The Spanish Data Protection Agency’s legal department considers that the adoption of the General Data Protection Regulation on 25 May 2018 not only respects the existing regulatory framework in the field of biomedical research, but it also adapts the consent requirements to the specificities of the scientific research sector.

The concerns raised by the adoption of the General Data Protection Regulation (“GDPR“) are increasing in different activity sectors, particularly when using sensitive data, such as health data, and using new technologies when processing such data that are not under the control of the entities responsible for scientific investigations.

In light of the concern raised by the scientific society, the Spanish Data Protection Agency’s (“AEPD“) legal department has issued a report to clear certain interpretational doubts related to the concept of consent regulated in the GDPR as it affects the health data processing in the field of biomedical research.

After a comparative analysis between the GDPR, Draft of Organic Law on Protection of Personal Data, the regulation still applicable in the field of data protection (Organic Law 15/1999, of 13 December, on Protection of Personal Data and implementing regulations – Royal Decree 1720/2007, of 21 December–) and the regulations in the field of biomedical research (Law 14/2007, of 3 July, on Biomedical Research), the AEPD concludes that the legal basis to process personal data in the field of biomedical research is the express consent of the individuals, with the exception of:

  • the subject’s identification being anonymized by prior expert opinion of the Research Ethics Committee, or
  • the research intended to carry out is related and consistent with the initial investigation to which the individuals gave consent.

The AEPD declares that even without altering the existing legal framework in the field of biomedical research, the GDPR modulates the “specificity” and “unambiguous character” requirements that are mandatory for consent. Such modulation will likely cause that in the balancing of the interests at stake (the data protection of the individual and the benefits obtained by the scientific research), it will be considered that the risk to the rights and freedoms of the individuals is residual in comparison with the scientific advances resulting from the investigation.

Thus, the European legislator has sought to highlight in successive recitals of the GDPR that the scientific research sector is in constant evolution, that the concept of scientific purposes should be interpreted broadly and that precisely in this sector is where the characteristics of the consent in terms of specificity and unambiguous character must be interpreted in a more lax way.

Conscious of the difficulty in knowing, at the moment of data collection, the purpose of concrete and specific biomedical research for the data to be processed, the legislator opts to permit interested parties to facilitate their consent in certain areas or research fields without going into the detail of what they should be. It is precisely in this aspect where the AEPD adds that it is not necessary to give consent for a delimited branch of a particular research (for example, mentioning the type of cancer), but that it would be enough to include a wider branch of the investigation or even broader contexts.

This legal report constitutes a key factor in the efforts that the various data protection authorities are making to interpret the GDPR in key activity sectors so that adoption of the regulation on 25 May 2018 is as clear as possible for the different agents involved.