Informing Research Participants about the Processing of Their Personal Data

1. General

Informing research participants about the processing of their personal data is a crucial part of the transparency principle laid down in the General Data Protection Regulation of the European Union (GDPR). Based on the provided information, the participants must understand how their personal data are being collected, used, stored, disseminated or otherwise made available, or otherwise processed. The significance of forward planning is emphasised in the processing of personal data. Informing research participants can be challenging without thorough consideration of all phases of the research and the applicable regulatory framework before starting research. On the other hand, if personal data processing has been planned thoroughly and systematically in advance, informing participants becomes much more straightforward.

The rules for informing research participants about the processing of their personal data depend on whether personal data are collected from the participant or from some source other than the participant. When planning the provision of information to research participants regarding the processing of their personal data, you should divide the personal data streams into these two categories. This affects the timing of providing the information and partly also the content. Practical differences are described in the paragraphs concerning the timing and content of providing the information.

  • Personal data are collected from the research participant when the research participant consciously provides his/her own personal data to the researchers. Usual situations where this applies are when the participant is interviewed or when they fill out a questionnaire. In addition, personal data are received directly from the research participant when data are collected for scientific purposes by observation of the participant, for instance, by audio/video recording a performance or social interaction carried out by the participant.
  • Personal data are not obtained from the research participant if the data are received from a source other than the research participant, such as other data controllers, publicly available sources, or other data subjects. Typical situations where this applies are when research data are combined with register data, or when research data are enriched with personal data received from another data controller in a large research project.

Sometimes personal data belonging to both of the above categories are part of the same research project. Example: Contact details of people belonging to the target group of a study are obtained from a third party (organisation, company, association, agency or other equivalent actor). These personal data (i.e. contact details) are not obtained from research participants. Once researchers proceed to interview data subjects, the data gathered in the process are collected from the research participants. In this example, instructions regarding both of the above situations apply.

If the intention is to disclose, disseminate or otherwise make available personal data to another data controller (e.g. a research partner) or to a processor (e.g. a party that carries out data collection and/or combines data to register data, or a company providing transcription services), read carefully the section on recipients or categories of recipients of personal data.

Informing research participants about the processing of their personal data always includes special situations that require more in-depth consideration and cannot be properly taken into consideration in these guidelines. Special situations may be caused by, for instance, any required changes or additions to the information provided to participants. These amendments may be required when there are changes during research that affect the processing of personal data. To recognise these situations, please read the sections relating to content of the information and exceptions to the obligation to provide information.

Other special situations include research concerning children or other persons belonging to vulnerable groups. Additionally, to fulfil the principle of transparency, it may be appropriate in some situations to provide research participants with more detailed information, although it is not explicitly required in the provisions regarding the provided information. This information may concern, for example, risks and safeguards related to personal data processing. If necessary, you can contact the data protection officer in your organisation for more detailed advice.

2. Clarity requirements and form of the information

A general condition for the processing of personal data is that the information regarding the processing is provided to research participants in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The understandability of the information and the transparency of personal data processing are to be considered from the research participant's perspective in particular. When informing research participants about personal data processing, complex phrases, specialised jargon and ambiguous wordings should be avoided whenever possible. The information concerning personal data processing should be kept, if possible, separate from other information. A central prerequisite is that research participants should have access to all parts of the information without having to search for information on their own. In principle, research participants should be provided with the information in writing or electronically unless they ask to receive the information orally.

The required conciseness, clarity and scope of the information can be reconciled by applying a layered approach to providing the information. The main principle is that research participants must be provided with all information required by the GDPR concerning the processing of their personal data. A layered approach means that the information regarding personal data processing is divided into layers based on the importance of the information. The first layer contains the most essential information with regard to your research. The most essential information includes at least the purpose(s) for which personal data are processed, the identity of the data controller, and the rights of research participants. Other important information includes aspects or impacts connected to the processing of their personal data that participants could find surprising. The information that is provided later, for instance on a web page, can include further details.

