GDPR: What should I think about when I collaborate with others or share my data?
Sharing personal data within Ghent University
Research data with personal data can be shared within Ghent University with fellow researchers (within or outside your research project) under certain conditions for further processing or reuse of the research data. It is important to document and justify this transfer of data in the GDPR register. Also, do not forget to complete the register for each new processing by yourself or by fellow researchers within Ghent University.
What are the conditions for the reuse of personal data?
- Sufficient technical and organisational measures must be taken such as pseudonymisation, limitation of access to the data, encryption, ...
- The principle of data minimisation must be respected (do not collect more personal data than necessary and do not transmit more personal data than necessary).
- If the research goal of the reuse can be achieved with anonymous data, this is definitely preferred. If anonymisation is not possible then personal data should be pseudonymised as much as possible.
- The purpose of the reuse must fall within the expectations of the data subjects.
- If the data was originally collected on the basis of consent, consent must also be requested for reuse.
If special categories of personal data are involved, an additional check is applicable in scientific research: transfer is only allowed if necessary and proportionate and if appropriate measures are taken.
Sharing personal data outside Ghent University
If the data are shared with institutions or people outside Ghent University, it is necessary to draw up an agreement. This agreement should describe how the data will be transferred and what may happen with the data. There are a number of possible agreements depending on the roles that these institutions or persons play in the processing of personal data during or after your research:
- If you are working within a research project, with a processor, or if you (Ghent University) also take on the role of processor, a processing agreement must be prepared. A processing agreement stipulates how the personal data can be processed, who has access and for what exact purpose they can be used. For example: in the context of industry-funded research, a pharmaceutical company is the sponsor of the clinical trial and will act as the data controller. Therefore, Ghent University and Ghent University Hospital are data processors.
- If, in addition to Ghent University, another researcher, institution or organisation is a controller (i.e. joint controller) you must record in (an addendum to) the consortium agreement or cooperation agreement who is responsible for providing information to the data subjects and for the exercise of the rights of the data subjects.
- When (personal) data are transferred between two researchers, institutions or organisations where the other party re-uses the data for their own purposes, a data transfer agreement must be drawn up. Just like in a processing agreement, the data transfer agreement determines how the personal data can be processed, who has access and for what exact purpose they can be used. In case of a data transfer to a third country (outside of the EEA), the data transfer agreement should mention that it is an incidental transfer for a specific study, and that the patient has given explicit and informed consent to this transfer of personal data.
- If other researchers wish to reuse your data (which contain personal data) after your research, a data use agreement will be drawn up. This agreement clearly describes the conditions under which your data can be reused.
You can contact the legal support office of TechTransfer to draw up these contracts.
In addition to the roles that researchers, institutions or organisations play, the country in which these are located may also set certain requirements or conditions for the transfer of data. For more information take a look at the research tip on transfers of personal data to other countries or international organisations.
More tips
- GDPR: Can I share research data with personal data with other researchers or institutions when my research project has ended? (Research integrity & ethics)
- GDPR: how can I ensure that the processing of personal data is lawful? (Research integrity & ethics)
- GDPR: how do I protect my data correctly? (Research integrity & ethics)
- GDPR: how do I register personal data processing activities? (Research integrity & ethics)
- GDPR: how long may I store research data containing personal data? (Research integrity & ethics)
- GDPR: how to be transparent to data subjects in my research? (Research integrity & ethics)
- GDPR: what are personal data? (Research integrity & ethics)
- GDPR: what are some things to consider when processing personal data from minors? (Research integrity & ethics)
- GDPR: What are the basic principles? (Research integrity & ethics)
- GDPR: What are the different roles and responsibilities according to the GDPR? (Research integrity & ethics)
- GDPR: What do I need to think about when transferring personal data to third countries or international organisations? (Research integrity & ethics)
- GDPR: What do I need to think about when using a mailing list in the context of my research? (Research integrity & ethics)
- GDPR: what has changed with regard to the previous privacy legislation? (Research integrity & ethics)
- GDPR: What information should I include in an informed consent form when the processing of personal data is based on the consent of the data subjects? (Research integrity & ethics)
- GDPR: what is the General Data Protection Regulation? (Research integrity & ethics)
- GDPR: What rights do data subjects have, how do I respect them and what exceptions may apply to research? (Research integrity & ethics)
- GDPR: what should I do in case of a data breach? (Research integrity & ethics)
- GDPR: What should I do in the event of further/secondary processing of personal data? (Research integrity & ethics)
- GDPR: What should I keep in mind when designing my research? (Research integrity & ethics)
- GDPR: what should I keep in mind when processing special categories of personal data? (Research integrity & ethics)
- GDPR: When am I processing high-risk personal data and when do I need to conduct a DPIA? (Research integrity & ethics)
- GDPR: when does it apply to my research? (Research integrity & ethics)
- GDPR: who are considered to be vulnerable persons? (Research integrity & ethics)
- GDPR: why is it important to comply with this legislation? (Research integrity & ethics)
Last modified Aug. 28, 2024, 9:41 a.m.