GDPR: how do I register personal data processing activities?
Why register processing activities?
The General Data Protection Regulation (GDPR, known as AVG in Dutch) requires that all activities concerning personal data processing at UGent and UZ Gent are documented and registered in a 'register of processing activities', the GDPR Register.
This internal registration replaces the former 'obligation to report' with the Privacy Commission, and is an essential tool to help researchers comply with the GDPR principle of accountability.
When to register processing activities?
New processing activities
Registration must be done for each new processing activity, i.e. at the start of each new research project that processes personal data (or the phase in the project that processes personal data), and this before the start of the actual data collection/processing.
Existing processing activities
Existing processing activities must also be registered. This applies to ongoing research projects, whether they started before or after 25 May 2018 (i.e. the day when the GDPR came into force).
In addition, it's important to keep the information regarding the registered processing activities up to date for the duration of the research project.
Where and how to register processing activities?
For research, researchers can register their processing activities while creating their Data Management Plan (DMP), because entering information into the GDPR register can be done through the DMPonline.be interface.
Use the templates in the online tool DMPonline.be
A DMP obligation may exist, but doesn't apply to all projects. It's currently the case for all PhDs started since 2020-2021 and/or if the research funder requires it (e.g. FWO, Horizon 2020, Horizon Europe, BOF, etc.). If it's not mandatory, it's still good practice to draft a plan describing how you will manage your research data.
- More information about the Ghent University policy regarding Data Management Plans
- More information about the requirements of external funders regarding Data Management Plans
Additionally, there's the mandatory registration of all research projects that process personal data. This registration also requires the use of DMPonline.be. To this end, you (only) fill out the part ‘GDPR record’ and if necessary ‘DPIA’, or you create an item of the type ‘GDPR record’, which only contains these sections.
Hence, there are two possible routes for documenting and registering personal data processing activities via DMPonline.be:
- If you want or have to prepare a DMP for a research project, e.g. for an external funder, you can also register your processing activities at the same time .
- If you're not writing a DMP or there's a separate DMP already, and you only need to register processing activities with regard to personal data, you can select the UGent/UZ Gent template 'GDPR Record (EN)' or 'AVG Record (NL)'.
In case your existing DMP doesn't contain a GDPR record tab, it's not possible to add one. Instead, you should go for option 2 described above.
How to proceed?
- Log in with your UGent or UZ Gent account at https://dmponline.be.
Creating a new plan
- Create a new entry by clicking 'Create plan'.
- In the 'Create a new plan' page, enter the correct title of the research project for which you want to write the DMP/register the processing activities.
- Leave Ghent University (UGent) as 'primary research organisation'. Templates for UZ Gent and UGent are both maintained and provided by this 'research organisation'.
- Then go through the rest of the form to choose a suitable template (i.e. the UGent/UZ Gent ‘GDPR Record (EN)’ or 'AVG Record (NL)' template, or a GDPR-compatible DMP template). Select an external funder from the list, or choose ‘no funder associated with this plan or not listed’ if you're not creating a DMP for a funder/your funder isn't included in the list.
Completing the plan
- In the newly created plan, complete the 'Project details' (i.e. basic information about the research project):
- the person creating the plan is automatically entered in the plan details as the research project's 'Creator' . If necessary, you can modify the contribution roles via the 'Share' tab. Similarly, you can also specify an additional contact person for the DMP where appropriate. If you're not the main supervisor of the project, don't forget to add your supervisor as 'Principal Investigator' and change your own role to 'Data Manager' or 'Project Administrator' for the plan.
- Answer the questions in your plan. You can find them by navigating to the tabs next to 'Project details':
- to register your processing activities with regard to personal data, you must at the very least fill in the mandatory GDPR questions under the tab 'GDPR Record' or 'AVG Register'.
- in case your research constitutes a probable high-risk processing of personal data, you'll also need to conduct a Data Protection Impact Assessment (DPIA) or Gegevensbeschermingseffectbeoordeling (GEB) by answering the questions under the ‘DPIA’ or ‘GEB’ tab.
