GDPR: how can I ensure that the processing of personal data is lawful?
The processing of personal data is only lawful if one of the conditions or legal grounds of the General Data Protection Regulation (GDPR) is met.
It is very important to indicate the applicable legal basis for the processing at the start of your research in the GDPR register. The processing of personal data in your research must be based on one of the legal grounds mentioned below.
There can only be one legal ground per purpose of the data processing activity. If the processing is based on public interest, the consent of the data subject is not required for the processing to be legitimate. But, this consent can be an ethical guarantee.
Multiple purposes can be linked to multiple legal grounds. The processing of personal data for scientific research can be based on the public interest, while you need the consent of the data subjects in order process their personal data (e.g. mail addresses) to send a newsletter.
1. Consent
The data subjects have given explicit consent to the processing of their personal data.
It is important to distinguish this consent as a legal basis in the GDPR from an ethical consent (as a guarantee). For ethical reasons, you may need consent from the participants to take part in a particular study (this may be required by law or ethically recommended). Although both can be combined, the ethical consent is not necessarily subject to the same conditions as the consent as legal basis in the GDPR.
According to the GDPR, consent as a legal basis must meet a number of conditions in order to be valid.
In addition, data subjects also have different rights with regard to the processing of their personal data and they can, for example, withdraw their consent at any time on the basis of the GDPR. The consequence of this is that further processing of personal data already collected can no longer take place.
2. Public interest
Research projects that process personal data can also be carried out because this is necessary for the fulfillment of a task of public interest ("public interest").
This legal basis can only be used if there is an urgent social need for the processing of certain personal data. This means that there must be an explicit increase in knowledge in the interest of society. However, this is not standard applicable to the majority of the research. This may be the case, for example, in research into poverty reduction.
In addition, this legal basis also requires that an effective task of public interest is assigned to the controller. This task must be laid down in the national law of a Member State. In the founding decrees of Ghent University, conducting scientific research has been laid down as one of the tasks of Ghent University, and in the Codex Higher Education this is also assigned as a task to universities.
The use of the legal basis of general interest therefore requires a social necessity, an increase in knowledge for society and an explicit task in the public interest assigned to Ghent University.
In the context of industry funded research, the pharmaceutical company will, being data controller, determine the legal ground. These pharmaceutical companies cannot rely on the legal ground of public interest.
3. Legitimate interests
The processing is necessary to promote the legitimate interests of the institution, or of a third party.
The legal basis of legitimate interest can only be invoked when the interest to conduct a particular research project outweighs the interests of the persons whose personal data are processed, which is usually not the case in the case of children. Consequently, invoking legitimate interest as a legal basis for the direct (primary) acquisition of personal data from children in the context of scientific research is almost impossible.
For the secondary processing of personal data, this legal basis may be used, if the necessary protective measures have been taken (e.g. pseudonymisation).
Finally, the legal basis of legitimate interest cannot be invoked for those tasks that Ghent University performs as a public authority in the public interest (research).
4. Legal obligation
The processing of personal data is necessary in the context of a legal obligation of the institution or organisation, for example on the basis of a decree.
5. Execution of an agreement
The processing is necessary for the implementation of an agreement with the data subject(s) whose data is being processed. Please note, this is not the processing agreement.
6. Vital interests
The processing is necessary in order to protect the vital interests of the data subjects or of another natural person.
More information
More tips
- GDPR: Can I share research data with personal data with other researchers or institutions when my research project has ended? (Research integrity & ethics)
- GDPR: how do I protect my data correctly? (Research integrity & ethics)
- GDPR: how do I register personal data processing activities? (Research integrity & ethics)
- GDPR: how long may I store research data containing personal data? (Research integrity & ethics)
- GDPR: how to be transparent to data subjects in my research? (Research integrity & ethics)
- GDPR: Pseudonymisation of personal data (Research integrity & ethics)
- GDPR: what are personal data? (Research integrity & ethics)
- GDPR: what are some things to consider when processing personal data from minors? (Research integrity & ethics)
- GDPR: what are the basic principles? (Research integrity & ethics)
- GDPR: what are the different roles and responsibilities according to the GDPR? (Research integrity & ethics)
- GDPR: What do I need to think about when transferring personal data to third countries or international organisations? (Research integrity & ethics)
- GDPR: what do I need to think about when using a mailing list in the context of my research? (Research integrity & ethics)
- GDPR: what has changed with regard to the previous privacy legislation? (Research integrity & ethics)
- GDPR: what information should I include in an informed consent form when the processing of personal data is based on the consent of the data subjects? (Research integrity & ethics)
- GDPR: what is the General Data Protection Regulation? (Research integrity & ethics)
- GDPR: what rights do data subjects have, how do I respect them and what exceptions may apply to research? (Research integrity & ethics)
- GDPR: What should I do if there is a data breach? (Research integrity & ethics)
- GDPR: what should I do in the event of further/secondary processing of personal data? (Research integrity & ethics)
- GDPR: what should I keep in mind when designing my research? (Research integrity & ethics)
- GDPR: what should I keep in mind when processing special categories of personal data? (Research integrity & ethics)
- GDPR: What should I think about when I collaborate with others or share my data? (Research integrity & ethics)
- GDPR: When am I processing high-risk personal data and when do I need to conduct a DPIA? (Research integrity & ethics)
- GDPR: when does it apply to my research? (Research integrity & ethics)
- GDPR: who are considered as vulnerable persons? (Research integrity & ethics)
- GDPR: why is it important to comply with this legislation? (Research integrity & ethics)
- How to use Qualtrics? (Research integrity & ethics)
Translated tip
Last modified Sept. 21, 2022, 11:39 a.m.