Where personal, usually pseudonymised, data from health research or healthcare are made available for scientific purposes, especially across borders, it is unclear which GDPR roles apply. This is a persistent roadblock to accelerating data-driven scientific discovery and to establishing large research consortia.
The assignment of GDPR roles is a matter of form and function (unless roles are assigned by law). A controller determines the purpose and essential means of processing. Essential means include determining the types of data, the categories of data subjects, the parties having access to data, and the length of data retention. Joint controllers arise where two or more parties jointly determine the purpose and essential means of processing through a common decision or converging decisions.
We argue that a data user (research organisation) will normally be the sole controller for a research project accessing personal data, because the data user independently determines the purposes and means of the associated processing. A party that only provides data (hospital or research organisation) for the research project will not normally be a controller for the research project, unless it actively participates in the design of the research project or requires researchers to share ownership in derived intellectual property or enriched data. Data providers who require data users to remotely access data in a secure computing environment hosted by the data provider will generally be processors, not joint controllers.
Becker, Regina and Thorogood, Adrian and Bovenberg, Jasper and Mitchell, Colin and Hall, Alison, Applying GDPR Roles and Responsibilities to Scientific Data Sharing (May 1, 2021).