Which legal basis should I use?

background-image: url(data:image/png;base64,#../../img/UU_logo_2021_EN_RGB.png)
background-position: 2% 98%
background-size: 20%

---

## Which legal basis should I use?

It is not always clear-cut which legal basis is the best one to choose in a 
research project. You can use this flow chart to decide which legal basis is 
most suitable for your situation.

If you do not understand a question, more elaborate information is displayed 
under the <img src="data:image/png;base64,#../../img/info.svg" height="25px" alt="Info icon"/> icon 
that appears along with the question.

<div class="warning">
        This flowchart does not cover all possible research scenarios and is 
        purely meant for advisory purposes. Does your research project not fit 
        the flow chart? Is anything unclear, or ambiguous? Please contact your 
        <a href="https://utrechtuniversity.github.io/dataprivacyhandbook/seeking-help.html" target="_blank">privacy officer</a> 
        for advice. 
</div>

---

## Start
Which of the below purposes fits your research project best?

.center[
<a href="#public-interest" style="text-decoration: none;"><button>Wholly or partly public interest</button></a>
<a href="#private-interest" style="text-decoration: none;"><button>Solely private interest</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
        <ul>
                <li>Research in the <b>public interest</b> is focused primarily 
                on societal knowledge expansion. Most research performed at
                the university will fall into this category.</li>
                <li>Research with solely a <b>private interest</b> could concern 
                commissioned research, research on behalf of a commercial party, 
                or research focused on a private interest of the university.</li>
        </ul>
  </div>
</details>

---

<div class="keywords">
<a href="#start">Public interest</a>
</div>

Did or will data subjects consciously choose to participate in the research project?

.center[
<a href="#conscious-choice-public" style="text-decoration: none;"><button>Yes</button></a>
<a href="#contactless-public" style="text-decoration: none;"><button>No</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
        This question is asked to determine whether you work with participants 
        in the usual sense of the word, that is: people who know that you are 
        conducting research on them and who participate voluntarily. It is also 
        possible that you process personal data of people who are not aware of 
        your project. Consider, for example, web scraping, archival research and 
        other forms of contactless or unsolicited research. Asking for consent 
        from such data subjects is often impossible or extremely difficult and 
        time-consuming. A follow-up question will be asked about this later. 
  </div>
</details>

---

<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Conscious choice</a>
</div>

Do you want to give participants extra control over their personal data?

.center[
<a href="#extra-control-public" style="text-decoration: none;"><button>Yes</button></a>
<a href="#no-extra-control-public" style="text-decoration: none;"><button>No</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
        In very sensitive research (for example into transgressive behaviour), 
        people sometimes only want to participate if they maintain maximum 
        control over their personal data. The 
        <a href="https://utrechtuniversity.github.io/dataprivacyhandbook/informed-consent-forms.html" target="_blank">legal 
        basis of consent</a> 
        then gives 
        them a certain degree of extra control, because the participants know 
        that it is very easy for them to withdraw that consent. You usually have 
        to comply with such a withdrawal request.
  </div>
</details>

---

<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Conscious choice</a> > <a href="#conscious-choice-public">Extra control</a>
</div>

Is there an imbalance of power between the participant and the researcher?

.center[
<a href="#imbalance-public" style="text-decoration: none;"><button>Yes</button></a>
<a href="#no-imbalance-public" style="text-decoration: none;"><button>No</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
        This question is asked to determine whether participants can give 
        <a href="https://utrechtuniversity.github.io/dataprivacyhandbook/informed-consent-forms.html" 
        target="_blank"><i>legally valid</i> consent</a>. 
        A condition for lawful consent is that 
        that consent is given "freely". The participant should experience no 
        benefits from granting consent and no disadvantages from refusing or 
        withdrawing consent. However, in the event of a power relationship 
        (e.g., employer/employee or teacher/student), this free choice cannot be 
        guaranteed. It cannot be ruled out that the participant is nevertheless 
        impressed by the position that the researcher (or his employer) takes 
        in relation to them. 
  </div>
</details>

---

<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Conscious choice</a> > 
<a href="#conscious-choice-public">Extra control</a> > <a href="#extra-control-public">Power imbalance</a>
</div>

Because there is an imbalance of power, you cannot rely on the legal basis of 
consent. Please return to the previous step to figure out whether you can use 
another legal basis.

.center[
<a href="#conscious-choice-public" style="text-decoration: none;"><button>Previous step</button></a>
]

---

You can use consent as your legal basis for processing both regular types of 
personal data and special categories of personal data.

