Scientific research FAQ
Learn more about scientific research on our website: Scientific research and data protection.
No. Personal data can be processed for research on processing bases other than consent. The basis for processing can be a legal provision (e.g. sections 4 and 6 of the Data Protection Act) or the controller’s legitimate interest.
Other aspects of the proposed research may still require consent even if the processing of personal data does not. For example, you may need the research subject’s consent for participation or taking blood samples. Requesting consent for a blood sample protects the research subject’s physical integrity, not their personal data. The requirement of informed consent for medical research and clinical drug trials is an important ethical value, but it is not related to the processing of personal data.
It is vital to specify the purpose of consent clearly to avoid misunderstandings on the basis and methods for processing personal data in the context of research.
An impact assessment must be delivered to the Office of the Data Protection Ombudsman in two scenarios related to scientific research.
Submitting an impact assessment is required if
1) the historical or scientific research derogates from the rights of the data subject and the data being processed belongs to special categories of personal data; or
2) a prior consultation of the Data Protection Ombudsman is required. A prior consultation is necessary if the impact assessment performed for the study has identified a high risk to the rights of data subjects and the controller has not been able to reduce the risk through measures of its own.
Please remember that an impact assessment is required in many other scenarios as well, but the controller is only required to deliver it to the Office of the Data Protection Ombudsman in the two cases listed above.
The Data Protection Officer must be independent and cannot hold other duties that would create a conflict of interest with the duties of the Data Protection Officer.
The Data Protection Officer cannot hold a position or duty that requires him or her to define the purposes and methods of the processing of personal data. Defining the purposes and methods of personal data processing is the controller's responsibility. Conflicts of interest may arise if, for example, an information security officer or senior manager is designated as the Data Protection Officer.
Such conflicts of interest must be evaluated on a case-by-case basis, as every organisation is different.
If the research project involves several parties, their roles must be specified. Being an employee does not prevent a researcher from being a controller. The final analysis of the project’s roles must nevertheless be made on the basis of its individual characteristics and the General Data Protection Regulation’s definition of a controller.
According to the GDPR, controller refers to a natural person, legal entity, authority, agency or other body that determines the purposes and methods of personal data processing, either alone or in cooperation with others.
The GDPR also recognises the possibility of joint controllers. If several parties act as joint controllers, they define the purposes and methods of personal data processing together and share the controller’s responsibility. Such joint controllers shall determine their respective responsibilities for compliance with the obligations under the GDPR in a transparent manner by means of an arrangement between them, as provided for in Article 26 of the GDPR. The division of duties must be clear with regard to the rights of data subjects and informing the data subjects. The arrangement shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. Information on the responsibilities and other essential details of the joint controllers must be provided to the data subjects in an accessible place, such as the research project’s website.
You need to take data protection regulations into account as normal when processing personal data, even if the data collected for research purposes originates from the internet or another public source.
When a patient record file provides you with data for purposes of scientific research, the purpose of the disclosed information is research, not the treatment of patients. The disclosed data constitute an independent and separate entity from the original data source. The purpose of processing the personal data changes, and you need to plan the lifespan of the processing from beginning to end. The plan must take data protection regulations into consideration from the perspective of research.
The data forms a separate research data file under the responsibility of the study’s controller (a researcher or research organisation) for the purpose of conducting research in accordance with the research plan.
Yes. Data remains personal data for as long as it can be converted back to identifying form with some additional information, even if this information is not in the possession of the controller.
In research, data is often protected by pseudonymising and minimising the data being processed.
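The following is an added illustration of the two preceding answers, not part of the Ombudsman’s guidance: direct identifiers are replaced with a keyed pseudonym and the remaining fields are minimised, yet anyone holding the key and a register of candidate identifiers can re-link the rows, which is exactly why the pseudonymised file is still personal data. The records, the identity codes and the key are constructed for the example; the function names are the example's own.

```python
import hashlib
import hmac

# Constructed sample records: fictitious identity codes, no real persons.
SOURCE_RECORDS = [
    {"name": "A. Example", "national_id": "010180-123A", "birth_date": "1980-01-01", "diagnosis": "J45"},
    {"name": "B. Example", "national_id": "150675-456B", "birth_date": "1975-06-15", "diagnosis": "E11"},
    {"name": "A. Example", "national_id": "010180-123A", "birth_date": "1980-01-01", "diagnosis": "I10"},
]

# Constructed demo key. In practice the key is the "additional information":
# it must be stored separately from the research file (e.g. with a trusted party).
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def pseudonym(national_id: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier, truncated to 16 hex chars.

    A keyed MAC is used instead of a plain hash so that the pseudonym cannot be
    recovered by hashing a list of candidate identifiers without the key.
    """
    return hmac.new(key, national_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Build the research data file: drop direct identifiers, keep a pseudonym
    so records of the same person still link, and minimise the birth date
    to a birth year."""
    out = []
    for r in records:
        out.append({
            "pid": pseudonym(r["national_id"], key),
            "birth_year": r["birth_date"][:4],
            "diagnosis": r["diagnosis"],
        })
    return out


def reidentify(pseudonymised, key: bytes, identity_register):
    """Re-link pseudonyms to identity codes.

    Needs both the key and a register of candidate identifiers; neither is in
    the research file, but the file remains personal data because this step
    is possible for whoever holds them. Unknown pseudonyms map to None.
    """
    lookup = {pseudonym(nid, key): nid for nid in identity_register}
    return [{**row, "national_id": lookup.get(row["pid"])} for row in pseudonymised]


if __name__ == "__main__":
    research_file = pseudonymise(SOURCE_RECORDS, DEMO_KEY)
    for row in research_file:
        print(row)
    register = [r["national_id"] for r in SOURCE_RECORDS]
    print(reidentify(research_file, DEMO_KEY, register))
```

The research file contains no name, identity code or full birth date, and the same person still appears under one stable pseudonym, which is what a longitudinal study needs; running `reidentify` with the key shows that the link to the person has not been severed, only moved outside the file.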