02/01/2024
Ensuring that personal data are processed in compliance with the EU's General Data Protection Regulation (GDPR) is a significant challenge for research organisations, yet one of the most fundamental requirements, correctly defining the purpose of data processing, remains widely misunderstood. The article "Purpose definition as a crucial step for determining the legal basis under the GDPR: implications for scientific research", co-authored by Davit Chokoshvili, an EPND partner from the Luxembourg National Data Service, in the Journal of Law and the Biosciences, offers practical, actionable guidance to help researchers and data controllers navigate this complexity.
Under the GDPR's accountability principle, data controllers (the parties responsible for determining why and how personal data are processed) must not only ensure compliance but also be able to demonstrate it. A correctly specified processing purpose is the essential starting point for this: it informs which data need to be collected, which legal basis applies, how long data may be retained, and how data subject rights must be respected. Despite this central role, neither the GDPR itself nor guidance from the European Data Protection Board prescribes how purposes should actually be defined. The authors fill this gap by deriving concrete requirements for purpose specification directly from the GDPR's text and translating these into a practical four-step iterative framework that researchers can follow.
Applying this framework to scientific research, the authors walk through several common scenarios, including the pursuit of an individual research project, sharing data with an external researcher, and depositing data in a repository or biobank. A key insight is the importance of distinguishing between different types of purposes. Misidentifying these can lead to invalid consent and unlawful data processing, as illustrated by a real case examined by the Italian data protection authority.
The article also demonstrates how purpose specification directly enables controllers to identify the appropriate GDPR legal basis, the misidentification of legal bases being the single most frequently cited issue in GDPR fines across Europe. Using examples such as the publication of research results and pseudonymisation of data, the authors show how the same underlying processing activity may require different legal bases depending on the purpose it serves. The authors conclude with a discussion of how these principles apply to the evolving EU legislative landscape, including the proposed European Health Data Space (EHDS) Regulation, noting that even legislative proposals must take purpose specification seriously if they are to create effective and workable legal frameworks for data reuse.
Access the article on the publisher's website.