.center[
<a href="https://utrechtuniversity.github.io/dataprivacyhandbook/informed-consent-forms.html" style="text-decoration: none;"><button>Read about consent</button></a>
<a href="https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html" style="text-decoration: none;"><button>Read about special categories of personal data</button></a>
<a href="#start" style="text-decoration: none;"><button>Back to start</button></a>
]

---

<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Conscious choice</a> > 
<a href="#conscious-choice-public">No extra control</a>
</div>

<div class="keywords">
<a href="#start">Public interest</a> > 
<a href="#public-interest">Contactless research</a> >
<a href="#contactless-public">Reuse</a> >
<a href="#public-contactless-reuse">Original legal basis not consent</a>
</div>

<div class="keywords">
<a href="#start">Public interest</a> > 
<a href="#public-interest">Contactless research</a> >
<a href="#contactless-public">No reuse</a>
</div>

Do you collect, store, analyse and/or share 
[special categories of personal data](https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html)?

.center[
<a href="#sensitive-public" style="text-decoration: none;"><button>Yes</button></a>
<a href="#normal-public" style="text-decoration: none;"><button>No</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
        This is a crucial question. The processing of 
        <a href="https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html" 
        target="_blank">special categories of personal data</a> 
        is prohibited, unless there is an exception. The follow-up 
        questions examine which exception may apply to your research. 
  </div>
</details>

---

<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Conscious choice</a> > 
<a href="#conscious-choice-public">No extra control</a> >
<a href="#no-extra-control-public">No special category personal data</a>
</div>
<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Contactless research</a> >
<a href="#contactless-public">Reuse</a> >
<a href="#public-contactless-reuse">Original legal basis not consent</a> >
<a href="#no-extra-control-public">No special category personal data</a>
</div>
<div class="keywords">
<a href="#start">Public interest</a> > 
<a href="#public-interest">Contactless research</a> >
<a href="#contactless-public">No reuse</a> >
<a href="#no-extra-control-public">No special category personal data</a>
</div>

You can rely on the legal basis of public interest in your project.

---

Did data subjects make these special categories of personal data publicly 
available themselves?

.center[
<a href="#public-interest-sensitive-made-public" style="text-decoration: none;"><button>Yes</button></a>
<a href="#public-sensitive-not-made-public" style="text-decoration: none;"><button>No, or only partly</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
        This question is asked because "self-disclosing" is the most obvious 
        exception to the prohibition on processing 
        <a href="https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html" 
        target="_blank">special categories of personal data</a>. 
        If someone has made those data public themselves, the 
        researcher can collect them from that public place and may in principle 
        use them, if it concerns truly public sources where no privacy is 
        expected, and the participant indeed intended to disclose the personal 
        data "as special category personal data".
  </div>
</details>

---

<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Conscious choice</a> > 
<a href="#conscious-choice-public">No extra control</a> > <a href="#no-extra-control-public">Special categories</a> >
<a href="#sensitive-public">Made public by data subject</a>
</div>
<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Contactless research</a> >
<a href="#contactless-public">Reuse</a> >
<a href="#public-contactless-reuse">Original legal basis not consent</a> >
<a href="#no-extra-control-public">Special categories</a> > 
<a href="#sensitive-public">Made public by data subject</a>
</div>
<div class="keywords">
<a href="#start">Public interest</a> > 
<a href="#public-interest">Contactless research</a> >
<a href="#contactless-public">No reuse</a> >
<a href="#no-extra-control-public">Special categories</a> >
<a href="#sensitive-public">Made public by data subject</a>
</div>

.center[
<a href="https://utrechtuniversity.github.io/dataprivacyhandbook/public-interest.html" style="text-decoration: none;"><button>Read about public interest</button></a>
<a href="https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html" style="text-decoration: none;"><button>Read about special categories of personal data</button></a>
<a href="#start" style="text-decoration: none;"><button>Back to start</button></a>
]

---

<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Conscious choice</a> > 
<a href="#conscious-choice-public">No extra control</a> > <a href="#no-extra-control-public">Special categories</a> >
<a href="#sensitive-public">Not made public by data subject</a>
</div>
<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Contactless research</a> >
<a href="#contactless-public">Reuse</a> >
<a href="#public-contactless-reuse">Original legal basis not consent</a> >
<a href="#no-extra-control-public">Special categories</a> > 
<a href="#sensitive-public">Not made public by data subject</a>
</div>
<div class="keywords">
<a href="#start">Public interest</a> > 
<a href="#public-interest">Contactless research</a> >
<a href="#contactless-public">No reuse</a> >
<a href="#no-extra-control-public">Special categories</a> >
<a href="#sensitive-public">Not made public by data subject</a>
</div>

Is it (nearly) impossible to obtain and/or demonstrate consent? For example, in 
field work in a non-Western country, or when using data from a large amount of 
participants?

