Data Privacy Handbook

Legal bases for working with personal data

You can only process personal data if you have a legal basis to do so. The legal basis should be recorded, among other information, in the processing register and communicated to data subjects (for example in a privacy notice). There are six possible legal bases, which are outlined below. In research, the legal bases ‘informed consent’, ‘public interest’ and, to some extent, ‘legitimate interests of the controller’ are the ones most often used.

Different purposes within one research project may rely on different legal bases. For example, you may contact prospective participants based on a legitimate interest, and then rely on informed consent for collecting, storing, analysing and publishing their data.

Legal bases suitable for research

  1. Informed consent

    Informed consent is the most frequently used legal basis in research and is often not only a legal obligation (GDPR consent), but also an ethical one (e.g., METC informed consent). When relying on informed consent, you must be able to demonstrate that the data subject was informed and gave consent, and for which purpose(s) they gave it. In all cases, consent has to be freely given, specific, informed and unambiguous. Please refer to the Informed consent section for guidance on applying informed consent in your research.

  2. Public interest

    Public interest is sometimes used in research when the research clearly benefits the public good or fulfils a public task. In essence, public interest can be used for research conducted by employees of public institutions, when that research task has been recognised by an official authority. For example, conducting research at Dutch universities has been officially recognised as a public task in the Higher Education and Scientific Research Act. Public interest is often used when consent is not a good option: for example, when it is impossible or impractical to obtain consent, as in public observations or social media research, or when participants do not have a genuinely free choice, as in clinical trials where not participating would mean significant disadvantages for them (so that consent would not be freely given).

    If you want to use public interest as a legal basis, you need to assess the necessity and proportionality of your processing. Additionally, you need to demonstrate that the interests of the data subjects do not override your research interests. Please contact your privacy officer to assess whether you can use this legal basis in your research.

  3. Legitimate interest of the controller

    Legitimate interest is often used by companies to process personal data that are necessary for the functioning of the company, e.g., processing user data for fraud prevention, or keeping a registration system to provide better services. In research, legitimate interest is mostly used for processing activities that have no direct research purpose. For example, you may need to collect contact information in order to approach prospective participants, and you can only obtain their consent to participate after contacting them. Since contacting data subjects is a prerequisite for performing the research, processing their contact information can be in the university’s legitimate (research) interest.

    To evaluate whether you can use legitimate interest as a legal basis, you always need to weigh the interests of the controller (e.g., Utrecht University) against those of the data subjects in a Legitimate interest assessment. Please contact your privacy officer to assess whether you can use this legal basis in your research.

Legal bases not suitable for research

  1. Processing is necessary because of a legal obligation of the controller

    This basis is not suitable for research. As an example, Utrecht University has to share salary data with the Dutch tax administration in order to comply with tax legislation.

  2. Processing is necessary for the performance of a contract

    This basis is not suitable for research. As an example, Utrecht University has employment contracts with its employees, which require it to process the employees’ financial data (e.g., to pay salaries).

  3. Processing is necessary to protect a person’s vital interests

    This basis is generally not suitable for research. It applies when processing someone’s personal data is crucial to their health or even their life, such as in a medical emergency; such processing is allowed under the GDPR, but this situation rarely arises in research.

Further processing for research purposes

It may happen that you want to process personal data for purposes other than those previously specified (e.g., because you formulated an additional research question), or that you want to reuse previously collected personal data in your research. In these cases, it may be possible to rely on article 5(1)(b), which states that “further processing for […] scientific purposes shall […] not be considered to be incompatible with the initial purposes”. In short, this means that you can reuse personal data that were previously collected for other purposes for scientific research purposes. This is only allowed if you put in place sufficient safeguards to protect the personal data (art. 89(1)), inform the data subjects, and allow them to exercise their rights. Note that “further processing” is not itself a legal basis: the original collection must still have rested on one of the six legal bases. Rather, it is a way to legitimise the further processing of those personal data, collected for a different purpose, for research purposes.

Public interest, legitimate interest, and relying on further processing are ways to meet your legal requirements for processing personal data, but not necessarily your ethical requirements: you may still need consent if it is required from an ethical perspective (e.g., by an ethics committee). Before you rely on any of these, first assess with your faculty privacy officer whether they are indeed suitable, and determine whether your research interests outweigh the privacy rights of the data subjects.

The information presented here is provided as is, with no guarantees of accuracy or completeness. For the most up-to-date information, please refer to your privacy officer, the university website or intranet. We cannot be held responsible for any negative consequences due to incorrect interpretation or use, and inconsistencies with policies/views of other institutions.