5 DATA PROTECTION PRINCIPLES
28. The principles relating to processing of personal data pursuant to Article 5 GDPR shall be respected by
the controller and processor, especially considering that a great amount of personal data may be
processed for the purpose of scientific research. Considering the context of the present guidelines, the
most important aspects of these principles are addressed in the following.
5.1 Transparency and information to data subjects
29. The principle of transparency means that personal data shall be processed fairly and in a transparent
manner in relation to the data subject. This principle is strongly connected with the information
obligations pursuant to Article 13 or Article 14 GDPR.
30. In general, a data subject must be individually informed of the existence of the processing operation
and that personal (health) data is being processed for scientific purposes. The information delivered
should contain all the elements stated in Article 13 or Article 14 GDPR.
31. It has to be noted that researchers often process health data that they have not obtained directly from
the data subject, for instance using data from patient records or data from patients in other countries.
Therefore, Article 14 GDPR, which covers information obligations where personal data is not collected
directly from the data subject, will be the focus of this section.
5.1.1 When must the data subject be informed?
32. When personal data have not been obtained from the data subject, Article 14 (3) (a) GDPR stipulates
that the controller shall provide the information “within a reasonable period after obtaining the
personal data, but at the latest within one month, having regard to the specific circumstances in which
the personal data are processed”.
33. In the current context, it has to be particularly noted that according to Article 14 (4) GDPR, where “the
controller intends to further process the personal data for a purpose other than that for which the
personal data were obtained, the controller shall provide the data subject prior to that further
processing with information on that other purpose”.
34. In the case of the further processing of data for scientific purposes and taking into account the
sensitivity of the data processed, an appropriate safeguard according to Article 89 (1) is to deliver the
information to the data subject within a reasonable period of time before the implementation of the
new research project. This allows the data subject to become aware of the research project and
enables the possibility to exercise his/her rights beforehand.
5.1.2 Exemptions
35. However, Article (14) (5) GDPR stipulates four exemptions of the information obligation. In the current
context, the exemption pursuant to Article (14) (5) (b) (“proves impossible or would involve a
disproportionate effort”) and (c) (“obtaining or disclosure is expressly laid down by Union or Member