FAQ rights of data subjects

This website provides frequently asked questions about rights of data subjects in the context of the GDPR in research. Additionally, it is useful to read the general information about rights of data subjects.

  1. What rights do research participants have regarding data erasure?
  2. What are the main exceptions for scientific research?
  3. How do I interpret the right of a participant to receive data?

1. According to Article 17.2, participants have the right to demand from the researcher the erasure of personal data concerning him or her, including data at any third party to which the controller has transmitted the data. In cases that pseudonymised data is archived in an online repository, to what extent can the participant request to erase the data based on this right to be forgotten?

Article 17.2 says: “Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data."

In short, a participant no longer has rights to data that cannot be traced back to him/her (i.e. for de-identified and anonymised data).

If data still contains a pseudonym, it is usually only identifiable by the researchers that have the key-file. Quick solution then would be to remove any links between pseudonym and personal data.

If data still concerns identifiable data like video data, the participant must be properly informed beforehand (through the information brochure) and explicitly consent for publishing his/her data. It must be clear what is possible in terms of withdrawing this consent: if data is published open access, it is not possible to retrace downloaders of the data.

To enable the possibility to inform downloaders about a request for data removal, the online data publication must require authentication so that downloaders are known by the researcher. The researcher should determine beforehand what are reasonable steps to enable this, and inform participants accordingly.

2. The GDPR includes some exceptions concerning data subjects’ rights specifically when personal data is used for scientific or statistical purposes. What are the main exceptions?

Exceptions are formulated in the Uitvoeringswet AVG. For exceptions concerning rights of data subject see Article 44. In short, the right to access the personal data processed, the right to rectify this data and the right to restrict processing of this data do not apply when personal data is used for scientific purposes (after consent).

3. According to Article 20.2 (right to data portability), participants have the right to receive personal data concerning him or her which he or she has provided to the data controller. How can ‘data provided’ be interpreted?

See FAQ GDPR transparency. As long as it is possible (i.e. as long as research data is pseudonymised and/or identifiable), the participant has the right to receive any (personal) data concerning him or her. There are no exceptions to this, including data that was directly provided by the participant or indirectly via e.g. parents or other care takers.