Use of personal data in research
In general, research occupies a privileged position within the General Data Protection Regulation (GDPR). Organisations that process personal data for research purposes may avoid restrictions on secondary processing and on processing sensitive categories of data. As long as they implement appropriate safeguards, these organisations also may override a data subject’s right to object to processing and to seek the erasure of personal data.
Additionally, the GDPR may permit organisations to process personal data for research purposes (as a primary purpose) without the data subject’s consent. In isolated cases, these organisations may be able to transfer personal data to third countries for research purposes, without any other transfer mechanism in place.