GDPR: what are the different roles and responsibilities according to the GDPR?
Various roles are defined within the General Data Protection Regulation (GDPR) for the processing of personal data. The most important roles are:
- Data controller
- Joint data controller
- Data processor
Since controllers and processors have different responsibilities and obligations, it is important that you clearly define these roles (together with the other partners in your research) at the start of the research.
Controller
The controller is defined as the institution/organisation/person who determines the purpose of and means for the processing. Please note, merely providing research funding (such as by the FWO, the European Commission, etc.) is not sufficient to be a controller in the context of research. In this case, Ghent University remains the controller.
- For example: you are an FWO PhD fellow and together with the supervisor, who is a professor at Ghent University, you determine the objectives of your research. Although your research is funded by the FWO, Ghent University is the controller. The FWO is merely a funder.
- For example: Ghent University is the data controller for research by UGent researchers on patients/volunteers (e.g. general practitioner medicine, studies with nursing home residents, Faculty of Psychology & Educational Sciences, ...), including personal data, human body material (MLM), imaging, surveys, etc. and their use, where no use is made of patient data or other data collected within UZ Gent.
- For example: Ghent University Hospital, not UGent, is the data controller for research on UZ Gent patients, including personal data, human body material (MLM), imaging, surveys, etc. and their use, by a principal investigator who is not affiliated with UGent, and for research projects with volunteers at UZ Gent services (e.g. D.R.U.G., CEVAC, Outpatient services) by a principal investigator who is not affiliated with UGent.
- For example: in the context of industry-funded research, the pharmaceutical company is the sponsor and will be the data controller. Therefore, Ghent University and Ghent University Hospital are data processors.
Although Ghent University acts as the controller for most of the research with personal data that is done at Ghent University, this is a shared responsibility with you and the other researchers involved. Within their own research projects, researchers are responsible for thoroughly considering the privacy aspects and for complying with the legal obligations of the GDPR and the Generic Code of Conduct for the processing of personal data and confidential information at Ghent University.
Joint controllers
With joint controllers, the purpose and means are determined by two or more organisations or institutions.
In this situation, it is important to establish in a transparent manner, together with the other controllers, who is responsible for providing information to data subjects and who data subjects can contact if they want to exercise their rights.
- For example: you conduct research together with another university in Belgium or abroad, where both partners design the research plan (to a greater or lesser extent). This is not a situation where one university is merely a supplier of data or only carries out a specific contract for subcontracting.
- For example: Ghent University and Ghent University Hospital are joint controllers for research on UZ Gent patients, including personal data, human body material (MLM), imaging, surveys, etc. and their use, by a principal investigator affiliated with UGent, and for research projects with volunteers at UZ Gent services (e.g. D.R.U.G., CEVAC, Outpatient services) by a principal investigator affiliated with UGent. If another university, hospital, research institute or partner is involved in the research (besides Ghent University and/or Ghent University Hospital), Ghent University and/or Ghent University Hospital will act as a joint controller together with this other party, or as a processor or sub-processor on behalf of this other party (see below).
Processor
Finally, an institution, organisation or researcher can also act as a processor. In this case, the institution, organisation or researcher processes personal data on behalf of another organisation.
- For example: contract research, services commissioned by private companies, or some types of policy-relevant research.
- For example: in the context of industry-funded research, the pharmaceutical company is the sponsor and will be the data controller. Therefore, Ghent University and Ghent University Hospital are data processors.
As part of a research project or a research collaboration, you may also work with processors to collect, process, store or make personal data available.
- For example: researchers contract with a company to send surveys to data subjects, or to analyse certain results of interviews and surveys. In this case, Ghent University will act as the controller and the company as the processor.
It is important to set down all arrangements between the controller(s) and the processor(s) or between processors and sub-processors in an agreement. You can contact the legal support office of TechTransfer for this.
Translated tip
Last modified Sept. 21, 2022, 11:52 a.m.