The next step for the researchers is to identify whether personal data are going to be collected directly from the data subjects or indirectly (e.g., from other researchers, commercial databases, etc.). While this does not necessarily bind researchers to adopt a particular legal basis (see “Identify the most appropriate legal basis”), it might influence that decision. For instance, if researchers decide to collect data directly from the data subjects, they might be more favorable toward using consent as the legal basis, since a direct relationship with the data subjects is going to be established anyway. Moreover, as per Articles 13 and 14 GDPR, choosing a direct or indirect approach to data collection changes the information that the data controllers need to provide to the data subjects (see the “Right to Information” subsection in the Rights section of the General Part of these Guidelines).
Information to be provided to data subjects according to the collection approach:

| Information to be provided | Directly | Indirectly |
|---|---|---|
| The identity and contact details of the controller | ✓ | ✓ |
| If applicable, the identity and contact details of the controller’s representative | ✓ | ✓ |
| The contact details of the data protection officer | ✓ | ✓ |
| The purposes of the processing | ✓ | ✓ |
| The categories of personal data concerned | ✓ | |
| The legal basis for the processing | ✓ | ✓ |
| If applicable, legitimate interests pursued by the controller or by third parties | ✓ | ✓ |
| Recipients or categories of recipients of the personal data | ✓ | ✓ |
| The intention of the controller to transfer personal data to a third country or international organisation | ✓ | ✓ |
| In case of transfer, the existence or absence of an adequacy decision by the Commission, or, where applicable, reference to the safeguards and the means by which to obtain a copy of the data | ✓ | ✓ |
| The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period | ✓ | ✓ |
| The existence of the right to request access to and rectification or erasure of data or restriction of processing concerning the data subject or to object to processing, and the right to data portability | ✓ | ✓ |
| In case of ‘explicit consent’ as legal basis for processing, the existence of the right to withdraw consent at any time | ✓ | ✓ |
| The right to lodge a complaint with a supervisory authority | ✓ | ✓ |
| The source of the personal data, and if applicable, whether they came from publicly accessible sources | ✓ | |
| Whether the provision of data is a statutory or contractual requirement, or a requirement to enter into a contract, and whether the data subject is obliged to provide the data and the consequences of failure to provide such data | ✓ | |
| The existence of automated decision-making, including profiling | ✓ | ✓ |
| In the case of automated decision-making, information on the logic involved, the significance of processing, and its envisaged consequences for the subject | ✓ | ✓ |
The GDPR acknowledges that there might be cases in which this information duty does not apply, and lists the exemptions in Article 14.5 GDPR. These exceptions are:
- The data subject already has the information;
- The provision of such information:
  - proves impossible;
  - would involve a disproportionate effort; or
  - is likely to render impossible or seriously impair the achievement of the objectives of that processing.

  In this regard, it is important to clarify that this exception applies in particular to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in compliance with the conditions and safeguards enshrined in Article 89.1 GDPR (see the “Data protection and scientific research” subsection in the Main Concepts section of the General Part of these Guidelines). Besides, in such cases the controller shall take appropriate measures to protect the data subject’s rights, freedoms and legitimate interests, including making the information publicly available;
- The controller is required by EU or Member State law to obtain or disclose the personal data; or
- The personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
Regardless of how data are collected, the data controller shall take appropriate steps to ensure that the data are accurate and up to date (e.g., through a regular accuracy audit). Collecting data directly from the data subjects might help to lower the risk of inaccuracy (especially regarding behavioral biometric data, which might change over time). Also, the controller shall ensure transparency at every step of the process (see the “Lawfulness, fairness and transparency” subsection in the Principles section of the General Part of these Guidelines). For a more detailed explanation of the right to information and its nuances, please see the section ‘Data subjects’ rights’ in the General Part.