GDPR: What are the different roles and responsibilities according to the GDPR?
Various roles are defined within the General Data Protection Regulation (GDPR) for the processing of personal data. The most important roles are:
- Data controller
- Joint data controller
- Data processor
Since controllers and processors have different responsibilities and obligations, it is important that you clearly define these roles (together with the other partners in your research) at the start of the research.
Controller
The controller is defined as “the institution/organisation who determines the purpose of and means of the processing”. Please note, merely providing research funding (such as by the FWO, the European Commission, etc.) is not sufficient to be considered as a controller in the context of research. In this case, Ghent University remains the controller.
- You are an FWO PhD fellow and together with the supervisor, who is a professor at Ghent University, you determine the objectives of your research. Although your research is funded by the FWO, Ghent University is the controller. The FWO is merely a funder.
- UGent researchers of the Faculty of Psychology and Educational Sciences collect data (including personal data, human body material (MLM), imaging, surveys, etc.) from patients/volunteers. These data do not originate from, and are not collected within, UZ Ghent. Ghent University is the data controller.
- UZ Gent researchers (not affiliated with UGent) collect data (including personal data, such as human body material (MLM), imaging, surveys, etc.) from patients. Ghent University Hospital, not UGent, is the data controller. This is also the case for research projects with volunteers at UZ Gent services, e.g. D.R.U.G., CEVAC, Outpatient services, where the principal investigator is not affiliated with UGent.
- UGent/UZ Gent researchers process personal data in the context of industry-funded research. The pharmaceutical company is the sponsor of the clinical trial and will act as data controller. Therefore, Ghent University and Ghent University Hospital are data processors.
Although Ghent University acts as the controller for most research with personal data that happens at Ghent University, data protection is a shared responsibility between you and the other researchers involved. Within their own research projects, researchers are responsible for thoroughly considering the privacy aspects and for complying with the legal obligations of the GDPR and the Generic Code of Conduct for the processing of personal data and confidential information at Ghent University.
Joint controllers
With joint controllers, the purpose and means of the processing are determined by two or more organisations/institutions.
Joint data controllers should transparently set out their respective responsibilities for complying with the obligations of the GDPR, including establishing who is responsible for providing information to data subjects and who is responsible for handling requests relating to data subjects’ rights.
Examples:
- You conduct research together with another university in Belgium or abroad, where both partners determine the research design (to a greater or lesser extent). UGent and the partner are joint data controllers. This is not a situation where one university is merely a supplier of data or only carries out a specific contract for subcontracting.
- A principal investigator affiliated with Ghent University collects/uses data (including personal data, human body material (MLM), imaging, surveys, etc.) from UZ Ghent patients. Ghent University and Ghent University Hospital are joint data controllers. This is also the case for research projects involving volunteers from UZ Ghent services, e.g. D.R.U.G., CEVAC, outpatient services, by a principal investigator affiliated with UGent.
- If there is another university, hospital, research institute or partner involved in the research (besides Ghent University and/or Ghent University Hospital), Ghent University and/or Ghent University Hospital will be acting as a joint controller together with this other party, or as a processor or sub-processor on behalf of this other party (see below).
Processor
Finally, an institution/organisation or researcher can also act as a processor. In this case, the institution, organisation or researcher processes personal data on behalf of another organisation.
Examples:
- Contract research, services commissioned by private companies, or some types of policy-relevant research
- In the context of industry-funded research, a pharmaceutical company is the sponsor of a clinical trial and will act as the data controller. Consequently, Ghent University and Ghent University Hospital are data processors.
Within a research project or a research collaboration, you may as a researcher yourself also call upon processors to collect, process, store or make personal data available.
For example: researchers call upon a company to send out surveys to data subjects, or to analyse certain results of interviews and surveys. In this case, Ghent University will act as the controller and the company as the processor.
It is important to set down all arrangements between the controller(s) and the processor(s) or between processors and sub-processors in an agreement. You can contact the legal support office of TechTransfer for this.
Last modified Aug. 28, 2024, 10:02 a.m.