The processing of personal data is lawful only if there is a legal basis mentioned in Article 6 of the GDPR. These bases with brief explanations are listed in the general guidelines for data processors (pp 7–8) compiled by the Data Protection Inspectorate.

Depending on the study, the researcher has to choose which legal basis to use.

Consent is the most common legal basis in research. It supports the autonomy of the people involved in the study and ensures that their participation is voluntary. The consent must be informed, so there are various additional requirements for asking for consent (see 2.3).

Task carried out in the public interest is a legal basis for public research institutions, to which this function is assigned by law. For example, the Archives Act has tasked the National Archives with carrying out archival research and publishing it. Consequently, the task in the public interest is a suitable legal basis for the National Archives to conduct research involving personal data.

A task in the public interest is not an appropriate legal basis for private research institutions whose research activities are not subject to specific legislation. However, a private research institution may be commissioned or otherwise authorised by a public authority to do research, the legal basis of which is a task in the public interest.

Legitimate interest is a flexible basis that allows for a needs-based assessment of the importance of different opposing interests. The controller must weigh the legitimate interest against the interests of potential data subjects. Therefore, it is not sufficient that the research institution has a legitimate interest in the research or that the study is in the public interest; the interests must be overriding, and the potential harm to the interests and rights of data subjects must be minimised.

Public authorities can use legitimate interest as a legal basis in very limited circumstances (e.g., employment certificates, photos on the intranet, use of cameras). However, private research institutions or research and development companies can do so.

In addition, the GDPR provides for three other legal bases – compliance with a legal obligation, performing a contract with a data subject and protecting an individual’s vital interests – which are not relevant in the research context. In exceptional cases, however, these bases may prove necessary. For example, according to section 27 of the Child Protection Act, all persons who know of a child in need of assistance are required to report it. Therefore, if the researcher has contact with children or families in the course of the study and has reasonable grounds to suspect that a child needs help (for example, a victim of domestic violence), the researcher must notify the local government. In this case, the legal obligation is the legal basis for disclosing the child’s personal data. Although such a need may occasionally arise while carrying out research, this disclosure is not the processing of personal data for research.
