Withdrawal of consent for processing personal data in biomedical research

Key Points

This article argues that in the context of biomedical research, there are several distinct rights and interests that need to be reconciled: the interests of individuals to control the processing of their personal data, the interests of biomedical research entities to continue processing the personal data collected, and the public interest in creating an optimal environment for the development of biomedical research.
This article suggests that, in the absence of sectoral law allowing the continuation of the processing after withdrawal, a layered system allowing individuals to modify their preferences and to file partial withdrawal requests could reconcile the rights and interests at stake.
A framework for assessing the effects of withdrawal is proposed, consisting of a balancing exercise, based on the principle of proportionality and in light of the fundamental rights at stake.

In the context of biomedical research, consent is both a ground for the lawful processing of personal data and a bioethical requirement for participation in scientific research projects. While the conditions for obtaining valid consent are extensively discussed in legal and bioethical literature, withdrawal of consent has received considerably less attention. According to the EU General Data Protection Regulation (GDPR), data subjects have the right to withdraw their consent at any time, but the duties of the entities processing personal data are not clearly defined in the text of the Regulation. Pursuant to Article 7 GDPR, withdrawal ‘shall not affect the lawfulness of processing based on consent before its withdrawal’, but there is no clear specification of the rules governing what happens after this moment. The assumption underlying this article is that a participant expresses a valid consent for the collection and processing of personal data and, at a certain point during the research life-cycle, decides to withdraw her/his consent. This decision would, prima facie, result in an obligation of the data controller to cease processing the data. However, when more closely examined, there are practical, legal, and ethical reasons why this might not always be the optimal solution. Stopping the processing after receiving a withdrawal request is not an absolute mandate. Pursuant to the GDPR, consent is one of six grounds for lawfulness, and processing personal data could rely on an alternative ground (eg, legitimate interest or compliance with a legal obligation) after the moment when consent is withdrawn. However, such a practice might deplete the right to withdraw of its content and frustrate the expectations of data subjects who consented to the processing of their personal data, affecting the fairness of the processing.
The practice of providing and retracting consent for participation in biomedical research brings about specific challenges because of the sensitive nature of the data processed, the overlap with bioethical constraints, as well as the requirements specific to sectoral laws. Therefore, the interpreter of the law is faced with a dilemma: How should a withdrawal request be handled? There is no easy answer to this question, as the extent of the right to withdraw consent will have an impact on the rights and interests of the stakeholders involved in biomedical research.
The research organizations have an interest in completing pending studies, while the individual participants have an interest in controlling the processing of their personal data. The research community has an interest in upholding the standards for scientific integrity and the verifiability of studies and, often, keeping a record of the personal data processed is necessary for this purpose. Finally, society as a whole has an interest in finding a balance between all these interests, taking into account the values at stake: efficiency, autonomy, dignity, integrity, and how they contribute to the overall societal welfare. This raises the question as to how withdrawal affects a pending research study, a problem that has no clear answers and which can only be solved by finding a middle ground between various social values, while leaving sufficient space for individual choice. 2 How is this conflict of interests solved in European data protection law? Starting from the substantive reasons presented above, the next sections explore whether and to what extent the GDPR allows the controllers undertaking biomedical research to continue the processing of personal data after receiving a withdrawal request.
The right to withdraw consent before and after the GDPR
Although the right to withdraw consent is not new in the data protection framework, the challenges around the interpretation of the texts regulating it are rather recent, as the right to withdraw was not included explicitly in the text of Directive 95/46/EC, the predecessor to the GDPR. 3 Although the Article 29 Working Party (WP 29) and several authors recognized it as a necessary component of the consent regime, the consequences of withdrawal are not explained in detail in the existing literature. Kosta considers that the right to withdraw follows from the right to informational self-determination. 4 Her seminal work on consent focuses mainly on the distinction between withdrawal, the right to object and the right to erasure. The content of the right to withdraw is not expressly delineated and the duties arising from withdrawal are defined in a negative form only: the data controllers do not have the obligation to delete 'all traces of prior processing, if documentation is necessary'. 5 For Curren and Kaye, the right to withdraw consent, although not expressly granted under English law, was a means of expression of an individual's autonomy and, potentially, a means of exercising one's right to privacy, granted under Article 8 of the European Convention of Human Rights. 6 Bartolini and Siry show how national laws implemented the provisions regarding withdrawal in the ePrivacy Directive and the Data Protection Directive, respectively, and challenge the idea that there was a generalized right to withdrawal of consent implicitly granted under the former general data protection regime. 7 According to the WP 29 Guidance on Consent dating from 2011, the possibility to withdraw consent was implicit in Directive 95/46/EC and connected to the notion of control over the processing of one's personal data. 
8 The guidance states that, in principle, withdrawal of consent prevents further processing of personal data, and that its effects shall not be retroactive. 9 In the opinion on Electronic Health Records, the WP 29 ties the possibility to withdraw consent to the genuine character of the choice and to the requirement of consent to be free. 10 The GDPR codifies the opinions mentioned above and, pursuant to Article 7 (3) GDPR, the data subjects have a right to withdraw consent at any time. 11 The Regulation also refers to the standard for expressing the decision to withdraw, stipulating that it shall be as easy to withdraw consent as it is to give consent. In addition, Recital 42 GDPR connects withdrawal to the conditions of consent to be freely given and requires that withdrawal shall not cause detriment to the requestor. This codification brings much-needed clarity on the existence of the right to withdraw and pinpoints some of the characteristics of its regime, but the core of the right remains open for interpretation: the actions that the data controllers are obliged to take after receiving a withdrawal request are not clearly delineated in the text of the Regulation.
The duties corresponding to the right to withdraw consent
Withdrawal is designated in Article 7(3) GDPR as a 'right', yet it is listed not under Chapter III of the GDPR, 'Rights of the data subject', but under Chapter II, 'Principles'. This separation is a possible indication of the different nature of the right to withdraw consent, compared to the other rights in the GDPR. The content of withdrawal is vague when compared with the right of access, 12 the right to erasure, 13 or the right to object, 14 which contain clear duties on the entities involved in the processing activity (eg to provide certain information according to a particular standard, to erase the data, to no longer process it, etc.).
