Determining the legal basis
You always need a legal basis when working with personal data. This is usually informed consent, which you obtain from the participants. Other legal bases are possible, theoretically, but you should consult the Data Protection team before using them. Since the consent form has to contain certain information by law, you should also contact the Data Protection team to check the content before using one. They also provide a model consent form.
Commissioned data processing
If you forward personal data from your project to any service providers (e.g. transcription services or laboratories), you will need to conclude a special agreement with them. This “Commissioned Data Processing” agreement (Auftragsverarbeitungsvertrag) obliges the service provider to comply with data protection requirements. The Data Protection team provides a model agreement and helps with the details.
If you process data in a cooperative research project (e.g. a joint project), all cooperating parties share responsibility for data protection compliance (joint control). In this case, a written agreement must be made, specifying each cooperating institution’s responsibility (e.g. to inform research subjects, ensure compliance with research subjects’ rights, etc.). Where possible, the Data Protection team should be consulted on the wording of the agreement.
Once the data has been collected, it must be anonymized immediately. If anonymization conflicts with the purpose of the research, the data should at least be pseudonymized. The original personal data and the key used to pseudonymize it must be stored separately from the pseudonymized data. In addition, technical and organizational measures (e.g. access privileges restricted to project managers) must be taken to protect the pseudonymized data. Other procedures (e.g. not pseudonymizing the data until after the project) are only permitted if they are explicitly included in the consent form. Valid reasons must be given for such cases.
After completion of the project, the research data on which the results are based must be retained for at least 10 years and, if possible, made publicly available. If it does not affect the traceability of the results, this is provided in anonymized form either within the institution or in a multi-site repository. If complete anonymization is not possible, it is mandatory that the research data be held in trust; in this case, contact the Data Protection team. Anonymized data can be published via a research data repository without any problems. Data that still contains a personal reference can only be published with the explicit consent of the persons concerned.
Data is considered personal if it enables the user to identify the individual to whom it relates. Whether that is possible can depend on the research context. If the data is collected via an online survey, for instance, and there are thousands of respondents, questions about age and gender will not enable individual participants in the survey to be identified. But if the same survey is conducted with a specific, smaller group of people (e.g. a company’s employees or a club’s members), it is possible that information about age and gender would enable others to identify individual participants easily. So, without knowing the research context, it is not possible to say whether a data set contains data that would enable participants to be identified. Consequently, you should contact the Data Protection team if your research involves asking several questions about demographic aspects. They can tell you whether they think the data can be considered anonymous or not.
Besides consent, one main legal basis for research is “exercise of assigned tasks” (Ausübung hoheitlicher Aufgaben). This means you can handle personal data without consent for scientific or historical research purposes in the public interest or for statistical purposes, if the public interest in carrying out the project substantially outweighs the interests worthy of protection of the data subject and the purpose cannot be achieved by other means. In other words, it must be proved that the public interest outweighs the research subjects’ interests. Since this is a complex and time-consuming task, it is usually not advisable to use this legal basis as it is not practical.
The law does not specify an age from which people can be considered able to give their consent. However, Article 8 of the GDPR would suggest that young people aged 16 or above can be assumed to be capable of giving informed consent. For younger children, it is usually necessary to obtain their legal guardians’ consent. Having said that, there are some situations in which it might be possible to assume that the child is capable of giving consent. The Data Protection team is happy to advise.
Revocation does not take effect until the actual time at which consent is revoked. In other words, any data processing that has already taken place (publication, for instance) remains lawful. When a person exercises their right to revoke consent, any data processing must stop and the data must be deleted unless another legal basis permits further processing.
If the research purpose allows it, personal data must be anonymized as soon as it has been collected. If full anonymization is not possible, it should at least be pseudonymized. The original personal data and the key used to pseudonymize it must be stored separately from the pseudonymized data. In addition, technical and organizational measures (e.g. access privileges restricted to project managers) must be taken to protect the pseudonymized data. Other procedures (e.g. not pseudonymizing the data until after the project) are only permitted if they are explicitly included in the consent form. Valid reasons must be given for such cases.
Anonymization means that all personal references are removed from the data and the original data is completely deleted. It is then no longer possible to re-identify the research subjects. Anonymized data is thus no longer personal data and, as such, no longer subject to data protection requirements. Pseudonymization means that the data that enables the individual to be identified (the name, for example) is replaced by a pseudonym (an identifier, for example) in the data set. The key showing which name belongs to which identifier must be stored safely, separately from the other data, and technical and organizational measures taken to protect it (e.g. access privileges restricted to project managers). The key can then be used to re-identify the subjects. Pseudonymized data is fully subject to data protection rules.
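An added illustration, not part of the original guidance: the pseudonymization described above, with the key table returned as a separate object, plus a check for the small-group problem with age and gender described earlier on this page. The field names, the `P-` pseudonym format and the threshold `k` are assumptions, and the records are constructed.

```python
import secrets
from collections import Counter

# Constructed sample records (not real data); field names are assumptions.
RECORDS = [
    {"name": "Alice Example", "age": 34, "gender": "f", "answer": 4},
    {"name": "Bob Example", "age": 34, "gender": "m", "answer": 2},
    {"name": "Carol Example", "age": 34, "gender": "f", "answer": 5},
    {"name": "Dan Example", "age": 61, "gender": "m", "answer": 1},
]

def pseudonymize(records, id_field="name"):
    """Split records into (pseudonymized rows, key table).

    The key table maps pseudonym -> original identifier. It has to be
    stored separately from the rows, under restricted access.
    """
    key_table, by_identity, rows = {}, {}, []
    for rec in records:
        identity = rec[id_field]
        if identity not in by_identity:
            # Random pseudonym: cannot be recomputed from the name,
            # unlike an unsalted hash of it.
            pid = "P-" + secrets.token_hex(8)
            by_identity[identity] = pid
            key_table[pid] = identity
        row = {k: v for k, v in rec.items() if k != id_field}
        row["pid"] = by_identity[identity]
        rows.append(row)
    return rows, key_table

def small_groups(rows, quasi_identifiers=("age", "gender"), k=2):
    """Return quasi-identifier combinations shared by fewer than k rows.

    Rows in such groups may still identify a person in a small cohort,
    even though the name has been replaced.
    """
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    return {combo: n for combo, n in counts.items() if n < k}

def reidentify(pid, key_table):
    """Only possible for someone who holds the separately stored key table."""
    return key_table[pid]
```

With the constructed records, the two male respondents are each alone in their age and gender group, so the pseudonymized rows alone could still single them out in a small cohort.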
Yes, the preservation period applies to all primary data that are the basis of research findings. If it does not affect the traceability of the results, the data must be anonymized for this purpose. If complete anonymization is not possible, the research data must still be retained; in this case, however, it is mandatory that the data be held in a trust. For this purpose, please contact TU Berlin's Data Protection Team.