German DPAs Publish Resolution On Concept Of ‘Broad Consent' And The Interpretation Of 'Certain Areas Of Scientific Research'

Author:Mr Arne Senger and Sven Schonhofen LL.M.
Profession:Reed Smith (Worldwide)

On 3 April 2019, the Conference of German Data Protection Authorities ('German DPAs') published a resolution on the interpretation of "certain areas of scientific research" in Recital 33 of the GDPR and the concept of 'broad consent' ('Resolution').

According to Recital 33 of the GDPR, it "is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research." This is considered the concept of 'broad consent'.

Consent as defined in Article 4 (11) GDPR must be "specific". This requirement is closely related to the principle of purpose limitation. The German DPAs point out in the Resolution that the term "certain areas of scientific research" is closely linked to the principle of purpose limitation. The term has to be distinguished from the broadly understood term of "scientific research" in Article 89 GDPR and interpreted rather narrowly.

The German DPAs state that such a broad consent can only come into play in exceptional cases, where at the beginning of a scientific research project, it is not possible to fully identify the purpose of the data processing at the time of data collection. However, according to the German DPAs, the broad consent does not exempt the controller from determining certain mechanisms, which limit the collection of personal data in a comprehensible manner. It accordingly should not be sufficient to just refer to a research area, as informed consent at least requires further specifications about the respective research project.Hence, the German DPAs conclude that whenever broad consent is unavoidable to achieve the research purpose, the following or similar measures should be considered to compensate for the abstract definition of the research purposes. These measures shall support transparency, building trust, and data security:

i. Additional safeguards to ensure transparency

Utilisation of usage regulations or research plans that illustrate the...

To continue reading