GDPR: what do I need to think about when using a mailing list in the context of my research?
As a researcher, you sometimes make use of mailing lists for your research (e.g. sending invitations to participate in a survey/interview) or for your research activities (e.g. sending invitation to an event/conference). Mailing lists consist of postal addresses or e-mail addresses (even purely professional e-mail addresses). These are personal data that fall within the scope of the General Data Protection Regulation (AVG/GDPR).
When working with mailing lists the following conditions must be met:
- The creation, processing and use of a mailing list must always be done in accordance with a correct legal ground. This legal ground may differ depending on the purpose or the use of the mailing list (see below).
- The recipients must always be correctly informed about who is responsible for the mailing list, about the data that are collected/processed and about the purpose. This can be done in a privacy statement or a reference to a privacy statement. When using electronic mailing lists, a short summary about privacy should be mentioned at the bottom of the e-mail with a link to a (more) extensive privacy statement. For paper mailing lists, a similar approach can be used.
- To protect the privacy of the recipients and to avoid e-mail addresses from a mailing list being inadvertently further distributed or used, the names and e-mail addresses should not be visible to one another. In electronic mail traffic, it is therefore recommended to put the recipients in "bcc".
- The recipients must have the opportunity to indicate that they no longer wish to receive these communications. An unsubscribe option must therefore be provided. Moreover, it must be possible to unsubscribe in a simple way. For example, the professional telephone number and/or e-mail address of the person or department responsible can be mentioned and/or an unsubscribe link can be provided.
- In order to meet the accountability and documentation requirements, you also have to register the use of the mailing list in the GDPR Register of Ghent University. For research, this registration should be done in the AVG Register for research related activities (in DMPonline.be). Contact firstname.lastname@example.org if you have any questions.
The processing of personal data (in this case the creation/use of a mailing list) is only lawful if one of the legal grounds of the GDPR is met.
The three most common legal grounds for working with mailing lists at UGent in the context of research are:
- the active consent of the recipient. When this legal ground applies you will first have to ask the recipients of your mailing list for permission to send an invitation to an event, a request for participation in a study,.... The conditions that need to be met for asking active consent are described in this research tip. A given consent has a certain validity period. If desired, the consent can be asked again after some time and thus renewed. Based on the nature and content of the communication, an appropriate period of validity must be established.
- the legitimate interest of UGent or of a third party which, after careful weighing of the interests, must outweigh the rights and freedoms, including the privacy of the recipients.
- the agreement (the 'contract') that the university has with its students and employees. For research, however, this legal basis will not often be able to be used.
For internal communication (to staff and/or students from Ghent University), a distinction is made between the dissemination of essential, non-essential or mixed information (one message containing both essential and non-essential information). Essential information is information that is directly related to the core tasks of UGent. Examples of essential information are: communicating room changes, information about student assignments, information about security, ... The use of mailing lists in the context of research will rarely be considered as essential information. Therefore, most of the time an active consent of the participants (students/staff) will be necessary to be part of the mailing list.
Setting up mailing lists to contact external participants also requires active consent from the participants. If, as a researcher, you are using a mailing list that has been set up by others, always check that the people on this mailing list have given their permission.
UGent staff and students can create and/or use and/or save a mailing list in the Application 'Lists' (https://lists.ugent.be) to communicate to individuals inside and outside of Ghent University, for purposes related to the tasks of Ghent University. This research tip also applies to Lists.
For calls to participate in research, UGent employees can use a specific form on the intranet (www.ugent.be/actueel/nl/oproep-toevoegen). These calls are then brought to the attention through the UGent news section. Faculties can be 'tagged' in these messages so that the call will also appear in the news section of the faculty(ies) concerned. Further communication and distribution of the call is done via (the network of) the researcher making the call. Faculty communication officers and/or the Department for Communication and Marketing may also further distribute the call through communication channels that are appropriate.
- AVG: waar moet ik aan denken wanneer ik gebruik maak van een mailinglijst/verzendlijst in het kader van mijn onderzoek?
Last modified Sept. 9, 2021, 11:22 a.m.