.center[
<a href="#public-sensitive-noconsent" style="text-decoration: none;"><button>Yes</button></a>
<a href="#public-sensitive-consent" style="text-decoration: none;"><button>No</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
        <a href="https://wetten.overheid.nl/BWBR0040940/2021-07-01#Hoofdstuk3" 
        target="_blank">UAVG Article 24</a> 
        specifies that consent for using 
        <a href="https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html" 
        target="_blank">special categories of personal data</a> 
        can be waived if requesting consent is so difficult or 
        time-consuming that it could jeopardize the entire research project. If 
        this is the case, you must substantiate this danger to your project and 
        take additional protection measures. 
  </div>
</details>

---

<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Conscious choice</a> > 
<a href="#conscious-choice-public">No extra control</a> > <a href="#no-extra-control-public">Special categories</a> >
<a href="#sensitive-public">Not made public by data subject</a> >
<a href="#public-sensitive-not-made-public">No consent possible</a>
</div>
<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Contactless research</a> >
<a href="#contactless-public">Reuse</a> >
<a href="#public-contactless-reuse">Original legal basis not consent</a> >
<a href="#no-extra-control-public">Special categories</a> > 
<a href="#sensitive-public">Not made public by data subject</a> >
<a href="#public-sensitive-not-made-public">No consent possible</a>
</div>
<div class="keywords">
<a href="#start">Public interest</a> > 
<a href="#public-interest">Contactless research</a> >
<a href="#contactless-public">No reuse</a> >
<a href="#no-extra-control-public">Special categories</a> >
<a href="#sensitive-public">Not made public by data subject</a> >
<a href="#public-sensitive-not-made-public">No consent possible</a>
</div>

You can use the legal basis of public interest for processing personal data in
your research project, and use the special categories of personal data in your
research, based on the fact that it is nearly impossible or would take an 
inappropriate amount of effort to obtain or demonstrate valid consent. Keep in 
mind that you do have to substantiate that this is the case.

---

<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Conscious choice</a> > 
<a href="#conscious-choice-public">No extra control</a> > <a href="#no-extra-control-public">Special categories</a> >
<a href="#sensitive-public">Not made public by data subject</a> >
<a href="#public-sensitive-not-made-public">Consent possible</a>
</div>
<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Contactless research</a> >
<a href="#contactless-public">Reuse</a> >
<a href="#public-contactless-reuse">Original legal basis not consent</a> >
<a href="#no-extra-control-public">Special categories</a> > 
<a href="#sensitive-public">Not made public by data subject</a> >
<a href="#public-sensitive-not-made-public">Consent possible</a>
</div>
<div class="keywords">
<a href="#start">Public interest</a> > 
<a href="#public-interest">Contactless research</a> >
<a href="#contactless-public">No reuse</a> >
<a href="#no-extra-control-public">Special categories</a> >
<a href="#sensitive-public">Not made public by data subject</a> >
<a href="#public-sensitive-not-made-public">Consent possible</a>
</div>

Is there an imbalance of power between the participant and the researcher?

.center[
<a href="#public-sensitive-imbalance" style="text-decoration: none;"><button>Yes</button></a>
<a href="#public-sensitive-noimbalance" style="text-decoration: none;"><button>No</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
        This question is asked to determine whether participants can give 
        <a href="https://utrechtuniversity.github.io/dataprivacyhandbook/informed-consent-forms.html" 
        target="_blank"><i>legally valid</i> consent</a>. 
        A condition for lawful consent is that 
        that consent is given "freely". The participant should experience no 
        benefits from granting consent and no disadvantages from refusing or 
        withdrawing consent. However, in the event of a power relationship 
        (e.g., employer/employee or teacher/student), this free choice cannot be 
        guaranteed. It cannot be ruled out that the participant is nevertheless 
        impressed by the position that the researcher (or his employer) takes 
        in relation to them. 
  </div>
</details>

---

<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Conscious choice</a> > 
<a href="#conscious-choice-public">No extra control</a> > <a href="#no-extra-control-public">Special categories</a> >
<a href="#sensitive-public">Not made public by data subject</a> >
<a href="#public-sensitive-not-made-public">Consent possible</a> >
<a href="#public-sensitive-consent">Power imbalance</a>
</div>
<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Contactless research</a> >
<a href="#contactless-public">Reuse</a> >
<a href="#public-contactless-reuse">Original legal basis not consent</a> >
<a href="#no-extra-control-public">Special categories</a> > 
<a href="#sensitive-public">Not made public by data subject</a> >
<a href="#public-sensitive-not-made-public">Consent possible</a> >
<a href="#public-sensitive-consent">Power imbalance</a>
</div>
<div class="keywords">
<a href="#start">Public interest</a> > 
<a href="#public-interest">Contactless research</a> >
<a href="#contactless-public">No reuse</a> >
<a href="#no-extra-control-public">Special categories</a> >
<a href="#sensitive-public">Not made public by data subject</a> >
<a href="#public-sensitive-not-made-public">Consent possible</a> >
<a href="#public-sensitive-consent">Power imbalance</a>
</div>

