Sharing processed data with other researchers

Frederic Tronnier (GUF)

This part of The Guidelines was reviewed by Aurélie Pols (DPO) and Iñigo de Miguel Beriain (UPV/EHU).

This part of The Guidelines has been reviewed and validated by Marko Sijan, Senior Advisor Specialist (HR DPA).

This part of the Guidelines provides advice for researchers who want to share processed data with other researchers or research organizations after having accomplished their original research task. The sharing of data with other researchers is likely to be considered a form of ‘dissemination’ or of making data ‘available’ to other researchers. Accordingly, it would be considered a different (further) processing than the original one, which involved data being ‘used’ to tackle a research question (see the subsection on ‘Gaining access to a database’ in the “Main actions” section of the General Part of these Guidelines).

Proceeding on the assumption that no express consent has been obtained from the data subjects (otherwise the lawfulness requirement would be easier to meet under Art. 6(1)(a)), there are various scenarios demanding different legal evaluations (see the “Identification, pseudonymization and anonymization” subsection in the “Concepts” section of the General Part of these Guidelines):

  • If the data have been pseudonymized or appropriate safeguards against re-identification have been put in place, it may be easier for the ‘sharing’ of data to be found legal under Art. 6(4).
  • Even if the data have not been pseudonymized, as long as the dissemination of data is considered necessary for scientific or historical research purposes (e.g. it is not meant to satisfy the morbid curiosity of other researchers, but to genuinely assist them in progressing in their field), then the processing is still likely to be considered a compatible, lawful processing operation (Recital 50), although it is still highly advised to obtain consent from the data subjects for the further processing. Recitals 159 and 33 introduce the notion of broad consent for scientific research, meaning that the exact processing need not be fully specified in advance. Data subjects should however be given the option to give consent to specific areas of research and to withdraw consent for other parts of the research objective.

In any case, controllers will have to satisfy the fairness/transparency principle (see “lawfulness, fairness and transparency” subsection in the “Principles” section of the General Part of these Guidelines) again, making the data subjects aware of their rights as to this further purpose (Art. 14(4)). All the other principles of the GDPR will have to be complied with in relation to this further processing as well.

As with the sale of personal data, be aware that you may be in a joint controllership with the recipient of the data and that you are still responsible for the database, i.e. liable if infringements are made by the recipient of the data (see the “Main Actors” section in the General Part of these Guidelines). Therefore, as with all transactions, contracts between you and the recipient of the database are necessary and advised in order to provide all parties with clarity on the legal obligations and rights of every party involved. Contracts should specify the purpose for which the recipient will use the data as well as how the rights of data subjects will be protected and by whom.

DOs
  • Before purchasing access to a database, a contract between the provider and the recipient of the data should define the rights and responsibilities of every party involved in the transaction. This includes defining whether the purpose of the processing by the recipient is in line with the processing that the data subjects consented to before.
  • Treat all data with the same care as personal data and remember that data may be aggregated with additional data from other sources. Thus, anonymization of personal data is very difficult.
  • If you collect consent for sharing data, remember to keep language clear and simple to engage as many people as possible. Make it relevant to people’s lives; use real-life, everyday examples where possible. This includes explaining what the data is needed for, what rights the data subjects have and how you protect the data and the data subject’s privacy. Make sure to collect individual consent for each different purpose for which you foresee the need to process the personal data.
  • Collect proof that substantial investments have been made for the creation of your database (not on the creation of data as such). This ensures the sui generis rights of the database which grant you the right to prevent others from using the database or extracting information from it.
  • Record everything you do and explain the reason why.
  • Be sure to have a legal basis for disclosure to third parties. Pass obligations on to recipients of data and make clear stipulations.
  • If you have questions regarding the commercialization of data, ask as many experts as possible before commercializing data on your own.
  • Inform yourself on the GDPR by reading it. A clear understanding of the basic terms ‘personal data’, ‘processing’, ‘data processor’, ‘data controller’ and ‘data subject’ is necessary, but keep in mind that compliance with the GDPR is more than just these terms. Therefore, consult with a data protection officer (if one has been appointed at your organization) or personal data protection specialists before the start of processing operations.
  • For scientific research, use the EDPS opinion on data protection and scientific research [1].
DON’Ts
  • Don’t use the paradigm of data ownership – it doesn’t fit. Fundamental rights of data subjects cannot be ‘sold’.
  • Don’t think that if you pay database makers to use their database, you will be excluded from liability in those cases where the provider of the data infringed another right on a previous database. Always critically question the origin of the data you are about to buy.
  • Don’t try to collect consent for every possible scenario; people will distrust you. However, also don’t collect one consent for more than one processing purpose. Also, don’t use jargon to hide intent or scare people off.
  • Do not warn about economic consequences of withdrawing consent or refusing to give consent. Remember to offer participants a real choice.
  • Never assume that the data you collected is uncritical. Don’t skip the application of the GDPR because of the pseudonymization of personal data. In most cases it is much easier to re-identify data subjects than you think (e.g. due to advanced technologies which can correlate data from multiple sources and link to a specific person). Only if data is truly anonymized is it no longer possible to reverse it to personal data.

References


[1] EDPS, 2020. A Preliminary Opinion on data protection and scientific research. Available at: https://edps.europa.eu/sites/edp/files/publication/20-01-06_opinion_research_en.pdf