Is this just an oversight of the legislator or a space intended to allow a flexible interpretation based on the context of the processing activity? The source of the indeterminacy of the right can be observed by employing the system that Hohfeld developed for describing the basic components of a right, which consists of eight elements: rights, duties, privileges (liberties), no-rights, powers, liabilities, immunities, and disabilities. 15 In order to effectively apply this system to the concern at hand, it is necessary to divide the timeline of processing between three moments: (i) before consent is provided, (ii) after consent is provided, and (iii) after consent is withdrawn.
Before providing consent, the data subject has a claim right against the controller correlating to the duty of the controller not to process the individual's personal data. 16 The right and the corresponding duty are an effect of the law. After providing consent, this relationship changes and the data controllers are endowed with a privilege to process the personal data, while the data subjects will not be in a position to prevent the controllers from doing so. The privilege is the opposite of a duty and thus, the controllers will have no duty to refrain from processing the personal data. Correspondingly, the data subject has a no-right in relation to this procedure, meaning that the controller will not infringe the data subject's rights by processing their personal data. However, the data subject retains a second order power to alter the legal relation with the controller and to revoke the privilege previously granted to the controller, at any moment. Consequently, after withdrawal, the controller will have a duty towards the data subject and the latter will have a right against the controller. The law does not provide the content of this duty.
In the view expressed in this article, the parties do not return to the previous situation existing before consent was initially expressed. The difficulties in interpreting the effects of withdrawal are not a consequence of an unclear formulation. Rather, the vagueness is caused by the fact that the law does not refer to the consequences of withdrawal at all. Therefore, since there are no clear requirements on the conduct of the controllers following receipt of a withdrawal request, the legal nature of withdrawal is more akin to a principle, an optimization requirement that permits some degree of compliance. The next sections will explore whether continuing the processing of personal data after the moment of withdrawal is permitted in light of several of the principles governing GDPR and the fundamental rights at stake.
The ex nunc effects of withdrawal of consent
The wording of Article 7(3) GDPR states clearly that withdrawal shall only provide ex nunc effects in what concerns the lawfulness of the processing activity: 'withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.' However, simply 'freezing' the processing activities is not an option, because storage of the data is, in itself, a processing activity that must rely on a ground for lawfulness. 17 In the absence of any action from the data controller, the processing activities conducted before revocation will continue to produce legal effects. In order to cease the processing activity for the future, an action, such as deletion, must be taken. Such an action poses the risk of affecting the purpose of the processing activities undertaken before withdrawal. The separation between processing activities before and after the moment of withdrawal cannot be made simply by pinpointing a moment in time. Imagine a car driving at 120 km/h, with a passenger having the right to request that the vehicle stop at any time. Can the vehicle stop right at the moment of the request? It certainly can, but suddenly applying the brakes is likely to not only be an issue for the driver and passenger; it is also potentially damaging to the other road users as well. Similarly, stopping the processing activity at the moment of the withdrawal request poses both ethical and legal challenges. This creates a dilemma and raises several problems. First, it might be impossible to stop the processing, as certain activities are fait accompli. For example, studies might have already been published and disseminated at the moment of withdrawal, together with some data elements (subject to pseudonymization or other privacy preserving techniques). 
Secondly, it might be difficult and costly to pause the process, identify the data elements affected by a withdrawal request, and stop the processing concerning those specific data elements. Thirdly, in certain cases, stopping the processing is feasible, but poses the risk of compromising the scientific integrity and reliability of the research altogether.
From an ethical perspective, we can take a deontological approach, arguing that the right to withdraw should be fully complied with regardless of the costs. Another approach, a utilitarian perspective, would be that ceasing processing depends on the consequences or costs to be taken into account. From a legal perspective, it is not clear which subsequent processing activities are regarded as unlawful. According to the WP 29/EDPB opinions, in the absence of another lawful basis, the data should be deleted. 18 However, on a closer look, the connection between withdrawal of consent and deletion of data is more complex. Turning to the definition of the concept of 'data processing' in Article 4(2) GDPR, operations such as erasure or anonymization are considered data processing activities and require a legal basis to be performed. While the right to be forgotten contains a clear action that is required from the controller (eg to delete the data), the right to withdraw consent does not prescribe a specific course of action.
It appears to be the case that withdrawal of consent will not automatically lead to erasure of the data. According to Article 17(1) GDPR, data subjects have 'the right to obtain from the controller the erasure of personal data' concerning them, suggesting that there is a need for a positive action on the side of the data subjects. By withdrawing consent, the data subjects do not also express their will to have their personal data erased. Ausloos explains the difference between the right to object (Article 21 GDPR) and the right to erasure, arguing that the former refers to processing operations, whereas the latter affects the data. 19 Thus, erasure will only be performed when all processing operations in a given context are unlawful. 20 By analogy, the right to withdraw consent can also affect certain operations only. This interpretation is supported by the requirements of consent to be 'freely given' and 'specific', 21 conditions that require granularity in expressing the purpose of processing. 22 As a matter of symmetry, withdrawal should also be expressed granularly and affect only certain processing operations.
Furthermore, pursuant to Article 17(1)(b) GDPR, data controllers have a correlative obligation to erase the data only when there is no other legal ground for processing. The current article presents several options for continuing a part of the processing operations in the 'Consent as a ground for lawfulness' section. Finally, even if erasure is requested together with withdrawal, Article 17(3) GDPR contains exemptions from the right to erasure, one of which focuses specifically on scientific research. 23 The requirements for invoking this ground are rather strict, applying only to processing that is 'necessary' and referring to cases when erasure would 'render impossible or seriously impair the achievement of the objectives of that data processing'. The question that can be raised at this point is, what course of action should be taken if deletion is not required and an alternative legal basis cannot be identified? There are no legal grounds for storing the data (because consent was withdrawn), but there are no grounds for deleting the data, either (because there is no request in this respect).

17 According to General Data Protection Regulation, art 4(2), 'processing' means 'any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction'.

