Research

The GDPR adopts a “broad” definition of research, encompassing the activities of public and private entities alike.

Scientific research is defined “in a broad manner”. The GDPR supplies examples, such as “technological development and demonstration, fundamental research, applied research, and privately funded research,” as well as public health research.

The GDPR cites Article 179(1) of the Treaty on the Functioning of the European Union, which promotes “the objective of strengthening its scientific and technological bases by achieving a European research area in which researchers, scientific knowledge and technology circulate freely.” This suggests that although private research for technological development qualifies as research, there may be a requirement that the research be published or otherwise made available outside the private entity. An important interpretative question concerns the application of the research provisions to corporate contexts such as research for product improvement or marketing purposes, as opposed to “big-r” research in academic institutions, which is geared at publication and contribution to generalizable knowledge.

Additionally, “specific conditions should apply in particular as regards the publication or otherwise disclosure of personal data in the context of scientific research purposes”. Although not expressly stated, these “specific conditions” may refer to “recognized ethical standards for scientific research,” as well as the safeguards.

Historical research includes genealogical research, but the GDPR generally does not apply to deceased persons.

Statistical research is “any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results”. Generally, statistical research “implies that the result of processing for statistical purposes is not personal data, but aggregate data.” While statistical research may be used in support of scientific research, it usually is “not used in support of measures or decisions regarding any particular natural person.” The GDPR specifies that the EU or the member states should legislate around the scope of the statistical research exemptions, including defining the appropriate safeguards for assuring “statistical confidentiality.”