3 August 2020
Under the GDPR, personal data may only be kept for as long as is strictly necessary to fulfil the purpose of processing (Art. 5(1)(e) and Recital 39). Under Art. 5(1)(b), data can be further processed for research beyond the initial purpose. In line with this provision, Art. 5(1)(e) also allows longer retention beyond the original purpose if the data are used exclusively for scientific research. Such retention requires that organisational and technical safeguards be in place in accordance with Art. 89(1). In principle, data used purely for research purposes may be kept indefinitely. (This position is, however, not unreservedly shared by all data protection authorities.)
The special provisions of the GDPR on data retention for research are, however, not a carte blanche to hang on to all research data. The following conditions need to be complied with:
The continued retention must not conflict with the conditions under which the data were obtained. If data are kept beyond the initial purpose, they may only be used for scientific research. Therefore, a robust framework of technical and organisational measures needs to be in place to prevent any other use, whether intentional or accidental. The utility of the data for research should also be evidenced and linked to the retention policy.
While the GDPR places no limit on the time frame for keeping data for scientific research, the provisions on the information that must be given to data subjects (Articles 13 and 14; Recital 39) require that, where no definite retention period is applied, the criteria used to determine how long the data will be kept must be defined. The Article 29 Working Party’s Guidelines on transparency state that a notice specifying “as long as necessary” is not sufficient. Measurable criteria for how long data remain useful for research must be established and, where relevant, also for how long pseudonymisation keys are kept. Potential criteria to be fulfilled are:
Research institutions also need to define a time frame and establish mechanisms to periodically review that the retention criteria are still fulfilled.
In line with the “data protection by design” principle of Article 25, these considerations on data retention must be made upfront, before the data collection starts, and documented. This includes a decision (communicated to the data subject) on whether the data will be deleted or anonymised at the end. Data protection by default implies that a defined retention period should be the starting assumption. A data retention policy must therefore specify how it is established that data may be kept for a yet undefined time frame, define the relevant retention criteria throughout the data’s life cycle, and set out the corresponding review mechanisms. Following GDPR Articles 13 and 14, the criteria and the related review procedures need to be communicated to the data subjects, including notice that this practice may lead to indefinite retention.
Relevant GDPR Provisions
Regina Becker is an ELSI expert at the ELIXIR-Luxembourg, hosted by the Luxembourg Centre for Systems Biomedicine (LCSB) at the University of Luxembourg.
Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.