GDPR: what should I do in the event of further/secondary processing of personal data?
Primary vs. secondary processing
In the case of further or secondary processing of personal data in a research project, the personal data will not be directly collected from the data subjects by you.
If you do collect the personal data directly from the data subjects as part of your research with a specific objective in mind, this is a primary processing of personal data.
A few examples of secondary processing are:
- the personal data have already been collected by you: personal data that you collected yourself for a specific purpose and that you wish to process for a different research question in a subsequent study will also be considered as further processing
- the personal data were collected as part of another research project at Ghent University
- the personal data were previously collected by a third party from whom you receive the data at the start of your research
Secondary processing of pseudonomysed data
Please note, if you receive pseudonymised data in the context of secondary processing (you or the institution from whom you receive the data can still identify the data subjects, for example by using a key), then this is not anonymous data. These are personal data that are subject to the rules of the General Data Protection Regulation (GDPR).
Only in cases where you receive the data anonymously does the processing of this data not fall under the GDPR/privacy legislation. Anonymous means that the data subject can in no way be identified by any person. It is therefore not sufficient that you as a researcher can no longer identify the data subjects. If data are very unique, identification by third parties may be simple.
Compatibility with original purposes
In the context of further processing of personal data, we recommend that you thoroughly read the information provided to the data subjects and possibly the informed consent. This will allow you to evaluate whether the processing of personal data (in the context of a new research project or a new research question) is compatible with the purposes for which the data were originally collected.
Lawful processing
Personal data can only be lawfully processed with a specific legal basis.
This legal basis is determined by the primary data collection. If your research involves further processing of personal data, you should check with the party who first collected the data as to the legal basis for that collection.
Transparency
It is still important to be transparent towards the data subjects for the further processing of personal data. For example, the data subjects must also be informed about this new further processing of their personal data.
More information
More tips
- GDPR: Can I share research data with personal data with other researchers or institutions when my research project has ended? (Research integrity & ethics)
- GDPR: how can I ensure that the processing of personal data is lawful? (Research integrity & ethics)
- GDPR: how do I protect my data correctly? (Research integrity & ethics)
- GDPR: how do I register personal data processing activities? (Research integrity & ethics)
- GDPR: how long may I store research data containing personal data? (Research integrity & ethics)
- GDPR: how to be transparent to data subjects in my research? (Research integrity & ethics)
- GDPR: what are personal data? (Research integrity & ethics)
- GDPR: what are some things to consider when processing personal data from minors? (Research integrity & ethics)
- GDPR: what are the basic principles? (Research integrity & ethics)
- GDPR: what are the different roles and responsibilities according to the GDPR? (Research integrity & ethics)
- GDPR: What do I need to think about when transferring personal data to third countries or international organisations? (Research integrity & ethics)
- GDPR: what do I need to think about when using a mailing list in the context of my research? (Research integrity & ethics)
- GDPR: what has changed with regard to the previous privacy legislation? (Research integrity & ethics)
- GDPR: what information should I include in an informed consent form when the processing of personal data is based on the consent of the data subjects? (Research integrity & ethics)
- GDPR: what is the General Data Protection Regulation? (Research integrity & ethics)
- GDPR: what rights do data subjects have, how do I respect them and what exceptions may apply to research? (Research integrity & ethics)
- GDPR: What should I do if there is a data breach? (Research integrity & ethics)
- GDPR: what should I keep in mind when designing my research? (Research integrity & ethics)
- GDPR: what should I keep in mind when processing special categories of personal data? (Research integrity & ethics)
- GDPR: What should I think about when I collaborate with others or share my data? (Research integrity & ethics)
- GDPR: When am I processing high-risk personal data and when do I need to conduct a DPIA? (Research integrity & ethics)
- GDPR: when does it apply to my research? (Research integrity & ethics)
- GDPR: who are considered as vulnerable persons? (Research integrity & ethics)
- GDPR: why is it important to comply with this legislation? (Research integrity & ethics)
Translated tip
Last modified Sept. 21, 2022, 11:43 a.m.