Sharing personal data with a legal basis
If you cannot fully anonymise your data, they are still considered personal data. In order to share personal data for reuse, you therefore need to consider the following steps:
- Be transparent in your information to data subjects
- Make sure you have a legal basis
- Protect the data while sharing
- Make your personal data FAIR
If you are in doubt whether you can share personal data for reuse, please ask your privacy officer for help. If you cannot share the personal data for reuse, there are still alternatives you can apply to make (characteristics of) your data useful to others.
1. Be transparent
Irrespective of the legal basis you use to share personal data, data subjects must be informed about any reuse of their data. This allows them to exercise their rights, such as the right to object (if you use public interest) or to withdraw their consent (if you use consent). If data subjects haven’t been informed that you will share their data, you cannot share their data: you have not fulfilled your transparency obligation!
Before the start of your project
Include the intention of sharing data in your information to data subjects, how you plan to keep them informed, and how they can exercise their rights. Avoid language that precludes sharing, such as “your data will remain strictly confidential”, and “your data will only be shared with members of the research team”.
If it is not possible to identify the specific data subject that objected or withdrew consent within the dataset, without additional information provided by the data subject themselves, data subjects can simply not exercise those rights anymore. Let data subjects know about this!
At the time of data sharing
If you can still identify the data subjects in your dataset at the time of data sharing (e.g., if you still have a keyfile and/or contact information), inform the data subjects specifically about the data sharing process, using appropriate channels such as email (art. 12, art. 14): which data are shared, with whom exactly, for which purposes, under which restrictions, and how can data subjects object or withdraw consent?
If you cannot identify data subjects in the dataset at the time of data sharing (e.g., there is no keyfile/contact information anymore, but the data are not anonymous), inform them indirectly on how their data are being (re)used and if/how they can exercise their rights, via channels that are easily accessible, for example through a project website, newsletter, mailing list, etc.
In most cases, the original owner (controller) of the data is responsible for informing data subjects and handling requests related to data subjects’ rights, unless otherwise agreed.
2. Make sure you have a legal basis
When you share personal data with another organisation for their own specified reuse, the recipient will likely become a new controller of the personal data. This means that both you and the recipient need a valid legal reason to share (you, the owner) and (re)use (recipient) the personal data.
For the original owner, there are multiple possibilities to rely on to share the data:
Further processing for research purposes
Consent for data sharing
- An advantage of this approach is that it gives data subjects a lot of control, and reuse does not have to be limited to scientific research only (as it is with further processing).
- A limitation of this approach is that consent has to be specific in order to be valid. Thus, consent for data sharing is only legitimate when you additionally inform data subjects about the specific sharing right before you share the data (e.g., with whom specifically will the data be shared and why?), so that data subjects can still withdraw their data sharing consent.
Public or legitimate interest
For the recipient, in most cases the legal basis for reusing the received data is public interest (when reused for research purposes), although legitimate interest (when reused for non-research purposes) and consent (if the recipient can themselves obtain consent from the data subjects) are also possible. Using public (and legitimate) interest requires the recipient to assess the risks for data subjects against the benefits of using the data for their purposes (a privacy scan is a good way to do that). This is necessary because the recipient will become a new controller and therefore also has to treat the personal data in a fair, transparent and lawful way. The recipient is usually also bound by the restrictions set forth by the original owner, which usually happens through a data transfer agreement or custom license (e.g., use safeguards to protect the data, do not share the data any further, only use the data for the specified purposes, etc.).
If you want to share or reuse special categories of personal data, you may still need explicit consent, except when the data subject had made their data publicly available themselves, or when obtaining consent would involve an unreasonable amount of effort.
3. Protect the data while sharing
Unless you have a legal basis to make personal data publicly available, you should aim to protect the personal data also while sharing them. For example:
- Do not share more data than needed; pseudonymise the data as much as possible.
- Put in place an agreement that forces recipients to treat the data confidentially and that clarifies each party’s responsibilities.
- Share the data safely, for example by giving access via a secure storage environment, or encrypting the data before transferring them.
- Always follow the restrictions that you communicated to data subjects.
4. Make your data FAIR
Personal data or not, you can always make your data Findable, Accessible, Interoperable and Reusable: