GDPR: what do I need to think about when using a mailing list in the context of my research?
As a researcher, you sometimes make use of mailing lists for your research (e.g. sending invitations to participate in a survey/interview) or for your research activities (e.g. sending an invitation to an event/conference). Mailing lists consist of postal addresses or e-mail addresses (even purely professional e-mail addresses). These are personal data that fall within the scope of the General Data Protection Regulation (AVG/GDPR).
General principles
When working with mailing lists the following conditions must be met:
- The creation, processing and use of a mailing list must always be done in accordance with a correct legal ground. This legal ground may differ depending on the purpose or the use of the mailing list (see below).
- The recipients must always be correctly informed about who is responsible for the mailing list, about the data that are collected/processed and about the purpose. This can be done in a privacy statement or a reference to a privacy statement. When using electronic mailing lists, a short summary about privacy should be mentioned at the bottom of the e-mail with a link to a (more) extensive privacy statement. For paper mailing lists, a similar approach can be used.
- To protect the privacy of the recipients and to prevent e-mail addresses from a mailing list from being inadvertently distributed further or used, the names and e-mail addresses of recipients should not be visible to one another. In electronic mail traffic, it is therefore recommended to put the recipients in "bcc".
- The recipients must have the opportunity to indicate that they no longer wish to receive these communications. An unsubscribe option must therefore be provided. Moreover, it must be possible to unsubscribe in a simple way. For example, the professional telephone number and/or e-mail address of the person or department responsible can be mentioned and/or an unsubscribe link can be provided.
- In order to meet the accountability and documentation requirements, you also have to register the use of the mailing list in the GDPR Register of Ghent University. For research, this registration should be done in the AVG Register for research related activities (in DMPonline.be). Contact privacy@ugent.be if you have any questions.
Legal ground
The processing of personal data (in this case the creation/use of a mailing list) is only lawful if one of the legal grounds of the GDPR is met.
The three most common legal grounds for working with mailing lists at UGent in the context of research are:
- the active consent of the recipient. When this legal ground applies, you will first have to ask the recipients of your mailing list for permission to send an invitation to an event, a request for participation in a study, etc. The conditions that need to be met for asking active consent are described in this research tip. A given consent has a certain validity period. If desired, the consent can be asked again after some time and thus renewed. Based on the nature and content of the communication, an appropriate period of validity must be established.
- the legitimate interest of UGent or of a third party which, after careful weighing of the interests, must outweigh the rights and freedoms, including the privacy of the recipients.
- the agreement (the 'contract') that the university has with its students and employees. For research, however, this legal basis can rarely be used.
For internal communication (to staff and/or students from Ghent University), a distinction is made between the dissemination of essential, non-essential or mixed information (one message containing both essential and non-essential information). Essential information is information that is directly related to the core tasks of UGent. Examples of essential information are: communicating room changes, information about student assignments, information about security, etc. The use of mailing lists in the context of research will rarely be considered essential information. Therefore, most of the time the active consent of the participants (students/staff) will be necessary for them to be part of the mailing list.
Setting up mailing lists to contact external participants also requires active consent from the participants. If, as a researcher, you are using a mailing list that has been set up by others, always check that the people on this mailing list have given their permission.
Practical tools
UGent staff and students can create and/or use and/or save a mailing list in the Application 'Lists' (https://lists.ugent.be) to communicate to individuals inside and outside of Ghent University, for purposes related to the tasks of Ghent University. This research tip also applies to Lists.
For calls to participate in research, UGent employees can use a specific form on the intranet. These calls are then publicised through the UGent news section. Faculties can be 'tagged' in these messages so that the call will also appear in the news section of the faculty(ies) concerned. Further communication and distribution of the call is done via (the network of) the researcher making the call. Faculty communication officers and/or the Department for Communication and Marketing may also further distribute the call through appropriate communication channels.
Guidelines for the use of mailing lists at Ghent University (only in Dutch).
Last modified Aug. 28, 2023, 10:58 a.m.