Information to data subjects
A privacy notice is any information given to data subjects about what is happening with their personal data. In research, a privacy notice is usually combined with general information about the research project and often with an informed consent form, to satisfy both privacy and ethical concerns. Generally, the aim of a privacy notice is to inform data subjects on how and why their data are being processed. Providing that information is the “cornerstone of data subjects’ rights”, as without it, data subjects cannot exercise their other privacy rights.
When to use a privacy notice?
Informing data subjects is always required, for all legal bases (so not only when you use informed consent). Being properly informed is a data subject’s right in itself (art. 12): it is necessary so that data subjects can exercise their other rights (e.g., right to be forgotten, right to object, etc.).
You need to inform data subjects before you start collecting or otherwise processing their personal data (so before the start of your research project). If you share personal data with an external party, you should inform data subjects at the latest when first sharing those data with that external party.
When you use personal data from another source, you have to inform your data subjects within a month after obtaining their data (art. 14), except if:
- they have already been properly informed elsewhere
- this would involve a disproportionate effort
- this would seriously impair your processing purposes (e.g., if you cannot answer your research question anymore, art. 14(5)).
Content and examples of privacy notices
Below you can find a list of items to include in your information to data subjects (Template) and some example sentences to (not) include in your privacy notice (click to expand).
|“After the project ends, we will delete all of your data, so that you will not be identifiable anymore.”||“After the end of the study, we will delete the code linking your data to your name. We will store your de-identified data for 10 years for integrity purposes.”|
|“Your data will be fully anonymised before they are shared with others.”||“We will remove personal information that could reasonably identify you before we share any files with other researchers.”|
|“All data that you will provide will be kept strictly confidential and will not be shared further.”||“The main researcher will keep a link that identifies you to your coded information. They will keep this link secure and available only to the selected members of the research team.”|
|“Your data will only be accessible by the research team, and no one else.”||“We will only share your de-identified data with other researchers if they agree to treat your data confidentially and only after approval from the original research team.”|
|“You can withdraw your consent from this study at any time up until the end of the research project. If you withdraw your consent, we will delete all your data from our dataset immediately.”||“You can withdraw your consent from this study at any time, without stating a reason why and without any repercussions. Please inform the researcher about your decision. We will then delete any personal data referring to you that we still have, where this is still possible.”|
Form of a privacy notice
The format of the privacy notice is also crucial. Even if you include all necessary components in your privacy notice, it will not be GDPR-compliant if you fail to provide the information in an appropriate form, shape and time.
The information you provide to data subjects should be:
Clear and understandable
A privacy notice is not a legal document, so do not write it like you would write a legal contract. The information should be understandable for data subjects and it should have a clear and concrete meaning. For example, avoid using words like “may”, “some”, “often” and write active and short sentences. Tip: try these writing tips, this language tester, or use this simplified information sheet (all in Dutch).
Data subjects should be able to find the information easily. For example, publish the privacy notice on your project website, give participants a copy, or provide a QR-code or short URL. Even if you cannot inform data subjects directly, you should make an effort to inform them and put the information somewhere they will likely come across (such as a website or on social media).
Via multiple channels (when appropriate)
Textual information sheets are by no means the only way to inform data subjects. If appropriate, you can provide the information via other channels too, e.g., oral statements, images (example), audio, video (example), etc. For some data subjects, such other channels of informing can lead to a better understanding of your processing activities.
Layered (when appropriate)
To balance being complete with being understandable, you can layer the information you provide. For example, provide concise information up front and provide more detailed information elsewhere (e.g., via a link or dropdown menu).
If you are uncertain about the level of intelligibility and transparency of the information, you can test these, for example through user panels, readability testing, or by interactions with data subjects themselves (or their representatives).