Why register processing activities?

The General Data Protection Regulation (GDPR) requires that all activities concerning personal data processing at UGent and UZ Gent are documented and registered in a 'register of processing activities', the GDPR Register.

This internal documentation obligation is an essential tool to help researchers comply with the principle of accountability.

When to register processing activities?

Whether you act as controller or processor, you must record processing activities that take place under your responsibility.

New processing activities

Registration must be done for each new processing activity, i.e. at the start of each new research project that processes personal data (or the phase in the project that processes personal data), and this before the start of the actual data collection/processing.

Existing processing activities

Existing processing activities must also be registered. This applies to ongoing research projects, whether they started before or after 25 May 2018 (i.e. the day when the GDPR came into force).

Updates

In addition, it's important to keep the information regarding the registered processing activities up to date for the duration of the research project.

Where and how to register processing activities?

There are two possible routes for documenting and registering personal data processing activities via DMPonline.be:

1. If you want or have to prepare a Data Management Plan (DMP) for a research project (for example for an external funder), you can also register your processing activities at the same time .
2. f you're not writing a DMP or there's already a separate/existing DMP without registration of processing activities, you must register your processing activities with regard to personal data by using the UGent/UZ Gent template 'GDPR Record (EN)' or 'AVG Record (NL)'.

With a Data Management Plan

Researchers can register their processing activities while creating their Data Management Plan (DMP), via DMPonline.be.

A DMP obligation may exist, but doesn't apply to all projects. It's currently the case for all PhDs started since 2020-2021 and/or if the research funder requires it (e.g. FWO, Horizon 2020, Horizon Europe, BOF, etc.). If it's not mandatory, it's still good practice to draft a plan describing how you will manage your research data.

• More information about the Ghent University policy regarding Data Management Plans.
• More information about the requirements of external funders regarding DataManagement Plans.

Separate registration

Additionally, there's a mandatory registration for all research projects that process personal data. This registration also requires the use of DMPonline.be. To this end, you (only) select the section ‘GDPR record’ and answer the questions to register your processing activity. If necessary, you may also need to complete the ‘Data Protection Impact Assessment’ (DPIA).

How to proceed?

Logging in

• Log in with your UGent or UZ Gent account at https://dmponline.be.

Creating a new plan

• Create a new entry by clicking 'Create plan'.
• In the 'Create a new plan' page, enter the correct title of the research project for which you want to write the DMP/register the processing activities.
• Leave Ghent University (UGent) as 'primary research organisation'. Templates for UZ Gent and UGent are both maintained and provided by this 'research organisation'.
• Then go through the rest of the form to choose a suitable template (i.e. the UGent/UZ Gent ‘GDPR Record (EN)’ or 'AVG Record (NL)' template, or a GDPR-compatible DMP template). Select an external funder from the list, or choose ‘no funder associated with this plan or not listed’ if you're not creating a DMP for a funder/your funder isn't included in the list.

Completing the plan

• In the newly created plan, complete the 'Project details' (i.e. basic information about the research project):
• the person creating the plan is automatically entered in the plan details as the research project's 'Creator' . If necessary, you can modify the contribution roles via the 'Share' tab. Similarly, you can also specify an additional contact person for the DMP where appropriate. If you're not the main supervisor of the project, don't forget to add your supervisor as 'Principal Investigator' and change your own role to 'Data Manager' or 'Project Administrator' for the plan.
  
• Answer the questions in your plan. You can find them by navigating to the tabs next to 'Project details':
• to register your processing activities with regard to personal data, you must at the very least fill in the mandatory GDPR questions under the tab 'GDPR Record' or 'AVG Register'.
• in case your research constitutes a probable high-risk processing of personal data, you'll also need to conduct a Data Protection Impact Assessment (DPIA) or Gegevensbeschermingseffectbeoordeling (GEB) by answering the questions under the ‘DPIA’ or ‘GEB’ tab.
• if you're writing a DMP in addition to registering your personal data processing activities/conducting a DPIA, you'll also find a ‘DMP’ tab with questions to help you draft your DMP.

                                        

 

Access Data Protection Officer

• The Data Protection Officer of UGent (privacy@ugent.be)/ UZ Gent (dpo@uzgent.be) has automatic read-only access to your plan in DMPonline.be, as one of the admins of the application.

Exporting the plan

• You can export each individual component of your plan (GDPR Record, DPIA, DMP) from the tool in various file formats (.docx, .pdf, .txt), e.g. when you want to save a milestone version, or when you want to formally submit a document to a funder, to the Research Co-ordination office, to your ethics committee, etc.
• However, to actually register your processing activities in order to comply with the GDPR, in principle all you have to do is fill in the GDPR questions in the online tool - you don't have to export and submit a document for this yourself.
• Please note: if you need or want advice from an ethics committee for your research, your application for ethical approval does require submitting your GDPR Record document for admission. In this case, you'll have to export a document from the tool yourself.

Keeping the plan up to date

• Keep your plan, and in particular the questions under the 'GDPR Record' tab, up to date in DMPonline.be during the course of your research project. Via 'My Dashboard' you can see a list of existing plans which you can then edit further.

A more detailed manual for the use of DMPonline.be can be found in the research tip: DMPonline.be: how do I write a Data Management Plan?

More information

• Privacy and research