FAQ transparency

This website provides frequently asked questions about transparency in the context of the GDPR in research. Additionally, it is useful to read the general information about transparency.

  1. Withdrawing the right to share de-identified data: is it possible?
  2. How and where should I store informed consent forms and contact information?
  3. How do I interpret the right of a participant to receive data?

1. Provided a participant has agreed (via an informed consent form) with the de-identified sharing of research data, to what extent has that person the right to withdraw this agreement?

See also GDPR minimisation of use. In short, de-identified data cannot be linked to the participant, and the participant can no longer exercise his rights concerning those data. This must be transparent to the participant, e.g. in the information brochure and/or informed consent form. For instance, you can define a reasonable period in which the participant can still withdraw from sharing data, i.e. as long as you, as a researcher are able to identify the participant from it (e.g. for pseudonymised data).

2. How and where should I keep consent forms and contact information that is required in case a data subject would after all like to have his data removed? It should be transparent that there is a limitation as to when data subjects can request data removal.

In general, what should be leading, is that direct identifiable personal data should be disposed as soon as it is no longer required for its purpose (see GDPR data minimisation). Informed consent forms contain personal data and are an exception, as they must be preserved for reasons of scientific integrity. Whether or not to store contact information for a longer period depends on your goal description. Contact information can be stored in an institute specific storage system or password-protected file. Be transparent in information brochures for how long this contact information is stored and for how long participants can thus request removal.

3. According to Article 20.2 in the GDPR (right to data portability), participants have the right to receive personal data concerning him or her which he or she has provided to the data controller. How can ‘data provided’ be interpreted?

Indeed, participants have the right to receive any of their processed data. For instance, participants may request research data (questionnaire data, interviews, MRI scans etc.). In general, it is the researchers’ responsibility to make sure that the participant receives this data. At some point, it may no longer be possible to provide individual data, as data has been anonymised and/or de-identified. The right to receiving data (for a limited time) should be clearly described in the information brochure.