KSAPDPL.COM

PDPL Implementing Regulation Article 30 – Collection and Processing of Data for Scientific, Research, or Statistical Purposes

Implementing Regulation of PDPL Article 30 outlines the conditions under which Controllers may collect and process personal data without consent, specifically for scientific, research, or statistical purposes. The emphasis is on minimal use, purpose specification, data protection, and minimizing risks to individuals.

When collecting or Processing Personal Data for scientific, research, or statistical purposes without Data Subject’s consent, the Controller shall commit to the following:

Implementing Regulation of PDPL Article 30 (1)

Purpose Must Be Recorded

Clearly and accurately specify the scientific, research, or statistical purposes in the records of Personal Data Processing activities.

Implementing Regulation of PDPL Article 30 (2)

Minimize Collected Data

Take the necessary measures to ensure that only minimal Personal Data necessary to achieve the specified purposes is collected.

Implementing Regulation of PDPL Article 30 (3)

Apply Pseudonymisation

Pseudonymise Personal Data that is being processed, in cases where this does not impact the achievement of the Processing purpose.

Implementing Regulation of PDPL Article 30 (4)

Avoid Negative Impact

Take the necessary measures to ensure that the Processing does not have any negative impact on the rights and interests of the Data Subject.

Explanation of Implementing Regulation of PDPL Article 30

Specify and document:

Implementing Regulation of PDPL Article 30 (1) says that the Controller must record, in the processing records, the exact scientific, research, or statistical purpose for which personal data is being used.

Limit to necessity:

Implementing Regulation of PDPL Article 30 (2) says that only the data strictly needed to fulfill the scientific or statistical purpose can be collected. Unnecessary data collection is prohibited.

If the goal is still achievable:

Implementing Regulation of PDPL Article 30 (3) says that, where it doesn’t affect the research outcomes, the Controller should pseudonymize the personal data to enhance privacy and reduce identifiability.

Protect individuals’ rights:

Implementing Regulation of PDPL Article 30 (4) says that the processing must not adversely affect the rights, freedoms, or interests of the data subjects. Risk assessments and safeguards are essential.
