GDPR: What do I need to think about when using a mailing list in the context of my research?
As a researcher, you sometimes make use of mailing lists for your research (e.g. sending invitations to participate in a survey/interview) or for your research activities (e.g. sending invitation to an event/conference).
Mailing lists consist of a (large) list of postal addresses or e-mail addresses (even purely professional e-mail addresses) to which certain messages are sent once, repeatedly or regularly. These are personal data that fall within the scope of the General Data Protection Regulation (GDPR).
General principles
When working with mailing lists the following conditions must be met:
- The creation, processing and use of a mailing list must always be done in accordance with a correct legal ground. This legal ground may differ depending on the purpose or the use of the mailing list (see below).
- The recipients must always be correctly informed about who is responsible for the mailing list, about the data that are collected/processed and about the purpose. This can be done in a privacy statement or a reference to a privacy statement. When using electronic mailing lists, a short summary about privacy should be mentioned at the bottom of the e-mail with a link to a (more) extensive privacy statement. For paper mailing lists, a similar approach can be used.
- To protect the privacy of the recipients and to avoid e-mail addresses from a mailing list being inadvertently further distributed or used, the names and e-mail addresses should not be visible to one another. In electronic mail traffic, it is therefore recommended to put the recipients in "bcc".
- The recipients must have the opportunity to indicate that they no longer wish to receive these communications. An unsubscribe option must therefore be provided. Moreover, it must be possible to unsubscribe in a simple way. For example, the professional telephone number and/or e-mail address of the person or department responsible can be mentioned and/or an unsubscribe link can be provided.
- In order to meet the accountability and documentation requirements, you also have to register the use of the mailing list in the GDPR Register of Ghent University. For research, this registration should be done in the AVG Register for research related activities (in DMPonline.be). Contact privacy@ugent.be if you have any questions.
Legal ground
The processing of personal data (in this case the creation/use of a mailing list) is only lawful if one of the legal grounds of the GDPR is met.
The three most common legal grounds for working with mailing lists at UGent in the context of research are:
- the active consent of the recipient. When this legal ground applies you will first have to ask the recipients of your mailing list for permission to send an invitation to an event, a request for participation in a study,.... This is referred to as an opt-in. The conditions that need to be met for asking active consent are described in this research tip. A given consent has a certain validity period. If desired, the consent can be asked again after some time and thus renewed. Based on the nature and content of the communication, an appropriate period of validity must be established.
- the legitimate interest of UGent or of a third party which, after careful weighing of the interests, must outweigh the rights and freedoms, including the privacy of the recipients.
- the agreement (the 'contract') that the university has with its students and employees. For research, however, this legal basis will not often be able to be used.
For internal communication (to staff and/or students from Ghent University), a distinction is made between the dissemination of essential, non-essential or mixed information (one message containing both essential and non-essential information).
- Essential information. This is information that is directly related to the core tasks of UGhent. Examples of essential information are: communicating room changes, information about student assignments, information about security, ... The legal basis for essential use of internal mailing lists is the agreement (the 'contract') that the university has with its students/employees.
- Non-essential information. This is information that is not essential to UGhent's core tasks. Examples include the use of mailing lists in the context of research, invitation to an event, career opportunities for students. The legal basis for non-essential use of internal mailing lists is legitimate interest. There are 2 main exceptions to this:
- When the recipients have no objective interest or benefit in receiving the non-essential information, the legal basis is the recipient's prior active consent.
- When mailing lists are used to disseminate political, philosophical, religious or trade union information, the legal basis is the addressee's prior active consent.
- Mixed information. If internal mailing lists provide both essential and non-essential information, they are treated as containing only essential information. The legal basis for this is the agreement (the 'contract') the university has with its students/employees.
Information about your research is (usually) considered non-essential information, where the addressees have no objective interest or benefit. As a result, the legal basis is the recipients' prior active consent.
For external communication a distinction is made between corporate recipients and private recipients for determining the legal basis.
- Corporate recipients. These are persons contacted as representatives of a particular company, organisation or institute in their function. The legal basis for using a mailing list to communicate with external business contacts is legitimate interest.
- Private recipients. These are natural persons contacted via their professional or private e-mail address. The legal basis is prior active consent.
Research participants are (usually) private recipients, so the legal basis is the prior active consent of the recipient.
If, as a researcher, you are using a mailing list that has been set up by others, always check that the people on this mailing list have given their permission.
Practical tools
UGent staff and students can create and/or use and/or save a mailing list in the application 'Lists' (https://lists.ugent.be) to communicate to individuals inside and outside of Ghent University, for purposes related to the tasks of Ghent University. This research tip also applies to Lists.
For calls to participate in research, UGent employees can use a specific form on the website. These calls are then brought to the attention through the UGent news section. Faculties can be 'tagged' in these messages so that the call will also appear in the news section of the faculty(ies) concerned. Further communication and distribution of the call is done via (the network of) the researcher making the call. Faculty communication officers and/or the Department for Communication and Marketing may also further distribute the call through communication channels that are appropriate.
Guidelines for the use of mailing lists at Ghent University (only in Dutch).
More tips
- GDPR: Can I share research data with personal data with other researchers or institutions when my research project has ended? (Research integrity & ethics)
- GDPR: how can I ensure that the processing of personal data is lawful? (Research integrity & ethics)
- GDPR: how do I protect my data correctly? (Research integrity & ethics)
- GDPR: how do I register personal data processing activities? (Research integrity & ethics)
- GDPR: how long may I store research data containing personal data? (Research integrity & ethics)
- GDPR: how to be transparent to data subjects in my research? (Research integrity & ethics)
- GDPR: what are personal data? (Research integrity & ethics)
- GDPR: what are some things to consider when processing personal data from minors? (Research integrity & ethics)
- GDPR: What are the basic principles? (Research integrity & ethics)
- GDPR: What are the different roles and responsibilities according to the GDPR? (Research integrity & ethics)
- GDPR: What do I need to think about when transferring personal data to third countries or international organisations? (Research integrity & ethics)
- GDPR: what has changed with regard to the previous privacy legislation? (Research integrity & ethics)
- GDPR: What information should I include in an informed consent form when the processing of personal data is based on the consent of the data subjects? (Research integrity & ethics)
- GDPR: what is the General Data Protection Regulation? (Research integrity & ethics)
- GDPR: What rights do data subjects have, how do I respect them and what exceptions may apply to research? (Research integrity & ethics)
- GDPR: what should I do in case of a data breach? (Research integrity & ethics)
- GDPR: What should I do in the event of further/secondary processing of personal data? (Research integrity & ethics)
- GDPR: What should I keep in mind when designing my research? (Research integrity & ethics)
- GDPR: what should I keep in mind when processing special categories of personal data? (Research integrity & ethics)
- GDPR: What should I think about when I collaborate with others or share my data? (Research integrity & ethics)
- GDPR: When am I processing high-risk personal data and when do I need to conduct a DPIA? (Research integrity & ethics)
- GDPR: when does it apply to my research? (Research integrity & ethics)
- GDPR: who are considered to be vulnerable persons? (Research integrity & ethics)
- GDPR: why is it important to comply with this legislation? (Research integrity & ethics)
- Qualtrics: how do I use this survey tool? (Research integrity & ethics)
Translated tip
Last modified Aug. 28, 2024, 9:45 a.m.