GDPR exemptions

Are there any relevant exemptions?

There are a number of exemptions from specific duties and obligations granted to processing that is carried out for the sole purpose of research. Some of these exemptions are discussed on other pages.

Expand All

 

Whilst under the second data protection principle, the further processing of personal data is stated as only being allowed where it is compatible with the purposes for which it was originally collected, the GDPR provides a presumption that research is compatible with the purposes for which the data was obtained. Care must still be taken to ensure that any further use is compliant with all other relevant obligations under the GDPR eg transparency

 

 

The processing of special category personal data is generally prohibited, unless one of several available conditions is met. Processing which is necessary for research purposes in the public interest is one such condition rendering the processing legal.

 

 

The fifth data protection principle requires that data be kept as identifiable data for no longer than is necessary to meet the purposes for which the data is processed. However, personal data which are processed for research purposes may be kept for ‘longer’. (We are awaiting guidance from the ICO as to how the term ‘longer’ should be interpreted.)

 

 

If personal data processed for research has been collected from a third party and not directly from the individuals concerned, it will not be necessary to provide the prescribed information directly to each individual if doing so would require a disproportionate effort or if it would prevent or seriously impair the achievement of the research objectives. Even so, you must still make the prescribed information publicly available.

 

 

The GDPR grants individuals new or improved rights in relation to their personal data, including the right to access the data, the right to object to processing, the right to request that the data be deleted (the right to be ‘forgotten’), the right to request that the processing of the data be restricted and the right to request the rectification of inaccurate or incomplete data. However, these rights are in any event not absolute; and where personal data is processed solely for the purposes of research, these rights will not apply to the extent that they would prevent or seriously impair the achievement of those purposes.

If researchers receive requests of the kind described above, they should refer them to the Information Compliance Team for action.

 

These exemptions are only available where the processing satisfies the requirement for appropriate safeguards.

Next