GDPR in research: goal setting

This website provides information about goal setting in the context of the GDPR in research:

Definition

In your goal setting, you must describe in detail what personal data you will be processing, for which legitimate purpose (Article 6), and for how long you are going to keep this data. There is no room for vagueness or interpretation here. Using the personal data at a later time for a purpose other than the one described in the goal setting is not permitted.

Guidelines

  1. Make sure you process data only for purposes and on a legal basis that are specified, explicit and legitimate, based on the GDPR (Article 6).

  2. It is advisable not to further process and/or reuse personal data in a way that is incompatible with those purposes (unless the data subject gives new consent).

  3. If the purpose for the processing of personal data is legitimate interest (Article 6.1.f), don’t forget to describe those interests.

  4. Make sure you have an adequate informed consent procedure in place at the time of data collection, in which you inform data subjects about the following (Article 13):
    - What personal data are processed, for what purpose, by whom and for how long.
    - The identity and contact information of the controller (usually the researcher), and where applicable, of the controller’s representative and of the data protection officer.
    Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4).
    - The categories of recipients to whom the personal data have been or will be disclosed. Specify if the recipient is in another country/international organisation, including safety measures. Also specify if the recipient is outside the EEA, including safety measures.
    - Period of storage, or the criteria used to determine that period.
    - The right to rectify or erase personal data, to restrict processing, to object to processing and the right to data portability.
    - The right to withdraw consent.
    - The right to complain.

  5. Think about the documentation of all processing of personal data in your research project. You can do that by maintaining a written record (logbook) in which you describe (Article 30):
    - What personal data are processed, for what purpose, by whom and for how long.
    - The identity and contact information of the controller/processor, and where applicable, of the controller/processor’s representative, and of the data protection officer.
    - The categories/types of data subjects and the categories/types of personal data.
    - The categories of recipients to whom the personal data have been or will be disclosed. Specify if the recipient is in another country/international organisation (inside or outside the EEA).
    - Where possible, a general description of the technical and organisational security measures (Article 32.1).

GDPR articles

Information about data quality can be found in the following articles and recitals in the GDPR.

Frequently asked questions

Read the frequently asked questions about goal setting in the GDPR and its implications for research data management.