GDPR: how to be transparent to data subjects in my research?
Informing the persons whose personal data are processed (the data subjects) is one of the basic principles and obligations of the General Data Protection Regulation (GDPR).
As a researcher, it's your responsibility to communicate this information to the data subjects in clear and simple language, and in a concise, transparent, comprehensible and easily accessible format.
In the context of a research project you can provide this information in various ways, such as via a privacy statement or an information letter (this information letter doesn't have to be signed by the parties involved, but you must make it available).
To provide this information to the data subjects, the GDPR makes a distinction between
- the processing of personal data collected from the data subjects themselves, and
- the processing of personal data that were not obtained from the data subjects themselves.
Personal data collected directly from the data subjects
If you collect the personal data directly from the data subjects through, for example, an interview, survey or questionnaire, you can use the checklist in the attachments below (checklist_primair_ENG) to ensure that the data subjects are informed in an appropriate manner.
Personal data not collected from the data subjects themselves
If the personal data you use in your research weren't collected directly from the data subjects (secondary/further processing), you must also inform them of this processing and about the source from which you obtained the personal data.
This information must be provided to the data subjects within a reasonable time frame:
- after obtaining the personal data (at the latest within one month);
- at the time of the first communication to the data subjects;
- when the personal data are first disclosed.
In the case of secondary processing, you don't have to provide this information when:
- the data subject already has the information, or
- providing the information would involve a disproportionate effort, or is likely to seriously impair achieving the processing's purposes, or even render it impossible.
If you use one of these two exceptions for your research, you must always take appropriate technical and organizational measures such as pseudonymizing the data. In addition, you must motivate/document this exception in Ghent University's GDPR register.
You can use the checklist in the attachments below (checklist_secundair_ENG) when drawing up your information letter.
Last modified Oct. 20, 2022, 5:46 p.m.