The next step for the researchers is to identify whether personal data are going to be collected directly from the data subjects or indirectly (e.g., from other researchers, commercial databases, etc.). While this does not necessarily bind researchers to adopt a particular legal basis (see “Identify the most appropriate legal basis”), it might influence that decision. For instance, if researchers decide to collect data directly from the data subjects, they might be more inclined to use consent as the legal basis, since a direct relationship with the data subjects is going to be established anyway. Moreover, as per Articles 13 and 14 GDPR, choosing a direct or indirect approach to data collection changes the information that the data controllers need to provide to the data subjects (see the “Right to Information” subsection in the Rights section of the General Part of these Guidelines).

Information to be provided to data subjects according to the collection approach
Directly Indirectly
The identity and contact details of the controller
If applicable, the identity and contact details of the controller’s representative
The contact details of the data protection officer
The purposes of the processing
The categories of personal data concerned
The legal basis for the processing
If applicable, legitimate interests pursued by the controller or by third parties
Recipients or categories of recipients of the personal data
The intention of the controller to transfer personal data to a third country or international organisation
In case of transfer, the existence or absence of an adequacy decision by the Commission, or, where applicable, reference to the safeguards and the means by which to obtain a copy of the data
The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
The existence of the right to request access to and rectification or erasure of data or restriction of processing concerning the data subject or to object to processing and the right to data portability
In case of ‘explicit consent’ as legal basis for processing, the existence of the right to withdraw consent at any time
The right to lodge a complaint with a supervisory authority
The source of the personal data, and if applicable, whether they came from publicly accessible sources
Whether the provision of data is a statutory or contractual requirement, or a requirement to enter into a contract, and whether the data subject is obliged to provide the data and the consequences of failure to provide such data
The existence of automated decision-making, including profiling
In the case of automated decision-making, information on the logic involved, the significance of processing, and its envisaged consequences for the subject

The GDPR acknowledges there might be cases when this information duty might not be applicable and lists exemptions in Article 14.5 GDPR. These exceptions are:

  • The data subject already has the information;
  • The provision of such information:
    • proves impossible;
    • would involve a disproportionate effort;
    • is likely to render impossible or seriously impair the achievement of the objectives of that processing.

In this regard, it is important to clarify that this exception particularly applies to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in compliance with the conditions and safeguards enshrined in Article 89.1 GDPR (see the “Data protection and scientific research” subsection in the Main Concepts section in the General Part of these Guidelines).

Besides, in such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;

  • The controller is required by EU or Member State law to obtain or disclose the personal data; or
  • Where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

Regardless of how data is collected, the data controller shall take appropriate steps to ensure the data is accurate and up to date (e.g., regular accuracy audit). Collecting data directly from the data subjects might help to lower the risk of inaccuracy (especially regarding behavioral biometric data, which might change over time). Also, the controller shall ensure transparency in every step of the process (see the “Lawfulness, fairness and transparency” subsection in the Principles section of the General Part of these Guidelines). For a more detailed explanation regarding the right to information and its nuances, please see the section ‘Data subjects’ rights’ in the General Part.


