- Pursuant to §16 of the Data Protection Act, where data is processed for the purposes of archiving, scientific and historical research, a controller or a processor shall implement specific measures in order to protect the interests of data subjects. While choosing appropriate measures, controllers and processors must take into account the current state, costs of implementation; nature, scope, context and purposes of processing as well as the risks for rights and freedoms of individuals posed by such processing.
Such measures may include:
(a) technical and organisational measures ensuring the fulfilment of the obligation under Article 5(1)(c) of GDPR;
(b) creation of personal data processing records, at least for personal data operations, such as collection, insertion, modification and deletion of personal data, which enable detection and identification of the person performing the operation, and the retention of those records for at least 2 years after the operation;
(c) informing employees and other persons processing personal data about their personal data protection obligations;
(d) appointment of a data protection officer;
(e) specific restrictions on access to personal data;
(f) pseudonymisation of personal data;
(g) encryption of personal data;
(h) measures to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
(i) measures to restore the availability of personal data and timely access to such data in the case of incidents;
(j) the process of regular testing, assessment and evaluation of the effectiveness of applied technical and organisational measures to ensure processing safety;
(k) special restrictions on the transfer of personal data to a third country; and
(l) special restrictions on processing personal data for other purposes.
Pursuant to Article 16(3) of the Data Protection Act (unless specified by law otherwise), the controller may limit, in an appropriate manner, certain data subject rights, including right to access, right to object, etc. (Articles 15, 16, 18 or 21 of GDPR) and the application of general GDPR principles (Article 5 GDPR), when the controller processes personal data for the purposes of archiving, scientific and historical research.
Moreover, when the processing is necessary for the purposes of scientific research and the provision of information would result in a disproportionate effort, the controller shall not exercise the right to access (Article 15 GDPR) or apply general GDPR principles (Article 5 GDPR).