GDPR in research

GDPR in research


As of May 25 2018, the GDPR (General Data Protection Regulation), or AVG (Algemene Verordening Gegevensbescherming) in Dutch, will apply to the entire European Union. The GDPR has its implications for research. Anyone who collects personal data within Radboud University during their research, must follow 8 guidelines following the Privacy by design principle.

The guidelines are only applicable for research with personal data. Personal is any data that can lead to the identification of an individual. For example name, birth date, email-address and IP address are direct personal data. But also a combination of data can lead to the identification of an individual and should therefore be treated as personal data. If you don't process personal data in your research, then the GDPR is not applicable. This is for instance the case when your research only includes anonymised data (but be aware that pseudonymised data is personal data).

This webpage intended as a guideline for researchers and will be updated over time. It does not promote a formal Radboud University policy, nor does it constitutes legal advice. The official webpage of the European Union concerning the GDPR can be found here.


The GDPR in research, a.o. special categories of personal data, processing in/outside the European Economic Area (EEA), and privacy by design/default.

Data minimisation

The data minimisation principle comprises that data has to be adequate, relevant and limited to what is necessary for the purposes for which they are processed.

Data quality

The data quality principle comprises that data has to be of good quality, i.e. the data has to be accurate and up-to-date.

Goal setting

In the goal setting, you describe what personal data you process, with which legitimate purpose and for how long.

Minimisation of use

Minimise the processing of and access to personal data, for a pre-defined purpose and period of time, and only by authorised persons.

Security measures

Make sure that the personal data you collect is well secured. When working with personal data, make use of privacy protection techniques.


The GDPR requires the controller to be transparent to data subjects about the processing of their personal data.

Rights of data subjects

Fundamental of the GDPR are the right of data subjects concerning the processing of their personal data.