A clear separation between the processing operations before and after withdrawal is practically difficult and legally unclear. On this basis, it is possible to argue that the interpretation of the right to withdraw consent will often involve a balancing exercise. In order to distinguish between cases when deletion is required and cases when processing can continue, the right to withdraw shall be interpreted considering the principles governing the GDPR, the aims of the Regulation and its connection with the fundamental rights at stake.
A flexible approach to withdrawal in biomedical research?
The GDPR is an omnibus instrument and therefore withdrawal of consent is regulated under a uniform regime, irrespective of the sectors of activity in which data are processed. Biomedical research has certain characteristics that invite reflection on whether consent and withdrawal therein should enjoy a specific regime. First, consent for processing personal data overlaps with the ethical requirement of obtaining consent for participation in medical research. Secondly, a strict regime of withdrawal would impede the process of conducting biomedical research, by affecting the scientific integrity and verifiability of the studies. Invalidating the results of the research will affect the interests of various stakeholders invested in the completion of the research and, potentially, fundamental rights protected under the CFREU.
Participants in research are required to provide consent for two purposes: being enrolled in scientific research and having their data processed for this purpose. Since the processing of personal data is often a necessary condition for conducting biomedical research, the separation between consent for processing personal data and consent for participation in research might seem artificial. Processing of personal data is a necessary condition for conducting biomedical research, so expressing consent for this purpose might seem superfluous. However, from a regulatory perspective, the two are separate requirements, regulated by distinct instruments with different legal force and applying at different levels. 24 Consent for participation in biomedical research is mentioned in the Nuremberg Code, dating from 1947, 25 the Declaration of Helsinki, adopted in 1964, 26 and the Convention for the Protection of Human Rights and Dignity of the Human Being with regard to the Application of Biology and Medicine of 1997. 27 Mirroring the distinction between the two types of consent, withdrawal from the experiment is different from withdrawal of consent for processing personal data. Conceptually, the separation between the two types of consent is justified, since research ethics/medical law and data protection have different primary objectives. 28 While consent for participation in biomedical research aims to protect the participants from physical and psychological harm, consent for processing personal data is part of a set of checks and balances aimed at protecting a broad range of interests, as will be further detailed in 'Consent and the fundamental right to protection of personal data' section. 29 Often processing of personal data is a necessary condition for conducting biomedical research, but the scope of processing, the involvement of third parties or the opportunities for re-using the personal data can differ. 
To affirm their autonomy, participants should be in a position to granularly choose and agree or disagree with certain processing activities and certain purposes. Considering this difference, withdrawal from (active) participation in the study can be separated from withdrawal of consent for processing personal data. The processing of the data involves a different type of involvement (generally passive) and poses different risks, exposing the individual participants to a distinct type of harm. While processing personal data for scientific research has a specific regime in the GDPR, containing certain derogations, 30 there are no explicit exceptions from the right to withdraw consent. 31 By way of comparison, the United States Food and Drug Administration (FDA) issued guidance on the retention of data when subjects withdraw from FDA-regulated clinical trials. 32 The general principle is that the data collected from the participants, including personal identification information, shall be maintained as part of the study after the individuals decide to discontinue their participation, provided that safeguards related to privacy and confidentiality are implemented. 33 The rationale behind this approach is the importance of maintaining complete clinical study data, including information such as adverse events experienced by the subject. 34 Furthermore, the validity of the study might be affected by 'non-random' removal of data, in cases of, for example, the subjects being unhappy with their experience or failing to obtain the desired result. 35 Not processing their personal information after withdrawal would hide important safety details regarding the study, jeopardizing its validity and posing risks for other participants in the study and for future beneficiaries of the results. Additionally, there is a risk that certain participants are incentivized by interested parties to withdraw, in order to artificially improve the results of the study.
Another guidance paper, issued by the Office for Human Research Protection under the US Department of Health and Human Services, provides further clarity on preferred practices regarding retention of data from subjects withdrawing from research for other types of studies and promotes the same principle: data already collected shall be retained and analysed, even if it includes identifiable private information about the subject. 36 However, for the studies that are not FDA approved, the investigators, in consultation with the funding agency, can choose to honour a request to destroy or exclude the data from any analysis. 37 The guidance recommends, as a general rule, to document withdrawal requests. It also contains prescriptions regarding the information that researchers should provide, with the most pertinent to this article being that they shall inform the subjects about what it means to have the right to discontinue participation at any time, including information on whether their personal data will remain in the database after withdrawal. 38 From a practical perspective, a study on various biobanks shows that actual practices concerning withdrawal of consent exhibit a certain degree of flexibility. 39 This illustrates that some of the institutions offer different layers of withdrawal and provide for certain exceptions from the right to withdraw. One biobank, located in Canada, offers users the possibility to withdraw their consent at any time. Samples, together with the attached personal data, will no longer be used after withdrawal. However, data that is already part of a dataset, will not be destroyed. As a mitigation measure, the code that enables the biobank to re-link the samples and personal information will be deleted and no further information about the participant will be collected. 
40 Furthermore, the signed consent form and the withdrawal form will continue to be stored as a record of the participant's wishes, and the analysis that has already been completed will remain intact. For another biobank, located in the same country, data and samples that have

30 Eg, General Data Protection Regulation, arts 5(1)(b), 9(2)(j), 14(5)(b), 21(6).
31 General Data Protection Regulation, art 7(3)(d) is considered an exemption from the right to erasure. The right to erasure is separated from the right to withdraw consent, see 'Consent as a ground for lawfulness' section.

To date, except for the provision in the GDPR, withdrawal does not enjoy much attention in European or national legislation. The European Data Protection Board (EDPB) recently released a study on the appropriate safeguards under Article 89(1) GDPR for the processing of personal data for scientific research, containing an overview of laws implementing GDPR, sectoral laws, as well as soft laws regulating research. 41 Withdrawal is barely discussed, being mentioned only four times in the 68 pages of the report, in connection with the national guidance documentation, codes of conduct and case law in Germany, 42 sectoral law in Estonia 43 and Italy 44 and in general in relation to deletion of data. 45 The lack of European legislation regulating biomedical research might be due to the fact that, although the European Union has certain competences in what concerns European research initiatives, its power to regulate research is limited as per Article 4(3) TFEU. 46 The Clinical Trials Regulation (CTR) does refer to certain processing activities that will be conducted irrespective of consent and withdrawal thereof. 47 However, the scope of the regulation excludes noninterventional studies and other types of research that do not fall within the definition of 'clinical trials' in Article 2(2) CTR. 
Therefore, there is a wide range of biomedical research activities that are not covered by said regulation.
Answering the question of whether a flexible interpretation of withdrawal is possible under the current data protection legal framework in the European Union (EU) should start from the role of consent. If consent is just one of several grounds for lawfulness, one can argue that there are cases in which processing starts on the basis of consent and continues on the basis of another legal ground. However, this might interfere with other principles of the Regulation, such as fairness and transparency. If consent is not only a ground for lawfulness, but also an element aimed at enhancing the control of individuals over the processing of their personal data, limiting withdrawal might affect the fundamental right to protection of personal data. The next sections will focus on analysing consent in connection with the principle of lawfulness ('Consent as a ground for lawfulness' section), fairness and transparency ('Withdrawal in connection with fairness and transparency' section) and the fundamental right to protection of personal data in Article 8 CFREU ('Designing withdrawal mechanisms' section).

Consent as a ground for lawfulness
Can a processing activity that started based on consent continue after withdrawal on the basis of an alternative legal ground? One view, expressed by the Irish Data Protection Commission, states that in cases when withdrawal is highly impractical, impossible or makes the purpose of processing unworkable, consent is not a valid ground for lawfulness to begin with. 48 The WP 29 notes that an incorrect use of consent renders the subject's control over personal data illusory and thus consent is an inappropriate basis for processing. 49 Furthermore, the guidance emphasizes that, in cases when withdrawal would compromise the overall purpose of the processing, another legal basis might be more appropriate.
The GDPR is silent on the possibility to continue processing personal data after withdrawal. The Explanatory Report accompanying another instrument regulating the processing of personal data in Europe, the Modernized Convention 108, 50 mentions that processing can continue after withdrawal, if it is justified by some other legitimate basis laid down by the law. 51 The EDPB Guidelines on Consent dated 2020, 52 maintain that, under certain conditions, processing of personal data can continue if it is based on another legal ground. Consequently, a first condition to ascertain whether processing after withdrawal complies with the law is to identify an alternative ground for lawfulness. The rest of this section presents three options in this respect, focusing on the context of biomedical research.
Before proceeding, the relationship between Article 6 GDPR and Article 9 GDPR must be briefly addressed. There are two possible connections between these articles. In a first interpretation, processing special categories of data must only satisfy the requirements of Article 9, which is lex specialis in connection with Article 6. In a second interpretation, the two articles must be applied cumulatively. In this reading of the law, if special categories of data are processed, both a legal ground (under Article 6) and a specific derogation from the prohibition to process personal data (under Article 9) must be identified and documented. A recent European Parliament resolution, the travaux préparatoires preceding the adoption of the GDPR, the guidance issued by the Information Commissioner's Office in the UK (ICO) and the EDPS support the second approach. 55 Therefore, the grounds under Article 6 and the exceptions from the prohibitions to process special categories of data under Article 9 will be discussed.
Continuing processing that is necessary for compliance with a legal obligation to which the controller is subject
It must be recalled that the scenario underpinning this article is that the data subjects express consent for processing their personal data and for participation in biomedical research. The interplay between these two instances of consent was addressed by the European Commission and the EDPB. 56 The guidance compares the regime of withdrawal and concludes that, unlike the Clinical Trials Regulation, 57 the GDPR does not provide any exceptions for withdrawal of consent when processing personal data for scientific research purposes. 58 However, it nuances the consequences of this finding, suggesting that certain processing operations can continue, as they are based on different legal grounds from the beginning. 59 The guidance suggests that the operations can be separated as follows: processing personal data 'purely related to research activities' and processing for 'reliability and safety', including safety reporting to national competent authorities or archiving of the clinical master file or the medical files of the subjects. 60 While the former are based on consent, the latter can be justified under a different legal ground and will not be affected by withdrawal of consent. In order to comply with the principle of lawfulness, processing activities aimed at ensuring reliability and safety can be based on Article 6(1)(c) (processing necessary for compliance with a legal obligation) in conjunction with Article 9(2)(i) (processing necessary for reasons of public interest in the area of public health).
One might object that, in the instance presented above, the processing does not continue on the basis of another ground for lawfulness, as it has always relied on the stated ground. From a formal perspective, this objection is justified: Processing for safety purposes, for example, was never based on consent. However, these processing operations are all circumscribed to conducting scientific research and would not have started in the absence of consent. In fact, these purposes are a spillover of the consented-to processing activities, expanding the scope of consent. According to Recital 32 GDPR, 'Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them' (emphasis added). In the interpretation of the EDPB, this provision refers to the granularity of consent, allowing the data subject to express consent to specific (as opposed to broad or general) purposes. However, it can also be read as addressing the intersection between consent and other grounds for lawfulness, requiring that consent is expressed for all related purposes.
By expressing their consent, the data subject authorizes the processing activity for research purposes and also triggers the legal obligation(s) that serve as lawful grounds for processing data for additional purposes. Therefore, the data subject is forced to accept or refuse a package deal, with several processing operations, for connected purposes, some of which are conducted on the basis of consent and some of which rely on other legal grounds.

Continuing the processing based on Union or Member State law
Not all biomedical research is regulated in as detailed a fashion as clinical trials are. For example, biobanks lack a uniform regime at the level of the EU. 61 The preservation of the reliability and safety of these types of biomedical studies is also important in other types of biomedical research and might be jeopardized by a brusque termination of all processing activities following a withdrawal request.
The legal basis in Article 6(1)(c) GDPR depends on Union or Member State law requiring the processing of the data for compliance with a legal obligation. In other words, European data protection law imposes a uniform interdiction for processing special categories of data, leaving derogations to be decided for specific circumstances at sectoral level by the European or Member State law.
However, in the absence of a law requiring the processing to continue after withdrawal, a controller could still process personal data on the basis of Article 6(1)(f) GDPR, the legitimate interests pursued by the controller. Evaluating this ground for lawfulness involves an ex post balancing exercise that assesses whether the interest to process the data overrides the interests, rights, and freedoms of the data subjects. As regards the conditions for processing special categories of data, there are two provisions that can be applied for biomedical research: processing necessary for scientific research purposes (Article 9(2)(j) GDPR) and processing necessary for reasons of public interest in the area of public health (Article 9(2)(i) GDPR), both requiring processing to be based on Union or Member State law.
What is the difference between the processing activities 'based on Union or Member State law' and those 'necessary for compliance with a legal obligation', required under Article 6(1)(c)? The distinction lies in the type of norm regulating the processing of personal data.
Article 6(3) GDPR lists the criteria that a law must meet in order to function as a legal basis under Article 6(1)(c) and (e). Specifically, the law should contain specific details, such as the types of data which are subject to the processing, the data subjects concerned, the entities to and the purposes for which the personal data may be disclosed, storage periods, processing operations and processing procedures. The national legislation should also meet an objective of public interest and should be proportionate to the legitimate aim pursued.
In contrast, Article 9(2) GDPR imposes specific requirements for each exception. Processing of personal data for reasons of public interest in the area of public health requires a Union or Member State law that 'provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy', while processing of personal data for scientific research requires that the law 'shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject'.
In addition to the requirements of Article 6(1)(f), Article 9(2)(j) refers specifically to the right to protection of personal data, mentions a proportionality assessment and requires the implementation of safeguards. It also references Article 89 GDPR which, in turn, demands 'appropriate safeguards' with an emphasis on the principle of data minimization. 62 These are different requirements and the type of norm referred to in Article 6(1)(c) and (e) differs from the law mentioned in Article 9(2)(i) and (j). 63 The former requires the processing of personal data, while the second allows it, under certain conditions. In order to process data based on Union or Member State law, the controller shall identify a Union or Member State law regulating the processing activity that complies with the requirements of Article 9 GDPR and also conduct a specific balancing exercise (to ensure that the interests, rights, and freedoms of individuals are sufficiently protected).
Lastly, the legitimate interest analysis should factor in the will of the data subjects who withdraw their consent. This act triggers a presumption of unlawfulness for continuing the processing, tipping the balance in favour of the data subject. 64  said data, the research entities would have to complete a stringent legitimate interest analysis, proving that their interests significantly override the interests of the data subjects to control the processing of their personal data. The importance of control in interpreting data protection law will be further discussed in 'Consent and the fundamental right to protection of personal data' section.

Continuing the processing based on consent
The title of this section might sound contradictory: how can processing activities after withdrawal of consent be based on consent? The answer lies in the fact that withdrawal can also be partial and the data subject can modify the initially expressed consent without revoking it altogether. The legal provisions on withdrawal of consent leave some manoeuvrability for the parties to agree on the scope and limitations of the request. A data subject who initially agreed to processing of her personal data might have reasons to totally withdraw from the study and to request the deletion of their data. However, as anticipated in 'The ex nunc effects of withdrawal of consent' section, the data subject might choose to file a partial withdrawal request, altering the initial consent without revoking it altogether. Thus, withdrawal can target specific processing activities as opposed to purposes or bundles of purposes. Furthermore, the requestor can also opt for a particular course of action following withdrawal, such as limiting the processing activities, anonymizing or pseudonymizing the data, restricting the scope of processing (eg, the data can only be used for operations strictly necessary for preserving the scientific integrity of the research that is pending or was completed), or rendering the data not machine readable (to avoid function creep). 65 These options can be proposed by the data controller, as means of exercising the rights that data subjects enjoy under the regulation.
It is important to note that the law sets certain limits to the agreement of the parties, imposing safeguards in favour of the data subject. The means offered by the controller shall not make withdrawal difficult, as required under Article 7(3) GDPR: 'it shall be as easy to withdraw as to give consent'. This provision does not stop the controller from offering a layered system containing various options that the data subject can choose from. Therefore, withdrawal could be partial and continuing the processing activity thereafter can be authorized, explicitly or implicitly, by the withdrawing agent.

