GDPR: how to be transparent to data subjects in my research?
Informing the persons whose personal data are processed (the data subjects) is one of the basic principles and obligations of the General Data Protection Regulation (GDPR).
As a researcher, it's your responsibility to communicate this information to the data subjects in clear and simple language, and in a concise, transparent, comprehensible and easily accessible format.
In the context of a research project you can provide this information in various ways, such as via a privacy statement or an information letter (this information letter doesn't have to be signed by the parties involved, but you must make it available).
To provide this information to the data subjects, the GDPR makes a distinction between
- the processing of personal data collected from the data subjects themselves, and
- the processing of personal data that were not obtained from the data subjects themselves.
Personal data collected directly from the data subjects
If you collect the personal data directly from the data subjects through, for example, an interview, survey or questionnaire, you can use the checklist in the attachments below (checklist_primair_ENG) to ensure that the data subjects are informed in an appropriate manner.
Personal data not collected from the data subjects themselves
If the personal data you use in your research weren't collected directly from the data subjects (secondary/further processing), you must also inform them of this processing and about the source from which you obtained the personal data.
Time frame
This information must be provided to the data subjects within a reasonable time frame:
- after obtaining the personal data (at the latest within one month);
- at the time of the first communication to the data subjects;
- when the personal data are first disclosed.
Exceptions
In the case of secondary processing, you don't have to provide this information when:
- the data subject already has the information, or
- providing the information would involve a disproportionate effort, or is likely to seriously impair achieving the processing's purposes, or even render it impossible.
If you use one of these two exceptions for your research, you must always take appropriate technical and organizational measures such as pseudonymizing the data. In addition, you must motivate/document this exception in Ghent University's GDPR register.
You can use the checklist in the attachments below (checklist_secundair_ENG) when drawing up your information letter.
More information
Attachments
More tips
- GDPR: What to keep in mind when developing or deploying apps for research? (Research integrity & ethics)
- GDPR: Can I share research data with personal data with other researchers or institutions when my research project has ended? (Research integrity & ethics)
- GDPR: how can I ensure that the processing of personal data is lawful? (Research integrity & ethics)
- GDPR: how do I protect my data correctly? (Research integrity & ethics)
- GDPR: how do I register personal data processing activities? (Research integrity & ethics)
- GDPR: how long may I store research data containing personal data? (Research integrity & ethics)
- GDPR: what are personal data? (Research integrity & ethics)
- GDPR: what are some things to consider when processing personal data from minors? (Research integrity & ethics)
- GDPR: what are the basic principles? (Research integrity & ethics)
- GDPR: what are the different roles and responsibilities according to the GDPR? (Research integrity & ethics)
- GDPR: What do I need to think about when transferring personal data to third countries or international organisations? (Research integrity & ethics)
- GDPR: what do I need to think about when using a mailing list in the context of my research? (Research integrity & ethics)
- GDPR: what has changed with regard to the previous privacy legislation? (Research integrity & ethics)
- GDPR: what information should I include in an informed consent form when the processing of personal data is based on the consent of the data subjects? (Research integrity & ethics)
- GDPR: what is the General Data Protection Regulation? (Research integrity & ethics)
- GDPR: what rights do data subjects have, how do I respect them and what exceptions may apply to research? (Research integrity & ethics)
- GDPR: what should I do in case of a data breach? (Research integrity & ethics)
- GDPR: what should I do in the event of further/secondary processing of personal data? (Research integrity & ethics)
- GDPR: what should I keep in mind when designing my research? (Research integrity & ethics)
- GDPR: what should I keep in mind when processing special categories of personal data? (Research integrity & ethics)
- GDPR: What should I think about when I collaborate with others or share my data? (Research integrity & ethics)
- GDPR: When am I processing high-risk personal data and when do I need to conduct a DPIA? (Research integrity & ethics)
- GDPR: when does it apply to my research? (Research integrity & ethics)
- GDPR: who are considered to be vulnerable persons? (Research integrity & ethics)
- GDPR: why is it important to comply with this legislation? (Research integrity & ethics)
- Qualtrics: how do I use this survey tool? (Research integrity & ethics)
Translated tip
Last modified Oct. 20, 2022, 5:46 p.m.