Rights of the data subject in scientific research

The rights of the data subject arising from the basis for processing should be considered at the planning stage of the study. Research subjects must be informed of how their personal data will be processed, as well as their rights and how to exercise them. The controller must seek to facilitate the exercise of the data subjects’ rights.

When a data subject contacts the controller about their rights, the controller must respond to the data subject without undue delay and not later than one month from receiving the request. In the reply, the controller shall indicate the measures taken due to the request. If the requests are numerous or complex, the controller can reply that it needs more time to process them. In such cases, the deadline can be extended by a maximum of two months. Justifications must be provided for the extension. As a rule, the exercise of the data subject’s rights is free of charge.

Derogation from the rights of the data subject is only rarely possible. The research subjects must be informed of their rights and the limitation of these rights as early as possible. If the controller refuses the data subject's request, it must notify the data subject of this within one month of receiving the request. The refusal must be justified to the data subject. In addition, the controller must also inform the data subject of the possibility of lodging a complaint with the supervisory authority and the availability of judicial remedies.

Three steps for identifying the rights of the data subject

With the following three steps, you can determine the rights of research subjects with regard to the processing of their personal data.

  1. Determine the rights arising from your chosen basis for processing. Design procedures and define responsibilities for responding to requests related to the rights of data subjects. Data subjects can monitor and influence the processing of their personal data for research purposes by exercising their rights.
  2. When planning your study, think about whether the research scheme involves a particular reason for restricting the rights of data subjects. Justify any restrictions of rights and take the necessary measures (such as delivering the impact assessment to the Office of the Data Protection Ombudsman). Inform the research subjects of the restrictions so that they will not be a surprise. Respond to the queries of research subjects appropriately and tell them why the exercise of their rights is not possible.
  3. Even if the research scheme does not require the restriction of data subjects’ rights, some requests for the exercise of rights may need to be refused or limited on the basis of general grounds for restriction. Determine the basis for limiting the exercise of rights and notify the data subject of it.

Rights of the data subject and their restrictions

As a rule, historical and scientific research provides data subjects with the rights arising from the chosen basis for processing. Data subjects can influence the processing of their personal data for research purposes primarily through these rights.

Some exceptional research projects can require the data subject’s rights arising from the basis for processing to be restricted, however. Restricting the rights of data subjects can come into consideration during the research planning phase or later, when the project is already under way. Different rights have different grounds for derogation. Some grounds for derogation require measures before the start of actual processing.

Derogating from the rights of data subjects always requires an evaluation of the specific case at hand. There must be a justified reason for the derogation. The rights of data subjects may not be restricted any more than necessary for the purpose of the study. Merely the fact that implementing the rights of the data subject would require effort and the use of resources on the part of the controller does not permit derogation from them. Controllers that derogate from the rights of data subjects must be able to demonstrate that the derogation took place in compliance with data protection legislation. The controller must also notify the data subjects of their right to submit the derogation of their rights to the Data Protection Ombudsman for review.

Research subjects must be provided with sufficient advance information on the rights and specific restrictions that the controller may exercise. The restriction of the rights of data subjects must not come as a surprise when a data subject attempts to exercise their rights.

Not informing data subjects of restrictions to their rights is only possible if the notification could jeopardise the purpose of the study and appropriate safeguards have been implemented. The notification obligation can also be waived on other statutory grounds.

In any case, derogating from the notification obligation is only possible if the personal data is being processed in compliance with data protection regulations in all other respects. The controller must pay special attention to the enhanced data protection and minimisation obligations related to scientific research. The appropriate safeguards depend on the specific conditions of the processing, but can include a data processing impact assessment, pseudonymisation of personal data, minimisation of the collection and storage of personal data, along with technical and organisational measures for ensuring a high level of protection.

Data processing for research purposes does not usually require the identification of the data subjects. Studies seek to minimise the processing of personal data as soon as possible, often by pseudonymising or anonymising the data. The controller does not have an obligation to store, obtain or process additional data for identifying the data subject if it would be required only for complying with the GDPR.

