Legal bases

On this page: legal basis, legal ground, consent, public interest, legitimate interest, secondary use
Date of last review: 2023-10-02

Many scientific research projects process personal data. According to the GDPR, you can only process personal data if you have a “reason”, or a legal basis, to do so: why is it necessary to use these personal data? For you as a researcher, it is important to know your legal basis for processing personal (research) data, as this not only indicates whether the processing of your research data is lawful, but also determines key actions you should take, such as which information you need to provide to data subjects, and whether you need to ask for consent. There are 6 possible legal bases, which are outlined below. In research, the legal bases “public interest”, “consent”, and to some extent “legitimate interest of the controller or a third party” are usually most suitable.

Legal bases suitable for research

1. Public interest

   Public interest can be used to perform scientific research when the research is shown to clearly benefit the public good or when it fulfills a public task. In essence, public interest can be used for research that is conducted by employees of public institutions, when their research interest has been recognised by an official authority. For example, conducting research at Dutch universities has been officially recognised in the Higher Education and Scientific Research Act to be a public task. Read more on when and how to use public interest.
2. Consent

   Consent is a frequently used legal basis in research. Usually, GDPR-consent (i.e., consent to process personal data) is combined with ethical informed consent (i.e., consent to ascertain that data subjects are informed and participate voluntarily). When using consent, you should be able to demonstrate that the data subject was informed and has given consent, and for which purpose(s) they gave their consent. In all cases, consent has to be freely given, specific, informed and unambiguous. Read more on when and how to use consent.
3. Legitimate interest of the controller or a third party

   Legitimate interest of the controller or a third party is a less often used legal basis to use personal data in scientific research. It is often used by companies to process personal data that are necessary for their company’s functioning. In research, legitimate interest is often used for processing activities that do not directly benefit society in general. Also, research that does not serve a public but a private interest, can be performed on this legal basis. Read more on when and how to use legitimate interest.

Legal bases generally not suitable for reseach

4. Processing is necessary because of a legal obligation of the controller

   This legal basis is rarely suitable for research. As an example, Utrecht University has to share tax data with the Dutch tax administration to comply with tax legislation. Another, research-related, example is the use of Covid-19 related legislation, where data were collected based on a legal obligation, and were consequently used for research on public health (see EDPB, 2020).
5. Processing is necessary for the performance of a contract

   This legal basis is not very common in research. As an example, Utrecht University has contracts with its employees, which require it to manage the employee’ financial data. In research, this legal basis could in some cases be used when participants are recruited using a contract, i.e., they are properly hired to work on the research project. As long as the contract is valid under European law, and the processing is necessary, then this legal basis could be used.
6. Processing is necessary to protect the vital interests of the data subject or someone else

   This legal basis is likely not suitable for research. If processing someone’s personal data is crucial to someone’s health or even life, that processing is allowed under the GDPR.

For different purposes in your research project, a different legal basis may apply.

For example:

• you may use public interest for collecting, storing, analysing and publishing the data, and ask consent to contact data subjects again for a follow-up study.
• you may use consent for making, sharing, distributing and reusing audio or video recordings of an interview, and public interest for transcribing and analysing the interview.

Further processing for research purposes

It may happen that you want to process personal data for other purposes than previously specified (e.g., because you formulated an additional research question), or you want to reuse previously collected personal data in your research. In these cases, it may be possible to apply GDPR article 5(1)(b), which states:

“further processing for […] scientific purposes shall […] not be considered to be incompatible with the initial purposes”.

Basically, this means that personal data that were previously collected for any purpose, can be reused for scientific research, even when the personal data were initially collected for non-scientific research purposes. Using this exemption is only allowed if you (art. 89):

1. put in place sufficient safeguards to protect the personal data
2. inform data subjects about the further processing (if possible), and
3. allow them to exercise their rights.

But you need to do this anyway.

“Further processing” is not a legal basis. Instead, it functions as a way to legitimise - for research purposes - further processing of personal data that were previously collected for a different purpose. At the moment, it is unclear if this further processing exemption for scientific research holds for data that were originally collected based on consent. This is because valid consent should be specific, suggesting that the further processing should fall within the specific boundaries of the original consent (i.e, the purpose of the further processing should be compatible with the original purpose, rec. 50). The European Data Protection Board has announced that it will provide guidelines for reusing personal data for scientific research in the future, which should make this issue more explicit. For the time being, it is better to stay on the safe side and not rely on this derogation when consent was the original legal basis.

---

Data Privacy Handbook

The information presented here is provided as is, with no guarantees of accuracy or completeness. For the most up-to-date information, please refer to your privacy officer, the university website or intranet. We cannot be held responsible for any negative consequences due to incorrect interpretation or use, and inconsistencies with policies/views of other institutions.

Privacy policy | Cite the Data Privacy Handbook