. 1250 (Oxford University Press 2020).
  7. Eichler, in BeckOK DatenschutzR, Article 89 GDPR, margin number 12-13 (C.H. Beck 2020, 36th edition).
  8. The GDPR uses this wording: “Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner”, generally understood as anonymization.
  9. For example, use of encryption, employees’ confidentiality obligations, sufficiently specific work instructions and computer access authorizations are to be checked even more strictly in these cases.
  10. WP29, Opinion 05/2014 on Anonymisation Techniques, 0829/14/EN, 10 April 2014, p. 4, 8 and in general throughout the Opinion.
  11. Eichler, in BeckOK DatenschutzR, Article 89 GDPR, margin number 15 (C.H. Beck 2020, 36th ed.). See also Recital 156 which states that “The further processing of personal data for archiving purposes […] is to be carried out when the controller has assessed the feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist”.