Examples
Worked examples
- Is an instance
A European university hosting a longitudinal cohort identifies Article 6(1)(e) public task and Article 9(2)(j) scientific-research processing as the lawful bases for processing health data, supported by Article 89 safeguards.
- Is an instance
A US university running a clinical study with EU-resident participants applies the GDPR to that processing and signs Standard Contractual Clauses with its EU partner for the transatlantic transfer.
Counter-examples
Looks similar, but isn't
- Not an instance
Processing of fully anonymous data that cannot be reidentified by any reasonably likely means is outside the scope of the GDPR.
- Not an instance
Purely personal or household processing (e.g. a researcher's private address book) falls within the household exemption in Article 2(2)(c).
Editorial commentary
The GDPR applies to any processing of personal data in the context of an establishment in the EU, and to processing by non-EU controllers that offer goods or services to, or monitor, data subjects in the EU. Research processing benefits from specific safeguards and derogations under Article 89 where appropriate technical and organisational measures (notably pseudonymisation and data minimisation) are in place. Controllers must satisfy core principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability) and maintain documentation including records of processing activities, data-protection impact assessments where required, and appropriate international-transfer mechanisms.
References
- GDPR Regulation (EU) 2016/679
- UK GDPR and Data Protection Act 2018
- European Data Protection Board Guidelines on processing of personal data for scientific research purposes
- Article 29 Working Party / EDPB Guidelines on consent under Regulation 2016/679
Also known as
GDPR · Regulation (EU) 2016/679 · EU General Data Protection Regulation
Machine-readable encodings
Use in your systems
<role vocab="credit"
vocab-identifier="https://casrai.org/dictionary/"
vocab-term="GDPR (General Data Protection Regulation)"
vocab-term-identifier="https://casrai.org/dictionary/term/gdpr-general-data-protection-regulation" />

{
"@context": "https://schema.org",
"@type": "DefinedTerm",
"name": "GDPR (General Data Protection Regulation)",
"identifier": "https://casrai.org/dictionary/term/gdpr-general-data-protection-regulation",
"description": "The European Union regulation that governs the processing of personal data of individuals in the EU, requiring a lawful basis for processing, transparency to data subjects, data-minimisation, security, and accountability, with extraterritorial application where data subjects in the EU are targeted or monitored.",
"inDefinedTermSet": "https://casrai.org/dictionary/domain/compliance-and-regulatory/",
"url": "https://casrai.org/dictionary/term/gdpr-general-data-protection-regulation",
"sameAs": [
"GDPR",
"Regulation (EU) 2016/679",
"EU General Data Protection Regulation"
],
"license": "https://creativecommons.org/licenses/by/4.0/"
}






