Below you will find specific information that is relevant for researchers that are working with personal data at the Faculty of Social and Behavioural Sciences. This information is supplement to the central information sources on Intranet that cover working with personal data.

Legal bases for processing

The General Data Protection Regulation (GDPR) states that it is necessary to have a clear legal basis for processing personal data that can be traced back to individuals. This plays a crucial role especially in the field of social scientific research. Consent from participants is often seen as a requirement for such processing. However, consent has its limitations—it is specific to a particular purpose, and can be withdrawn by the participant at any time, which can jeopardize the progress and validity of the research.

Therefore, ‘public interest‘ is the primary legal basis for processing personal data within research activities at our faculty. This applies to all research conducted by researchers and PhD students. This is based on the fact that scientific research is a task of the university assigned by law. Therefore, the processing of personal data is permitted when it is done in the general interest of promoting knowledge and insight. Students will still need to rely on consent for processing personal data.

Consent from participants remains an essential element in research, mainly to involve them in the research in an ethically responsible manner, in accordance with the Declaration of Helsinki. For research involving special categories of personal data, such as data concerning ethnicity or sexual orientation, the need for explicit consent remains unchanged.

For more information on the legal bases for research under the GDPR, and cases where exceptions may apply, see this article on legal bases in the knowledge base.

When a participant withdraws consent

Participants have the right to withdraw their consent. It then matters whether they have given consent solely for participating in your project, or whether it also is the basis for processing their personal data.

1. When consent is the legal basis for processing personal data:

• In your information letter or privacy statement, you will need to indicate that participants have the right to withdraw their consent for the processing of their personal data, and how they can do this. Also emphasize withdrawing their consent should not have any negative consequences for them.
• If a participant withdraws their previously given consent before or during the study, you must immediately erase any personal data that may have been collected. The participant is clearly indicating that they do not wish to participate in the study. On ethical grounds alone, the personal data must then be deleted.
• If someone withdraws their consent after the personal data has been collected, all processing activities (e.g., analyses) that you have conducted with that personal data up to that point remain legally valid. Until you have published your results, the withdrawal of consent must always be honored. You must then erase the personal data of the concerned participant from the research database. If erasing this data makes your research impossible or seriously jeopardizes it, you may also anonymize the personal data.

While it is technically permitted to anonymize the data after a participants withdraws consent, this might not be appropriate in the spirit of withdrawing consent for processing. Therefore, this is only advised if full removal endangers or compromises the research.

2. When consent is only acquired for participation in the research (Declaration of Helsinki):

If personal data is processed based on public or legitimate interest, then withdrawing consent has no consequences for this. Participants are informed that if they wish identifiable research data to be deleted, a request for deletion must be submitted.

When a participants objects

Participants have the right to object when the processing of their data is based on legitimate or public interest. The GDPR states that participants have to show that their particular situation justifies a stop in processing, and that the request may be refused if the processing is considered necessary for public interest reasons. However, at our faculty any objection of processing of personal data is accepted and interpreted as a valid objection. This means that once a participants objects to further processing, you will have to remove their personal data, or anonymize it. Only when achieving the specific purposes of your project is threatened to become impossible or seriously hindered you can continue using personal data (when in doubt, contact the privacy officer).

Collecting special categories of personal information

Special categories of personal information receive additional protection under the GDPR. These are things like racial or ethnic origin, political opinions or health data. See the chapter on special types of personal data in the Data Privacy Handbookfor more information. When processing these types of data, you will need to ask for consent from your participants, even when you are choosing public interest as the legal basis for processing your data. The exception is when processing is serving a public interest, but asking for consent proves impossible or requires a disproportionate effort, and processing the data will not cause disproportionate harm to the participants. In practice this often means that you will need to ask for consent, or process this data anonymously. For instance, when you would like to use ethnicity to describe your sample, you can collect these variables in a separate questionnaire from the rest of your data without any personal identifiers.