Data Privacy Handbook

Which legal basis to use?

It is not always clear-cut which legal basis is the best one to choose. Use the flowchart below to decide which legal basis is most suitable for your situation.
