Contemporary biomedical research heavily relies on secondary use of personal health data that were obtained in a different clinical or research setting. Under the European Union’s General Data Protection Regulation (GDPR), data controllers processing personal data must comply with the principle of purpose limitation, which restricts further processing of personal data beyond the purpose for which the data were initially collected. However, “further processing” is not explicitly defined, resulting in considerable interpretive ambiguities as to whether “secondary use” of data by researchers constitutes “further processing” under the GDPR. This ambiguity is problematic as it exposes researchers to potential non-compliance risks. In this article, we analyse the term “further processing” within the meaning of the GDPR, elucidate important aspects in which it differs from “secondary use”, and discuss the implications for data controllers’ GDPR compliance obligations. Subsequently, we contextualise this analysis within a broader discussion of regulating scientific research under the GDPR.

Secondary Use of Personal Health Data: When Is It “Further Processing” Under the GDPR, and What Are the Implications for Data Controllers?

Comande Giovanni
2022-01-01

Abstract

Contemporary biomedical research heavily relies on secondary use of personal health data that were obtained in a different clinical or research setting. Under the European Union’s General Data Protection Regulation (GDPR), data controllers processing personal data must comply with the principle of purpose limitation, which restricts further processing of personal data beyond the purpose for which the data were initially collected. However, “further processing” is not explicitly defined, resulting in considerable interpretive ambiguities as to whether “secondary use” of data by researchers constitutes “further processing” under the GDPR. This ambiguity is problematic as it exposes researchers to potential non-compliance risks. In this article, we analyse the term “further processing” within the meaning of the GDPR, elucidate important aspects in which it differs from “secondary use”, and discuss the implications for data controllers’ GDPR compliance obligations. Subsequently, we contextualise this analysis within a broader discussion of regulating scientific research under the GDPR.
2022
File in questo prodotto:
File Dimensione Formato  
15718093_030_02_s001_text.pdf

accesso aperto

Tipologia: Documento in Post-print/Accepted manuscript
Licenza: Creative commons (selezionare)
Dimensione 1.87 MB
Formato Adobe PDF
1.87 MB Adobe PDF Visualizza/Apri

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11382/548991
 Attenzione

Attenzione! I dati visualizzati non sono stati sottoposti a validazione da parte dell'ateneo

Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus ND
social impact