Sharing personal data with a legal basis

If you cannot fully anonymise your data, they are still considered personal data. In order to share personal data for reuse, you therefore need to consider the following steps:

Be transparent in your information to data subjects
Make sure you have a legal basis
Protect the data while sharing
Make your personal data FAIR

If you are in doubt whether you can share personal data for reuse, please ask your privacy officer for help. If you cannot share the personal data for reuse, there are still alternatives you can apply to make (characteristics of) your data useful to others.

1. Be transparent

Irrespective of the legal basis you use to share personal data, data subjects must be informed about any reuse of their data. This allows them to exercise their rights, such as the right to object (if you use public interest) or to withdraw their consent (if you use consent). If data subjects haven’t been informed that you will share their data, you cannot share their data: you have not fulfilled your transparency obligation!

Before the start of your project

Include the intention of sharing data in your information to data subjects, how you plan to keep them informed, and how they can exercise their rights. Avoid language that precludes sharing, such as “your data will remain strictly confidential”, and “your data will only be shared with members of the research team”.

If it is not possible to identify the specific data subject that objected or withdrew consent within the dataset, without additional information provided by the data subject themselves, data subjects can simply not exercise those rights anymore. Let data subjects know about this!

At the time of data sharing

If you can still identify the data subjects in your dataset at the time of data sharing (e.g., if you still have a keyfile and/or contact information), inform the data subjects specifically about the data sharing process, using appropriate channels such as email (art. 12, art. 14): which data are shared, with whom exactly, for which purposes, under which restrictions, and how can data subjects object or withdraw consent?

If you cannot identify data subjects in the dataset at the time of data sharing (e.g., there is no keyfile/contact information anymore, but the data are not anonymous), inform them indirectly on how their data are being (re)used and if/how they can exercise their rights, via channels that are easily accessible, for example through a project website, newsletter, mailing list, etc.

In most cases, the original owner (controller) of the data is responsible for informing data subjects and handling requests related to data subjects’ rights, unless otherwise agreed.

2. Make sure you have a legal basis

When you share personal data with another organisation for their own specified reuse, the recipient will likely become a new controller of the personal data. This means that both you and the recipient need a valid legal reason to share (you, the owner) and (re)use (recipient) the personal data.

For the original owner, there are multiple possibilities to rely on to share the data:

Further processing for research purposes

This is a derogation in the GDPR that enables personal data to be further processed (e.g., shared) for research purposes, without requiring a new legal basis, as long as sufficient safeguards are in place to protect the data (e.g., pseudonymisation, access control, data transfer agreement, etc, art. 5(1)(b), art. 89). If the data are not shared for research purposes, then this derogation does not apply. Note: There is ongoing discussion whether you can rely on this derogation if you used consent to collect the data: sharing that falls outside of the scope of the original consent, may not meet the specificity criterium and may not be fair to data subjects. You can rely on it, however, if you used another legal basis to collect the data (e.g., public interest, legitimate interest).

Consent for data sharing

This entails asking explicit consent to share data with others for reuse for specified purposes, before you collect the data. In this guide you can find more information about that.

An advantage of this approach is that it gives data subjects a lot of control, and reuse does not have to be limited to scientific research only (as it is with further processing).
A limitation of this approach is that consent has to be specific in order to be valid. Thus, consent for data sharing is only legitimate when you additionally inform data subjects about the specific sharing right before you share the data (e.g., with whom specifically will the data be shared and why?), so that data subjects can still withdraw their data sharing consent.

Public or legitimate interest

Public or legitimate interest could in principle also be used as a legal bases to share personal data, when sharing the data is necessary and proportional and it does not override the interests of the data subjects (a privacy scan is a good way to assess that).

For the recipient, in most cases the legal basis for reusing the received data is public interest (when reused for research purposes), although legitimate interest (when reused for non-research purposes) and consent (if the recipient can themselves obtain consent from the data subjects) are also possible. Using public (and legitimate) interest requires the recipient to assess the risks for data subjects against the benefits of using the data for their purposes (a privacy scan is a good way to do that). This is necessary because the recipient will become a new controller and therefore also has to treat the personal data in a fair, transparent and lawful way. The recipient is usually also bound by the restrictions set forth by the original owner, which usually happens through a data transfer agreement or custom license (e.g., use safeguards to protect the data, do not share the data any further, only use the data for the specified purposes, etc.).

If you want to share or reuse special categories of personal data, you may still need explicit consent, except when the data subject had made their data publicly available themselves, or when obtaining consent would involve an unreasonable amount of effort.

4. Make your data FAIR

Personal data or not, you can always make your data Findable, Accessible, Interoperable and Reusable:

Findable

Publish your metadata and documentation in a data repository that assigns a persistent identifier to the dataset. Depending on your situation, you may be able to deposit the data there as well (under restricted access).

Accessible

Clearly specify if and how others can access your dataset and make that information publicly available. Some studies have set up a data access protocol in which this is made clear (e.g., data are accessible after signing an agreement, writing a research proposal, helping to collect new data, etc.). You can find an example here.

Interoperable

Structure and document your data so that they are easily understandable for humans and machines (see our FAIR guide).

Reusable

If you only deposited metadata and documentation, add an open license to the dataset (e.g., CC0 or CC BY 4.0). If you deposited the personal data in the data repository as well, there will usually be custom terms of use such as the data access protocol mentioned under Accessible.