The processing of personal data in research is lawful if it has a legal basis and complies with the requirements of the GDPR, the Estonian Personal Data Protection Act and the data protection principles arising from them. Further recommendations can be found in the European Data Protection Board’s guidelines 4/2019 on Article 25 of the GDPR, “Data protection by design and by default”. The guidance below explains how to comply with the principle of lawfulness in research.
2.5.1. The legal basis is determined before the processing of personal data starts
The main question in research is whether personal data are processed with or without the person’s consent. Processing personal data without consent always requires justification and an appropriate legal basis, such as a contract, legal obligation, or performance of a task carried out in the public interest (see also 1.6).
Example A researcher studies the public material people have posted about themselves on social media. The researcher does not plan to seek people’s consent knowing that it is not common practice when analysing material published on the media. Later, when the data have been collected, the researcher discovers that the people are identifiable from their comments, which can be found by text search. Even if the researcher does not publish the collected material, it has still been a case of collecting and analysing personal data without consent, which would require a legal basis. While the researcher may find that it is a public interest task, this should have been ascertained before starting the data collection. |
2.5.2. Most appropriate legal basis must be determined
As the GDPR allows for a certain degree of flexibility regarding the legal basis, the possible and appropriate legal basis for the specific study may sometimes be unclear. The legal basis must be clearly formulated, and it must not be misleading. People must not be given the impression that they have been asked for their consent when actually their consent is not the legal basis for processing personal data. If an individual withdraws their consent, the research institution must not process their data for the same purpose on other grounds claiming, for example, that the research is a task carried out in the public interest and the data may therefore be processed without consent.
Example A researcher requests data for his research from a public database. The public institution holding the data gives the researcher a pseudonymised dataset where identifiers, i.e. the information allowing direct or indirect identification of an individual, are encrypted. The researcher understands that these are pseudonymised data, and their processing requires a legal basis. Since in this specific public database, every Estonian citizen can determine their preference for the release of data for other purposes, including research purposes, the researcher considers consent to be the legal basis because the release of data is based on the person’s free will. This assessment, however, is incorrect. The choice indicated in the dataset is necessary for the public institution to be entitled to release data for research purposes. However, such consent does not meet the conditions of the GDPR – for example, it is not clear how a person can withdraw the consent. Moreover, the researcher has not given people the necessary information to obtain their consent. |
2.5.3. Related activities that may need a separate legal basis should be distinguished
Each processing activity should be clearly distinguished based on the purpose and legal basis. While a small-scale study only has one purpose (the anticipated result of the research) and one legal basis (consent), it is easy to comply with this recommendation. A large, long-term research project, however, may have more purposes and in that case, each purpose must be linked with a legal basis. If, in the same research, the intention is to collect data directly from people and combine them with previously collected data that may be located elsewhere, a separate legal basis should be assigned to each operation even if they serve the same purpose.
Example A research project uses personal data that cannot be anonymised without compromising their quality. Researchers still want to store them in a scientific data repository and make them available to other researchers. While open science is important, sharing personal data with other researchers is not necessary to achieve the goals of a particular research study. That is an independent purpose. One possible solution is to seek extra consent from the survey participants. In this case, they choose whether to allow using their data only for the specific study or future research. |
2.5.4. People are given as much freedom of choice as possible
When planning research, researchers should give data subjects the opportunity to choose how they want to participate in the study and how their data will be used. It depends on the specific research how much autonomy and freedom to make their own decisions can be given to people. For example, in the case of an interview with an expert, it is possible to determine how or what they say is presented in the published text: whether the expert’s name or a pseudonym is used, or a reference is made to the institution where they work. Where it is possible to choose between several legal bases, consent should be preferred. In cases where asking for consent is impossible or would hinder the fulfilment of the research objectives, other legal grounds may be considered. However, even then, the controller should ensure as much autonomy as possible for the individual – for example, a choice to prohibit using their data for other purposes.4
4 For example, in the e-population register, individuals can restrict the disclosure of their address to private companies, even though the disclosure is not based on consent.