Sharing data with collaborators
This chapter addresses guidelines to take into account when you want to share personal data with collaborators outside of your own institution during your research project. For guidelines on sharing personal data after a research project, please refer to the chapter on Data sharing for reuse.
To be able to share personal data with external collaborators, you should:
1. Make sure you have a legal basis and inform data subjects
- Make sure data subjects are well-informed about your intentions to share the data with collaborators. Include information in your privacy notice on the identity of your collaborators, which data are shared with them and why, how, and for how long. Avoid using statements that preclude sharing such as “Your data will not be shared with anyone else”.
- Make sure you have a legal basis to share the data, e.g., informed consent or public interest. If you use consent, make sure that data subjects are aware that they are also providing consent to share their data with your collaborators.
- Inform data subjects in good time (before you start processing their data) and proactively (directly, if possible).
2. Protect the personal data appropriately
- Assess the risks of sharing the data and the measures you will take to mitigate them in your Data Management Plan, Privacy scan, or if applicable, Data Protection Impact Assessment. This is especially important if you will share your data with collaborators outside of the European Economic Area.
- Share only the data that the collaborator needs (data minimisation), for example by deleting unnecessary data, pseudonymising the data, and sharing only with those who need access to the data.
- Make sure data subjects can still exercise their data subjects’ rights. For example, if a data subject withdraws their consent, not only you, but also your collaborators will have to stop processing the data subject’s personal data. It is important to make clear how you and they will do so.
3. Come to agreements with collaborators
In order to protect the personal data effectively, it is important to determine which role every collaborator has: controller or processor? And if there are multiple controllers, are they separate or joint controllers? For example, in many collaborative research projects (e.g., in consortia), there are multiple controllers that collectively determine why (e.g., research question) and how (e.g., methods) to process personal data. These parties are then joint controllers, and agreements need to be made in a joint controllers agreement.
In any collaboration in which data are shared, you need to (art. 26):
- Come to a formal agreement on:
  - The role of each party in the research project
  - Respective responsibilities in terms of data protection, such as informing data subjects and handling requests relating to data subjects’ rights
  - Who is the main point of contact for data subjects
- Communicate (the essence of) the agreement to data subjects.
Your privacy officer can help you draw up a valid agreement.
4. Pay special attention to third-country transfers
If you share personal data with international collaborators (for example, with countries that have no adequacy decision), you may need to take additional measures. Usually, these measures include drawing up an agreement to make sure the other party is GDPR-compliant and uses the necessary security measures (if you haven’t already done so). The exact type of agreement will depend on your specific situation: your privacy officer can help you choose and set up the right one.
The flowchart below indicates conditions under which you can share data internationally. Note that they assume that you have taken sufficient safeguards to protect the personal data. To determine the possibilities of sharing data internationally in your project, we strongly advise you to consult with your privacy officer. In some cases a Data Transfer Impact Assessment may be required, which can take some effort.
5. Use a secure way to share the data
- Granting access: It is preferable to grant a user access to an existing and safe infrastructure (e.g., add someone to a Yoda group or OneDrive folder), rather than physically sending the data elsewhere. This allows you to keep the data in one place, define specific access rights (read/write), have users authenticate, and easily revoke access to the data after your collaboration has ended. It is also a good idea to take measures to prevent the data from being copied elsewhere.
- Transferring data: When it is absolutely necessary to transfer the files to a different location, you must do so securely. Researchers at Utrecht University can use SURF Filesender with encryption.