Possible derogations
Data processing carried out for the purpose of scientific research benefits from derogations and adjustments to certain data protection obligations (e.g. in relation to individuals’ rights or retention periods).
The controller must always define the purpose of the research and processing of data implemented. However, in the field of scientific research, it can be accepted that the degree of precision of this objective is lower or that the research purposes are not specified in their entirety, given the difficulties researchers may have in identifying it entirely from the beginning of their work. It will then be possible to provide information to clarify the objective as the project progresses.
As a reminder, any processing of data for scientific research purposes must be subject to appropriate safeguards for the rights and freedoms of the data subject, such as anonymisation or pseudonymisation (referred to in Article 89 GDPR).
What is ‘scientific research’ within the meaning of the GDPR?
The notion of ‘scientific research’ is to be understood broadly in the GDPR. In summary, the aim of the research is to produce new knowledge in all areas in which the scientific method is applicable.
In order to assist controllers in determining whether they can benefit from the provisions on scientific research, the CNIL proposes a set of criteria to assist the controller in determining whether the processing which pursues a research purpose falls within the scope of scientific research:
- In some cases, it will be possible to assume the creation of datasets for AI pursues a scientific research purpose due to the nature of the organisation (e.g. a university or a public research centre) or the type of funding (e.g. funding from the French National Research Agency, ANR).
- Otherwise, the following criteria (based on the OECD Frascati Manual and its definition of R & D) should be considered together. As these criteria are cumulative, the controller will in principle have to demonstrate that they are all fulfilled in order for the processing to be considered scientific research within the meaning of the GDPR. Otherwise, a case-by-case analysis is necessary to qualify the processing.
- The novelty: the processing should be aimed at achieving new results. The purpose of the research can help in the qualification of scientific research. In this respect, the publication of articles in a peer-reviewed journal or the grant of a patent makes it possible to meet the criterion of novelty.
- Creativity: this criterion is based on original and non-obvious notions and hypotheses – the contribution of the work to scientific knowledge or the state of the art. The development of collective knowledge that not only benefits the moral entity that supports the research project is a strong indication to qualify it as a scientific research.
- Uncertainty: the processing must be uncertain as to the final outcome.
- Systematicity: the processing must be part of planning and budgeting, implement a scientific methodology. Adhesion to relevant industry standards of methodology and ethics is a strong indicator to qualify as scientific research.
- Transferability/reproducibility: the processing should lead to results that can be replicated or transferred to a wider field. For example, the publication of the study carried out and the presentation of the research methodology adopted is a strong indication to highlight the willingness of the project leader(s) to share the results of their research.
The proposed definition of scientific research within the meaning of the GDPR is included in a guide more broadly dedicated to the reuse of publicly available data, currently subject to public consultation. It is possible to participate by following this link.
Find out more: