04 July 2023 


Chiara D’Elia – Stefano Tramacere 



Consent is the first legal basis for the processing of special categories of data, including health data, and must be free, specific, informed, and unambiguous. This concept is quite different from the informed consent to participate in a study.  

Statistical and scientific research purposes, however, are promoted under article 9, §2, sub j) and article 89 GDPR: such data processing activities are considered lawful per se if specific conditions are met (e.g. pseudonymization and encryption of data flows).

Regarding secondary use for scientific purposes, an interpretative issue may arise, considering that informing the data subject is in any case a pillar of research compliance activities. Moreover, article 5 GDPR states that scientific research is per se a compatible purpose of secondary use of data under the conditions stated in article 89 GDPR.

  • Is the consent of the data subject required to allow secondary use of the data collected and processed for a purpose different from the initial one?  
  • For instance, if a clinical center collects data for healthcare purposes, may a research center reuse those data for scientific research? What are the conditions for lawfully processing the data?


According to an interpretation of EU law by the European Data Protection Board (EDPB), consent alone is not an appropriate legal basis for the processing of data relating to scientific research when there is a power imbalance between the data subject and the data controller, as indicated in EDPB Opinion 3/2019, CTR & GDPR. This interpretation is also supported by EDPB Guidelines 05/2020, which emphasize that the GDPR does not allow data controllers to ignore the crucial principle of explicitly stating the purposes for which the data subject’s consent is required. Therefore, where data processing is performed for scientific research and consent to that processing cannot be fully specified, data controllers must seek alternative approaches to ensure the core requirements of consent (listed above) are effectively fulfilled.


The Italian Data Protection Authority (IDPA) recently issued a significant opinion on consent and secondary use of health data. The case concerned a hospital that had considered secondary use to be lawful based on the initial consent, deeming it compatible with the initial purpose and therefore legitimate, and that had only received subsequent approval from the ethics committee. Indeed, the Italian Privacy Code provides that data processing activities for scientific research purposes may be carried out without the consent of all the patients in two cases. The first case is when, for special reasons of an objective nature, it would be impossible to ask for consent. The second case is when asking for the data subjects’ consent would involve a disproportionate effort, or would risk making it impossible to attain the research aims or seriously undermining their attainment. However, under article 110 of the Italian Privacy Code, this is possible only under certain conditions:

  1. the research project must be subject to a favorable decision of the competent ethics committee; 
  2. the data controller has taken appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, or has submitted a DPIA for prior consultation with the authority pursuant to article 36 of the GDPR.

Pursuant to article 110 bis, the reuse of data for research purposes may follow an IDPA authorization, unless the data controller is an IRCCS (Istituti di Ricovero e Cura a Carattere Scientifico, which translates loosely to ‘Scientific Hospitals and Care Institutions’).

In this regard, concerning the processing of sensitive data such as health data, the IDPA stated that if a healthcare institution or research institute intended to carry out a study in which individually informing and obtaining consent from all patients would not be feasible due to organizational constraints, it would nevertheless be obliged to make reasonable efforts to contact them (e.g., by verifying their status, consulting clinical records, etc.). Additionally, the data controller must initiate a special procedure with the IDPA as per Article 36 of the GDPR and expect feedback within a maximum of 14 weeks, a deadline which may be further extended. The IDPA also explicitly ruled out the compatibility of this case’s secondary use purpose with the original one. It stated that data subjects should have the ability to grant consent only within specific areas of research, in accordance with the intended purpose. The principle of consent’s specificity and granularity cannot be bypassed or compromised. On this subject, the IDPA has emphasized the importance of defined purposes for any further processing. This ensures that a solid legal basis for the processing of data for scientific research purposes can be progressively established. Hence the need to develop a new concept of consent that moves in a dynamic perspective and aims to simplify existing obligations in data processing.


  • Instead of contacting individual data subjects separately, the data controller could create legally valid and comprehensive information templates applicable to various purposes.
  • The controller would only need to contact users again if the subsequent data processing deviates from the general guidelines specified in the initial information notice.  
  • In the case of a data controller being a public entity responsible for personal care, specialized channels for data reuse could be established for scientific research purposes. This would allow individual users to observe how their data are processed for research on dedicated websites, using specific digitized systems to track the complex flow of their data.