GDPR: how can I ensure that the processing of personal data is lawful?
The processing of personal data is only lawful if one of the conditions or legal grounds of the General Data Protection Regulation (GDPR) is met.
It is very important to indicate the applicable legal basis for the processing at the start of your research in the GDPR register.
There can only be one legal ground per purpose of the data processing activity. However, multiple purposes can be linked to multiple legal grounds. For example, the processing of personal data for scientific research can be based on the public interest, while you need the consent of the data subjects in order to process their personal data (e.g. mail addresses) to send a newsletter.
The processing of personal data in your research will be based on one of the six legal grounds listed below:
1. Consent
The data subjects have given (explicit) consent to the processing of their personal data for one or more specific purposes.
It is important to distinguish this consent as a legal basis in the GDPR from an ethical consent (as a guarantee). For ethical reasons, you may need consent from the participants to take part in a particular study (this may be required by law or ethically recommended). Although both can be combined, the ethical consent is not necessarily subject to the same conditions as the consent as legal basis in the GDPR.
A distinction should also be made between, on the one hand, informed consent to participation in research (ethical) and, on the other hand, consent as the basis for the processing of the personal data associated with it.
According to the GDPR, consent as a legal basis must meet a number of conditions in order to be valid.
In addition, data subjects also have different rights with regard to the processing of their personal data. Data subjects can, for example, withdraw their consent at any time on the basis of the GDPR; this has the effect that no further processing of personal data already collected can take place.
As the responsible researcher, you need to be able to prove that the data subject has given consent.
2. Public interest
Research projects that process personal data can also be carried out because this is necessary for the fulfillment of a task of public interest ("public interest").
This legal basis can only be used if there is an urgent social need for the processing of certain personal data. This means that there must be an explicit increase in knowledge in the interest of society. However, this does not apply by default to the majority of research. This may be the case, for example, in research into poverty reduction.
Note that the task of public interest must be assigned to the controller by a standard. This task must be laid down in the national law of a Member State. In the founding decrees of Ghent University, conducting scientific research has been laid down as one of the tasks of Ghent University, and in the Codex Higher Education this is also assigned as a task to universities.
The scope of this legal basis is potentially very broad. You will have to consider on a case-by-case basis whether the public interest task justifies the processing.
The use of the legal basis of public interest therefore requires a social necessity, an increase in knowledge for society and an explicit task in the public interest assigned to Ghent University.
In the context of industry-funded research, the pharmaceutical company, as data controller, will determine the legal ground. These pharmaceutical companies cannot rely on the legal ground of public interest.
3. Legitimate interests
The processing is necessary to promote the legitimate interests of the institution, or of a third party.
In order to invoke this legal ground as a researcher, you have to check whether the following 3 conditions are cumulatively fulfilled:
- you as researcher on behalf of UGent (the controller) or a third party pursue a legitimate interest;
- the processing of personal data is necessary for the realisation of this legitimate interest;
- the fundamental rights and freedoms of the data subject do not prevail.
  - In the case of children, this condition is usually not met. Consequently, invoking legitimate interest as a legal basis for the direct (primary) acquisition of personal data from children in the context of scientific research is almost impossible.
  - For the secondary processing of personal data, this legal basis may be used provided strict safeguards are put in place (e.g. pseudonymisation).
Finally, the legal basis of legitimate interest cannot be invoked for those tasks that Ghent University performs as a public authority in the public interest (research).
4. Legal obligation
The processing of personal data is necessary in the context of a legal obligation of the institution or organisation, for example on the basis of a decree.
5. Execution of an agreement
The processing is necessary for the performance of an agreement to which the data subject (the person whose data are being processed) is a party, or in order to take measures at the request of the data subject prior to the conclusion of a contract. Please note that this is not the processing agreement.
6. Vital interests
The processing is necessary in order to protect the vital interests of the data subjects or of another natural person.
This is a legal ground whose use is limited, given that you have to prove, on the one hand, that a vital interest is at stake and, on the other, that the data processing is necessary to protect this interest.
Last modified Dec. 19, 2023, 2:44 p.m.