That legal basis should only be used when no other reason is available, such as in a medical emergency. The GDPR requires all controllers and processors to have a valid legal basis for processing personal data. The processing of your personal data is necessary to protect your life. This legal basis can only be used when there is no other way to save a life. For example, you are in immediate danger, but unconscious or mentally incapable of giving consent. Or aid needs to be provided immediately in the event of a major disaster. The processing of personal data is necessary for a contract you have with an organization. For example, your personal data needs to be processed when you work for an organization. In this case, you have a contract with this organization. A contract does not need to be as formal as an employment contract. This legal basis can also be used if you have a subscription to a magazine, an online service, an internet subscription for your mobile phone, etc. You have clearly agreed to the processing of your personal data for a specific purpose.
An organisation may ask for your consent to process your personal data. They must provide you with all the information you need about that specific processing activity. The information must not be ambiguous and it must be clear to you what specific use of your personal data you are consenting to. Of course, you must be able to give your consent freely. The organization must not force or induce you to give your consent. You can revoke your consent at any time. For children, consent must sometimes be given by their parents or guardians. These public interest tasks must have a legal basis (i.e. be defined by law). It is a statutory function in most cases, but it may also constitute other public interest functions that have a constitutional, customary or other non-legislative legal basis.
Vital interests should cover only those interests essential to a person's life. This legal basis is therefore very limited in scope and generally applies only to matters of life and death. When consent is obtained from research participants, they are usually told how their information will be used. In recent guidance on the interaction between the GDPR and clinical investigation rules, the European Commission[5] and the European Data Protection Board[6] have identified two types of processing relevant for clinical investigations: research activities and activities related to quality and safety monitoring. Section 2. General mandate. “The University. Provide research and consulting services and provide advanced leadership in their areas of expertise. Section 10 Science and technology are crucial to national development and progress. The State shall give priority to research and development, invention, innovation and their application; and education, training and scientific and technological services. It is primarily a legal function, but it may also constitute other public interest functions that have a constitutional, customary or non-statutory legal basis. The Article 29 Working Party (“WP29”), the predecessor of the European Data Protection Board, states: “There is no exception to this requirement for scientific research.
If a controller receives a request for revocation, it must delete the personal data immediately. [4] If withdrawing consent is not possible or is likely to significantly affect processing, consent is not the appropriate legal basis to invoke. You must be able to explain your legal basis for processing personal data in your privacy policy and when responding to a data access request. It supports adequate and independent national scientific and technological capacities and their application to the country's production systems and national life. The European Data Protection Board provides two relevant legal bases for the use of sensitive personal data for research purposes: public interest (Article 6(1)(e)) and legitimate interest (Article 6(1)(f)). Where the person conducting the investigation does not have a legal mandate to do so, the legitimate interest should be taken into account. A legitimate interest may not be invoked by authorities generally invoking Article 6(1)(e). Article 6(1)(f) may be invoked where the “fundamental rights and freedoms of the data subject” do not override the legitimate interests of the controller (or a third party). To this end, these interests must be weighed against each other. Understanding your legal basis for processing personal data is the best starting point for proper data processing.
In the EU, marketing authorisation holders are required to carry out pharmacovigilance activities at national level under both EU law (Regulation 726/2004, Directive 2001/83/EC laying down Implementing Regulation (EU) No 520/2012) and Member State legislation. Accordingly, pharmacovigilance activities carried out in accordance with that requirement may be based on point (i) of Article 9(2) and point (c) of Article 6(1) (“compliance with a legal obligation to which the controller is subject”). In the context of health research, the scales are tilted in favour of the controller when the interest benefits the wider community (for example, the development of a new drug or a better understanding of a pathology) rather than simply being the commercial interest of the controller. You must determine your legal basis before starting processing and you must document it. The choice of legal basis depends on the purpose of the data processing. Note: this legal basis only applies to these bodies when they perform tasks within their legal competence. You may need to process the same personal data for different purposes. Each of these purposes must have a valid legal basis (not necessarily the same legal basis).