However, research participants must be given a real possibility to acquaint themselves with the layers that provide more detailed information. The data controller is also accountable for informing research participants to the extent required by the GDPR. Research participants can be provided with a written or electronic privacy notice that includes all of the information required by the GDPR in a concise form. However, providing research participants with a privacy notice does not indicate that they have understood all the information they have received. The content of the information regarding personal data processing (written and oral) as well as how and when the information is provided must be justified and documented to demonstrate compliance with the data controller's accountability requirements.

Technical and audiovisual solutions can also be used in informing research participants. Additional information can be given by providing a link to a website or other material introducing the study. A short video presentation may also be a practical way of giving a general introduction to a study for younger research participants.

3. Timing for providing the information

The timing of informing participants about the processing of their personal data depends on whether the data are collected from the research participant or from some other source. When personal data are collected from research participants, rules on the timing of providing the information are straightforward. When personal data are not received from research participants, more detailed rules apply. If personal data are received from a source other than the research participant, see also the section on exceptions to the obligation to provide information.

  • When personal data are collected from research participants, information on the processing of their personal data must be provided at the time of collecting/obtaining the data. The information may be provided, for instance, at the beginning of an interview or questionnaire.
  • When personal data are received from a source other than the research participant, research participants must be informed about the processing of their personal data within a reasonable period of time, however no later than one month counting from the point when the personal data are received. The time limit may be shorter depending on specific circumstances relating to processing.

    When personal data are received from a source other than the data subjects, there are two situations in which information must be provided to research participants on the processing of their personal data earlier than within a month: Firstly, the information must be provided to research participants immediately when they are first contacted. Even if contacting a research participant regarding the research has been planned for later (for instance, to arrange an interview), the participant must in any case be informed about personal data processing within one month counting from the point when the researcher first receives personal data. Secondly, if personal data are meant to be disclosed to another recipient, research participants must be informed before the end of the time limit. In this case, research participants must also be informed at the latest when the data are disclosed to a recipient for the first time.

In view of the above, it is best to carefully consider the timing of sampling or otherwise obtaining contact details for potential participants. If contact details are to be obtained from a third party, the researcher/research team should plan the timing for obtaining personal data so that it is possible to comply with the time limit of one month for informing data subjects. In spite of the fact that the time limit allows for one month, the recommended interpretation has been that the data controller informs research participants well before the end of the time limit, in accordance with the principle of fairness.

4. Content of the information

Table 1: Information provided to research participants on the processing of their personal data:

| Information provided to research participants on the processing of their personal data | Collected from the research participant | Obtained from a source other than the research participant |
|---|---|---|
| Identity and contact information of the data controller | x | x |
| Contact details of the data protection officer | x | x |
| Legal basis for processing personal data | x | x |
| Legitimate interests pursued by the controller or by a third party, if processing is based on article 6, section 1(f) of the GDPR | x | x |
| Information on the right to withdraw consent and the impact of withdrawal of consent | x | x |
| The purpose(s) for processing personal data | x | x |
| Recipients or categories of recipients of personal data | x | x |
| Storage period of personal data, or if not possible to define, the criteria used to determine the storage period | x | x |
| Categories of personal data and information on the source of personal data | | x |
| Information on the source of personal data | | x |
| Information on the right to lodge a complaint with a supervisory authority | x | x |
| Rights of the data subject | x | x |
| Information relating to the transfer of personal data to third countries | x | x |
| Information relating to contractual or statutory requirements for providing personal data | x | |
| Automated decision-making and profiling | x | x |

4.1. Identity and contact information of the data controller

Research participants shall be provided with information on the identity and contact details of the data controller. That is why the roles and responsibilities connected to personal data processing must be determined well before starting the research. Determining the data controller correctly and informing research participants of the identity of the data controller are some of the most essential elements of responsible and transparent processing of personal data.

The data controller is a natural or legal person, a public authority, agency or other body which, alone or jointly with others, determines the purposes and means of personal data processing. Where two or more data controllers jointly determine the purposes and means of processing, they shall be considered joint controllers.

