Under the old data protection regime, further processing for research was permissible only if EU member states furnished suitable safeguards that “in particular rule out the use of the data in support of measures or decisions regarding any particular individual”. In its opinion on purpose limitation, the Article 29 Working Party found that “‘measures or decisions’ should be interpreted in the broadest sense,” to cover “any relevant impact on particular individuals – either negative or positive.”

The GDPR eliminates this restriction, thereby allowing further processing for research that impacts individuals. However, the GDPR also creates additional safeguards to protect individuals from this type of processing. Thus the GDPR requires controllers to conduct a data protection impact assessment (DPIA) any time the processing involves “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.”

Profiling is defined as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”. The GDPR prohibits controllers from subjecting a data subject to a decision “based solely on automated processing, including profiling,” as a result of processing sensitive data, except in limited circumstances.

Thus, while on the one hand the GDPR removes the restriction on research that produces impacts for individuals, on the other hand it introduces stringent safeguards for such processing. Controllers that conduct this type of research may have to conduct a DPIA, and they may nonetheless be prohibited from conducting research that impacts individuals on the basis of their sensitive personal data.