It is the General Data Protection Regulation (GDPR) rather than domestic law that sets out the legal basis for the processing of any personal data, including for research purposes, and domestic law cannot amend the GDPR legal basis. Where health or genetic data is involved, the data controller concerned, whether it is a public authority or a commercial entity, must have a basis in Article 6 and meet a condition in Article 9. The data controller must also comply with the other requirements in the GDPR, in particular the principles in Article 5, and have suitable and specific safeguards in place such as those set out in the Health Research Regulations.