

Data Privacy Handbook

Legal bases

On this page: legal basis, legal ground, consent, public interest, legitimate interest, secondary use
Date of last review: 2023-10-02

Many scientific research projects process personal data. According to the GDPR, you can only process personal data if you have a “reason”, or a legal basis, to do so: why is it necessary to use these personal data? For you as a researcher, it is important to know your legal basis for processing personal (research) data, as this not only indicates whether the processing of your research data is lawful, but also determines key actions you should take, such as which information you need to provide to data subjects, and whether you need to ask for consent. There are 6 possible legal bases, which are outlined below. In research, the legal bases “public interest”, “consent”, and to some extent “legitimate interest of the controller or a third party” are usually most suitable.

Legal bases suitable for research

  1. Public interest
    Public interest can be used to perform scientific research when the research is shown to clearly benefit the public good or when it fulfills a public task. In essence, public interest can be used for research that is conducted by employees of public institutions, when their research interest has been recognised by an official authority. For example, conducting research at Dutch universities has been officially recognised in the Higher Education and Scientific Research Act to be a public task. Read more on when and how to use public interest.
  2. Consent
    Consent is a frequently used legal basis in research. Usually, GDPR-consent (i.e., consent to process personal data) is combined with ethical informed consent (i.e., consent to ascertain that data subjects are informed and participate voluntarily). When using consent, you should be able to demonstrate that the data subject was informed and has given consent, and for which purpose(s) they gave their consent. In all cases, consent has to be freely given, specific, informed and unambiguous. Read more on when and how to use consent.
  3. Legitimate interest of the controller or a third party
    Legitimate interest of the controller or a third party is a less commonly used legal basis for processing personal data in scientific research. It is often used by companies to process personal data that are necessary for the company’s functioning. In research, legitimate interest is mostly used for processing activities that do not directly benefit society in general. Research that serves a private rather than a public interest can also be performed on this legal basis. Read more on when and how to use legitimate interest.

Legal bases generally not suitable for research

  1. Processing is necessary because of a legal obligation of the controller
    This legal basis is rarely suitable for research. As an example, Utrecht University has to share tax data with the Dutch tax administration to comply with tax legislation. Another, research-related, example is Covid-19 legislation, under which data were collected based on a legal obligation and were subsequently used for research on public health (see EDPB, 2020).
  2. Processing is necessary for the performance of a contract
    This legal basis is not very common in research. As an example, Utrecht University has contracts with its employees, which require it to manage the employees’ financial data. In research, this legal basis could in some cases be used when participants are recruited under a contract, i.e., they are formally hired to work on the research project. As long as the contract is valid under European law and the processing is necessary, this legal basis could be used.
  3. Processing is necessary to protect the vital interests of the data subject or someone else
    This legal basis is unlikely to be suitable for research. It allows processing of someone’s personal data when that processing is crucial to a person’s health or even life.

For different purposes in your research project, a different legal basis may apply.

For example:

  • you may use public interest for collecting, storing, analysing and publishing the data, and ask consent to contact data subjects again for a follow-up study.
  • you may use consent for making, sharing, distributing and reusing audio or video recordings of an interview, and public interest for transcribing and analysing the interview.

Further processing for research purposes

It may happen that you want to process personal data for other purposes than previously specified (e.g., because you formulated an additional research question), or you want to reuse previously collected personal data in your research. In these cases, it may be possible to apply GDPR article 5(1)(b), which states:

“further processing for […] scientific purposes shall […] not be considered to be incompatible with the initial purposes”.

Basically, this means that personal data that were previously collected for any purpose, can be reused for scientific research, even when the personal data were initially collected for non-scientific research purposes. Using this exemption is only allowed if you (art. 89):

  1. put in place sufficient safeguards to protect the personal data
  2. inform data subjects about the further processing (if possible), and
  3. allow them to exercise their rights.

These three obligations are not specific to further processing: they apply to any processing of personal data for research.

“Further processing” is not a legal basis. Instead, it functions as a way to legitimise, for research purposes, further processing of personal data that were previously collected for a different purpose. At the moment, it is unclear whether this further processing exemption for scientific research holds for data that were originally collected based on consent. This is because valid consent should be specific, which suggests that the further processing should fall within the specific boundaries of the original consent (i.e., the purpose of the further processing should be compatible with the original purpose, rec. 50). The European Data Protection Board has announced that it will provide guidelines for reusing personal data for scientific research in the future, which should make this issue more explicit. For the time being, it is better to stay on the safe side and not rely on this derogation when consent was the original legal basis.


The information presented here is provided as is, with no guarantees of accuracy or completeness. For the most up-to-date information, please refer to your privacy officer, the university website or intranet. We cannot be held responsible for any negative consequences due to incorrect interpretation or use, and inconsistencies with policies/views of other institutions.