Data Privacy Handbook

Sharing personal data with a legal basis

On this page: pseudonymous, personal, sensitive, share, transfer, open science, reuse, access control, legal basis, legal ground, data sharing, transparency, transparent, inform, further processing, secondary use, secondary processing, safeguards, protection, FAIR data
Date of last review: 2023-03-09

If you cannot fully anonymise your data, they are still considered personal data. In order to share personal data for reuse, you therefore need to consider the following steps:

  1. Be transparent in your information to data subjects
  2. Make sure you have a legal basis
  3. Protect the data while sharing
  4. Make your personal data FAIR

If you are in doubt whether you can share personal data for reuse, please ask your privacy officer for help. If you cannot share the personal data for reuse, there are still alternatives you can apply to make (characteristics of) your data useful to others.

1. Be transparent

Irrespective of the legal basis you use to share personal data, data subjects must be informed about any reuse of their data. This allows them to exercise their rights, such as the right to object (if you use public interest) or to withdraw their consent (if you use consent). If data subjects haven’t been informed that you will share their data, you cannot share their data: you have not fulfilled your transparency obligation!

Before the start of your project

Include the intention of sharing data in your information to data subjects, how you plan to keep them informed, and how they can exercise their rights. Avoid language that precludes sharing, such as “your data will remain strictly confidential”, and “your data will only be shared with members of the research team”.

If the specific data subject who objected or withdrew consent cannot be identified within the dataset without additional information provided by the data subject themselves, data subjects simply cannot exercise those rights anymore. Let data subjects know about this!

At the time of data sharing

If you can still identify the data subjects in your dataset at the time of data sharing (e.g., if you still have a keyfile and/or contact information), inform the data subjects specifically about the data sharing process, using appropriate channels such as email (art. 12, art. 14): which data are shared, with whom exactly, for which purposes, under which restrictions, and how can data subjects object or withdraw consent?

If you cannot identify data subjects in the dataset at the time of data sharing (e.g., there is no keyfile/contact information anymore, but the data are not anonymous), inform them indirectly on how their data are being (re)used and if/how they can exercise their rights, via channels that are easily accessible, for example through a project website, newsletter, mailing list, etc.

In most cases, the original owner (controller) of the data is responsible for informing data subjects and handling requests related to data subjects’ rights, unless otherwise agreed.

2. Make sure you have a legal basis

When you share personal data with another organisation for their own specified reuse, the recipient will likely become a new controller of the personal data. This means that both you and the recipient need a valid legal reason to share (you, the owner) and (re)use (recipient) the personal data.

For the original owner, there are multiple possibilities to rely on to share the data:

Further processing for research purposes

This is a derogation in the GDPR that enables personal data to be further processed (e.g., shared) for any scientific research purposes, without requiring a new legal basis, as long as sufficient safeguards are in place to protect the data (e.g., pseudonymisation, access control, data transfer agreement, etc.; art. 5(1)(b), art. 89). If the data are not shared for scientific research purposes, then a new legal basis is required, except if the new purpose is compatible with the original purpose.

Note: There is ongoing discussion whether you can rely on this derogation if you used consent to collect the data, especially if those data are of special categories: sharing that falls outside of the scope of the original consent may not meet the specificity criterion and may not be fair to data subjects. You can rely on it, however, if you used another legal basis to collect the data (e.g., public interest, legitimate interest).

Consent for data sharing

This entails asking explicit consent to share data with others for reuse for specified purposes, before you collect the data. In this guide you can find more information about that.

  • An advantage of this approach is that it gives data subjects a lot of control, and reuse does not have to be limited to scientific research only (as it is with further processing).
  • A limitation of this approach is that consent has to be specific in order to be valid. Thus, consent for data sharing is only legitimate when you additionally inform data subjects about the specific sharing right before you share the data (e.g., with whom specifically will the data be shared and why?), so that data subjects can still withdraw their data sharing consent.

Public or legitimate interest

Public or legitimate interest could in principle also be used as a legal basis to share personal data, when sharing the data is necessary and proportional and it does not override the interests of the data subjects (a privacy scan is a good way to assess that).


For the recipient, in most cases the legal basis for reusing the received data is public interest (when reused for research purposes), although legitimate interest (when reused for non-research purposes) and consent (if the recipient can themselves obtain consent from the data subjects) are also possible. Using public (and legitimate) interest requires the recipient to assess the risks for data subjects against the benefits of using the data for their purposes (a privacy scan is a good way to do that). This is necessary because the recipient will become a new controller and therefore also has to treat the personal data in a fair, transparent and lawful way. The recipient is usually also bound by the restrictions set forth by the original owner, which usually happens through a data transfer agreement or custom license (e.g., use safeguards to protect the data, do not share the data any further, only use the data for the specified purposes, etc.).

If you want to share or reuse special categories of personal data, you may still need explicit consent, except when the data subject has made their data publicly available themselves, or when obtaining consent would involve an unreasonable amount of effort.

3. Protect the data while sharing

Unless you have a legal basis to make personal data publicly available, you should aim to protect the personal data also while sharing them. For example:

  • Do not share more data than needed; pseudonymise the data as much as possible.
  • Put in place an agreement that forces recipients to treat the data confidentially and that clarifies each party’s responsibilities.
  • Share the data safely, for example by giving access via a secure storage environment, or encrypting the data before transferring them.
  • Always follow the restrictions that you communicated to data subjects.
  • If you will transfer personal data outside of the European Economic Area (EEA), consider which measures are needed, especially if the relevant country does not have an adequate level of data protection.

4. Make your data FAIR

Personal data or not, you can always make your data Findable, Accessible, Interoperable and Reusable:

Findable
Publish your metadata and documentation in a data repository that assigns a persistent identifier to the dataset. Depending on your situation, you may be able to deposit the data there as well (under restricted access).
Accessible
Clearly specify if and how others can access your dataset and make that information publicly available. Some studies have set up a data access protocol in which this is made clear (e.g., data are accessible after signing an agreement, writing a research proposal, helping to collect new data, etc.). You can find an example here.
Interoperable
Structure and document your data so that they are easily understandable for humans and machines (see our FAIR guide).
Reusable
If you only deposited metadata and documentation, add an open license to the dataset (e.g., CC0 or CC BY 4.0). If you deposited the personal data in the data repository as well, there will usually be custom terms of use such as the data access protocol mentioned under Accessible.
