GDPR — General Data Protection Regulation
Overview
The General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) is the EU’s primary legal framework governing the collection, processing, storage, and transfer of personal data relating to individuals in the European Union and European Economic Area. Adopted by the European Parliament and Council on 27 April 2016 and entering into application on 25 May 2018, it replaced Directive 95/46/EC and introduced a single harmonised legal framework across all EU member states, with direct applicability in national law without further transposition. It applies to any organisation processing the personal data of EU residents regardless of where the organisation is located. Its significance for neuroscience research is substantial: clinical records, genetic and genomic data, and neuroimaging data from identifiable participants are all personal data under GDPR, with health data and genetic data further designated as special categories under Article 9, requiring a stronger legal basis and additional safeguards.
Key Principles and Legal Bases
Article 5 of GDPR establishes seven principles governing all personal data processing:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Processing requires a lawful basis under Article 6; for research the most relevant are public task (Article 6(1)(e)) and consent (Article 6(1)(a)). Special category data additionally requires an Article 9(2) condition, typically explicit consent (Article 9(2)(a)) or the scientific research derogation (Article 9(2)(j)). In French academic research, consent and public task are the two main Article 6 lawful bases applied under national health research frameworks.
Special Categories and the Research Derogation
Health data, genetic data, and biometric data are special categories under Article 9 and are prohibited from processing except under specific derogations. For scientific research, Article 9(2)(j) permits processing of special category data for scientific research purposes subject to appropriate safeguards under Article 89. Article 89 requires that technical and organisational measures ensure the data minimisation principle is respected, in particular through pseudonymisation. Where research purposes can be fulfilled without identifying individuals, they must be. These provisions form the legal foundation on which French research frameworks are built, including the Code de la Santé Publique access regime, CNIL reference methodologies, and the Health Data Hub Datalab.
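Pseudonymisation in the sense of Article 89 means splitting a dataset into the research data itself and a separately held link table, so that the records researchers work with no longer carry direct identifiers and the key is what re-links them. The following Python is an added illustration written for this page, not code from the regulation, from CNIL or from any French framework; the field names, the sample records and the keyed HMAC-SHA256 construction are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample records (hypothetical field names, not real people):
# direct identifiers sit alongside the data the research actually needs.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Alice Martin", "dob": "1971-03-14", "national_id": "FR-000123",
     "scan_id": "MRI-01", "diagnosis": "MS"},
    {"name": "Bruno Leroy", "dob": "1985-11-02", "national_id": "FR-000456",
     "scan_id": "MRI-02", "diagnosis": "control"},
]

# Fields that identify a person directly and must not reach the research set.
DIRECT_IDENTIFIERS = ("name", "dob", "national_id")


def pseudonym(controller_key: bytes, identifier: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier under a secret held by
    the controller.  Without the key, the pseudonym cannot be recomputed from
    a guessed identifier, unlike a plain unkeyed hash."""
    return hmac.new(controller_key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: List[Dict[str, str]], controller_key: bytes
                 ) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Split records into a research set (no direct identifiers) and a link
    table (pseudonym -> identifiers) to be stored separately from the data."""
    research_set: List[Dict[str, str]] = []
    link_table: Dict[str, Dict[str, str]] = {}
    for record in records:
        pid = pseudonym(controller_key, record["national_id"])
        # Data minimisation: keep only what the research purpose needs and
        # generalise the date of birth to a year.
        research = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        research["pid"] = pid
        research["birth_year"] = record["dob"][:4]
        research_set.append(research)
        link_table[pid] = {k: record[k] for k in DIRECT_IDENTIFIERS}
    return research_set, link_table


def reidentify(link_table: Dict[str, Dict[str, str]], pid: str):
    """Controller-side re-linking, e.g. to honour a participant's Article 17
    erasure request; returns None for an unknown pseudonym."""
    return link_table.get(pid)


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # held by the controller, never shipped with the data
    research, links = pseudonymise(SAMPLE_RECORDS, key)
    for row in research:
        print(row)
    print("re-linked:", reidentify(links, research[0]["pid"]))
```

The key and the link table are what keep the data re-identifiable, so they stay with the controller and never travel with the research set; while they exist the research set is still personal data under GDPR, which is why pseudonymisation is a safeguard under Article 89 rather than a way out of the regulation.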
Data Protection Officer
Article 37 requires organisations whose core activities involve large-scale processing of special category data to designate a Data Protection Officer (DPO). This applies to most academic research institutions, hospitals, and biobanks. The DPO advises on GDPR compliance, monitors processing activities, and serves as the contact point for the national supervisory authority.
French Implementation
In France, GDPR is given effect through the Loi Informatique et Libertés (loi n° 78-17 of 6 January 1978, as substantially amended by loi n° 2018-493 of 20 June 2018). CNIL is France’s designated national supervisory authority under Article 51, responsible for authorising health and genomic research data processing and issuing reference methodologies that allow qualifying studies to proceed without individual authorisation. Sanctions under GDPR reach up to €20 million or 4% of global annual turnover for the most serious infringements, enforced nationally by the supervisory authority and coordinated across member states through the European Data Protection Board (EDPB).
Connections
- French supervisory authority: CNIL
- Sectoral implementation: EHDS (European Health Data Space builds on GDPR for health data secondary use)
- French research framework: Code de la Santé Publique
Resources
- https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679 (Official Journal full text)
- https://gdpr-info.eu (consolidated, article-by-article reference)
- https://edpb.europa.eu (European Data Protection Board, cross-border enforcement coordination)
- https://www.cnil.fr/fr/reglement-europeen-protection-donnees (CNIL GDPR guidance for France)