University of Bordeaux – Violation Found (France, 2023)

The University of Bordeaux, the data controller, applied for authorisation to undertake automated processing of personal data from the French DPA under Article 36 GDPR. The controller aimed to carry out the processing for a study comparing health trajectories leading to cardio-metabolic diseases on a national scale in order to evaluate the interoperability of European health data. The project was selected by the European Commission as part of a 'European Health Data Area' pilot. Hence, the DPAs from Denmark, Finland, Norway and Hungary will also need to authorise similar studies to compare the aggregated results. The French DPA authorised the project by the data controller on the basis that it met a number of obligations imposed by the GDPR. Firstly, that the purpose of processing was determined, explicit and legitimate in accordance with Article 5(1)(b) GDPR when considering the project's objectives. Secondly, the processing of health data was lawful as it was necessary for the execution of a task carried out in the public interest, per Article 6(1)(e) GDPR, and was also necessary for scientific research purposes under Article 9(2)(j) GDPR. Thirdly, that the data was adequate, relevant and limited to what was necessary for the purposes of processing under Article 5(1)(c) GDPR, as the data was scientifically justified in the data controller's application and further filtering would be carried out before being transmitted to the hosting [https://www.health-data-hub.fr/page/faq-english Health Data Platform;] a French public structure whose objective is to enable project coordinators to access non-nominative data hosted on a secure platform. Fourthly, since the data would only be accessible for a period of 5 years (after which it would be deleted or anonymised), the data controller would not be exceeding the period necessary for the collection and processing purposes of the data pursuant to Article 5(1)(e) GDPR. The data controller was also not required to individua