A proactive GDPR-compliant solution for fostering medical scientific research as a secondary use of per-sonal health data

The secondary processing of personal health data for scientific research in the medical field is fundamental for fostering innovation and growing knowledge that improves individual and public health. Personal health data that are primarily processed for healthcare purposes by healthcare providers may be secondarily used by researchers for scientific purposes. However, the data controller shall assess the applicable grounds and conditions and then comply with the data protection framework to safeguard fundamental rights and freedoms. In this paper we analyse the legal requirements laid down on these aspects by the General Data Protection Regulation at the European Union level, which harmonises the general rules, and by two national implementations at the Member State level, Italy and France, which further regulate with specific conditions. After this comparative investigation, we propose a proactive, legal-technical e-health solution that complies with the rules and principles of the legal frameworks and empowers the individual’s control over personal health data while promoting medical research. To this end, the data protection by design concept plays a central role, and an interdisciplinary approach is fundamental in combining legal and technical perspectives.