Overview
This article ensures that processing of personal data for archiving in the public interest, scientific or historical research, or statistical purposes is subject to appropriate safeguards, such as data minimization and pseudonymisation. Certain derogations from data subject rights may apply where necessary, provided safeguards are implemented to protect individuals’ rights and freedoms.
Key Principles
Purpose Limitation: Processing is restricted to archiving, research, or statistical objectives.
Safeguards: Employ data minimization, pseudonymisation, and other technical and organizational measures.
Rights Derogations: Some data subject rights may be limited when necessary for the stated purposes.
Compliance: Processing must align with GDPR while protecting individuals’ rights.
Accountability: Controllers and processors must document safeguards and derogations applied.
Organizational Applicability
This article applies to:
Public authorities and research institutions processing personal data for archiving, scientific, historical, or statistical purposes.
Supervisory authorities overseeing compliance with GDPR safeguards and derogations.
Controllers and processors implementing technical and organizational safeguards.
Legal and compliance teams monitoring research and archiving projects.
Implementation Requirements
Apply technical and organizational safeguards, including pseudonymisation and data minimization.
Restrict processing to archiving, research, or statistical purposes.
Document any derogations from data subject rights and ensure they are justified.
Maintain records demonstrating compliance with safeguards and purpose limitations.
Implementation Guidance
Establish internal procedures for research or archival data processing with safeguards.
Train staff on the application of pseudonymisation, data minimization, and legal derogations.
Review and update safeguards periodically to ensure ongoing compliance.
Ensure supervisory authorities can audit and verify proper implementation of safeguards and derogations.
Periodic Review
Frequency: Annually or when new research, archiving, or statistical projects commence.
Responsible Role: Compliance Team, Data Protection Officer (DPO), or Legal.
Outcome: Ensure lawful, ethical, and safeguarded processing for archiving, research, and statistical purposes.
Non-Compliance Risks
Fines: Up to €20 million or 4% of global annual turnover for GDPR violations.
Legal Exposure: Challenges from improper derogations or failure to implement safeguards.
Reputational Damage: Loss of trust in research, archival, or statistical activities.
Operational Risk: Inadequate safeguards may compromise data subjects’ rights and regulatory compliance.