- if you're writing a DMP in addition to registering your personal data processing activities/conducting a DPIA, you'll also find a ‘DMP’ tab with questions to help you draft your DMP.
Access Data Protection Officer
- The Data Protection Officer of UGent (firstname.lastname@example.org)/ UZ Gent (email@example.com) has automatic read-only access to your plan in DMPonline.be, as one of the admins of the application.
Exporting the plan
- You can export each individual component of your plan (GDPR Record, DPIA, DMP) from the tool in various file formats (.docx, .pdf, .txt), e.g. when you want to save a milestone version, or when you want to formally submit a document to a funder, to the Research Co-ordination office, to your ethics committee, etc.
- However, to actually register your processing activities in order to comply with the GDPR, in principle all you have to do is fill in the GDPR questions in the online tool - you don't have to export and submit a document for this yourself.
- Please note: if you need or want advice from an ethics committee for your research, submitting your GDPR Record document is an admissibility requirement for your application for ethical approval. In this case, you'll have to export a document from the tool yourself.
Keeping the plan up to date
- Keep your plan, and in particular the questions under the 'GDPR Record' tab, up to date in DMPonline.be during the course of your research project. Via 'My Dashboard' you can see a list of existing plans which you can then edit further.
A more detailed manual for the use of DMPonline.be can be found in the research tip: DMPonline.be: how do I write a Data Management Plan?
- DMPonline.be: How do I write a Data Management Plan? (Write)
- DMPonline.be: when and how to sign in via ORCID? (Research integrity & ethics)
- GDPR: What to keep in mind when developing or deploying apps for research? (Research integrity & ethics)
- GDPR: Can I share research data with personal data with other researchers or institutions when my research project has ended? (Research integrity & ethics)
- GDPR: how can I ensure that the processing of personal data is lawful? (Research integrity & ethics)
- GDPR: how do I protect my data correctly? (Research integrity & ethics)
- GDPR: how do I register personal data processing activities? (Research integrity & ethics)
- GDPR: how long may I store research data containing personal data? (Research integrity & ethics)
- GDPR: how to be transparent to data subjects in my research? (Research integrity & ethics)
- GDPR: Pseudonymisation of personal data (Research integrity & ethics)
- GDPR: what are personal data? (Research integrity & ethics)
- GDPR: what are some things to consider when processing personal data from minors? (Research integrity & ethics)
- GDPR: what are the basic principles? (Research integrity & ethics)
- GDPR: what are the different roles and responsibilities according to the GDPR? (Research integrity & ethics)
- GDPR: What do I need to think about when transferring personal data to third countries or international organisations? (Research integrity & ethics)
- GDPR: what do I need to think about when using a mailing list in the context of my research? (Research integrity & ethics)
- GDPR: what has changed with regard to the previous privacy legislation? (Research integrity & ethics)
- GDPR: what information should I include in an informed consent form when the processing of personal data is based on the consent of the data subjects? (Research integrity & ethics)
- GDPR: what is the General Data Protection Regulation? (Research integrity & ethics)
- GDPR: what rights do data subjects have, how do I respect them and what exceptions may apply to research? (Research integrity & ethics)
- GDPR: what should I do in case of a data breach? (Research integrity & ethics)
- GDPR: what should I do in the event of further/secondary processing of personal data? (Research integrity & ethics)
- GDPR: what should I keep in mind when designing my research? (Research integrity & ethics)
- GDPR: what should I keep in mind when processing special categories of personal data? (Research integrity & ethics)
- GDPR: What should I think about when I collaborate with others or share my data? (Research integrity & ethics)
- GDPR: When am I processing high-risk personal data and when do I need to conduct a DPIA? (Research integrity & ethics)
- GDPR: when does it apply to my research? (Research integrity & ethics)
- GDPR: who are considered to be vulnerable persons? (Research integrity & ethics)
- GDPR: why is it important to comply with this legislation? (Research integrity & ethics)
- Qualtrics: how do I use this survey tool? (Research integrity & ethics)
Last modified Oct. 21, 2022, 12:58 p.m.