You can only use any regular personal data in your research based on the legal 
basis of public interest. You cannot use the 
[special categories of personal data](https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html),
because you indicated that there is a power imbalance. This means that the
special categories of personal data cannot be used legitimately. We recommend to:

- Collect the data anonymously. If there are no personal data involved, the 
GDPR simply does not apply.
- Change the set-up of your project, for example with a different sample or
different outcome variables.

Please feel free to ask your privacy officer for help.

---

<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Conscious choice</a> > 
<a href="#conscious-choice-public">No extra control</a> > <a href="#no-extra-control-public">Special categories</a> >
<a href="#sensitive-public">Not made public by data subject</a> >
<a href="#public-sensitive-not-made-public">Consent possible</a> >
<a href="#public-sensitive-consent">No power imbalance</a>
</div>
<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Contactless research</a> >
<a href="#contactless-public">Reuse</a> >
<a href="#public-contactless-reuse">Original legal basis not consent</a> >
<a href="#no-extra-control-public">Special categories</a> > 
<a href="#sensitive-public">Not made public by data subject</a> >
<a href="#public-sensitive-not-made-public">Consent possible</a> >
<a href="#public-sensitive-consent">No power imbalance</a>
</div>
<div class="keywords">
<a href="#start">Public interest</a> > 
<a href="#public-interest">Contactless research</a> >
<a href="#contactless-public">No reuse</a> >
<a href="#no-extra-control-public">Special categories</a> >
<a href="#sensitive-public">Not made public by data subject</a> >
<a href="#public-sensitive-not-made-public">Consent possible</a> >
<a href="#public-sensitive-consent">No power imbalance</a>
</div>

You can use the legal basis of consent *or* public interest. For the use of 
special categories of personal data, you should use explicit consent from data 
subjects. Depending on the amount of "regular" personal data in your project,
you can choose to either rely on public interest or consent.

In many cases, consent is used for the entire project, if it is also already 
used for the special categories of personal data.

.center[
<a href="https://utrechtuniversity.github.io/dataprivacyhandbook/public-interest.html" style="text-decoration: none;"><button>Read about public interest</button></a>
<a href="https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html" style="text-decoration: none;"><button>Read about consent</button></a>
<a href="https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html" style="text-decoration: none;"><button>Read about special categories of personal data</button></a>
<a href="#start" style="text-decoration: none;"><button>Back to start</button></a>
]

---

<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Contactless research</a>
</div>

Are you reusing previously collected (personal) data?

.center[
<a href="#public-contactless-reuse" style="text-decoration: none;"><button>Yes</button></a>
<a href="#no-extra-control-public" style="text-decoration: none;"><button>No</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
    We speak of reusing previously collected (personal) data when you use 
    complete or partial datasets that: 
    <ul>
      <li>you previously compiled yourself</li>
      <li>other researchers or other institutions have compiled</li>
      <li>you collect data from existing public sources, such as through web 
      scraping, archives, etc.</li>
    </ul>
    Previously collected data may be subject to restrictions, both contractual 
    and legal. The follow-up questions are about one of those limitations.
  </div>
</details>

---

<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Contactless research</a> >
<a href="#contactless-public">Reuse</a>
</div>

Was consent the legal basis for the original data collection?

.center[
<a href="#public-reuse-originalconsent" style="text-decoration: none;"><button>Yes</button></a>
<a href="#no-extra-control-public" style="text-decoration: none;"><button>No</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
    Check the legal basis on which the personal data were originally collected. 
    If that was 
    <a href="https://utrechtuniversity.github.io/dataprivacyhandbook/informed-consent-forms.html" 
    target="_blank">consent</a>, 
    the strict requirements for consent also apply to your 
    new research project. One of those requirements is that the consent must be 
    specific. The original consent statement must indicate what exactly the 
    data subjects have given consent for.
  </div>
</details>

---

<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Contactless research</a> >
<a href="#contactless-public">Reuse</a> > <a href="#public-contactless-reuse">Consent original legal basis</a>
</div>

Does the new research project fall within the original consent?

