Learn how GA4GH helps expand responsible genomic data use to benefit human health.
Learn how GA4GH helps expand responsible genomic data use to benefit human health.
Our Strategic Road Map defines strategies, standards, and policy frameworks to support responsible global use of genomic and related health data.
Discover how a meeting of 50 leaders in genomics and medicine led to an alliance uniting more than 5,000 individuals and organisations to benefit human health.
GA4GH Inc. is a not-for-profit organisation that supports the global GA4GH community.
To guide our collaborative, globe-spanning alliance, GA4GH relies on a Standards Steering Committee and an Executive Committee.
The Funders Forum brings together organisations that offer both financial support and strategic guidance.
The EDI Advisory Group responds to issues raised in the GA4GH community, finding equitable, inclusive ways to build products that benefit diverse groups.
Distributed across four Host Institutions, our staff team supports the mission and operations of GA4GH.
Curious who we are? Meet the people and organisations across six continents who make up GA4GH.
More than 500 organisations connected to genomics — in healthcare, research, patient advocacy, industry, and beyond — have signed onto the mission and vision of GA4GH as Organisational Members.
These core Organisational Members are genomic data initiatives that have committed resources to guide GA4GH work and pilot our products.
This subset of Organisational Members whose networks or infrastructure align with GA4GH priorities has made a long-term commitment to engaging with our community.
Local and national organisations assign experts to spend at least 30% of their time building GA4GH products.
Anyone working in genomics and related fields is invited to participate in our inclusive community by creating and using new products.
Wondering what GA4GH does? Learn how we find and overcome challenges to expanding responsible genomic data use for the benefit of human health.
Study Groups define needs. Participants survey the landscape of the genomics and health community and determine whether GA4GH can help.
Work Streams create products. Community members join together to develop technical standards, policy frameworks, and policy tools that overcome hurdles to international genomic data use.
GIF solves problems. Organisations in the forum pilot GA4GH products in real-world situations. Along the way, they troubleshoot products, suggest updates, and flag additional needs.
NIF finds challenges and opportunities in genomics at a global scale. National programmes meet to share best practices, avoid incompatabilities, and help translate genomics into benefits for human health.
Communities of Interest find challenges and opportunities in areas such as rare disease, cancer, and infectious disease. Participants pinpoint real-world problems that would benefit from broad data use.
See all our products — always free and open-source. Do you work on cloud genomics, data discovery, user access, data security or regulatory policy and ethics? Need to represent genomic, phenotypic, or clinical data? We’ve got a solution for you.
All GA4GH standards, frameworks, and tools follow the Product Development and Approval Process before being officially adopted.
Learn how other organisations have implemented GA4GH products to solve real-world problems.
Help us transform the future of genomic data use! See how GA4GH can benefit you — whether you’re using our products, writing our standards, subscribing to a newsletter, or more.
Help create new global standards and frameworks for responsible genomic data use.
Align your organisation with the GA4GH mission and vision.
Solve your real-world data problems with support from this valuable network of global institutions.
Work with like-minded groups committed to better data use in areas like rare disease, cancer, and infectious disease.
Share your thoughts on all GA4GH products currently open for public comment.
Solve real problems by aligning your organisation with the world’s genomics standards. We offer software dvelopers both customisable and out-of-the-box solutions to help you get started.
Learn more about upcoming GA4GH events. See reports and recordings from our past events.
Speak directly to the global genomics and health community while supporting GA4GH strategy.
Be the first to hear about the latest GA4GH products, upcoming meetings, new initiatives, and more.
Questions? We would love to hear from you.
Read news, stories, and insights from the forefront of genomic and clinical data use.
Attend an upcoming GA4GH event, or view meeting reports from past events.
See new projects, updates, and calls for support from the Work Streams.
Read academic papers coauthored by GA4GH contributors.
Listen to our podcast OmicsXchange, featuring discussions from leaders in the world of genomics, health, and data sharing.
Check out our videos, then subscribe to our YouTube channel for more content.
View the latest GA4GH updates, Genomics and Health News, Implementation Notes, GDPR Briefs, and more.
Discover all things GA4GH: explore our news, events, videos, podcasts, announcements, publications, and newsletters.
6 Jan 2020
Article 6(1) of the GDPR states that: “Processing shall be lawful only if and to the extent that at least one of the following applies: […]”; 6(1)(a)–(f) present the different bases. Does “at least one” legal basis suggest that a number of bases – could be used at the initial point of gathering personal data, thereby creating greater flexibility when considering the legal basis for further, secondary processing of those data?
Article 6(1) of the GDPR states that: “Processing shall be lawful only if and to the extent that at least one of the following applies: […]”; 6(1)(a)–(f) present the different bases. Does “at least one” legal basis suggest that a number of bases – for example, consent, the (qualified) interests of the data controller, the public interest – could be used at the initial point of gathering personal data, thereby creating greater flexibility when considering the legal basis for further, secondary processing of those data? Could the secondary processing (either in terms of direct inclusion in the stated primary purpose and basis for the processing, or through an argument of compatibility with that stated purpose) appeal to only one of the range of legal bases identified at the outset? Consensus when discussing the draft of this brief suggests that “at least one” does not give such flexibility, but reinforces a conclusion about the need for clarity.
Consistency of language
Article 6(1) is the only place where multiple legal bases is hinted as a possibility. The Recitals relating to legal basis do not address the “at least one” point. Recital 40 indicates that processing should be “on the basis of the consent […] or some other legitimate basis”. Article 13(1)(c) indicates that data subjects should be provided with information including “the purposes of the processing […] as well as the legal basis for the processing” (emphasis added). This would suggest that, whereas multiple legal bases are available, one must choose only one basis. This is reinforced in Recital 50, where the interpretation of further processing for compatible purposes is discussed in relation to the original legal basis.
In its guidance on consent (WP259 rev.01), the Article 29 Working Party states: “The application of one of these six bases must be established prior to the processing activity and in relation to a specific purpose” (p. 23). The Article 29 Working Party Opinion 03/2013 on purpose limitation indicates a similar single legal basis when discussing how to ensure fairness in compatible processing. The recent “Report on Experience Gained in the Implementation of the GDPR” published by the Independent German Federal and State Data Protection Supervisory Authorities also discusses the legal basis in relation to compatible processing.
What can be drawn from this?
The better focus in reading Article 6(1) is “the extent that at least one of the following applies” (emphasis added). Different aspects of personal data processing within a project could each require a different legal basis for processing – some parts consent, other parts public interest – but “the extent that” each “applies”, requires consistency with each particular legal basis for primary processing in any further, compatible processing. Rather than giving greater flexibility for secondary processing of already gathered personal data, Article 6(1) requires that any legal basis selected for each part of the processing must be effectively communicated to the data subjects and the different legal requirements for each basis must be followed.
NOTE: I am particularly grateful to those who gave comments on the draft of this GDPR Brief. Any errors are all mine.
Relevant GDPR Provisions
David Townend is Professor of Law and Legal Philosophy in Health, Medicine and Life Sciences at Maastricht University.
For a list of previous briefs, please consult here.
Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.