The purpose of data minimisation is not to impair the rights of the data subject, however. Data subjects must be able to exercise their rights by providing the additional information required for identification. For this purpose, the controller must be able to specify the additional information it will need to fulfil the rights of the data subject. If the controller is unable to specify the required additional information, it is de facto preventing the data subject from exercising their rights. It bears keeping in mind that the controller has an obligation to facilitate the exercise of the data subject’s rights.

Data for historical and scientific research and the compilation of statistics is often obtained from data files established for other purposes, such as the Population Information System or patient registers. Even if the rights of data subjects have been restricted on statutory grounds with regard to historical and scientific research, such restrictions do not apply to processing the data for its original purposes. Data subjects can exercise their rights with regard to the original data source of the research data file to the extent permitted by the original purpose and basis for processing. The study’s controller must respond appropriately to requests related to the rights of data subjects, and any derogation from such rights requires statutory grounds. The study’s controller cannot transfer their responsibility for the implementation of the rights of the data subject to the controller of the original data source.

The derogations from the rights of data subjects based on the processing of personal data for the purposes of historical or scientific research are reviewed below.

Derogation from the rights of the data subject when the purpose of processing is historical or scientific research

The data subject’s right to obtain information on the processing of their personal data

When the data is collected directly from the research subject

The research subject has the right to obtain information on the processing of their personal data. When personal data is collected directly from the data subject, the controller is only permitted to derogate from its obligation to inform the data subject if the data subject has already been informed of the processing of their personal data.

The controller is required to inform the data subject if they intend to process personal data originally collected for a different purpose for purposes of historical or scientific research. The data subject must be informed before the start of such processing.

If the data is collected from another source

If the data relating to the data subject is obtained from a source other than the data subject themselves, derogation from informing the data subject is possible subject to certain conditions. For example, data for historical or scientific research can be obtained from official personal data files with the authority’s permission.

Cases in which derogation is possible

1. Informing the data subjects is impossible.

  • This is an “all or nothing” condition, since something either is or is not possible. If a controller invokes this exception, it must be able to demonstrate the factors that prevent it from delivering the information to the data subjects. If these obstacles are removed in time, making it possible to inform the data subjects, the controller is required to inform them immediately. In practice, controllers are very rarely able to demonstrate that delivering the information to the data subjects would be impossible.

2. Informing the data subjects would require unreasonable effort.

  • The controller can estimate whether informing the data subjects would require unreasonable effort. The controller must compare the effort required to deliver the information with the impact of not doing so on the data subjects. Factors to consider in the evaluation include the number of data subjects, age of the data and any approved suitable safeguards. The controller must document this evaluation in accordance with the accountability obligation.

Example:
Historians attempting to trace a family line based on surnames obtain a large dataset containing the personal data of 20,000 data subjects. The data were compiled 50 years ago and have not been updated since. There are no contact details in the data. To provide the data subjects with the required information, the researchers would have to attempt to trace every one of the 20,000 data subjects individually. Taking the size, and especially the age, of the database into account, delivering the information would require unreasonable effort from the research team.

3. Providing the required information would prevent or seriously hinder the achievement of the research goals.

  • In order to make use of this exception, the controller must be able to demonstrate that the delivery of the required information would in itself prevent the achievement of the project’s research goals.

Derogating from the obligation to inform the data subject also requires the controller to carry out an impact assessment. The controller must implement appropriate measures to protect the data subject's rights and freedoms and legitimate interests.

In addition, the controller must make the required information publicly available, even if the controller would not be required to deliver it to the data subjects themselves. In practice, the controller can provide information on the processing of the personal data on its website, in a newspaper advertisement or on posters hung on the walls of its office. The controller must decide the most appropriate way of publicising the information according to the specifics of the case.

Right of access by the data subject

Data subjects have the right to receive a confirmation from the controller on whether or not the controller is processing personal data that concerns them. If data concerning the data subject is being processed, the controller must provide the data subject with a copy of the personal data being processed. If the data subject makes the request electronically, the data must be provided in a commonly used electronic format unless otherwise requested by the data subject.

This right can be derogated from, if

1) the processing is based on an appropriate research plan;
2) a person or team responsible for the study has been appointed; and
3) the personal data will only be used and disclosed for purposes of historical or scientific research or other compatible purposes, and data relating to any specific individual will not be disclosed to third parties.