.center[
<a href="#public-reuse-within-originalconsent" style="text-decoration: none;"><button>Yes</button></a>
<a href="#public-reuse-not-within-originalconsent" style="text-decoration: none;"><button>No</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
    Check what exactly the data subjects gave consent for at the time. Do your
    research activities fall within the limits of that consent? Then the 
    consent given will not hinder your research and you can use this consent as 
    a basis for your reuse, and perhaps even as an exception for the processing 
    of 
    <a href="https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html" target="_blank">special categories of personal data</a>.
    Does your research fall outside the 
    limits of the original consent? Then you must still ask the people in 
    question for consent to use their personal data for your research. This 
    also applies if asking for consent is impossible or requires a 
    disproportionate amount of effort: the limits of consent are binding.
  </div>
</details>

---

<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Contactless research</a> >
<a href="#contactless-public">Reuse</a> > 
<a href="#public-contactless-reuse">Consent original legal basis</a> >
<a href="#public-reuse-originalconsent">Reuse within original consent</a>
</div>

You can reuse the personal data based on the originally provided consent of 
data subjects. This goes for both "regular" personal data, as well as any 
potential 
[special categories of personal data](https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html), 
for which data subjects gave explicit consent in the original data source.

.center[
<a href="https://utrechtuniversity.github.io/dataprivacyhandbook/share-reuse-legal-basis.html" style="text-decoration: none;"><button>Read about sharing and reusing personal data</button></a>
<a href="https://utrechtuniversity.github.io/dataprivacyhandbook/legal-basis.html#further-processing" style="text-decoration: none;"><button>Read about further processing for research</button></a>
<a href="#start" style="text-decoration: none;"><button>Back to start</button></a>
]

---

<div class="keywords">
<a href="#start">Public interest</a> > <a href="#public-interest">Contactless research</a> >
<a href="#contactless-public">Reuse</a> > 
<a href="#public-contactless-reuse">Consent original legal basis</a> >
<a href="#public-reuse-originalconsent">Reuse not within original consent</a>
</div>

You cannot reuse the personal data for your project, unless new consent is 
obtained from the original data subjects.

.center[
<a href="https://utrechtuniversity.github.io/dataprivacyhandbook/informed-consent-forms.html" style="text-decoration: none;"><button>Read about consent</button></a>
<a href="https://utrechtuniversity.github.io/dataprivacyhandbook/legal-basis.html#further-processing" style="text-decoration: none;"><button>Read about further processing for research</button></a>
<a href="#start" style="text-decoration: none;"><button>Back to start</button></a>
]

---

<div class="keywords">
<a href="#start">Private interest</a>
</div>

Did or will data subjects consciously choose to participate in the research project?

.center[
<a href="#conscious-choice-private" style="text-decoration: none;"><button>Yes</button></a>
<a href="#contactless-private" style="text-decoration: none;"><button>No</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
        This question is asked to determine whether you work with participants 
        in the usual sense of the word, that is: people who know that you are 
        conducting research on them and who participate voluntarily. It is also 
        possible that you process personal data of people who are not aware of 
        your project. Consider, for example, web scraping, archival research and 
        other forms of contactless or unsolicited research. Asking for consent 
        from such data subjects is often impossible or extremely difficult and 
        time-consuming. A follow-up question will be asked about this later. 
  </div>
</details>

---

<div class="keywords">
<a href="#start">Private interest</a> > 
<a href="#private-interest">Conscious choice</a>
</div>

Do you want to give participants extra control over their personal data?

.center[
<a href="#extra-control-private" style="text-decoration: none;"><button>Yes</button></a>
<a href="#no-extra-control-private" style="text-decoration: none;"><button>No</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
        In very sensitive research (for example into transgressive behaviour), 
        people sometimes only want to participate if they maintain maximum 
        control over their personal data. The 
        <a href="https://utrechtuniversity.github.io/dataprivacyhandbook/informed-consent-forms.html" 
        target="_blank">legal basis of consent</a> 
        then gives 
        them a certain degree of extra control, because the participants know 
        that it is very easy for them to withdraw that consent. You usually have 
        to comply with such a withdrawal request.
  </div>
</details>

---

<div class="keywords">
<a href="#start">Private interest</a> > 
<a href="#private-interest">Conscious choice</a> >
<a href="#conscious-choice-private">Extra control</a>
</div>

Is there an imbalance of power between the participant and the researcher?

