GDPR: what should I do in the event of further/secondary processing of personal data?

Primary vs. secondary processing

In the case of further or secondary use of personal data in a research project, the personal data will not be directly collected from the data subjects by you.

If you do collect the personal data directly from the data subjects as part of your research with a specific objective in mind, this is a primary processing of personal data.

With further or secondary use of personal data, in a research project, the personal data are not collected directly from the data subjects. Reusing research data, which you yourself have collected in one research project, for another research project is also a further or secondary use of personal data. This is because in these cases, you are using personal data that was initially processed for another purpose or research project.

A few examples of secondary processing are:

the personal data were previously collected by you for another research project, but you want to reuse them in a subsequent study to process them for a different research question;
the personal data were collected as part of another research project at Ghent University;
the personal data were previously collected by a third party from whom you receive the data at the start of your research.

Pseudonomysed data

Please note, if you receive pseudonymised data (you or the institution from which you receive the data can still identify the data subjects, for example by using a key, code or additional information), you remain subject to the rules of the General Data Protection Regulation (GDPR).

Only in cases where you receive the data anonymously, processing operation with this anonymous data do not fall under the GDPR/privacy legislation. Anonymous means that the data subjects cannot be identified by any person and in any way.

Compatibility with original purposes

Firstly, the GDPR requires that, even in the case of secondary processing of personal data, the processing in the context of your research must be based on one of the six legal grounds in the GDPR. When processing special categories ofpersonal data, an exception ground from Article 9 GDPR should also apply.

If the original processing was based on the consent of the data subject(s), you should check whether this consent also covers the purpose of the secondary use or re-use (i.e. scientific research).

If the original consent does not cover the further processing (for scientific research), you will need to find another legal basis for this further processing.

Secondly, collected data may not be further processed in a manner incompatible with the original purposes. So, as a researcher, in case of secondary processing, you have to perform a compatibility test.

The GDPR does stipulate a "presumption of compatibility" when data is further processed for the purpose of scientific research. This means that when personal data are further processed for scientific research, compatibility is presumed. However, the processing for the purpose of scientific research should be subject to appropriate safeguards in accordance with the GDPR regarding the rights and freedoms of the data subject (Article 89 GDPR).

However, it is advisable to check, also in the case of scientific research, whether the further use falls within the expectations of the data subject(s). The following points can be considered:

The relationship between the original purpose and the new purpose;
The context in which the data were collected;
The type and nature of the data (does it concern sensitive data?);
The possible consequences of the secondary use (what are the consequences for the data subject?);
The existence of sufficient technical and organisational measures (e.g. anonymous data should preferably be used and data should be pseudonymised as soon as possible).

If the use is not within the expectation person of the data subject(s), the data will not be able to be lawfully further processed.

We advise you to thoroughly read the information that was provided to the data subjects and, if applicable, the consent, when further processing personal data. This allows you to evaluate whether the processing of personal data (in the context of a new research project or a new research question) is compatible with the purposes for which the data were originally collected.

Transparency

Even with further use of personal data, it remains important to be transparent to data subjects. Thus, even when their personal data are further processed, data subjects must be informed about this new processing. However, there is an "exception" to this in the context of scientific research: if providing the information turns out to be impossible or would require unreasonable effort, you can deviate from the information obligation. In that case, however, technical and organisational measures must still be taken to protect the rights and freedoms of the data subject and to guarantee minimal data processing.

More information

Privacy and research

More tips

GDPR: Can I share research data with personal data with other researchers or institutions when my research project has ended? (Research integrity & ethics)
GDPR: how can I ensure that the processing of personal data is lawful? (Research integrity & ethics)
GDPR: how do I protect my data correctly? (Research integrity & ethics)
GDPR: how do I register personal data processing activities? (Research integrity & ethics)
GDPR: how long may I store research data containing personal data? (Research integrity & ethics)
GDPR: how to be transparent to data subjects in my research? (Research integrity & ethics)
GDPR: what are personal data? (Research integrity & ethics)
GDPR: what are some things to consider when processing personal data from minors? (Research integrity & ethics)
GDPR: what are the basic principles? (Research integrity & ethics)
GDPR: what are the different roles and responsibilities according to the GDPR? (Research integrity & ethics)
GDPR: What do I need to think about when transferring personal data to third countries or international organisations? (Research integrity & ethics)
GDPR: what do I need to think about when using a mailing list in the context of my research? (Research integrity & ethics)
GDPR: what has changed with regard to the previous privacy legislation? (Research integrity & ethics)
GDPR: what information should I include in an informed consent form when the processing of personal data is based on the consent of the data subjects? (Research integrity & ethics)
GDPR: what is the General Data Protection Regulation? (Research integrity & ethics)
GDPR: what rights do data subjects have, how do I respect them and what exceptions may apply to research? (Research integrity & ethics)
GDPR: what should I do in case of a data breach? (Research integrity & ethics)
GDPR: what should I keep in mind when designing my research? (Research integrity & ethics)
GDPR: what should I keep in mind when processing special categories of personal data? (Research integrity & ethics)
GDPR: What should I think about when I collaborate with others or share my data? (Research integrity & ethics)
GDPR: When am I processing high-risk personal data and when do I need to conduct a DPIA? (Research integrity & ethics)
GDPR: when does it apply to my research? (Research integrity & ethics)
GDPR: who are considered to be vulnerable persons? (Research integrity & ethics)
GDPR: why is it important to comply with this legislation? (Research integrity & ethics)

Translated tip

AVG: wat moet ik doen bij een verdere/secundaire verwerking van persoonsgegevens?

tags:

Research integrity & ethics

Last modified Nov. 15, 2023, 3:19 p.m.

Questions? Suggestions?

libservice@ugent.be