Data protection in research projects
The processing of personal data for research purposes is also subject to the regulations of the GDPR, but enjoys a partially privileged position there (see § 17 BlnDSG). In general, however, the principles of data protection also apply here – see FAQ “May I process personal data”.
Researchers have several basic strategies at their disposal for processing personal data:
Strategy 1: There is a legal basis for processing personal data for the respective research purpose, such as in the Law on Statistics in the State of Berlin.
Strategy 2: Obtaining informed consent from the data subjects for the processing of personal data.
The principles of data protection apply without restriction.
Strategy 3: Obtain informed consent and subsequent anonymisation at the earliest possible time to process the personal data.
The data protection principles apply without restriction until anonymisation. In particular, this means that all non-anonymised data must be deleted as soon as the research purpose has been fulfilled. This is regularly the case after the non-anonymised data has been evaluated. In addition, the consent obtained should be retained for a period of time in order to comply with the obligation to provide evidence under the GDPR and to guarantee the rights of data subjects.
Strategy 4: Processing without consent and subsequent anonymisation at the earliest possible stage (§17 (1) BlnDSG) for the processing of personal data while fulfilling the following circumstances
a) performance of a task for scientific or historical research purposes in the public interest or for statistical purposes,
b) if the public interest in the performance of the task significantly outweighs the interests of the data subject that are worthy of protection
c) and the purpose cannot be achieved in any other way.
Until anonymisation takes place, the personal data must be pseudonymised and may only be merged if the research or statistical purpose requires this (Section 17 (2) BlnDSG).
The facts are to be interpreted cumulatively. Apart from the obligation to obtain consent, the principles of data protection apply in full. The data protection officer should be involved for your protection.
Strategy 5: Anonymisation of personal data from the outset, taking into account different anonymisation strategies and group sizes of data subjects.
Data anonymised from the outset is not subject to the principles of data protection. Anonymised data are not considered personal data in the sense of the GDPR.
Special categories of personal data
When processing, appropriate and specific measures shall be taken to safeguard the interests of the data subject. Taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons presented by the processing, these may include in particular:
- Specific technical and organisational measures to ensure lawful processing
- Awareness-raising of those involved in processing operations
- Restricting access to personal data by persons under the authority of the controller or processor; and
Anonymisation
The administratively complex requirements under data protection law can be circumvented if the data are already fully anonymised at the time of collection. The transition between personal data and anonymised research data is fluid in places and depends largely on two influencing factors:
Group size and “strength” of the anonymisation strategy.
In small (to be surveyed) groups (less than 20 persons), it tends to be necessary to work with “stronger or several complementary” anonymisation strategies. In groups of more than 50 people, “weaker” anonymisation tends to be unproblematic. However, the individual case is also relevant here.
An overview of different anonymisation strategies for qualitative and quantitative research data can be found here.
Purpose limitation
Since it is not always possible in scientific projects to specify the exact purpose of the processing at the time of collection, the purpose can be defined somewhat more broadly. However, the purpose should only be as broad as absolutely necessary. Thus, blanket statements of purpose, e.g. that the data is collected “for research purposes”, are not legal. The data subject should be given the opportunity to give consent only for specific research areas or sub-projects for which the data are actually necessary. (cf. recital 33 of the GDPR).
This is easy to implement for large survey groups. In smaller groups, however, individual data in the questionnaire can make an allocation possible. In this case, anonymisation can be ensured through aggregation, the formation of groups or the omission of individual questions.
Further information:
Since it is not possible to create a generally applicable model consent in view of the large number of different research projects, you will find assistance in the following links for creating legally compliant informed consents and for anonymisation: