• Intro
  • Data Privacy Handbook
    • How to use this Handbook
      • What are you looking for?
    • License and Citation
    • Disclaimer
    • Contributions
  • Privacy FAQs
    • General questions
    • Procedures and responsibilities
    • Informed consent
    • Legal questions
    • Storing personal data
    • Sharing, publishing and reusing personal data
    • Practical questions
    • Students and student data
    • Finding support
  • Knowledge Base
  • The GDPR
    • Chapter summary
    • What is the GDPR?
    • Definitions in the GDPR
    • Principles in the GDPR
    • Legal bases for working with personal data
      • Legal bases suitable for research
      • Legal bases not suitable for reseach
      • Further processing for research purposes
    • Data Subjects’ Rights
  • What are personal data?
    • Definition of personal data
    • How to assess whether data contain personal data?
    • Special types of personal data
      • Special categories of personal data
      • Data that are otherwise sensitive
  • Designing your project
    • Privacy by Design strategies
    • Data-oriented strategies
      • Minimise
      • Separate
      • Abstract
      • Hide
    • Process-oriented strategies
      • Inform
      • Control
      • Enforce
      • Demonstrate
  • Risk Assessment
    • How to assess privacy risks?
    • What are high-risk operations?
    • Classifying personal data
    • Examples of privacy risks and how to mitigate them
  • Documents & Assessments
    • Information to data subjects
      • When to use a privacy notice?
      • Content and examples of privacy notices
      • Form of a privacy notice
    • Informed consent
      • Consent step-by-step
      • Requirements for valid consent
      • What forms of consent are valid?
      • Demonstrating (valid) consent
      • Broad consent in research
      • Examples and templates
    • Privacy scan
      • When to use a privacy scan?
      • Examples and templates
    • Data Protection Impact Assessment
      • The process of performing a DPIA
      • Examples and templates
    • Legitimate interest assessment
      • How to do a legitimate interest assessment?
      • Examples and templates
    • Data Transfer Impact Assessment
      • What is a third-country transfer?
      • Goal and content of a DTA
      • Examples and templates
    • Processing register
    • Agreements
      • How to set up an agreement?
      • Non-disclosure agreement
      • Data processing agreement
      • Data Transfer Agreement
      • Joint controllers agreement
      • Data Use Agreement
      • Standard Contractual Clauses for international transfers
  • Techniques & Tools
  • Research scenarios
  • Pseudonymisation & Anonymisation
  • Statistical privacy
    • Statistical disclosure control
    • K-anonymity and its descendents
    • Differential privacy
  • Secure computing
  • Other techniques
    • Encryption
    • Synthetic Data
    • Data donation
  • Tools & Services
    • Utrecht University tool finders
    • Tools to deidentify, synthetise and work safely with personal data
    • Requirements for a third-party tool
      • 1. Who is processing the personal data: arrange an agreement
      • 2. Security level
  • Storage, Sharing, Publication
  • Storing personal data
    • Chapter summary
    • Where should I store personal data?
      • Storage media at UU
    • How should I store personal data?
    • For how long should I store personal data?
      • Deleting personal data
  • Sharing data with collaborators
  • Sharing data for reuse
    • Sharing anonymised data
    • Sharing personal data with a legal basis
      • 1. Be transparent
      • 2. Make sure you have a legal basis
      • 3. Protect the data while sharing
      • 4. Make your data FAIR
    • Alternatives to sharing personal data
      • Publish metadata and documentation
      • Use other techniques and strategies to enable reuse
  • Use Cases
  • Data minimisation in a survey
  • Data pseudonymisation
  • Publishing metadata
  • Reusing education data for research
  • Resources
  • Seeking help at Utrecht University
    • Education
    • Online information
    • In-person support
  • Glossary
  • Resources
  • Visit the GitHub repository

Data Privacy Handbook

Sharing personal data with a legal basis

If you cannot fully anonymise your data, they are still considered personal data. In order to share personal data for reuse, you therefore need to consider the following steps:

  1. Be transparent in your information to data subjects
  2. Make sure you have a legal basis
  3. Protect the data while sharing
  4. Make your personal data FAIR

If you are in doubt whether you can share personal data for reuse, please ask your privacy officer for help. If you cannot share the personal data for reuse, there are still alternatives you can apply to make (characteristics of) your data useful to others.

1. Be transparent

Irrespective of the legal basis you use to share personal data, data subjects must be informed about any reuse of their data. This allows them to exercise their rights, such as the right to object (if you use public interest) or to withdraw their consent (if you use consent). If data subjects haven’t been informed that you will share their data, you cannot share their data: you have not fulfilled your transparency obligation!

Before the start of your project

Include the intention of sharing data in your information to data subjects, how you plan to keep them informed, and how they can exercise their rights. Avoid language that precludes sharing, such as “your data will remain strictly confidential”, and “your data will only be shared with members of the research team”.

If it is not possible to identify the specific data subject that objected or withdrew consent within the dataset, without additional information provided by the data subject themselves, data subjects can simply not exercise those rights anymore. Let data subjects know about this!