.center[
<a href="#imbalance-private" style="text-decoration: none;"><button>Yes</button></a>
<a href="#no-imbalance-private" style="text-decoration: none;"><button>No</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
        This question is asked to determine whether participants can give 
        <a href="https://utrechtuniversity.github.io/dataprivacyhandbook/informed-consent-forms.html" 
        target="_blank"><i>legally valid</i> consent</a>. 
        A condition for lawful consent is that 
        that consent is given "freely". The participant should experience no 
        benefits from granting consent and no disadvantages from refusing or 
        withdrawing consent. However, in the event of a power relationship 
        (e.g., employer/employee or teacher/student), this free choice cannot be 
        guaranteed. It cannot be ruled out that the participant is nevertheless 
        impressed by the position that the researcher (or his employer) takes 
        in relation to them. 
  </div>
</details>

---

<div class="keywords">
<a href="#start">Private interest</a> > 
<a href="#private-interest">Conscious choice</a> >
<a href="#conscious-choice-private">Extra control</a> >
<a href="#extra-control-private">Power imbalance</a>
</div>

Because there is an imbalance of power, you cannot rely on the legal basis of 
consent. Please return to the previous step to figure out whether you can use 
another legal basis.

.center[
<a href="#conscious-choice-private" style="text-decoration: none;"><button>Previous step</button></a>
]

---

You can use consent as your legal basis for processing both regular types of 
personal data and special categories of personal data.

---

<div class="keywords">
<a href="#start">Private interest</a> > 
<a href="#private-interest">Conscious choice</a> > 
<a href="#conscious-choice-private">No extra control</a>
</div>

Do you collect, store, analyse and/or share 
[special categories of personal data](https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html)?

.center[
<a href="#sensitive-private" style="text-decoration: none;"><button>Yes</button></a>
<a href="#normal-private" style="text-decoration: none;"><button>No</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
        This is a crucial question. The processing of 
        <a href="https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html" 
        target="_blank">special categories of personal data</a> 
        is prohibited, unless there is an exception. The follow-up 
        questions examine which exception may apply to your research. 
  </div>
</details>

---

You can rely on the legal basis of legitimate interest of the controller in 
your project, provided you assess the necessity and proportionality of your 
project, for example in a privacy scan or Data Protection Impact Assessment.

---

Did data subjects make these special categories of personal data publicly 
available themselves?

.center[
<a href="#private-interest-sensitive-made-public" style="text-decoration: none;"><button>Yes</button></a>
<a href="#private-sensitive-not-made-public" style="text-decoration: none;"><button>No, or only partly</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
        This question is asked because "self-disclosing" is the most obvious 
        exception to the prohibition on processing 
        <a href="https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html" 
        target="_blank">special categories of personal data</a>. 
        If someone has made those data public themselves, the 
        researcher can collect them from that public place and may in principle 
        use them, if it concerns truly public sources where no privacy is 
        expected, and the participant indeed intended to disclose the personal 
        data "as special category personal data".
  </div>
</details>

---

<div class="keywords">
<a href="#start">Private interest</a> > 
<a href="#private-interest">Conscious choice</a> > 
<a href="#conscious-choice-private">No extra control</a> > <a href="#no-extra-control-private">Special categories</a> >
<a href="#sensitive-private">Not made public by data subject</a>
</div>

<div class="keywords">
<a href="#start">Private interest</a> > 
<a href="#private-interest">Contactless research</a> >
<a href="#contactless-private">Reuse</a> >
<a href="#private-contactless-reuse">Original legal basis not consent</a> >
<a href="#no-reuse-private">Special categories</a> > 
<a href="#sensitive-private-noreuse">Not made public by data subject</a> >
<a href="#private-sensitive-noreuse-notpublic">No consent possible</a>
</div>

<div class="keywords">
<a href="#start">Private interest</a> > 
<a href="#private-interest">Contactless research</a> >
<a href="#contactless-private">No reuse</a> >
<a href="#no-reuse-private">Special categories</a> >
<a href="#sensitive-private-noreuse">Not made public by data subject</a> >
<a href="#private-sensitive-noreuse-notpublic">No consent possible</a>
</div>

Is there an imbalance of power between the participant and the researcher?

.center[
<a href="#private-sensitive-imbalance" style="text-decoration: none;"><button>Yes</button></a>
<a href="#private-sensitive-noimbalance" style="text-decoration: none;"><button>No</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
        This question is asked to determine whether participants can give 
        <a href="https://utrechtuniversity.github.io/dataprivacyhandbook/informed-consent-forms.html" 
        target="_blank"><i>legally valid</i> consent</a>. 
        A condition for lawful consent is that 
        that consent is given "freely". The participant should experience no 
        benefits from granting consent and no disadvantages from refusing or 
        withdrawing consent. However, in the event of a power relationship 
        (e.g., employer/employee or teacher/student), this free choice cannot be 
        guaranteed. It cannot be ruled out that the participant is nevertheless 
        impressed by the position that the researcher (or his employer) takes 
        in relation to them. 
  </div>
</details>

---

You can only use any regular personal data in your research based on the legal 
basis of legitimate interest of the controller. You cannot use the special 
categories of personal data, because you indicated that you could not obtain
additional consent, or that there is a power imbalance. This means that the 
special categories of personal data cannot be used legitimately. We recommend to:

Please feel free to ask your privacy officer for help.

