Legal bases for working with personal data
You can only process personal data if you have a legal basis to do so, which should be registered, among other information, in the processing register and communicated to data subjects. There are 6 possible legal bases which are outlined below. In research, the legal bases ‘informed consent’, ‘public interest’ and to some extent ‘legitimate interests of the controller’ are most often used.
For different purposes in your research project, a different legal basis may apply. For example, you may contact data subjects before they start participating based on a legitimate interest and use informed consent for collecting, storing, analysing and publishing the data.
Legal bases suitable for research
Informed consent is the most frequently used legal basis in research and is often not only a legal (GDPR-consent), but also an ethical obligation (e.g., METC informed consent). When using informed consent, you should be able to demonstrate that the data subject was informed and has given consent, and for which purpose(s) they gave their consent. In all cases, consent has to be freely given, specific, informed and unambiguous. Please refer to the Informed consent section for guidance on applying informed consent in your research.
Public interest is sometimes used in research when the research is shown to clearly benefit the public good or fulfills a public task. In essence, public interest can be used for research that is conducted by employees of public institutions, when their research interest has been recognised by an official authority. For example, conducting research at Dutch universities has been officially recognised in the Higher Education and Scientific Research Act to be a public task. Public interest is often used when consent is not a good option. For example, it may be impossible or impractical to obtain consent when performing public observations or social media research. Consent is also not a good option when participants do not actually have a free choice, such as in clinical trials where participants would experience significant disadvantages when not participating.
If you want to use public interest as a legal basis, you need to assess the necessity and proportionality of your processing. Additionally, you need to demonstrate that the interests of data subjects do not override your research interests. To do so, please contact your privacy officer to assess whether you can use this legal basis in your research.
Legitimate interest of the controller
Legitimate interest is often used by companies to process personal data necessary for the functioning of their own company, e.g., processing user data for fraud prevention, or keeping a registration system to provide better services. In research, legitimate interest is often used for processing activities that have no direct research purpose. For example, this can be the case when you need to collect contact information to approach data subjects to participate, and you can only obtain their consent for participating in your research after contacting them. Since contacting data subjects is a prerequisite to perform your research, it can be in the university’s legitimate (research) interest to process their contact information.
To evaluate whether you can use legitimate interest as a legal basis, you always need to weigh the interests of the controller (e.g., Utrecht University) and the data subjects in a Legitimate interest assessment. Please contact your privacy officer to assess whether you can use this legal basis in your research.
Legal bases not suitable for research
Processing is necessary because of a legal obligation of the controller
This basis is not suitable for research. As an example, Utrecht University has to share tax data with the Dutch tax administration in order to comply with tax legislation.
Processing is necessary for the performance of a contract
This basis is not suitable for research. As an example, Utrecht University has contracts with its employees, which require it to manage the employees’ financial data.
Processing is necessary to protect a person’s vital interests
This basis is generally not suitable for research. If processing someone’s personal data is crucial to their health or even life, that processing is allowed under the GDPR.
Further processing for research purposes
It may happen that you want to process personal data for other purposes than previously specified (e.g., because you formulated an additional research question), or you want to reuse previously collected personal data in your research. In these cases, it may be possible to make use of article 5(1)(b), which states that “further processing for […] scientific purposes shall […] not be considered to be incompatible with the initial purposes”. Basically, this means that personal data that were previously collected for other purposes can be reused for scientific research purposes. This is only allowed if you put in place sufficient safeguards to protect the personal data, inform data subjects, and allow them to exercise their rights (art. 89). “Further processing” is not strictly a legal basis. Instead, it functions as a way to legitimise further processing of personal data (which was previously collected for a different purpose, using one of the six legal bases) for research purposes.
Public interest, legitimate interest, and relying on further processing are ways to meet your legal requirements for processing personal data, but not necessarily your ethical requirements: you may still need consent if this is required from an ethical perspective. Before you rely on any of these, you should first assess with your faculty privacy officer whether they are indeed suitable, and determine whether your research interests outweigh the privacy rights of the data subjects.