GDPR: how to be transparent to data subjects in my research?
Informing the persons whose personal data are processed (the data subjects) is one of the basic principles and obligations of the General Data Protection Regulation (GDPR).
As a researcher, it's your responsibility to provide information about your research to the data subjects in your research.
Elements of transparancy
The information you provide must meet the following requirements:
- the information must be concise, transparent, understandable and easily accessible;
- clear and simple language must be used. This last requirement is particularly important when the information is specifically addressed to a minor;
- information must be provided in writing (including electronic means). In the context of a research project, you can provide the information in different ways, such as via a privacy statement or an information letter (the information letter doesn’t have to be signed by the data subject, but you must make it available);
- if requested by the data subject, the information can be communicated orally; and
- the information must generally be provided free of charge.
For the provision of this information to the data subjects, the GDPR makes a distinction between
- the processing of personal data collected from the data subjects themselves, and
- the processing of personal data that were not obtained from the data subjects themselves.
Personal data collected directly from the data subjects
If you collect the personal data directly from the data subjects through, for example, an interview, survey or questionnaire (primary collection), you can use the checklist in the attachments below (checklist_primair_ENG) to ensure that the data subjects are informed in an appropriate manner.
In the case of primary processing, you do not have to provide the information when the data subject already has the information. The principle of self-responsibility does require that you demonstrate (and document in the GDPR-record of Ghent University) what information the data subject already has, how and when the data subject received it and that no changes have taken place since then in the information that make the information obsolete.
Personal data not collected from the data subjects themselves
If the personal data you use in your research weren't collected directly from the data subjects (secondary/further processing), you must also inform them of this processing and about the source from which you obtained the personal data.
This information must be provided to the data subjects within a reasonable time frame:
- after obtaining the personal data (at the latest within one month);
- at the latest at the time of the first communication to the data subjects (if the personal data are to be used for communication with the data subject);
- if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
In the case of secondary processing, you don't have to provide this information when:
- the data subject already has the information; or
- providing the information would involve a disproportionate effort, in particular for processing for scientific or historical research purposes, or is likely to seriously impair achieving the processing's purposes, or even render it impossible.
If you use one of these two exceptions for your research, you must always take appropriate technical and organizational measures such as pseudonymizing the data and making the information publicly available. In addition, you must motivate/document this exception in Ghent University's GDPR register.
You can use the checklist in the attachments below (checklist_secundair_ENG) when drawing up your information letter.
Last modified Nov. 20, 2023, 1:54 p.m.