GDPR: what should I do in the event of further/secondary processing of personal data?
Primary vs. secondary processing
In the case of further or secondary use of personal data in a research project, the personal data will not be directly collected from the data subjects by you.
If you do collect the personal data directly from the data subjects as part of your research with a specific objective in mind, this is a primary processing of personal data.
With further or secondary use of personal data, in a research project, the personal data are not collected directly from the data subjects. Reusing research data, which you yourself have collected in one research project, for another research project is also a further or secondary use of personal data. This is because in these cases, you are using personal data that was initially processed for another purpose or research project.
A few examples of secondary processing are:
- the personal data were previously collected by you for another research project, but you want to reuse them in a subsequent study to process them for a different research question;
- the personal data were collected as part of another research project at Ghent University;
- the personal data were previously collected by a third party from whom you receive the data at the start of your research.
Please note, if you receive pseudonymised data (you or the institution from which you receive the data can still identify the data subjects, for example by using a key, code or additional information), you remain subject to the rules of the General Data Protection Regulation (GDPR).
Only in cases where you receive the data anonymously, processing operation with this anonymous data do not fall under the GDPR/privacy legislation. Anonymous means that the data subjects cannot be identified by any person and in any way.
Compatibility with original purposes
Firstly, the GDPR requires that, even in the case of secondary processing of personal data, the processing in the context of your research must be based on one of the six legal grounds in the GDPR. When processing special categories ofpersonal data, an exception ground from Article 9 GDPR should also apply.
If the original processing was based on the consent of the data subject(s), you should check whether this consent also covers the purpose of the secondary use or re-use (i.e. scientific research).
If the original consent does not cover the further processing (for scientific research), you will need to find another legal basis for this further processing.
Secondly, collected data may not be further processed in a manner incompatible with the original purposes. So, as a researcher, in case of secondary processing, you have to perform a compatibility test.
The GDPR does stipulate a "presumption of compatibility" when data is further processed for the purpose of scientific research. This means that when personal data are further processed for scientific research, compatibility is presumed. However, the processing for the purpose of scientific research should be subject to appropriate safeguards in accordance with the GDPR regarding the rights and freedoms of the data subject (Article 89 GDPR).
However, it is advisable to check, also in the case of scientific research, whether the further use falls within the expectations of the data subject(s). The following points can be considered:
- The relationship between the original purpose and the new purpose;
- The context in which the data were collected;
- The type and nature of the data (does it concern sensitive data?);
- The possible consequences of the secondary use (what are the consequences for the data subject?);
- The existence of sufficient technical and organisational measures (e.g. anonymous data should preferably be used and data should be pseudonymised as soon as possible).
If the use is not within the expectation person of the data subject(s), the data will not be able to be lawfully further processed.
We advise you to thoroughly read the information that was provided to the data subjects and, if applicable, the consent, when further processing personal data. This allows you to evaluate whether the processing of personal data (in the context of a new research project or a new research question) is compatible with the purposes for which the data were originally collected.
Even with further use of personal data, it remains important to be transparent to data subjects. Thus, even when their personal data are further processed, data subjects must be informed about this new processing. However, there is an "exception" to this in the context of scientific research: if providing the information turns out to be impossible or would require unreasonable effort, you can deviate from the information obligation. In that case, however, technical and organisational measures must still be taken to protect the rights and freedoms of the data subject and to guarantee minimal data processing.
Last modified Nov. 15, 2023, 3:19 p.m.