The necessity of derogation must be evaluated on a case-by-case basis. The data subject’s rights can only be derogated from insofar as
1) they would probably prevent or seriously hinder the achievement of the study’s specific purposes; and
2) the derogations are necessary for the fulfilment of these purposes.

The controller must consider whether derogating from the right of access is necessary and appropriately justified in the specific case at hand. In order to make use of this exception, the controller must be able to demonstrate that the implementation of the right of access would in itself prevent or seriously hinder the achievement of the project’s research goals.

If the controller wants to derogate from the right of access with regard to the processing of special categories of personal data or personal data related to criminal convictions or offences, the controller is required to conduct a data protection impact assessment as provided for in Article 35 of the GDPR in addition to the requirements listed above. The impact assessment must be delivered in writing to the Data Protection Ombudsman before the start of processing.

If the controller has grounds for restricting the right of access, the exercise of other rights can also be limited as a result, as data subjects will not be able to evaluate the accuracy of their data, for example. The disclosure of data for scientific research is in any case recorded in the data file from which the data was obtained, such as a patient record or credit information file. In such cases, the data subject can obtain information on the personal data being processed from the original source of the data. A data subject may wish to have their data erased from the research file even if they do not have the right of access to it.

The data subject’s right to rectification

Data subjects have the right to demand the rectification of inaccurate personal data concerning them and to have incomplete personal data completed.

This right can be derogated from, if

1) the processing is based on an appropriate research plan;
2) a person or team responsible for the study has been appointed; and
3) the personal data will only be used and disclosed for purposes of historical or scientific research or other compatible purposes, and data relating to any specific individual will not be disclosed to third parties.

The necessity of derogation must be evaluated on a case-by-case basis. The data subject’s rights can only be derogated from insofar as
1) they would probably prevent or seriously hinder the achievement of the study’s specific purposes; and
2) the derogations are necessary for the fulfilment of these purposes.

The controller must consider whether derogating from the right is necessary and appropriately justified in the specific case at hand. In order to make use of this exception, the controller must be able to demonstrate that the implementation of the right to rectification would in itself prevent or seriously hinder the achievement of the project’s research goals.

The accuracy of the data can, however, have a direct impact on the accuracy and reliability of the research results, so it can also be in the researcher’s interest to have the data rectified. Different parties may nevertheless have differing opinions on the accuracy of the data collected for research. In such cases, the grounds for derogation must be considered on a case-by-case basis.

If the controller wants to derogate from the data subject’s right to rectification with regard to the processing of special categories of personal data or personal data related to criminal convictions or offences, the controller is required to conduct a data protection impact assessment as provided for in Article 35 of the GDPR in addition to the requirements listed above. The impact assessment must be delivered in writing to the Data Protection Ombudsman before the start of processing.

The data subject’s right to erasure and to be forgotten

A data subject can demand the erasure of their data when

  • withdrawing their consent for the processing;
  • exercising their right to object to the processing;
  • they consider the data to be unnecessary for the research; or
  • they think that their data has been otherwise processed unlawfully by the research project.

Research subjects can drop out of a study by no longer attending meetings related to the research project. This alone does not obligate the controller to erase the data subject’s data from the research. The controller can continue processing the personal data within the limits of the study unless the research subject makes an explicit request for the erasure of their data.

It is possible to derogate from the right to erasure and to be forgotten if erasing the data would be likely to prevent or seriously hinder the processing of personal data for historical or scientific research. In order to make use of this exception, the controller must demonstrate how erasing the data would prevent or seriously hinder the achievement of the purposes of the scientific research in the particular case at hand.

A general reference to the impact of erasing data on the reliability of research results is not in itself a sufficient basis for restricting the data subject’s right to erasure. The derogation and its necessity must be justified with reference to the specific research being done.

The accuracy of research results is influenced by a variety of factors, beginning with the formulation of the research question. If a data subject exercises their right to erasure in the study, the researcher can replace the missing data and correct the research results by reporting on methods and possible changes in the research sample, recruiting more subjects and using calculation methods that seek to neutralise the effect of the missing data. The risk posed by the erasure of one individual’s data to the accuracy of research results depends on the overall research scheme, and the grounds for restricting the right must be weighed against it.