At the time of data sharing

If you can still identify the data subjects in your dataset at the time of data sharing (e.g., if you still have a keyfile and/or contact information), inform the data subjects specifically about the data sharing process, using appropriate channels such as email (art. 12, art. 14): which data are shared, with whom exactly, for which purposes, under which restrictions, and how can data subjects object or withdraw consent?

If you cannot identify data subjects in the dataset at the time of data sharing (e.g., there is no keyfile/contact information anymore, but the data are not anonymous), inform them indirectly on how their data are being (re)used and if/how they can exercise their rights, via channels that are easily accessible, for example through a project website, newsletter, mailing list, etc.

In most cases, the original owner (controller) of the data is responsible for informing data subjects and handling requests related to data subjects’ rights, unless otherwise agreed.

2. Make sure you have a legal basis

When you share personal data with another organisation for their own specified reuse, the recipient will likely become a new controller of the personal data. This means that both you and the recipient need a valid legal reason to share (you, the owner) and (re)use (recipient) the personal data.

For the original owner, there are multiple possibilities to rely on to share the data:

Further processing for research purposes
This is a derogation in the GDPR that enables personal data to be further processed (e.g., shared) for research purposes, without requiring a new legal basis, as long as sufficient safeguards are in place to protect the data (e.g., pseudonymisation, access control, data transfer agreement, etc, art. 5(1)(b), art. 89). If the data are not shared for research purposes, then this derogation does not apply. Note: There is ongoing discussion whether you can rely on this derogation if you used consent to collect the data: sharing that falls outside of the scope of the original consent, may not meet the specificity criterium and may not be fair to data subjects. You can rely on it, however, if you used another legal basis to collect the data (e.g., public interest, legitimate interest).
Consent for data sharing
This entails asking explicit consent to share data with others for reuse for specified purposes, before you collect the data. In this guide you can find more information about that.
  • An advantage of this approach is that it gives data subjects a lot of control, and reuse does not have to be limited to scientific research only (as it is with further processing).
  • A limitation of this approach is that consent has to be specific in order to be valid. Thus, consent for data sharing is only legitimate when you additionally inform data subjects about the specific sharing right before you share the data (e.g., with whom specifically will the data be shared and why?), so that data subjects can still withdraw their data sharing consent.
Public or legitimate interest
Public or legitimate interest could in principle also be used as a legal bases to share personal data, when sharing the data is necessary and proportional and it does not override the interests of the data subjects (a privacy scan is a good way to assess that).

For the recipient, in most cases the legal basis for reusing the received data is public interest (when reused for research purposes), although legitimate interest (when reused for non-research purposes) and consent (if the recipient can themselves obtain consent from the data subjects) are also possible. Using public (and legitimate) interest requires the recipient to assess the risks for data subjects against the benefits of using the data for their purposes (a privacy scan is a good way to do that). This is necessary because the recipient will become a new controller and therefore also has to treat the personal data in a fair, transparent and lawful way. The recipient is usually also bound by the restrictions set forth by the original owner, which usually happens through a data transfer agreement or custom license (e.g., use safeguards to protect the data, do not share the data any further, only use the data for the specified purposes, etc.).

If you want to share or reuse special categories of personal data, you may still need explicit consent, except when the data subject had made their data publicly available themselves, or when obtaining consent would involve an unreasonable amount of effort.

3. Protect the data while sharing

Unless you have a legal basis to make personal data publicly available, you should aim to protect the personal data also while sharing them. For example:

  • Do not share more data than needed; pseudonymise the data as much as possible.
  • Put in place an agreement that forces recipients to treat the data confidentially and that clarifies each party’s responsibilities.
  • Share the data safely, for example by giving access via a secure storage environment, or encrypting the data before transferring them.
  • Always follow the restrictions that you communicated to data subjects.

4. Make your data FAIR

Personal data or not, you can always make your data Findable, Accessible, Interoperable and Reusable:

Findable
Publish your metadata and documentation in a data repository that assigns a persistent identifier to the dataset. Depending on your situation, you may be able to deposit the data there as well (under restricted access).
Accessible
Clearly specify if and how others can access your dataset and make that information publicly available. Some studies have set up a data access protocol in which this is made clear (e.g., data are accessible after signing an agreement, writing a research proposal, helping to collect new data, etc.). You can find an example here.
Interoperable
Structure and document your data so that they are easily understandable for humans and machines (see our FAIR guide).
Reusable
If you only deposited metadata and documentation, add an open license to the dataset (e.g., CC0 or CC BY 4.0). If you deposited the personal data in the data repository as well, there will usually be custom terms of use such as the data access protocol mentioned under Accessible.

Utrecht University logo

Data Privacy Handbook

The information presented here is provided as is, with no guarantees of accuracy or completeness. For the most up-to-date information, please refer to your privacy officer, the university website or intranet. We cannot be held responsible for any negative consequences due to incorrect interpretation or use, and inconsistencies with policies/views of other institutions.

💡 Give feedback about this page