To comply with the requirement of providing this information, two factors need to be taken into consideration. Firstly, data controllers must be unequivocally identifiable by the research participant. It is often difficult for outsiders to deduce who the data controller is if multiple persons and organisations are mentioned in the information provided to research participants. In addition, conducting the research in the premises of a company or public agency, for instance, may give research participants a false impression of who the controller of the personal data processed in the research is.

Secondly, sufficient contact details shall be provided on the data controller(s). If possible, research participants should be provided with multiple ways of contacting the data controller, for instance, a telephone number, email address and postal address. When choosing the contact details to be provided, one should consider their permanence and the possibility of reaching the data controller through them. As data subjects, research participants should be able to exercise their rights efficiently without delays caused by insufficient contact information.

A simple solution to the mentioned requirements is to include the following information in the participant information sheet:

Data controller: Organisation, postal address
Contact details: [telephone number], [email address]

If the research is conducted by joint controllers, key information on the arrangement between the controllers must be made available to research participants.

Researchers should be prepared to answer research participants' questions regarding what 'data controller' means. An example of a short answer in plain language could be: The data controller is responsible for the appropriate and lawful processing of the personal data in the research. This can also be included directly in the information provided to participants.

4.2. Contact details of the data protection officer

If the data controller has appointed a data protection officer, research participants must be provided with the data protection officer's contact details. Appointing a data protection officer may be based on the GDPR or other statute, or it can be voluntary for the organisation.

Contact details for the data protection officer must be provided in such a way that research participants can easily contact the officer. Appropriate contact details include, for instance, a postal address as well as a telephone number and/or email address specifically assigned to the data protection officer. If it is possible to contact the data protection officer, for instance, through a contact form, research participants can be informed about it. Find out the recommended way of providing the contact details for the data protection officer in your organisation.

A central criterion in evaluating the sufficiency of the contact information provided to research participants is whether it is possible to contact the data protection officer directly without having to contact the data controller. Indicating the data protection officer's name has not been deemed necessary, but in some cases it may be a good practice. One should take into consideration the employee turnover at the organisation when naming the data protection officer. The essential thing, however, is that research participants have a direct way of contacting the data protection officer based on the information that they are given.

4.3. Legal basis for processing personal data

Processing personal data in research must always have a legal basis, and research participants shall be informed of the basis on which their personal data are processed. The legal basis chosen for personal data processing also affects the information that is provided to research participants. The legal basis defines which rights research participants can exercise pertaining to their personal data.

When planning and implementing the provision of information to research participants, two different legal bases for processing personal data have to be considered.

  1. A legal basis for processing personal data refers to one of the legal grounds listed in article 6, section 1 of the GDPR. This basis is always required when personal data are processed.
  2. A legal basis for processing special categories of personal data refers to one of the legal grounds listed in article 9, section 2 of the GDPR, which allow for the processing of special categories of personal data. This basis is required in addition to the general legal basis when the special categories of personal data, referred to in article 9, section 1 of the GDPR, are processed.

The data controller is responsible for choosing the suitable legal basis for processing personal data in the research. Only one legal basis should be chosen for each purpose for processing personal data. Estimate carefully which legal basis for processing personal data applies to your research and follow the criteria laid out for its use. You can, for example, contact the data protection officer in your organisation for help with choosing the correct legal basis.

Typical legal bases for processing personal data in scientific research

  • Consent of the research participant. Consent shall be a freely given, specific, informed and unambiguous indication of the research participant's wishes, by which he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Some further conditions apply for using consent as the legal basis for processing personal data, and it, as well as other legal bases for processing personal data, should be based on appropriate discretion. General information on the preconditions of consent is available on the website of the Data Protection Ombudsman.
    In connection with scientific research, one should note that consent to participate in research is not consenting to personal data processing.
  • Compliance with a legal obligation to which the data controller is subject. In some cases, conducting research is part of complying with the data controller's statutory obligations. Using this legal basis for personal data processing requires that the basis for processing is laid down in national legislation.
  • Processing of personal data is necessary for the performance of a task carried out in the public interest. Using this legal basis for personal data processing requires that it is laid down in national legislation. The Finnish Data Protection Act provides a basis for the processing of personal data when it is necessary for scientific or historical research or for statistical purposes and it is proportionate to the pursued objective in the public interest (Data Protection Act, section 4, paragraph 3).
  • Legitimate interests pursued by the data controller. Processing personal data for scientific research can in some cases rely on the legitimate interests of the data controller or a third party as the legal basis. This legal basis for processing personal data does not apply to processing carried out by public authorities in the performance of their tasks. In addition, this legal basis shall not override the interests or fundamental rights and freedoms which require the protection of personal data of research participants. A so-called balancing test can be used in evaluating the legitimacy of the interest of the data controller. Choosing this legal basis for processing personal data requires particularly careful consideration when the data subject is a child. General information regarding the legitimate interests of the controller can be found on the website of the Data Protection Ombudsman.

Special categories of personal data refer to such personal data that reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, data concerning health, or sexual life or orientation. These special categories also include genetic and biometric data for identifying a natural person.

Such personal data should not be processed at all, unless processing is allowed in specific cases set out in the GDPR or in Finnish legislation. The following is a list of specific cases commonly used in scientific research.

Specific cases for processing special categories of personal data

  • Research participant's explicit consent. The difference here to the consent used as a general legal basis for processing personal data is that, in addition to the general requirements for valid consent, the consent has to be explicit.
  • Processing is necessary for scientific research purposes in the public interest. This exemption requires a basis in either EU law or national legislation. According to section 6, subsection 1, paragraph 7 of the Finnish Data Protection Act, the special categories of personal data can be processed for scientific or historical research or statistical purposes.

As part of the information provided to research participants, they shall be informed about the legal basis on which the processing of their personal data is based. The provision of information shall include a general legal basis for processing personal data, and, if special categories of personal data are processed in the research, the specific case relied on for processing the special categories of personal data shall also be indicated. A solution could be to add a paragraph of the following type as part of the information:

The processing of your personal data is necessary for scientific research purposes in the public interest based on section 4, paragraph 3 of the Data Protection Act (1050/2018). Special categories of personal data are processed for scientific purposes in accordance with section 6, subsection 1, paragraph 7 of the Data Protection Act.

Specific rules apply to some legal bases for processing personal data. The first is related to the controller's legitimate interest.

  • When using the data controller's or a third party's legitimate interest as a legal basis for processing personal data, research participants shall be informed of the legitimate interest in question.
  • Additionally, it is a good practice to inform them about the balancing test related to the data subject's legitimate interest. The layered approach can be used to inform research participants about the balancing test. If the information is not directly provided to research participants, they can be told that they have the possibility to receive information regarding the test, should they want to have it.
  • If the legal basis for processing personal data is consent, or if the processing of personal data belonging to the special categories is based on explicit consent, research participants must be informed about their right to withdraw their consent at any time. In addition, research participants must be informed that their withdrawal of consent will not affect the lawfulness of the processing of personal data conducted before the withdrawal.
  • The information on the possibility to withdraw consent must be provided to research participants before they consent to the processing of their personal data.

4.4. Purpose for processing personal data

Personal data shall only be collected for a specific, explicit and legitimate purpose(s). The purpose specified for personal data processing must be included in the information provided to research participants. In many cases, it is sufficient to inform participants that their personal data are processed for the purposes of a single, specified study.

The relevant thing is to take care that the specified purpose covers personal data processing to the extent required. Further information on the objective and subject of the study may be given with other information material provided to participants.

4.5. Recipients or categories of recipients of personal data

Research participants must be informed about disclosure of their personal data to recipients. Third parties in particular are defined as recipients of personal data. Third parties include, for instance, all natural persons not part of the research team, legal persons, authorities, public agencies and other bodies. In addition to these, recipients include data controllers, joint controllers and processors of personal data. For example, research partners to whom data are disclosed shall be defined as recipients.

One should note that 'processor' is a special role governed by data protection legislation. For instance, if a person employed by the data controller transcribes the data, he/she is not a processor. If, however, an outside company is commissioned to transcribe the data, the company is considered a processor, of which research participants shall be informed.

When planning research, data flows related to personal data should be charted as early as possible, before data collection and provision of information to participants.

As a principle, data subjects are provided with the names of recipients. In the case that recipients cannot be named, it is possible to provide the category/categories of recipients. In order to demonstrate their accountability, data controllers must be able to provide justification for the decision to use the categories instead of named recipients.

If the data controller provides information to research participants only on the categories of recipients, the categories can be defined with the following criteria:
  • type of recipient (e.g. reference to the activities of the recipient)
  • industry
  • sector / sub-sector
  • location

When research data are to be archived at the Finnish Social Science Data Archive (FSD), the archive acts as a processor of personal data. In this case, FSD is a recipient of personal data, and research participants shall be informed about this. For the archiving of the data, the researcher and FSD will enter into an agreement on the terms and conditions regarding personal data processing. Regardless of whether the researcher considers all personal data in the research data to have been removed, the agreement is always made in case the data still contain, for instance, indirect identifiers that may enable identifying research participants.

Archiving research data at FSD for reuse

After the research has been completed, the research data are deposited at the Finnish Social Science Data Archive, which acts as a processor of personal data. FSD reviews the anonymisation carried out by the researcher, removes any further identifying information if necessary, and processes the data to be suitable for long-term preservation and reuse.

If you are planning to collect data that you will most likely not be able to anonymise and you wish to archive them at FSD, please contact FSD User Services before commencing your research (email: asiakaspalvelu.fsd at tuni.fi, telephone: +358 40 190 1442).

4.6. Storage period of personal data

Research participants shall be informed about the storage period of their personal data primarily as an explicit period of time. If this is not possible, research participants can be informed about the criteria according to which the storage period is determined. Depending on the case, the period can be related to the provisions relevant to the data controller or, for example, codes of conduct.

When determining the storage period, one should note that research participants should be able to estimate the storage period of their personal data based on the information provided to them. Defining the storage period in a general way, i.e. that the personal data are stored for as long as is needed to complete the purpose for processing, may not be sufficient. Consequently, determining that personal data are stored for the duration of the research project, without defining any further criteria for the storage period, should be avoided, if possible. Depending on the details of the research, separate storage periods may be needed for different categories of personal data. Additionally, if the research includes multiple purposes for processing personal data, it is appropriate to indicate separate storage periods for different purposes.

Providing information on the storage period of personal data is related to the GDPR principles of data minimisation and storage limitation. The data controller is also required to work in compliance with the principles of privacy by design and privacy by default, which are closely linked to data minimisation and storage limitation.

4.7. Categories of personal data and information on the source of personal data

In situations where personal data are received from a source other than the research participant, two additional requirements apply to providing information. Both situations are related to the fact that, contrary to the situation where personal data are collected from the research participant, the participant may not be aware of the content and source of the personal data collected from other sources.

The first additional information requirement concerns the categories of personal data collected. The granularity/specificity of the information provided on the different categories should be decided on a case-by-case basis. When determining the extent of the information, one should note that personal data processing must be transparent from the data subject's perspective. Depending on the case, categories of personal data may include, among others, income, address information, employment history, and educational background.

The other additional information requirement concerns the source of the personal data. If it is possible to name the source, it is appropriate to provide this information to participants. If not, information on the type of the source is provided. This includes, depending on the case, information on whether the personal data were received from a publicly available source.

Information that can replace a named source includes the following:
  • information on whether the source is publicly available or not
  • organisation type
  • industry
  • sector

If it is not possible to inform research participants about a specific source because personal data have been collected from multiple sources, general information regarding the sources shall be provided. However, one should avoid situations where sources cannot be named explicitly. The requirements of privacy by design and privacy by default include defining the source of personal data in an appropriate manner.

4.8. Information on the right to lodge a complaint with a supervisory authority

Research participants have the right to lodge a complaint with a supervisory authority. Information on this right must be provided to participants. They should be provided with at least the following information:

You have the right to lodge a complaint with an authority supervising the processing of personal data if you have a suspicion that your personal data are processed in violation of data protection legislation.

Research participants can also be provided with more detailed information with regard to using this right, for example, by providing a link to the website of the Data Protection Ombudsman (tietosuoja.fi/en). In principle, the complaint is lodged with the supervisory authority either in the EU member state where the research participant's residence or workplace is located or where the alleged violation of the rules regarding personal data processing has taken place.

4.9. Rights of the data subject

Data subjects have certain rights pertaining to the processing of their personal data. The rights available depend on the legal basis for the processing. This means two things from the perspective of the information provided to research participants. Firstly, the rights that data subjects have relating to the legal basis for the processing of personal data must be charted. Secondly, scientific research may, in some specific cases, derogate from the research participants' rights. The provided information on the rights of the research participants has to be in line with the planned processing of personal data.

Below is a list of participant rights relating to typical legal bases for processing personal data in scientific research.

  • Consent of the research participant
    • Right of access
    • Right to rectification
    • Right to erasure (the GDPR includes an exception to this pertaining to purposes of scientific research)
    • Right to restriction of processing
    • Right to data portability (only applies to automated processing of personal data)
  • Processing of personal data is necessary for the performance of a task carried out in the public interest (scientific research, Data Protection Act, section 4, paragraph 3)
    • Right of access
    • Right to rectification
    • Right to restriction of processing
    • Right to object to the processing of personal data
  • Legitimate interest pursued by the data controller
    • Right of access
    • Right to rectification
    • Right to erasure
    • Right to restriction of processing
    • Right to object to the processing of personal data

With regard to consent and the legitimate interest of the data controller, read the section on the legal basis for processing personal data for additional information concerning information provision to research participants.

A special feature of scientific research is that it can derogate in some parts from the rights of data subjects, provided that the preconditions for derogation are met. With regard to the information provided to research participants, it is important to note that derogation from data subjects' rights is not automatic and requires careful consideration. To comply with the principle of transparency in the processing of personal data, research participants should be informed about this. If personal data are processed for the performance of a task carried out in the public interest in accordance with section 4, paragraph 3 of the Finnish Data Protection Act, the following information could be provided to research participants about their rights and the restriction of rights based on national legislation:

You have the right to access your personal data, to have inaccurate personal data rectified, to restrict the processing of your personal data, and to object to the processing of your personal data. In connection with scientific research, restriction of said rights is possible in accordance with national legislation.

If specific contact persons or practices are in place in your organisation for using these rights, you can consider informing research participants about this. In some situations, data subjects may ask what the different rights involve. The use and the content of the rights involve several things to consider. The website of the Data Protection Ombudsman contains further information on data subjects' rights.

4.10. Information relating to the transfer of personal data to third countries

Research participants shall be provided with certain additional information if personal data are to be transferred outside of the EU/EEA to third countries or international organisations. In addition to compliance with other preconditions for the legality of the processing of personal data, transferring the personal data in these situations requires that the transfer has a legal basis referred to in chapter V of the GDPR. This also includes onward transfers of personal data from the receiving country or organisation to a third country or another international organisation.

In scientific research, the transfer may, for example, be based on an adequacy decision of the European Commission on the appropriate level of data protection in the country (article 45). The countries/territories with an adequacy decision currently include Andorra, Argentina, Canada (with limitations), the Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay. The United States of America is subject to the EU-U.S. Privacy Shield Framework, which requires certification of the recipient of personal data as part of the arrangement. Other bases for the transfer can be transfers subject to appropriate safeguards (article 46), binding corporate rules (article 47), and derogations for specific situations (article 49). If the research includes transferring personal data to third countries or international organisations, it is recommended to contact the data protection officer or lawyer in your organisation to ensure the correct application of rules regarding transfers.