The data subject’s right to restriction of processing

If the processing of personal data is restricted, the data can still be stored, but its processing is only permitted subject to very specific conditions, such as the data subject’s consent. A research subject has the right to restrict the processing of their personal data, for example if the basis for processing is the controller’s legitimate interest, or the data subject objects to the processing and it is being investigated whether the controller’s legitimate interest overrides the data subject’s rights. The restriction can be implemented by transferring the data to another processing system or by preventing users from accessing the data, for example.

It is possible to derogate from the right to restriction of processing if
1) the processing is based on an appropriate research plan;
2) a person or team responsible for the study has been appointed; and
3) the personal data will only be used and disclosed for purposes of historical or scientific research or other compatible purposes, and data relating to any specific individual will not be disclosed to third parties.

The necessity of derogation must be evaluated on a case-by-case basis. The data subject’s rights can only be derogated from insofar as
1) they would probably prevent or seriously hinder the achievement of the study’s specific purposes; and
2) the derogations are necessary for the fulfilment of these purposes.

If the controller wants to derogate from the data subject’s right to rectification with regard to the processing of special categories of personal data or personal data related to criminal convictions or offences, the controller is required to conduct a data protection impact assessment as provided for in Article 35 of the GDPR in addition to the requirements listed above. The impact assessment must be delivered in writing to the Data Protection Ombudsman before the start of processing.

The data subject’s right to object

If personal data is processed for scientific or historical research purposes or statistical purposes, the data subject may object to the processing on grounds relating to his or her particular situation, unless the processing is necessary for performing a task carried out for reasons of public interest. If a data subject objects to the processing of their personal data, the controller is not permitted to continue processing the data unless it has grounds for derogating from the right to object.

Restricting the right to object may also be justified for reasons related to the research project itself. The Data Protection Act requires the procedure provided for in section 31 to be followed with regard to restricting the right to object in the context of historical and scientific research, regardless of the basis for processing the personal data (e.g. a task carried out in the public interest). In such cases, derogating from the right to object is possible if

1) the processing is based on an appropriate research plan;
2) a person or team responsible for the study has been appointed; and
3) the personal data will only be used and disclosed for purposes of historical or scientific research or other compatible purposes, and data relating to any specific individual will not be disclosed to third parties.

The necessity of derogation must be evaluated on a case-by-case basis. The data subject’s rights can only be derogated from insofar as
1) they would probably prevent or seriously hinder the achievement of the study’s specific purposes; and
2) the derogations are necessary for the fulfilment of these purposes.

The controller must consider whether derogating from the right to object is necessary and appropriately justified in the specific case at hand. In order to make use of this exception, the controller must be able to demonstrate that the implementation of the right to object would in itself prevent or seriously hinder the achievement of the project’s research goals.

If the controller wants to derogate from the data subject’s right to object to the processing of special categories of personal data or personal data related to criminal convictions or offences, the controller is required to conduct a data protection impact assessment as provided for in Article 35 of the GDPR in addition to the requirements listed above. The impact assessment must be delivered in writing to the Data Protection Ombudsman before the start of processing.

In addition to the general obligation to provide information to data subjects, the controller is required to specifically inform them of the right to object when contacting the research subject for the first time. The information on the right to object must be presented clearly and separately from other information.

Other grounds for restriction

Other enactments may also contain grounds for limiting data subjects from exercising their rights. For example, the Data Protection Act specifies general grounds for restricting the obligation to provide information (section 33) and the right of access (section 34).

Limiting the right of access, for example, may be justified in a research project if providing the information could cause a serious hazard to the rights of the data subject or another individual. Highly confidential data can be collected for purposes of research, so it is important to evaluate the implementation of data subjects’ rights also from the perspectives of confidentiality and the data subject’s own safety. This perspective could come into play if the person participating in the study is not the one wishing to exercise their data protection rights (e.g. if the subjects are children).

The applicability of the general grounds for restriction specified in the Data Protection Act can also be evaluated later, after a data subject has made a request, even if the rights had not been restricted at the start of the study as described above.