...
- For research purposes only: the derogation is granted for research purposes only and should not be used for the unlimited retention of personal data for other purposes which are of a private or commercial nature. A derogation is also made for archiving in the public interest and for statistics, which means that personal data of archival value or relevant for statistical purposes may also be kept for a longer period. It is not always easy to draw a clear dividing line between research, archiving and statistics, so that both derogations may cover research.
- Technical and organisational measures: longer retention requires the secure storage of personal data. While during research, data availability is important, during storage, availability becomes less important and more secure storage solutions may be considered. For example, access to personal data by members of the research group may be restricted.
- Data anonymisation should be considered. Anonymised data could be stored indefinitely and also shared in an open data repository. However, anonymisation for storage purposes should be agreed upon at an early stage, and this intention should be clearly stated in the data management plan and in the information provided to research participants. If anonymisation is not possible, personal data should be pseudonymised, but in this case, the GDPR applies.
- Only valuable data should be retained. Data should be stored in accordance with the principle of minimisation, i.e. only the most relevant data should be retained, where it is necessary and justified to keep them in a personalised form for a long time. Since the research-related derogation always requires a balancing of different interests and needs, it may be helpful to delimit the data to be retained within the dataset, either to those of high long-term scientific value or those necessary for the validation of results. The GDPR does not allow storing data ‘just in case’.
- Storage must be transparent and fair. Reliance on the derogation for the storage of personal data should be known already at the planning stage of the study. It would not be transparent and fair if only at the end of the study the research team decides to retain certain personal data for a longer period. The promises made to the data subject must also be respected: if the person is told that the data will be destroyed after the end of the study, it is not allowed to retain them. A difficult situation arises when, in the course of the research, it turns out that the data collected are much more valuable than expected, but the plan was to destroy all the data. Further use of personal data in new research and longer retention is possible under the GDPR, but the change to the original decision must be fair and transparent for the people.
- Wherever possible, the storage of personal data should be considered as a separate purpose. An appropriate legal basis for the new purpose must be found in this case.
4.1. In what form may personal data be disclosed?
Disclosure is defined as making personal data accessible to an unrestricted number of people, either on a public website, in a public database or elsewhere. Disclosure is only possible if the confidentiality of the data does not need to be guaranteed. As the security principle generally requires that the confidentiality of personal data must also be protected, derogation concerning the publication of personal data is possible in the case of research.
Disclosure does not concern situations where the person requests a copy of their data or where data are shared between research institutions.