For what purposes may personal data be processed?
Processing of personal data always requires a defined purpose and a lawful basis for processing. This also applies to the secondary use of social and health data.
The data controller applying for a Findata permit must define the purpose and legal basis before submitting the application.
Purpose of processing
Why personal data is being processed
Legal basis for processing
The legal ground on which processing is permitted
Permitted purposes under the Secondary Use Act
Individual-level social and health data may be used under the Secondary Use Act for:
statistics
education
planning and reporting duty of an authority
Findata always grants permits for a predefined purpose. A new purpose requires a new permit.
Legal basis for processing in research
The GDPR sets out the lawful bases for processing. In scientific research, processing is typically based on the performance of a task carried out in the public interest.
▸ Legal bases for processing personal data under the GDPR
- consent of the data subject
- contract
- legal obligation of the controller
- vital interests of the data subject
- task carried out in the public interest or exercise of official authority
- legitimate interests of the controller or a third party
Note that data subject’s consent to participate in research is not the same as consent as a legal basis for processing personal data.