Roles and responsibilities for processing personal data in scientific research
A research project can involve a variety of parties in different roles. Personal data may be processed for research purposes by one or more research organisations, persons in charge of the study, customers, researchers and other personnel. The roles of the various parties with regard to the processing of personal data, and the controller's responsibility, must be defined clearly before the start of the study.
A controller is a person, company, authority or community that defines the purposes and methods of processing personal data. The controller is responsible for the lawfulness of the processing of personal data for the entire lifespan of the processing. “Controller” is a functional definition; its purpose is to allocate responsibility for compliance with data protection regulations where there is a genuine opportunity to influence the processing.
Both this definition and any specific legislation applying to the research project that affects who should act as controller for the processing activities must be considered when designating the controller.
For example, certain state research institutes have a statutory task to conduct research and have specific enactments that provide for their processing of personal data for these specific purposes. In international research, it pays to remember that the designation of controller can also be influenced by national legislation.
The controller for a research project is designated based on a case-by-case assessment. The controller can be an individual scientist, research team, research organisation or all the aforementioned together. The important thing is to define the responsibilities for the processing of personal data clearly from the beginning of the study to its end. Every participant in the research project must know their duties. No blind spots are acceptable in the processing of personal data.
Factors influencing the assignment of responsibility for processing
1. Is the research project and its purpose being planned by one party or several?
- The controller alone determines the purposes and means of processing personal data.
- If several parties act as joint controllers, they define the purposes and methods of personal data processing together and share the controller’s responsibility. They shall determine their respective responsibilities for compliance with the obligations under the GDPR in a transparent manner by means of an arrangement between them, as provided for in Article 26 of the GDPR. Duties regarding the exercise of the rights of data subjects and informing them must be divided clearly. The arrangement shall duly reflect the roles and relationships of the joint controllers in relation to data subjects. The essential information on how the responsibilities are divided must be made available to the data subjects.
2. Will the research organisation perform all processing itself, or will the implementation of the study require the purchase of external processing services?
- A controller can commission services related to the processing of personal data from a processor. A processor is an individual or an organisation that processes personal data on behalf of a controller. Processors operate according to the controller’s instructions and under its supervision. They do not have independent control over the data being processed, and they may only process the data as instructed by the controller. The controller determines the purposes and means of processing personal data.
- The GDPR requires the processing carried out by a processor to be defined in an agreement or other binding legal document between the processor and controller. The agreement or document must confirm the subject, duration, nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the controller. Article 28 of the GDPR contains more detailed provisions on the relationship of the controller and processor and on the terms to be included in the agreement.
The controller’s duties in research activities
It is essential to appoint a controller capable of performing the duties imposed on controllers and demonstrating compliance with data protection regulations in practice.
The duties of the controller include ensuring that
- data protection principles are followed in the research project, and adherence to the principles is documented for the entire duration of the study;
- the risk related to the processing is assessed, and technical and organisational safeguards for protecting the personal data are implemented;
- an impact assessment is done if the nature of the research or derogations from the rights of data subjects so require;
- the Data Protection Ombudsman is consulted if the impact assessment indicates a high risk that cannot be reduced with safeguards;
- appropriate agreements are signed with processors of personal data and they are given detailed instructions on the processing;
- the respective responsibilities of joint controllers are agreed on in a transparent manner;
- data subjects are informed and the exercise of their rights is facilitated;
- possible restrictions to the rights of data subjects are justified;
- a record of processing activities has been drawn up;
- procedures have been designed for personal data breaches;
- a Data Protection Officer has been designated if the processing activities entailed by the research project so require; and
- other documentation required for accountability has been drawn up and is updated when necessary.