Information on data protection

RatSWD recommendation:

General questions for processing data

• Are personal data being processed?
  • Definition under Art. 4 No. 1 GDPR. No personal data in case of effective anonymisation.
  • Every processing operation requires justification according to Art. 6 para. 1 GDPR: consent or statutory authorisation.
• Are the data special personal data (Art. 9 GDPR)?
  • Listed under Art. 9 para. 1 GDPR and defined in more detail under Art. 4 No. 13 et seq. GDPR.
  • If so, additional justification is necessary in accordance with Art. 9 para. 2 GDPR besides the regular justification (Art. 6 para. 1 GDPR).
• Have technical and organisational measures been taken to protect the data during
  processing?
  • This includes measures to protect against destruction, modification, loss, or disclosure of data using state-of-the-art technology.
  • Physical security measures, technological security measures for virtual storage capacities, training for personnel, written agreements (licence agreements), rights management.
• Is a data protection impact assessment required?

The following must be reviewed for every processing step:

• For public entities: Is the processing of the data necessary to fulfil a research obligation?
• For non-public entities: Is the processing of the data necessary in the interest of research, which is not overridden by the interests of the data subjects?
• OR: Is effective (voluntary) consent given (Art. 4 No. 11 GDPR)?
• Are there any important interests that nevertheless oppose the processing of the data?
• Could the task be completed using less data?
• Could it be carried out with anonymous/pseudonymous data
• Are personal data being processed?

Further considerations

• How are data being stored?
  • Safe storage solutions must be selected that prevent, as much as possible, the loss of or unauthorised access to data.
• Who can access the data? (Research team, assistants, office)
  • Access to the data must be restricted to include only those who need to work with the data
• How long will the data be stored?
  • The maximum storage duration should be defined in all cases.
• Have the data subjects been informed about the processing of the data?
  • The obligation to provide information arises out of Art. 13 and Art. 14 GDPR and must be reviewed on a case-by-case basis.
• Is it possible to object to the processing of the data (erasure)?
  • This option must be given in every case.
• Will the data be transferred to third parties? If so, to whom? Does this include third parties outside the European Union or the European Economic Area?
  • The transfer of data is an independent processing step and must be reviewed for its legitimacy. The transfer of data to third countries must be reviewed independently in accordance with Art. 44 et seq. GDPR (see DSK 2019).

See: RatSWD (German Data Forum). (2020). Data protection guide, 2nd edition: 2nd fully revised edition. (Output Series, 6. Berufungsperiode Nr. 8). Berlin. doi: 10.17620/02671.57, p. 32 f. Link

RatSWD recommendation (excerpt):

• The research question and the methods used in a research project must be stated in a research design, which meets the standards of the research community regarding its content and approach. It should explain the types and scope of personal data that are collected, processed, and stored, and the technological means used to do so.
• The data protection officer of the applicable institution should be involved in the project as early as possible and be informed of any changes in the research design over the course of the project.
• The legal bases for processing the data for the project should be reviewed. This includes considering the option of obtaining consent even if consent does not take priority over other justifications. The reasons why a particular legal basis was deemed relevant for the planned processing of data should be documented. The key criteria for the weighing of interests should also be noted.
• The data collected will regularly be reviewed for their quality, security, and necessity.
• Technical and organisational measures should be taken to protect the data. They include but are not limited to – precautions to minimise data, anonymisation or pseudonymisation, the definition of and adherence to time limits for storage, the erasure of data that are obsolete or not useful, the implementation of role concepts, and secure access solutions. Security mechanisms must be installed to prevent the data from being scraped or manipulated.
• To protect the rights of data subjects, a suitable technical and organisational framework must be established, for example through the order of the datasets.
• The research results and the databases on which they are based must be archived for the long term in compliance with data protection regulations if they are needed for other projects or for research reproducibility.
• Research results must be communicated in compliance with data protection regulations. In this regard, the possibility that modern technology may identify persons by using ostensibly harmless information should be taken into consideration

See: RatSWD (German Data Forum). (2020). Data protection guide, 2nd edition: 2nd fully revised edition. (Output Series, 6. Berufungsperiode Nr. 8). Berlin. doi: 10.17620/02671.57, p. 33 f. Link

Please note that the European General Data Protection Regulation GDPR has been the basis for data processing since 2018. In Germany, it is supplemented by the Federal Data Protection Act (BDSG) and state-level data protection laws.

• RatSWD (German Data Forum). (2020). Data protection guide: 2nd fully revised edition. (Output Series, 6. Berufungsperiode Nr. 8). Berlin. doi: 10.17620/02671.57. Link

• Antony, G., Bialkem M., Pommerening, K. & Repp, R. (2017). Checkliste zur Erstellung eines Datenschutzkonzeptes. Version 1.0 vom 12.12.2017. Berlin. Technologie- und Methodenplattform für die vernetzte medizinische Forschung (TMF). Link
• Bundesbeauftragter für Datenschutz und Informationsfreiheit. (2020). Datenschutz-Grundverordnung – Bundesdatenschutzgesetz – Texte und Erläuterung (Info 1). Link
• Datenschutzkonferenz. (2017). Datenschutz-Folgenabschätzung nach Art. 35 DS-GVO (Kurzpapier Nr. 5). Link
• Datenschutzkonferenz. (2018). Risiko für die Rechte und Freiheiten natürlicher Personen (Kurzpapier Nr. 18). Link
• Liebig, S., Gebel, T., Grenzer, M., Kreusch, J., Schuster, H., Tscherwinka, R. & Witzel, A. (2014). Datenschutzrechtliche Anforderungen bei der Generierung und Archivierung qualitativer Interviewdaten. Erarbeitet und verfasst von der Arbeitsgruppe Datenschutz und qualitative Sozialforschung (RatSWD Working Paper 238/2014). Berlin. Rat für Sozial- und Wirtschaftsdaten (RatSWD). Link [Please note the new requirements of the GDPR for this working paper.!]
• Meyermann, A. & Porzelt, M. (2019). Datenschutzrechtliche Anforderungen in der empirischen Bildungsforschung – eine Handreichung: Version: 2 (forschungsdaten bildung informiert Nr. 6). Link
• Vettermann, O. (2023). Entscheidungsbaum: Datenschutzkonformes internes Teilen von Forschungsdatensätzen. NFDI4Culture; FIZ Karlsruhe. Link
• Vettermann, O. (2023). Entscheidungsbaum: Video-Uploads auf Video-Plattformen. NFDI4Culture; FIZ Karlsruhe. Link
• Vettermann, O. (2023). Handreichung: Datenschutzrechtliche Aspekte zum Video-Upload auf Video-Plattformen. NFDI4Culture; FIZ Karlsruhe. Link