GDPR: what are the different roles and responsibilities according to the GDPR?

Various roles are defined within the General Data Protection Regulation (GDPR) for the processing of personal data. The most important roles are: 

  • Data controller
  • Joint data controller 
  • Data processor

Since controllers and processors have different responsibilities and obligations, it is important that you clearly define these roles (together with the other partners in your research) at the start of the research.

Controller

The controller is defined as the institution/organisation/person who determines the purpose of and means for the processing. Please note, merely providing research funding (such as by the FWO, the European Commission, etc.) is not sufficient to be a controller in the context of research. In this case, Ghent University remains the controller.

  • For example: you are an FWO PhD fellow and together with the supervisor, who is a professor at Ghent University, you determine the objectives of your research. Although your research is funded by the FWO, Ghent University is the controller. The FWO is merely a funder.
  • For example: Ghent University is data controller for research by UGent researchers on patients/volunteers - including personal data, human body material (MLM), imaging, surveys, etc. and their use - (e.g. general practitioner medicine, studies with nursing home residents, Faculty of Psychology & Educational Sciences,...) where no use is made of patient data or other data collected within UZ Gent. 
  • For example: for research on UZ Gent patients, including personal data, human body material (MLM), imaging, surveys, etc. and their use by a principal investigator who is not affiliated with UGent, and for research projects with volunteers at UZ Gent services, e.g. D.R.U.G., CEVAC, Outpatient services, by a principal investigator who is not affiliated with UGent, UGent is not the data controller but Ghent University Hospital is the data controller. 

Although Ghent University acts as the controller for most of the research with personal data that is done at Ghent University, this is a shared responsibility with you and the other researchers involved. Researchers are responsible within their own research projects to thoroughly consider the privacy aspects and to comply with the legal obligations of the GDPR and the Generic Code of Conduct for the processing of personal data and confidential information at Ghent University.

Joint controllers

With joint controllers, the purpose and means are determined by two or more organisations or institutions.

In this situation, it is important to establish in a transparent manner, together with the other controllers, who is responsible for providing information to data subjects and who data subjects can contact if they want to exercise their rights.

  • For example: you conduct research together with another university in Belgium or abroad, where both partners design the research plan (to a greater or lesser extent). This is not a situation where one university is merely a supplier of data or only carries out a specific contract for subcontracting.
  • For example: Ghent University and Ghent University Hospital are joint controllers for research on UZ Gent patients, including personal data, human body material (MLM), imaging, surveys, etc. and their use by a principal investigator affiliated with UGent, and research projects with volunteers at UZ Gent services, e.g. D.R.U.G., CEVAC, Outpatient services, by a principal investigator affiliated with UGent. If ithere is another university, hospital, research institute or partner involved in the research (besides Ghent University and/or Ghent University Hospital), Ghent University and/or Ghent University Hospital will be acting as a joint controller together with this other party, or as a processor or sub processor on behalf of this other party (see below). 

Processor

Finally, an institution, organisation or researcher can also act as a processor. In this case, the institution, organisation or a researcher processes personal data on behalf of another organisation.

  • For example: contract research, services commissioned by private companies, or some types of policy-relevant research

As part of a research project or a research collaboration, you may also work with processors to collect, process, store or make personal data available.

  • For example: researchers contract with a company to send surveys to data subjects, or to analyse certain results of interviews and surveys. In this case, Ghent University will act as the controller and the company as the processor.
  • For example: researchers conducting a clinical trial on behalf of a (commercial) sponsor.

It is important to set down all arrangements between the controller(s) and the processor(s) or between processors and sub-processors in an agreement. You can contact contracten@ugent.be for this.

More information

More tips

Translated tip


Last modified March 30, 2020, 1:34 p.m.