Withdrawal in connection with fairness and transparency
Presuming that an alternative ground for lawfulness was identified, this section discusses whether continuing the processing after withdrawal is fair and transparent. The starting hypothesis is that reliance on other grounds for lawfulness might interfere with the principle of fairness and breach requirements of transparency, giving the data subjects a false sense of control.
The concept of fairness is not defined in the GDPR and its role in the data protection framework is far from clear. Besides being a principle of data protection law, it is also a general desideratum of the law. Its broad meaning can function as an argument to exclude outcomes that are legally justified, but unjust. However, this advantage comes at the price of lack of certainty and predictability. There are various interpretations of the notion of fairness in European data protection law. Starting from a linguistic argument, the different versions of translating 'fairness' in the Member States of the EU include 'correctness', 'loyalty', and 'equitability'. Malgieri considers that fairness refers to a substantial balancing of interests among data controllers and data subjects. 66 In the view of van Alsenoy and others, fairness is connected to the individual's reasonable expectations of privacy and to human dignity. 67 Clifford and Ausloos present several dimensions of the principle of fairness and argue in favour of its autonomy from lawfulness and transparency. 68 As a starting point for clarifying the principle, they propose a separation between explicit fairness (eg, Articles 13 and 14 GDPR) and implicit fairness. The latter is further divided between fair balancing (a means of reconciling various rights and interests), and procedural fairness (requiring that the balancing is performed at different moments throughout the processing life-cycle). For example, the obligation to comply with Article 25 GDPR (data protection by design and by default) or evaluating the legitimate interest of data controllers, Article 6(1)(f) GDPR are ex ante requirements, while the right to object and erasure are ex post requirements, all requiring a fair balancing exercise. 
The Fundamental Rights Agency handbook on data protection law refers to several elements of fairness, 69 beginning with the pronouncement that the processing of personal data shall be transparent, so that data subjects are aware of potential risks. Furthermore, especially when the ground for lawfulness is consent, the controllers shall act in accordance with the wishes of the data subjects. Finally, the principle of fairness is linked to processing personal data in an ethical manner. This interpretation of fairness brings withdrawal of consent for processing personal data closer to its counterpart specific to bioethics, informed consent for participating in biomedical research.
The EDPB notes in the Guidelines on consent under the GDPR that it is fundamentally unfair to convey to the individuals the message that the processing is based on consent and to actually rely on another legal basis. 70 Similarly, the ICO indicates in its guidance that swapping between legal bases during the processing life-cycle is not permitted and that retaining the data under another lawful basis is only acceptable if it is fair to do so. 71 The WP 29 notes that starting the processing on the basis of consent and continuing it on another legal basis is permitted only under special circumstances, such as when a new law regulating the database concerned enters into force, justifying the new ground for lawfulness. 72 Indeed, the controller will have a duty to justify the fairness of the practice of relying on consent, if there were alternative grounds for lawfulness at the moment when data was collected. Legal bases can co-exist and an activity that is based on consent will often comply with Article 6(1)(f) GDPR. 73 Furthermore, the dynamic of the interests and rights at stake can evolve during the processing life-cycle. 74 As a consequence, the result of the balancing exercise for continuing the processing after withdrawal based on legitimate interest, might differ from the moment when data are collected. The resources invested, the anticipated societal benefits and the safeguards for privacy will be factored into the balancing test and the result might be in favour of the data controllers.
The expectations of individuals and the information made available regarding the limitations on the right to withdraw play an important role in assessing the fairness of processing after withdrawal. It would be unfair to mislead or deceive the data subjects, and have them believe that they have absolute control and that withdrawal is always possible, when there is a possibility that processing can and may continue after their withdrawal. 75 Considering that the duties of the controllers after withdrawal are not specifically defined in law, further information and explanations are necessary in order to ensure that the data subjects have a clear and certain understanding of their options regarding the processing of their personal data, both at the moment when consent is obtained and at the moment when the data subjects seek to withdraw it. As mentioned by the European Court of Justice (ECJ) in the TK v Asociatia de Proprietari case, the legitimate expectations of individuals are important in balancing the various rights and interests at stake. 76 The recent EDPB Binding Decision on Meta confirms that fairness, although connected to lawfulness and transparency, has an independent meaning. 77 One aspect of fairness involves addressing power asymmetries and protecting the data subjects from abuse and deception. What is especially relevant for the current discussion is the connection with the identification of a legal basis. Relying on previous guidance, the EDPB affirms that evaluating the fairness of the processing requires 'an assessment of the consequences that the choice and presentation of the legal basis' entails on users. 78
To ensure that fairness is respected, the Board suggests that the relation between the type of data, the legal basis and the purpose of processing should be clarified, in order to enable the exercise of data subject rights. 79 Delivering the appropriate information on the legal basis for each purpose and the potential fallback legal basis, at the appropriate times during the processing life-cycle can shape the expectations of the participants in research. Limitations to the right to withdraw that are known from the outset should be conveyed before requesting the consent of the individual, and any changes that occur throughout the processing life-cycle should be communicated in due time. 80 The right to withdraw consent is considered by Bygrave 81 as a means enabling the data subject to gather more information regarding the processing of her personal data. The actual experience of having their data processed extends the information basis of the data subject, adding an empirical perspective to the knowledge that the data subject has about the processing of their data. This can also be regarded as a means of attenuating the information asymmetry between the parties.
The importance of transparency and its connection to trust is emphasized in the Regulation on European Data Governance Act. 82 More transparency will contribute to increased trust and will encourage individuals to share their data for altruistic purposes, in serving the general interest. To this end, controllers will mention the reasons underlying the limitations to the right to withdraw, in accordance with the standards required in connection with transparency and modalities, as well as information and access to personal data. 83 In cases when the data subject is in charge of making the choice as to whether and to what extent processing can continue after withdrawal, information about the effects of this choice can also shape the decision of the requestor.
When presenting the (negative) effects of withdrawal, it is important to take into account the detrimental effect on the data subjects. The EDPB connected the concept of fairness with detriment. 84 Recital 42 GDPR requires that withdrawal shall not cause detriment to the data subject. The recital aims to protect the individual who withdraws against any negative consequences as a result of this decision. However, withdrawing consent is not a zero-sum game and completely stopping the processing could also lead to detriment. Giving an extreme example, if withdrawal compromises the results of a pending study developing a revolutionary treatment that the withdrawing agent could benefit from, withdrawing will deprive the individual of such benefits. The decision has the potential to produce negative effects to the individual and, if the research is conducted in the public interest, to society as a whole.
The data controller should develop technical and organizational measures to receive, analyze and interpret the request for withdrawal, in order to ascertain what actions are necessary to implement it. Although the text of the GDPR only refers to the informed character of consent, a meaningful exercise of withdrawal should also be informed; the data subject should be offered the necessary information to enable them to make a meaningful choice regarding the processing of their personal data.

Designing withdrawal mechanisms
Designing withdrawal mechanisms is both an obligation and an opportunity for data controllers. It is an obligation because the GDPR requires controllers to provide data subjects with means for exercising the rights granted under the Regulation. 85 It is an opportunity because offering a layered withdrawal system can result in partial withdrawal requests, which enable the continuation of processing for certain, restricted purposes. Although there is no express provision regarding the right to withdraw consent, the requirements regarding the informed character of consent can be applied by analogy. Article 12 GDPR requires that the information is presented in an intelligible and easily accessible form, using clear and plain language. The information must be provided in writing or by other means, including, where appropriate, by electronic means. Considering the importance of the decision to withdraw, from the perspective of the individual and its impact on other stakeholders participating in the research, withdrawal should also be informed. However, in the absence of a provision expressly requiring what type of information shall be presented, data controllers have a certain degree of discretion in choosing the content thereof. Although the requirements of fairness and transparency discussed above apply, the manner in which the information is presented and the design of the mechanisms is left to the controllers to decide. In his book Code: Version 2.0, Lawrence Lessig argues that the design of different technologies is one of the factors that shape the conduct of individuals. 86
Withdrawal forms are not always technology-based, but their design and content will influence the conduct of individuals. Having to choose between different layers of withdrawal represents some degree of interference in the decision-making process of data subjects. The fact that individuals are required to become informed about the consequences of their actions can be regarded as a limitation of their autonomy. The choices themselves, the style in which the information is presented, how easy it is to move from one to another, will all have an effect on the decision that the subject makes.
In order to reconcile the various interests at stake and to protect the autonomy of the data subject, the design of the mechanisms can draw some inspiration from the literature on nudging or liberal paternalism. 87 The default choice/choices for withdrawal presented to the individual should be socially desirable and the application of the principles discussed above can ensure that this objective is achieved. The design of withdrawal forms should ensure that the different layers of withdrawal clearly show the effects of this decision on the stakeholders involved, in an objective manner. If one of the options is presented as the default choice, this should consist of an equitable compromise between all the rights and interests at stake. Furthermore, in order to ensure that the individual is in a position to actually make a choice, the switch from the standard options to other alternatives should involve no burdens for the withdrawing agent. 88 As mentioned above, it should be as easy to withdraw as it is to give consent. 89 Therefore, choosing between different options should not involve a burdensome process. The use of the mechanisms offered by the controller should be optional and the data subject must have the possibility to easily formulate a request by using alternative means, such as sending an e-mail or a letter through the standard channels of communication. These alternative means should be clearly presented to the data subject together with the default choices. Ideally, individuals would read the information accompanying the withdrawal options presented, comprehend its meaning and make an informed decision on its basis. However, the extent to which this actually occurs in practice is doubtful. The problem mirrors the shortcomings of providing informed consent: individuals might not be willing to become informed and even when they do, their ability to make decisions regarding the processing of their data is limited. 90
The pursuit of designing withdrawal mechanisms is complex, costly and its success depends on the degree of involvement of individuals in making decisions regarding the processing of their personal data. However, it enhances individual control over the processing of personal data. In the absence of an alternative legal ground for processing, this might be the only solution for continuing the processing after withdrawal of consent.

