Personal & sensitive data

The current European standard embodied by the RGPD is more "protective" and demanding than that expressed in the Loi vaudoise sur la protection des donnéesées personnelles (LPrD). Article 12 of the LPrD states that: "Where the processing of personal data requires the consent of the person concerned, that person shall not give valid consent unless he or she freely expresses his or her wishes after having been duly informed. In the case of sensitive data and personal profiles, consent must also be explicit.

Article 4 of the GDPR, for its part, defines the consent of the data subject as "any freely given, specific, unambiguous and unequivocal indication of the data subject's wishes";e et univoque par laquelle la personne concernée accepte, par une déclaration ou par un acte positif clair, que des données &eagrave; caractère personnels concernant lui soient l’objet d’un traitement ».

Consent is one of the 6 legal bases set out by the GDPR in order to allow the processing of personal data. The other legal bases are: a contract (the processing is necessary for its conclusion or performance), a legal obligation (the processing is necessary for compliance with a legal obligation), a vital interest (the processing is necessary to safeguard the vital interests of the individual), a public task (the processing is necessary for the performance of a task in the public interest), and a legitimate interest (the processing is necessary for the purposes of the legitimate interests of the controller).

As recalled by the CNIL in France in its document Régime juridique applicable aux traitements poursuivant une finalité de recherche scientifique: ‘The consent of individuals is the first legal basis to be considered in application of the general principle of informal self-determination’.

Consent will only constitute an appropriate legal basis if the person concerned has control and a real choice concerning acceptance or refusal of the conditions proposed or the possibility of refusing them without suffering prejudice. Valid consent can only be obtained before the controller begins to process the data.

A valid consent under European law therefore implies an expression of volition:

• Free: the person must not feel compelled to consent and his or her consent must not be conditional on the granting of an advantage.
• Specifically: consent must be obtained on a purpose-by-purpose basis and not for a set of purposes. This means that if the data controller wishes to process the data for another purpose, it must seek further consent.
• Clear consent: clear consent is closely linked to the principles of transparency and fair processing. This means knowing the identity of the data controller, the purposes of the processing and the legal bases, etc.
• Unambiguous: consent must be given by a clear positive act. Silence or inactivity on the part of the person concerned, as well as the mere fact that he or she continues to use a service, cannot be considered as an active indication of choice.

In addition, the controller must retain proof of consent in the event of a control.

It should be noted that the processing of sensitive data must also be subject to the collection of explicit consent. Oral consent is therefore not sufficient to process sensitive personal data.

Source

The following safeguards should be put in place to ensure the security and confidentiality of data collected in the context of scientific research:

• the principle of relevance and minimisation of the data processed must be respected ;
• data anonymisation or pseudonymisation;
• a system of secure and controlled access must be developed;
• finally, it is highly likely that, in most cases, the processing carried out in this context will require a data protection impact assessment (AIPD ou PIA) to be carried out in accordance with Article 35 of the GDPR. The AIPD must be distinguished from the data management plan.

Source: CNIL - Legal regime applicable to processing for scientific research purposes