Data protection in the European Union 2

Published on August 31, 2015   29 min

Other Talks in the Series: Tissue in Research

Please wait while the transcript is being prepared...
FEMALE SPEAKER: With regards to the processing of data, Article 9 has the general provision about the ban on processing of sensitive data however it also, like the directive, provides for several exceptions. And consent is one of these exceptions like in the directive. It is possible to process sensitive data if it's necessary for health purposes, and subject to conditions and safeguards referred to in Article 81, which means safeguards of confidentiality and security of data. And finally importantly for this talk, processing is necessary for scientific research purposes, subject to the conditions and safeguards referred to in Article 83. This is very interesting. I will focus on that, let me just shortly summarize the consent provisions.
The process of genetic data for example, and personal data, health data, is allowed with consent. However this consent has to be explicit, and it is the controller who will bear the burden of proof for data subject consent. So it's not for the individual, the data subject, to prove that they have given their consent, this is for the controller to do that. If there are some competing or cumulative purposes for processing, the purpose requiring consent requirement must be clearly distinguished, which might pose several problems for research which trickles down from other research which is a continuation from other research projects. And also the consent, which is important, shall not provide a legal basis for the processing, where there is significant imbalance between the position of data subject and controller. Which means if the controller has the power over the data subject to ask for the data, and this data subject has really no choice but to keep the data in order to obtain let's say health care or some treatment, consent given by the data subject might be questioned. However, again, ambiguous provisions don't really say much about the situations in which this would be so. I guess we have to say that this would have to be decided by courts on a case by case basis or by data protection authorities in each country.