GDPR: What rights do data subjects have, how do I respect them and what exceptions may apply to research?
The General Data Protection Regulation (GDPR) defines the persons whose personal data are processed as data subjects.
As a researcher, you have to take into account that data subjects can exercise several rights with regard to their personal data under the GDPR.
1. Right to information
You are obliged to inform the data subjects in a clear and transparent manner about which of their personal data is processed and for what purpose this processing takes place. This is in line with the basic principle that the processing of personal data must be transparent.
2. Right to access
A data subject can ask whether personal data is being processed about him/her, which categories of personal data this concerns, why they are processed and with whom they are shared.
3. Right to rectification
If the data are not correct, the data subjects can ask to correct, supplement or erase them.
4. Right to be forgotten
In a number of cases and circumstances the data subjects can have their personal data deleted. Exceptions may be made to this right in the context of scientific research insofar as the exercise of this right threatens to render the achievement of the purposes of that processing impossible or to seriously jeopardise it.
5. Right to limit the processing
If certain criteria are met, the data subjects can ask you to (temporarily) stop processing their personal data.
6. Right to data portability
Data subjects have the right to receive personal data in a structured, commonly used and machine-readable format. They may also request that these personal data be transferred directly to another controller, if technically possible.
7. Right to object to the processing of personal data and to automated decision-making and profiling
Data subjects have the right to object to the processing of their personal data, including processing for direct marketing purposes, and to automated decision-making, including profiling.
Restricting the rights of data subjects
Within a research context, some rights can be restricted to a greater or lesser extent in different circumstances, namely when the exercise of these rights seriously impedes the research objectives or threatens to render them impossible.
If this is the case for your research, it is important to state clearly in the GDPR register, for each right separately, why deviating from it is necessary.
Since limiting the rights entails more risks for the data subjects, it is important to provide appropriate safeguards and organisational and technical security measures in your research. You must also document this information in the GDPR register.
Exercising rights
It is also important to inform data subjects about who they can contact to exercise their rights. As a researcher you will usually be the first contact person for this.
Below are some guidelines that may be helpful when data subjects seek to exercise their rights:
- The exercise of these rights naturally only applies to the data subject's own data. Rights therefore cannot be exercised with regard to the personal data of others.
- Exercising rights with regard to fully anonymised data (where the original data set has been deleted) will by definition be impossible.
- For requests to exercise rights with regard to pseudonymised data, you can first of all make it clear to the data subject that you can no longer access the data, precisely because you have pseudonymised it for security reasons. If the data subject insists, you will still have to make access, correction, etc. possible using the key.
Translated tip
Last modified Sept. 3, 2024, 9:19 a.m.