In the age of big data and AI, the ability to extract knowledge and value from personal data is promising, especially for researchers and policymakers. New findings based on vast amounts of data have the potential to save lives and reduce expenses for society as a whole. However, processing sensitive data for a new purpose poses complex ethical, legal and technical challenges. The EU General Data Protection Regulation (GDPR) accounts for this challenge by allowing researchers to process and further use personal data under the ‘research exemption’. However, many aspects of this exemption need further clarification: what level of public interest is necessary (e.g., general, important or substantial), how the data should be de-identified, and what kinds of activities fit within the definition of ‘scientific research’. The issue is elaborated through the GDPR and its implementation in England and Germany, focusing on the secondary use of health data.