How do you process personal data in research lawfully?
In order to use personal data in research, you need to ensure that the processing is lawful with respect to those whose personal data you are processing (also called data subjects). This page tells you what you need to think about to make sure this is the case.
In order to lawfully process personal data, a processing basis must apply according to the GDPR. One of the legal processing bases for scientific research is consent of the respondent. In exceptional cases, however, other processing bases may also be applicable. If special personal data are processed in scientific research, explicit consent must be given. Again, exceptions to this are possible. However, even if consent is not required on the basis of the GDPR, Tilburg University has opted, for ethical reasons, to ask respondents for informed consent for new datasets and for the reuse of existing datasets.
Asking for consent can be combined with the informed consent requests required from an ethical point of view so as not to overburden the respondent with different forms. The informed consent form needs to contain the following information: the content and duration of the study, consequences or risks, and the rights of the respondent. More information about this can be found on the website of the Ethics Review Boards.
If asking for consent and informed consent is not possible (for instance, if you don’t have contact information for the data subjects) or if that would require a disproportionate effort, it is also possible to process personal data on the grounds of the public interest of conducting scientific research. An example of this is when you are making use of certain secondary data or web-scraping. The impossibility of requesting permission, or the disproportionate effort it would require, will then have to be properly substantiated and included in the application for the ERB. There must also be safeguards in place so that the privacy of the data subject is not disproportionately affected (for example, by pseudonymizing or anonymizing the data). In addition, the data subjects will have to be informed by other means. This can be done, for example, by means of a privacy statement, which can be published on our website.
Other party/parties involved in processing
As mentioned above, you are responsible as a researcher of Tilburg University for the proper handling of personal data. This also means that, if research data is shared with other researchers, institutes or organizations, agreements must be made with these parties about how they must handle the data. A research agreement and/or processor agreement may need to be entered into. Transfer of personal data to a country outside the European Economic Area may also require a separate agreement.
For all situations mentioned above, model agreements are available and the Data Representative of the Research Support Team can help you with this. More information can be found on our general page about making arrangements with third parties when transferring data.