GDPR in research: introduction

This webpage provides a general introduction to the GDPR in research:

Introduction to the GDPR

As of May 25, 2018, the GDPR (General Data Protection Regulation), or AVG in Dutch (Algemene Verordening Gegevensbescherming), will apply to the entire European Union. This regulation is the successor to the privacy legislation of the individual countries. In the Netherlands this was the Dutch Data Protection Act (Wet Bescherming Persoonsgegevens).

The GDPR facilitates harmonisation of privacy laws across Europe, protects and empowers EU residents’ data privacy, and reshapes the way organisations across the region approach data privacy for EU residents wherever they work or are subject to data processing in the world. The GDPR also changes some of the rules regarding the processing of personal data. Processing means any operation which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, use, erasure or destruction.

Processing of special categories of personal data

Be aware that there is a difference between personal data and special categories of personal data. Examples of special categories are data revealing ethnic origin or religious beliefs. When you are processing special categories of personal data, the GDPR imposes stricter requirements. For more information see Article 9.

Processing data within or outside the EEA

The GDPR applies throughout the European Union; all countries within the EU are bound by the provisions of the GDPR. Norway, Liechtenstein and Iceland have the same level of protection, which means that data can be exchanged relatively easily within the EEA. Outside the EEA, the level of protection of personal data is often less well regulated. Therefore, additional measures must be taken if there is an exchange of information with a party outside the EEA. If the correct measures are not taken, the transfer of personal data is not lawful.

Transfers outside the EEA can be lawful in several ways:

  1. The European Commission has taken an adequacy decision with regard to the country to which the transfer takes place. This applies to a limited number of countries. The most recent overview can be found via this link.
  2. If no adequacy decision has been taken, a transfer may only take place if the party outside the EEA offers appropriate safeguards and data subjects have enforceable rights and effective remedies.

    The most relevant options are:
    - Governments have concluded an agreement on the protection of personal data. An example of this is the EU-US Privacy Shield. An American company that complies with the principles of this Privacy Shield can be certified. When the company has a certificate, it is permitted to provide personal data to that company. Via this website you can check whether a company complies with the Privacy Shield principles.
    - Standard Contractual Clauses (model contracts) are declared applicable. These model contract provisions have been established by the European Commission. Nothing in the model contract provisions may be altered. It is, however, possible to conclude a processor agreement in addition to the model contract, to arrange additional matters. It must then be stipulated that in the event of a conflict, the model contract will prevail over the processor agreement.

    Two model contracts have been established: one for the situation of transfer from a controller within the EEA to a controller outside the EEA, and one for the situation of transfer from a controller within the EEA to a processor outside the EEA. These model contracts can be found via this link.
  3. Where an adequacy decision has not been taken and there are no adequate safeguards, transfers outside the EEA may only take place if there are approved binding company rules. Binding company rules are only approved if they are legally binding on, apply to and are enforced by all involved members of the group, if they grant enforceable rights to those involved with regard to the processing of personal data, and if they meet the requirements of Article 47 section 2.

  4. If no adequacy decision has been taken, there are no adequate safeguards and no binding company rules have been approved, it must be considered per specific situation whether there is still the possibility of passing on data outside the EEA. Article 49 provides a basis for this. This article can only be used if none of the aforementioned points applies. One of the options in this case is that the person concerned gives permission for transfer outside the EEA. The person concerned must first be informed of the risks that such transfers may entail.

Privacy by design and privacy by default

Core principles in the protection of personal data are the concepts of privacy by design and privacy by default:

  • Privacy by design implies that right from the start, any action involving the processing of personal data is carried out with data protection and privacy in mind.
  • Privacy by default ensures that by default, all technical and organisational measures are taken to process data with the highest privacy protection (for example: only data necessary should be processed, short storage period, limited accessibility).

Based on the privacy by design principle, Radboud University has developed a video with eight guidelines on the use of personal data: data minimisation, data quality, goal setting, minimisation of use, security measures, transparency, rights of data subjects and liability. In line with these eight guidelines, the present website explains the implications of the GDPR for privacy protection in research, including research data management.


The following guidelines assume some awareness of the various definitions used in the GDPR.

Reporting an incident
A stolen phone, a data breach, phishing e-mail or other security incident? Report it to the ICT Helpdesk instantly. 024 - 362 22 22 (24/7 reachable) or

Questions on the GDPR and personal data in education and support
Contact your own faculty’s Data Protection Manager (DPM). If the DPM can’t help you, he or she will contact the central office.

Questions on the GDPR and personal data in research and research data management
Contact RDM support or your institute’s data steward.

Frequently asked questions

Read the general frequently asked questions about the GDPR and its implications for research data management.