GDPR: how can I ensure that the processing of personal data is lawful?
The processing of personal data is only lawful if one of the conditions or legal grounds of the General Data Protection Regulation (GDPR) is met.
It is very important to indicate the applicable legal basis for the processing at the start of your research. The processing of personal data in your research must be based on one of the legal grounds mentioned below.
1. Consent
The data subjects have given explicit consent to the processing of their personal data.
It is important to distinguish this consent as a legal basis in the GDPR from an ethical consent (as a guarantee). For ethical reasons, you may need consent from the participants to take part in a particular study (this may be required by law or ethically recommended). Although both can be combined, the ethical consent is not necessarily subject to the same conditions as the consent as legal basis in the GDPR.
According to the GDPR, consent as a legal basis must meet a number of conditions in order to be valid.
In addition, data subjects also have different rights with regard to the processing of their personal data and they can, for example, withdraw their consent at any time on the basis of the GDPR. The consequence of this is that further processing of personal data already collected can no longer take place.
2. Public interest
Research projects that process personal data can also be carried out in the public interest, which means that your research leads to an increase in knowledge and understanding that benefits society (directly or indirectly).
In principle, this means that the results of your research must be made public. When you conduct research using government-funded resources (such as from the FWO, BOF, H2020, etc.), this is an indication that the research is being conducted in the public interest.
The legal basis for data processing is not public interest if the research results are transferred exclusively to another party and the knowledge acquired is intended solely for private interests.
3. Legitimate interests
The processing is necessary to promote the legitimate interests of the institution or organisation, or of a third party.
You must be able to demonstrate that the legitimate interests of the controller have been weighed against the interests of the persons whose data are processed (data subjects).
4. Legal obligation
The processing of personal data is necessary in the context of a legal obligation of the institution or organisation, for example on the basis of a decree.
5. Execution of an agreement
The processing is necessary for the implementation of an agreement with the data subject(s) whose data is being processed. Please note, this is not the processing agreement.
6. Vital interests
The processing is necessary in order to protect the vital interests of the data subjects or of another natural person.
More information
More tips
- GDPR: how am I transparent to data subjects in my research? (Integrity in science)
- GDPR: how do I register personal data processing activities? (Integrity in science)
- GDPR: how long can research data containing personal data be stored? (Integrity in science)
- GDPR: what are personal data? (Integrity in science)
- GDPR: what are the basic principles? (Integrity in science)
- GDPR: what are the different roles and responsibilities according to the GDPR? (Integrity in science)
- GDPR: what has changed with regard to the previous privacy legislation? (Integrity in science)
- GDPR: what information should I include in an informed consent form when the processing of personal data is based on the consent of the data subjects? (Integrity in science)
- GDPR: what is the General Data Protection Regulation? (Integrity in science)
- GDPR: what rights do data subjects have, how do I respect them and what exceptions may apply to research? (Integrity in science)
- GDPR: what should I do in the event of further/secondary processing of personal data? (Integrity in science)
- GDPR: what should I keep in mind when designing my research? (Integrity in science)
- GDPR: what should I keep in mind when processing special categories of personal data? (Integrity in science)
- GDPR: When am I processing high-risk personal data and when do I need to conduct a DPIA? (Integrity in science)
- GDPR: when does it apply to my research? (Integrity in science)
- GDPR: who are considered as vulnerable persons? (Integrity in science)
- GDPR: why is it important to comply with this legislation? (Integrity in science)
Translated tip
Last modified Aug. 25, 2020, 6:40 p.m.