Service Center Research Data Management

Handling Personal Data

The EU Charter of Fundamental Rights and Germany’s Basic Law (Grundgesetz) grant every individual the right to have their personal data protected. This means that the scientific community also has to comply with data protection rules when working with research data.

The data protection legislation specifies how personal data should be handled. Since TU Berlin is governed by the State of Berlin, the University and its employees are subject to the Berlin Data Protection Act as well as the GDPR.

Handling personal data - key processes

Preparation

Determining the legal basis

You always need a legal basis when working with personal data. This is usually informed consent, which you obtain from the participants. Other legal bases are possible, theoretically, but you should consult the Data Protection team before using them. Since the consent form has to contain certain information by law, you should also contact the Data Protection team to check the content before using one. They also provide a model consent form.

Commissioned data processing

If you forward personal data from your project to any service providers (e.g. transcription services or laboratories), you will need to conclude a special agreement with them. This “Commissioned Data Processing” agreement (Auftragsverarbeitungsvertrag) obliges the service provider to comply with data protection requirements. The Data Protection team provides a model agreement and helps with the details.

Cooperative research

If you process data in a cooperative research project (e.g. a joint project), all cooperating parties share responsibility for data protection compliance (joint control). In this case, a written agreement must be made, specifying each cooperating institution’s responsibility (e.g. to inform research subjects, ensure compliance with research subjects’ rights, etc.). Where possible, the Data Protection team should be consulted on the wording of the agreement.

Processing

Once the data has been collected, it must be anonymized immediately. If anonymization conflicts with the purpose of the research, the data should at least be pseudonymized. The original personal data and the key used to pseudonymize it must be stored separately from the pseudonymized data. In addition, technical and organizational measures (e.g. access privileges restricted to project managers) must be taken to protect the pseudonymized data. Other procedures (e.g. not pseudonymizing the data until after the project) are only permitted if they are explicitly included in the consent form. Valid reasons must be given for such cases.

Archiving and publication

After completion of the project, the research data on which the results are based must be retained for at least 10 years and, if possible, made publicly available. If it does not affect the traceability of the results, this is provided in anonymized form either within the institution or in a multi-site repository. If complete anonymization is not possible, it is mandatory that the research data be held in trust - in this case, contact the Data Protection team. Anonymized data can be published via a research data repository without any problems - in the case of data that still contain a personal reference, this is only possible with the explicit consent of the persons concerned.

Frequently asked questions

Is the data personal if the survey only includes a few questions about demographic aspects such as degree program or age?

Data is considered personal if it enables the user to identify the individual to whom it relates. Whether that is possible can depend on the research context. If the data is collected via an online survey, for instance, and there are thousands of respondents, questions about age and gender will not enable individual participants in the survey to be identified. But if the same survey is conducted with a specific, smaller group of people (e.g. a company’s employees or a club’s members), it is possible that information about age and gender would enable others to identify individual participants easily. So, without knowing the research context, it is not possible to say whether a data set contains data that would enable participants to be identified. Consequently, you should contact the Data Protection team if your research involves asking several questions about demographic aspects. They can tell you whether they think the data can be considered anonymous or not.

Can I work with personal data without the subjects’ consent?

Besides consent, one main legal basis for research is “exercise of assigned tasks” (Ausübung hoheitlicher Aufgaben). This means you can handle personal data without consent for scientific or historical research purposes in the public interest or for statistical purposes, if the public interest in carrying out the project substantially outweighs the interests worthy of protection of the data subject and the purpose cannot be achieved by other means. In other words, it must be proved that the public interest outweighs the research subjects’ interests. Since this is a complex and time-consuming task, it is usually not advisable to use this legal basis as it is not practical.

Can children give informed consent too?

The law does not specify an age from which people can be considered able to give their consent. However, Article 8 of the GDPR would suggest that young people aged 16 or above can be assumed to be capable of giving informed consent. For younger children, it is usually necessary to obtain their legal guardians’ consent. Having said that, there are some situations in which it might be possible to assume that the child is capable of giving consent. The Data Protection team is happy to advise.

What do I have to do if research subjects revoke their consent?

Revocation does not take effect until the actual time at which consent is revoked. In other words, any data processing that has already taken place (publication, for instance) remains lawful. When a person exercises their right to revoke consent, any data processing must stop and the data must be deleted unless another legal basis permits further processing.

Can consent be given orally?

Theoretically, yes, but researchers need to be able to prove that they obtained consent. Consent should therefore be given in writing, wherever possible, via an automated process like an opt-in or in the conventional text form with a signature.

Do I always have to anonymize personal research data?

If the research purpose allows it, personal data must be anonymized as soon as it has been collected. If full anonymization is not possible, it should at least be pseudonymized. The original personal data and the key used to pseudonymize it must be stored separately from the pseudonymized data. In addition, technical and organizational measures (e.g. access privileges restricted to project managers) must be taken to protect the pseudonymized data. Other procedures (e.g. not pseudonymizing the data until after the project) are only permitted if they are explicitly included in the consent form. Valid reasons must be given for such cases.

What is the difference between anonymization and pseudonymization?

Anonymization means that all personal references are removed from the data and the original data is completely deleted. It is then no longer possible to re-identify the research subjects. Anonymized data is thus no longer personal data and, as such, no longer subject to data protection requirements. Pseudonymization means that the data that enables the individual to be identified (the name, for example) is replaced by a pseudonym (an identifier, for example) in the data set. The key showing which name belongs to which identifier must be stored safely, separately from the other data, and technical and organizational measures taken to protect it (e.g. access privileges restricted to project managers). The key can then be used to re-identify the subjects. Pseudonymized data is fully subject to data protection rules.
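The pseudonymization step described above, as an added example that is not part of the original guidance or any TU Berlin tooling: direct identifiers are replaced by a random identifier, and the key table comes back as a separate object so it can be stored apart from the research data. The column names, the `P-` prefix and the sample rows are assumptions made for illustration.

```python
import csv
import io
import secrets

# Constructed sample survey export (not real data).
RAW_CSV = """name,email,age,answer
Alice Example,alice@example.org,34,agree
Bob Example,bob@example.org,29,disagree
Alice Example,alice@example.org,34,neutral
"""

DIRECT_IDENTIFIERS = ("name", "email")  # assumed columns that identify a person


def load_rows(text=RAW_CSV):
    return list(csv.DictReader(io.StringIO(text)))


def pseudonymize(rows, identifiers=DIRECT_IDENTIFIERS):
    """Return (pseudonymized_rows, key_table).

    key_table maps pseudonym -> original identifiers. It is the "key"
    that must be stored separately under restricted access.
    """
    by_person = {}  # identifier tuple -> pseudonym (same person, same pseudonym)
    key_table = {}  # pseudonym -> identifier values
    out = []
    for row in rows:
        ident = tuple(row[c] for c in identifiers)
        if ident not in by_person:
            # Random value: unlike a plain hash of the name, it cannot be
            # recomputed by someone who guesses the name.
            pid = "P-" + secrets.token_hex(8)
            by_person[ident] = pid
            key_table[pid] = dict(zip(identifiers, ident))
        rest = {k: v for k, v in row.items() if k not in identifiers}
        out.append({"pid": by_person[ident], **rest})
    return out, key_table


def reidentify(record, key_table):
    """Re-identification works only for someone holding the key table."""
    return key_table[record["pid"]]


if __name__ == "__main__":
    data, key = pseudonymize(load_rows())
    print(data)  # research data set: no names or e-mail addresses
    print(key)   # key table: belongs in a separate, access-restricted location
```

The remaining columns (here `age`) stay in the data set, so the output is pseudonymized data and still subject to data protection rules.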

Once personal data has been collected, can I use it for other research projects?

Usually, you can only do this if the participants have given their consent to re-use in other projects. It is best to obtain separate consent for this so that any revocation is also separate.

Is personal research data also subject to the ten-year storage period required by good academic practice?

Yes, the preservation period applies to all primary data that are the basis of research findings. If it does not affect the traceability of the results, the data must be anonymized for this purpose. If complete anonymization is not possible, the research data must still be retained - in this case, however, it is mandatory that the data be held in a trust. For this purpose, please contact TU Berlin's Data Protection team.

Can I publish personal data?

Personal data can be published (in repositories, for example) if the research subjects have given their consent. If not, the data can only be published in anonymized form.
