Do processors have a responsibility to check whether controllers are GDPR compliant?
No. The responsibility flows the other way. Data controllers must ensure that data processors are compliant with the GDPR. Processors are responsible for ensuring their own legal compliance and that of sub-processors.
When can data be transferred to a country outside of the EEA or to an international organisation?
Data can be transferred to a country outside of the EEA (known as third country) or to an international organisation without specific authorisation, provided it has been assessed by the European Commission as having an adequate level of protection (referred to as an adequacy decision).
At the time of writing, the Commission has recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as adequate. Adequacy talks are ongoing with Japan and South Korea. Adequacy decisions can be added, amended or invalidated, so check the Commission's current list before relying on one.
For more on adequacy decisions see the European Commission website.
Where there is no adequacy decision, data can still be transferred to a country outside of the EEA or to an international organisation if the data controller or processor has put in place appropriate safeguards (for example standard contractual clauses or binding corporate rules), data subjects have enforceable rights, and effective legal remedies are available.
Where there is no adequacy decision and no appropriate safeguards (including binding corporate rules), data can still be transferred under specific conditions known as derogations. In the context of health and care research, the relevant condition is explicit consent from the data subject, given after they have been informed of the possible risks of the transfer.
Anonymised data is not personal data under the GDPR, so it can be transferred outside of the EEA without being subject to any of the requirements above. Note that pseudonymised data (for example data where a key held by the researcher could re-identify individuals) is still personal data and remains subject to these requirements.
Does ‘scientific research’ in the GDPR include social care research?
It could be argued that ‘scientific research’ does not include social care research. However, we believe that the drafting of the GDPR suggests that ‘scientific research’ does include social care research.
The regulation states that the processing of personal data for scientific research purposes should be interpreted in a broad manner including, for example, technological development and demonstration, fundamental research, applied research and privately funded research. It also states that scientific research purposes include studies conducted in the area of public health. The fact that these are given as examples shows this list is not exhaustive.
The regulation also discusses research using registries:
- within social science, research on the basis of registries enables researchers to obtain essential knowledge about the long-term correlation of a number of social conditions such as unemployment and education with other life conditions.
- research results obtained through registries provide solid, high-quality knowledge which can provide the basis for the formulation and implementation of knowledge-based policy, improve the quality of life for a number of people and improve the efficiency of social services.
This demonstrates that social research is within the remit of research in the GDPR and social care research is therefore subject to the same requirements as medical research.
Can there be joint controllers?
The GDPR provides for joint controllers where two or more controllers jointly determine the purposes and means of processing. The same responsibilities apply but they have room to make agreements regarding who will be responsible for complying with obligations under the regulation. Joint controllers must do this in a manner which is transparent and respects data subjects’ rights.
In the health and care research context it is expected that the sponsor will be a controller. In some cases, another organisation will be delegated significant decision-making responsibilities in relation to the data, for example where a clinical trial unit hosted by one organisation is responsible for designing a study and analysing the data for a separate sponsor. In such cases, a joint controller arrangement may be appropriate.
Does the GDPR mean that every contract needs to be varied?
We do not yet have clarity about whether the GDPR means that all contracts in a research setting need to be varied. We are awaiting guidance about standard contract clauses from the Information Commissioner’s Office.
For their current position on standard contractual clauses, please refer to the ICO website.