GDPR: how am I transparent to data subjects in my research?

Informing the persons whose personal data are processed (the data subjects) is one of the basic principles and obligations of the General Data Protection Regulation (GDPR).

As a researcher, it is your responsibility to communicate this information to the data subjects in a concise, transparent, comprehensible and easily accessible form and in clear and simple language.

In the context of a research project you can provide this information in various ways, such as via a privacy statement or an information letter (this information letter does not have to be signed by the parties involved, but must be made available).

To provide this information to the data subjects, the GDPR makes a distinction between the processing of personal data collected from the data subjects themselves, and the processing of personal data that were not obtained from the data subjects themselves.

Personal data collected directly from the data subjects

If you collect the personal data directly from the data subjects through, for example, an interview, survey or questionnaire, you can use the checklist in the attachments below (checklist_primair_ENG) to ensure that the data subjects are informed in an appropriate manner.

Personal data not collected from the data subjects themselves

If the personal data you use in your research were not collected directly from the data subjects (secondary/further processing), you must also inform them of this processing and about the source from which you obtained the personal data.

Period

This information must be provided to the data subjects within a reasonable period of time:

  • After obtaining the personal data (at the latest within one month)
  • At the time of the first communication to the data subjects
  • When the personal data are first disclosed

Exceptions

In the case of secondary processing, you do not have to provide this information when:

  1. The data subject already has the information, or
  2. The provision of the information would involve a disproportionate effort, or is likely to render impossible or seriously impair the achievement of the purposes of the processing.

If you use one of these two exceptions for your research, you must always take appropriate technical and organizational measures such as pseudonymizing the data. In addition, you must motivate/document this exception in the GDPR register of Ghent University.

You can use the checklist in the attachments below (checklist_secundair_ENG) when drawing up your information letter.

More information

Attachments

More tips

Translated tip


Last modified April 24, 2020, 12:04 p.m.