.center[
<a href="https://utrechtuniversity.github.io/dataprivacyhandbook/seeking-help.html" style="text-decoration: none;"><button>Contact your privacy officer</button></a>
<a href="https://utrechtuniversity.github.io/dataprivacyhandbook/privacy-by-design.html" style="text-decoration: none;"><button>Read about project design</button></a>
<a href="https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html" style="text-decoration: none;"><button>Read about special categories of personal data</button></a>
<a href="#start" style="text-decoration: none;"><button>Back to start</button></a>
]

---

<div class="keywords">
<a href="#start">Private interest</a> >
<a href="#private-interest">Conscious choice</a> > 
<a href="#conscious-choice-private">No extra control</a> > 
<a href="#no-extra-control-private">Special categories</a> >
<a href="#sensitive-private">Made public by data subject</a>
</div>

You can use the legal basis of legitimate interest of the controller for 
processing personal data in your research project, and use the special 
categories of personal data in your research, based on the fact that these 
were made publicly available by the data subjects.

.center[
<a href="https://utrechtuniversity.github.io/dataprivacyhandbook/legitimate-interest-assessment.html" style="text-decoration: none;"><button>Read about legitimate interest</button></a>
<a href="https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html" style="text-decoration: none;"><button>Read about special categories of personal data</button></a>
<a href="#start" style="text-decoration: none;"><button>Back to start</button></a>
]

---

<div class="keywords">
<a href="#start">Private interest</a> > 
<a href="#private-interest">Contactless research</a> >
<a href="#contactless-private">No reuse</a> >
<a href="#no-reuse-private">Special categories</a> > 
<a href="#sensitive-private-noreuse">Not made public by data subject</a> >
<a href="#private-sensitive-noreuse-notpublic">No consent possible</a> >
<a href="#private-sensitive-not-made-public">No power imbalance</a> >
</div>

You can use the legal basis of consent *or* legitimate interest of the 
controller. For the use of special categories of personal data, you should use 
explicit consent from data subjects. Depending on the amount of "regular" 
personal data in your project, you can choose to either rely on legitimate 
interest or consent.

In many cases, consent is used for the entire project, if it is also already 
used for the special categories of personal data.

.center[
<a href="https://utrechtuniversity.github.io/dataprivacyhandbook/legitimate-interest-assessment.html" style="text-decoration: none;"><button>Read about legitimate interest</button></a>
<a href="https://utrechtuniversity.github.io/dataprivacyhandbook/informed-consent-forms.html" style="text-decoration: none;"><button>Read about consent</button></a>
<a href="https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html" style="text-decoration: none;"><button>Read about special categories of personal data</button></a>
<a href="#start" style="text-decoration: none;"><button>Back to start</button></a>
]

---

<div class="keywords">
<a href="#start">Private interest</a> > 
<a href="#private-interest">Contactless research</a>
</div>

Are you reusing previously collected (personal) data?

.center[
<a href="#private-contactless-reuse" style="text-decoration: none;"><button>Yes</button></a>
<a href="#no-reuse-private" style="text-decoration: none;"><button>No</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
    We speak of reusing previously collected (personal) data when you use 
    complete or partial datasets that: 
    <ul>
      <li>you previously compiled yourself</li>
      <li>other researchers or other institutions have compiled</li>
      <li>you collect data from existing public sources, such as through web 
      scraping, archives, etc.</li>
    </ul>
    Previously collected data may be subject to restrictions, both contractual 
    and legal. The follow-up questions are about one of those limitations.
  </div>
</details>

---

<div class="keywords">
<a href="#start">Private interest</a> > 
<a href="#private-interest">Contactless research</a> >
<a href="#contactless-private">Reuse</a>
</div>

Was consent the legal basis for the original data collection?

.center[
<a href="#private-reuse-originalconsent" style="text-decoration: none;"><button>Yes</button></a>
<a href="#no-extra-control-private" style="text-decoration: none;"><button>No</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
    Check the legal basis on which the personal data were originally collected. 
    If that was 
    <a href="https://utrechtuniversity.github.io/dataprivacyhandbook/informed-consent-forms.html" 
    target="_blank">consent</a>, 
    the strict requirements for consent also apply to your 
    new research project. One of those requirements is that the consent must be 
    specific. The original consent statement must indicate what exactly the 
    data subjects have given consent for.
  </div>
</details>

---

Does the new research project fall within the original consent?

