GDPR: What should I think about when I collaborate with others or share my data?

Sharing personal data within Ghent University

Research data with personal data can be shared within Ghent University with fellow researchers (within or outside your research project) under certain conditions for further processing or reuse of the research data. It is important to document and justify this transfer of data in the GDPR register. Also, do not forget to complete the register for each new processing by yourself or by fellow researchers within Ghent University.

What are the conditions for the reuse of personal data?

  • Sufficient technical and organisational measures must be taken such as pseudonymisation, limitation of access to the data, encryption, ...
  • The principle of data minimisation must be respected (do not collect more personal data than necessary and do not transmit more personal data than necessary).
  • If the research goal of the reuse can be achieved with anonymous data, this is definitely preferred. If anonymisation is not possible then personal data should be pseudonymised as much as possible. 
  • The purpose of the reuse must fall within the expectations of the data subjects.
  • If the data was originally collected on the basis of consent, consent must also be requested for reuse.

If special categories of personal data are involved, an additional check is applicable in scientific research: transfer is only allowed if necessary and proportionate and if appropriate measures are taken.

Sharing personal data outside Ghent University

If the data are shared with institutions or people outside Ghent University, it is necessary to draw up an agreement. This agreement should describe how the data will be transferred and what may happen with the data. There are a number of possible agreements depending on the roles that these institutions or persons play in the processing of personal data during or after your research:

  • If you are working within a research project, with a processor, or if you (Ghent University) also take on the role of processor, a processing agreement must be prepared. A processing agreement stipulates how the personal data can be processed, who has access and for what exact purpose they can be used. For example: in the context of industry funded research, a pharmaceutical company is the sponsor of th clinical trial and will act as the data controller. Therefore, Ghent University and Ghent University Hospital are data processors.
  • If, in addition to Ghent University, another researcher, institution or organisation is a controller (i.e. joint controller) you must record in (an addendum to) the consortium agreement or cooperation agreement who is responsible for providing information to the data subjects and for the exercise of the rights of the data subjects.
  • When (personal) data are transferred between two researchers, institutions or organisations where the other party re-uses the data for their own purposes, a data transfer agreement must be drawn up. Just like in a processing agreement, the data transfer agreement determines how the personal data can be processed, who has access and for what exact purpose they can be used. In case of a data transfer to a third country (outside of the EEA), the data transfer agreement should mention that is an incidental transfer for a specific study, and that the patient explicitly and informed consented to this transfer of personal data.
  • If other researchers wish to reuse your data (which contain personal data) after your research, a data use agreement will be drawn up. Thid agreement clearly describe the conditions under which your data can be reused.

You can contact the legal support office of TechTransfer to draw up these contracts.

In addition to the roles that researchers, institutions or organisations play, the country in which these are located may also set certain requirements or conditions for the transfer of data. For more information take a look at the research tip on transfers of personal data to other countries or international organisations.

More tips

Translated tip


Last modified Aug. 28, 2024, 9:41 a.m.