Consent and the fundamental right to protection of personal data
The previous sections show that processing personal data after the moment when the data subject withdraws consent poses challenges to several principles governing the GDPR. Lawfulness is questioned because, in many instances, the controllers would have to undertake a balancing exercise, in order to contest the presumption of unlawful processing triggered by the exercise of the right to withdraw consent. 91 Furthermore, in order to comply with the requirements for processing special categories of data, controllers are under a duty to develop and implement safeguards required under Article 89 GDPR. Fairness is challenged by the switch between legal bases during the processing life-cycle. This change might result in deceiving the data subjects and, contrary to their expectations, limiting the control over the processing of their personal data. This section questions how the limitations to the right to withdraw consent described so far interfere with the right to protection of personal data in Article 8 of the Charter of Fundamental Rights of the European Union (CFREU). 92 The constitution: the right to dignity and the general right to personality, the court recognized the new right to informational self-determination. 94 In previous stages of its development, informational self-determination was a central component of the right to protection of personal data. 95 According to Kranenborg, understanding Article 8 CFREU as informational self-determination implies that consent is the key notion for lawful data processing. 96 The evolution of the travaux préparatoires preceding the entry into force of the CFREU shows that this option was rejected by the legislator. An initial form of the Charter referred to the right of the individual to 'determine for himself whether and how his personal data may be collected, disclosed or used.' 97
However, the current form offers alternatives to consent and data can be processed not only on the basis of consent, but also based on any 'other legitimate basis laid down by law'. This suggests that consent has no superior normative value compared to the other grounds for lawfulness. Starting from the current form of Article 8 CFREU, the right to protection of personal data has been constructed as establishing the 'rules of the game' or a 'system of checks and balances' for protecting individuals in what concerns the processing of their personal data. 98 In this understanding, data subjects have a claim to the fair processing of their personal data. Instead of control over the processing of personal data, fairness is considered the central value that is protected. 99 This interpretation supports the argument of this article, that the right to withdraw consent can be limited, if sufficient safeguards are implemented.
But what if the right to protection of personal data is constructed as promoting individual control? This article proposes that the right to withdraw consent can still be limited when control is at the core of Article 8 CFREU. Empowerment measures (in the form of the active participation of individual data subjects) are part of an architecture of control that regulates disproportionate power. 100 In GDPR, control is reflected as a set of ex ante and ex post measures including protective measures that impose obligations on entities processing personal data, without the active involvement of individuals. 101 Withdrawal of consent is one of the 'micro rights' that enable individuals to control the processing of their personal data. 102 Implementations of a transparent processing activity and a system that allows users to easily exercise their rights can ensure that individual control is guaranteed. If the processing continues based on legitimate interest, the data subjects can exercise their right to object, pursuant to Article 21 GDPR, triggering yet another balancing exercise.
Lynskey presents two functions of an independent right to data protection in the EU legal order: (i) promoting informational self-determination and individual personality rights and (ii) reducing information and power asymmetries. Consent is discussed under the second function, aimed at redressing the power and information imbalances between controllers and data subjects. 103 The power relation between researchers, acting as data controllers and the subject of biomedical research has a certain dynamic that is relevant for the present analysis. Before enrolling in the study, the individual has total control over their data and, in this sense, has a claim against anyone to refrain from the processing of this data for research purposes. By agreeing to participate in the research, the data subject limits this power and authorizes one or several research institutions, acting as data controllers, to process part of their personal data for a specific set of purposes and under a certain governance regime. 104 In order to maintain the balance during the processing life-cycle, the law requires that the data subject shall have the right to withdraw consent at any time and without detriment. From a consequentialist perspective, the disparity in power and information can make individuals feel powerless in the face of data controllers, which could be regarded as intangible harm. 105 Therefore, to maintain an equilibrium, the limitations to the right to withdraw consent must be compensated by appropriate safeguards that ensure that processing is fair and that individuals are not affected by the power and information disparity between them and the entities processing their personal data. Individual empowerment is not the only means of achieving the right balance between protection of individuals and free flow of personal data. 
The normative assumption behind privacy self-management, that the primary harm to be redressed is non-consensual data collection, use or disclosure is challenged. 106 Immediate preferences of individuals might interfere with goals that require collective action to be achieved.
To conclude, limitations to the right to withdraw consent can affect the architecture of control or, in another reading of Article 8 CFREU, weaken the system of checks and balances. However, the effect of these limitations should be assessed holistically, considering the protection measures implemented to compensate the limitation.

Withdrawal of consent as a question of proportionality?
The absence of clear rules on the effects of withdrawal of consent and on the possibility of limiting this right allows for adapting the interpretation depending on the context and enables an individualized assessment of the relevant circumstances specific to each case. While this discretion in interpreting the law has the potential of achieving just outcomes, it affects legal certainty. In the absence of guidance, the interpreter of the law will be faced with the difficult task of reconciling the various rights and interests at stake. This section proposes a framework for assessing whether continuing to process personal data after the moment of withdrawal complies with the law.
In deciding on unclear matters that require a balancing of rights and interests, the ECJ undertakes an analysis based on proportionality. 107 The principle can be employed when interpreting both primary and secondary legislation, the two being connected. 108 Starting from its role in relation to fundamental rights, proportionality is considered an overarching principle of data protection law, aiming to even out power and information asymmetries. 109 Before delving into the subject, it is necessary to briefly address the nature of this proportionality assessment and its connection with Article 8 CFREU. The GDPR addresses the connection between its scope and the human rights framework in Recital 4: 'The right to the protection of personal data [. . .] must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.' Several authors agree that the balancing exercise required under the GDPR is inspired by the human rights framework. 110 However, it is debated whether the balancing test assesses whether processing is 'fair', as required under Article 8(2) CFREU, 111 or whether it evaluates limitations of the right to protection of personal data, in accordance with Article 52 CFREU. 112 This difference in approach is related to the discussion in 'Consent and the fundamental right to protection of personal data' section about the substance of the right to protection of personal data. If this right is constructed with control at its core, any processing will be an interference that triggers the application of Article 52 CFREU. However, this assessment will not be limited to just one instance of balancing, but will include the entire system of control spread across different provisions of the GDPR. 113
The other theory, constructing the right as a set of checks and balances, positions fairness at its core and differentiates between a fair balancing exercise required by Article 8(2) CFREU and a stricter one under Article 52 CFREU. 114 Both theories can accommodate the evaluation proposed below, which consists of a balancing exercise based on the principle of proportionality.
The framework proposed is inspired by Article 52 CFREU, with the constituent parts of the proportionality assessment being suitability, necessity and proportionality stricto sensu. 115 As a first step, the aim or goal of the processing activity shall be defined. In the context of biomedical research, these could be formulated as practical operations such as safety reporting, archiving of results or maintaining the verifiability of the research, as well as broader and overarching goals, with enhancing the quality of healthcare or discoveries that can bring practical benefits to the health of patients being examples. Furthermore, the freedom of researchers to conduct and finalize their experiments can also be considered as an objective that is worthy of protection.
The second step assesses the suitability of the measure in connection with the goals or objectives to be attained. This is a threshold requirement, the outcome of which is either positive or negative. 116 The next step involves assessing whether the measure is necessary in order to achieve the objectives and whether it is the least intrusive option. 117 The effectiveness of the measure will be assessed as a first sub-step, and then alternatives that are equally efficient and less detrimental to the fundamental rights of the individuals affected will be examined. In this step, the types of data, the sensitivity thereof and the extent of processing can be analysed. Less intrusive alternatives, such as processing anonymous data or synthetic data, 118 could be considered. If they can also achieve the objectives stated, the test would fail at this step. However, if such a solution is not identified, the requirement can be deemed as fulfilled.
The fourth step consists in performing a fair balancing test. Even if the processing will interfere with the right to protection of personal data, such an interference can be justified in light of the anticipated benefits. Different from the previous steps, this phase consists of a value judgement, in which the benefits brought by the processing activity are weighed against the limitations to the fundamental rights of the individuals affected. The limits to the right to withdraw consent can be weighed against interests connected to the right to health protected under Article 35 CFREU and the freedom of the sciences in Article 16 CFREU.
In the end, if the assessment is still inclined towards the negative consequences, safeguards can be developed and implemented. 119 These can include privacy-preserving technologies, such as pseudonymization techniques, access control, or increased security measures. In the context of biomedical research, safeguards can be found in external frameworks, such as sector-specific laws or ethical guidelines requiring the implementation of protective measures, such as ethical board review. 120 Furthermore, information technology systems, such as dynamic consent interfaces, can be employed in order to ensure transparency in how the data are processed and to enable constant dialogue between researchers and participants. 121 The proportionality analysis can also influence the design of withdrawal mechanisms discussed in the 'Withdrawal in connection with fairness and transparency' section. This is especially relevant if the tools offered for exercising the right to withdraw aim at influencing the decision of the participants and shape the scope of their request. Employing a proportionality analysis can distinguish between nudging (encouraging the data subject to choose the optimal solution from a societal perspective) and deception or manipulation.

Conclusion
The effects of withdrawal of consent for processing personal data bring about a complex reality that makes the content of the right to withdraw rather vague. The answer to the question of whether or not to continue the processing of personal data after withdrawal depends on an interpretative exercise that needs to take into account the principles governing the processing of personal data in the EU, as well as the human rights at stake. On the one hand, continuing the processing after withdrawal may prove unfair and opaque, and diminish the control of individuals over the processing of their personal data. On the other hand, a strict interpretation of withdrawal of consent would impede certain biomedical research activities. The GDPR provides a degree of flexibility that invites a contextual interpretation of withdrawal. The duties of the data controllers will differ from sector to sector and a withdrawal request will be handled differently in the context of biomedicine, compared to, for example, electronic communications. However, the price of this flexibility is the lack of legal certainty, both for the data controller and for the data subject. Article 7(3) GDPR clearly states that the data subjects have a right to withdraw consent at any time. It is reasonable to assume that participants in biomedical research would expect that their right to withdraw is unfettered. The data controllers are also at risk of being affected by the uncertainty, as the meaning of fairness and transparency and the application of the principle of proportionality are open to interpretation.
There are several possibilities for clarifying the regime of withdrawal, and this article focuses on two: the development of mechanisms that inform the data subject about the consequences of withdrawal and offer several levels of withdrawal, and the enactment of Union or Member State laws allowing further processing of personal data after withdrawal. The risk of both approaches is that they will broaden the power and information asymmetries existing between the data subject and the data controller, by limiting the control that data subjects have over their personal data. However, more control does not always mean that the rights of individuals are better protected. The aim of data protection law is not to enable privacy self-management, but to achieve a balance between data protection and other fundamental human rights, in accordance with the principle of proportionality.
Another option, not addressed in this article, would be to exclude consent altogether and to rely on a different legal basis from the beginning. As mentioned in 'A flexible approach to withdrawal in biomedical research' section, individuals are asked for their informed consent to participate in biomedical research. Even if it does not address data protection concerns, informed consent affirms the autonomy of the individual participants and could be constructed as a data protection safeguard. More transparency and an effective system of exercising the right to object in Article 21 of GDPR could ensure an adequate level of control.
All the options for limiting withdrawal require a balancing exercise that involves the application of the principle of proportionality. This exercise requires further development, with a focus on the safeguards that could compensate for the limitations to the fundamental rights at stake. These safeguards could consist of embedding data protection principles in the design of information technologies that increase the transparency of the processing activity, show the provenance of the data, and allow the data subject to remain constantly informed about the processing of the personal data. Furthermore, the risks of unlawful disclosure of sensitive data can be reduced by implementing privacy-preserving technologies.