The European Data Protection Board (EDPB) has published a study on how personal health data is, or can be, reused for scientific research in the EU under the EU General Data Protection Regulation (GDPR). The study highlights the practical challenges that arise from divergent interpretations of the GDPR and differing national rules across EU Member States.
The key conclusions of the study are set out below:
1. Select the legal basis for the primary use of personal data on a case-by-case basis; avoid selecting consent by default:
When selecting the legal basis, it is essential to consider the research type and national legal requirements.
The study analyses the suitability of the legal bases below:
- Explicit consent: Generally not recommended for clinical trials or large-scale studies, as it may not meet the GDPR standard of being truly “freely given”.
- Broad consent: Recital 33 of the GDPR allows for broad consent in specific cases (where individuals consent to the processing of their data in a general area of scientific research, even if the specific purposes are not yet fully defined). However, broad consent is not accepted in many EU Member States, particularly in the context of clinical research.
- Public interest: Identified in the study as a more suitable legal basis for scientific research. It may apply when the research serves a recognised public interest or legal mandate; however, definitions of and requirements for public interest vary across EU Member States.
- Legitimate interest: Identified in the study as a potentially suitable legal basis for private scientific research. This, however, requires a balancing test to ensure that the legitimate interest pursued is not overridden by the rights and freedoms of data subjects.
When processing special categories of personal data such as health data, in addition to selecting a legal basis under Article 6 of the GDPR, it is important to identify a legal basis under Article 9.2 of the GDPR (see our recommendations below).
2. Assess whether a new legal basis is required for secondary use of personal data:
- “Secondary use” refers to the processing of personal health data for purposes other than those for which it was initially collected, in this case, for scientific research.
- There is no unified position among EU authorities and EU Member States on whether a new legal basis is required for “secondary use”, or whether the initial legal basis may be relied on.
- There is no EU-wide consistent interpretation of “secondary use”. Some EU Member States treat any new purpose (e.g. analytics or AI model training) as requiring a new legal basis, while others apply narrower interpretations.
- The study notes that “secondary use” in the strict sense (i.e. where the new purpose is not compatible with the initial purpose) always requires a new legal basis.
- By contrast, if the reuse of the data qualifies as further processing that is compatible with the original purpose, a new legal basis may not be required.
- However, there is not a consistent interpretation of “compatibility” across the EU, which adds further legal uncertainty.
3. Plan how data subjects will be informed of the reuse of their data and, where informing them is not required, prepare to meet the national obligations that apply when relying on the exemption:
- Data subjects must be informed about the secondary processing of their data, unless doing so would involve disproportionate effort (GDPR exemption).
- Controllers should consider cooperating with the original data controller (e.g. hospital) to comply with transparency requirements.
- Some EU Member States impose legal obligations when relying on the GDPR exemption (e.g. requiring prior authorisation and a detailed justification, as in France and Italy).
4. Clearly document how your project qualifies as “scientific research”:
- The GDPR does not clearly define “scientific research”, and interpretations vary across EU Member States, some of which provide no definition at all.
- This lack of harmonisation complicates the application of the GDPR research exemption and presumption of compatibility for further processing (i.e. that further processing for scientific research is compatible with the initial purpose).
5. Implement safeguards, even though standards vary across the EU:
- Secondary use of sensitive data is allowed only with appropriate safeguards (e.g. pseudonymisation, encryption).
- However, there is no EU-wide consistency on what safeguards should be implemented, who determines them, or how terms like “appropriate” or “anonymisation” are understood.
Our recommendations
- If the secondary use involves special categories of personal data (e.g. health data), identify a legal basis under Article 9.2 of the GDPR (e.g. consent, public health interest, scientific research).
- Conduct an assessment of the legal framework of the EU Member States involved in the research project, particularly around legal bases and transparency (i.e. do not assume that GDPR compliance ensures national compliance).
- Where there is no EU-harmonised definition, as in the case of scientific research, we suggest documenting the rationale for your decisions internally (e.g. documenting the scientific nature of a research project to demonstrate that it qualifies as scientific research).
- Monitor the implementation of the European Health Data Space (EHDS) Regulation, which will harmonise rules on secondary use of health data. Upcoming implementing acts and guidance are expected to further support its implementation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.