GDPR: what are the different roles and responsibilities according to the GDPR?
Various roles are defined within the General Data Protection Regulation (GDPR) for the processing of personal data. The most important roles are:
- Data controller
- Joint data controller
- Data processor
Since controllers and processors have different responsibilities and obligations, it is important that you clearly define these roles (together with the other partners in your research) at the start of the research.
The controller is defined as “the institution/organisation who determines the purpose of and means of the processing”. Please note, merely providing research funding (such as by the FWO, the European Commission, etc.) is not sufficient to be considered as a controller in the context of research. In this case, Ghent University remains the controller.
- you are an FWO PhD fellow and together with the supervisor, who is a professor at Ghent University, you determine the objectives of your research. Although your research is funded by the FWO, Ghent University is the controller. The FWO is merely a funder.
- UGent researchers of the Faculty of Psychology and Educational Sciences collect data (including personal data, human body material (MLM), imaging, surveys, etc.) from patients/volunteers. These data are not originated/collected from/within UZ Ghent. Ghent University is the data controller.
- UZGent researchers (not affiliated with UGent) collect data (including personal data, such as human body material (MLM), imaging, surveys, etc.) from patients. UGent is not the data controller but Ghent University Hospital is the data controller. This is also the case for research projects with volunteers at UZ Gent services, e.g. D.R.U.G., CEVAC, Outpatient services, whereby the principal investigator is not affiliated with Ughent.
- Ugent/UZGent researchers process personal data in the context of industry funded research. The pharmaceutical company is the sponsor of the clinical trial and will act as data controller. Therefore, Ghent University and Ghent University Hospital are data processors.
Although Ghent University acts as the controller for most research with personal data that happens at Ghent University, data protection is a shared responsibility between you and the other researchers involved. Researchers are responsible within their own research projects to thoroughly consider the privacy aspects and to comply with the legal obligations of the GDPR and the Generic Code ofConduct for the processing of personal data and confidential information atGhent University.
With joint controllers, the purpose and means of the processing are determined by two or more organisations/institutions.
Joint data controllers should transparently set out their respective responsibilities for complying with the obligation of the GDPR, including establishing who is responsible for providing information to data subjects and who is responsible for handling requests relating to data subjects’rights.
- You conduct research together with another university in Belgium or abroad, where both partners determine the research design (to a greater or lesser extent). UGent and the partner are joint data controllers. This is not a situation where one university is merely a supplier of data or only carries out a specific contract for subcontracting.
- A principal investigator affiliated with Ghent University collects/uses data (including personal data, human body material (MLM), imaging, surveys, etc.) from UZ Ghent patients. Ghent University and Ghent University Hospital are joint data controllers. This is also the case for research projects involving volunteers from UZ Ghent services, e.g. D.R.U.G., CEVAC, outpatient services, by a principal investigator affiliated with UGent.
- If there is another university, hospital, research institute or partner involved in the research (besides Ghent University and/or Ghent University Hospital), Ghent University and/or Ghent University Hospital will be acting as a joint controller together with this other party, or as a processor or sub processor on behalf of this other party (see below).
Finally, an institution/ organisation or researcher can also act as a processor. In this case, the institution, organisation or a researcher processes personal data on behalf of another organisation.
- Contract research, services commissioned by private companies, or some types of policy-relevant research
- In the context of industry-funded research, a pharmaceutical company is the sponsor of a clinical trial and will act as the data controller. Consequently, Ghent University and Ghent University Hospital are data processors.
Within a research project or a research collaboration, you may as a researcher yourself also call upon processors to collect, process, store or make personal data available.
For example: researchers call upon a company to send out surveys to data subjects, or to analyse certain results of interviews and surveys. In this case, Ghent University will act as the controller and the company as the processor.
It is important to set down all arrangements between the controller(s) and the processor(s) or between processors and sub-processors in an agreement. You can contact the legal support office of TechTransfer for this.
Last modified Nov. 20, 2023, 1:31 p.m.