.center[
<a href="#private-reuse-within-originalconsent" style="text-decoration: none;"><button>Yes</button></a>
<a href="#private-reuse-not-within-originalconsent" style="text-decoration: none;"><button>No</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
    Check what exactly data subjects gave consent for at the time. Do your
    research activities fall within the limits of that consent? Then the 
    consent given will not hinder your research and you can use this consent as 
    a basis for your reuse, and perhaps even as an exception for the processing 
    of 
    <a href="https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html" 
    target="_blank">special categories of personal data</a>. 
    Does your research fall outside the 
    limits of the original consent? Then you must still ask the people in 
    question for consent to use their personal data for your research. This 
    also applies if asking for consent is impossible or requires a 
    disproportionate amount of effort: the limits of consent are binding.
  </div>
</details>

---

<div class="keywords">
<a href="#start">Private interest</a> > 
<a href="#private-interest">Contactless research</a> >
<a href="#contactless-private">Reuse</a> > 
<a href="#private-contactless-reuse">Consent original legal basis</a> >
<a href="#private-reuse-originalconsent">Reuse within original consent</a>
</div>

You can reuse the personal data based on the originally provided consent of 
data subjects. This goes for both "regular" personal data, as well as any 
potential special categories of personal data, for which data subjects gave
explicit consent in the original data source.

.center[
<a href="https://utrechtuniversity.github.io/dataprivacyhandbook/share-reuse-legal-basis.html" style="text-decoration: none;"><button>Read about sharing and reusing personal data</button></a>
<a href="https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html" style="text-decoration: none;"><button>Read about special categories of personal data</button></a>
<a href="#start" style="text-decoration: none;"><button>Back to start</button></a>
]

---

<div class="keywords">
<a href="#start">Private interest</a> > 
<a href="#private-interest">Contactless research</a> >
<a href="#contactless-private">Reuse</a> > 
<a href="#public-contactless-reuse">Consent original legal basis</a> >
<a href="#private-reuse-originalconsent">Reuse not within original consent</a>
</div>

You cannot reuse the personal data for your project, unless new consent is 
obtained from the original data subjects.

---

<div class="keywords">
<a href="#start">Private interest</a> > 
<a href="#private-interest">Contactless research</a> >
<a href="#contactless-private">No reuse</a>
</div>

Do you collect, store, analyse and/or share 
[special categories of personal data](https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html)?

.center[
<a href="#sensitive-private-noreuse" style="text-decoration: none;"><button>Yes</button></a>
<a href="#normal-private" style="text-decoration: none;"><button>No</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
        This is a crucial question. The processing of 
        <a href="https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html" 
        target="_blank">special categories of personal data</a> 
        is prohibited, unless there is an exception. The follow-up 
        questions examine which exception may apply to your research. 
  </div>
</details>

---

Did data subjects make these special categories of personal data publicly 
available themselves?

.center[
<a href="#private-interest-sensitive-made-public" style="text-decoration: none;"><button>Yes</button></a>
<a href="#private-sensitive-noreuse-notpublic" style="text-decoration: none;"><button>No, or only partly</button></a>
]

<details open class="info-details">
  <summary class="info-button"><img src="data:image/png;base64,#../../img/info.svg" alt="Info Icon"/></summary>
  <div class="info-content">
        This question is asked because "self-disclosing" is the most obvious 
        exception to the prohibition on processing 
        <a href="https://utrechtuniversity.github.io/dataprivacyhandbook/special-types-personal-data.html" 
        target="_blank">special categories of personal data</a>. 
        If someone has made those data public themselves, the 
        researcher can collect them from that public place and may in principle 
        use them, if it concerns truly public sources where no privacy is 
        expected, and the participant indeed intended to disclose the personal 
        data "as special category personal data".
  </div>
</details>

---

<div class="keywords">
<a href="#start">Private interest</a> > 
<a href="#private-interest">Contactless research</a> >
<a href="#contactless-private">Reuse</a> >
<a href="#private-contactless-reuse">Original legal basis not consent</a> >
<a href="#no-reuse-private">Special categories</a> >
<a href="#sensitive-private-noreuse">Not made public by data subject</a>
</div>

Is it still possible to ask data subjects for their consent?

.center[
<a href="#private-sensitive-not-made-public" style="text-decoration: none;"><button>Yes</button></a>
<a href="#private-sensitive-imbalance" style="text-decoration: none;"><button>No, or only partly</button></a>
]