Information provided to research participants regarding transfers

The content of the information provided to research participants is determined by the mechanism used for the transfer. If personal data are transferred in the way mentioned above, the information provided to research participants must include

  • information about the intended transfer of personal data to third countries or an international organisation
  • information about the existence or non-existence of an adequacy decision on the appropriate level of data protection
  • information about the transfer mechanism corresponding to the GDPR (and the relevant article)
  • information about the content of the mechanism used, or where this information is available.

The information must be provided in a manner that is as meaningful as possible to research participants. It is a good practice to name the third countries to which the data are to be transferred. Depending on the case, the layered approach can be used in providing the information.

Adequacy decisions on the appropriate level of data protection already made can be found on the European Commission website. Different language versions in the official EU languages are available through the links to the adequacy decisions on the EUR-Lex website.

Example on informing research participants about transfers to third countries

A Finnish data controller participates in an international research project where personal data are transferred to Sweden, Germany and Israel. Pertaining to recipients and categories of recipients of personal data, the rules described earlier are applied. Additionally, rules regarding transfers to third countries apply to this situation. Because Sweden and Germany are part of the EU, no further information regarding transfers to these countries needs to be provided to research participants. Israel is not an EU member state, but the European Commission has given an adequacy decision on the appropriate level of data protection concerning Israel. In this case, research participants could be informed about transfers to third countries in the following way:

Your personal data are transferred to Israel, which is not part of the European Union. The transfer is based on an adequacy decision given by the European Commission on the appropriate level of data protection (article 45 of the General Data Protection Regulation). Further information is available in the Commission's decision.

If the transfer of personal data to a third country or an international organisation is based on explicit consent in accordance with article 49 of the GDPR, research participants must be informed, prior to giving consent, that the transfers may pose a risk to them due to the lack of an adequacy decision and the lack of appropriate safeguards.

4.11. Information on the provision of personal data being a statutory or contractual requirement

In situations where personal data are collected from research participants, the participants must be informed if providing personal data is a statutory or contractual requirement or a requirement for concluding a contract. Research participants must also be informed about whether they are obliged to provide the data, along with the possible consequences of not providing the data.

This issue is important because of the generally voluntary nature of research. Informing data subjects about the obligation or voluntariness clarifies the situation in research conducted in, for instance, workplaces, public agencies and institutions. If providing personal data does not involve contractual or statutory requirements, and not providing the data does not have consequences for research participants, the information can be provided in the following way:

Providing personal data is not required on statutory or contractual grounds, or on the grounds of concluding a contract. Not providing the data does not have any consequences for you.

However, if providing the personal data is based on a statutory or contractual requirement, the information provided to research participants must specify the basis of the requirement applied, and the possible consequences of failure to provide the data.

4.12. Automated decision-making and profiling

Providing information related to automated decision-making and profiling has some additional requirements. Further information on definitions can be found on the website of the Data Protection Ombudsman. Detailed instructions are in the document Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (pdf).

If personal data are not used for automated decision-making or profiling in the research, research participants can be informed about this in the following way:

Your personal data are not used for automated decision-making or profiling.

5. Exceptions to the obligation to provide information

The obligation to provide research participants with information regarding the processing of their personal data has some exceptions. In principle, however, one should refrain from derogating from providing information, unless the derogation is necessary. If you decide to derogate from providing certain information to research participants, it is important to ensure appropriate documenting and justification of these decisions in order to comply with the accountability requirements of the data controller. In uncertain situations, you should contact the data protection officer in your organisation.

When personal data are collected from research participants, derogation is possible insofar as research participants have already received the information. This includes, for example, situations where a research participant has already been in contact with the data controller at an earlier time. However, the data controller must be able to demonstrate how and when the research participant has received the information. Additionally, the data controller must be able to demonstrate that the information has not changed or become outdated. If the situation involves changes in the details of personal data processing, it may be appropriate, depending on the case, to provide all information again in addition to the changed information. In this case, the details that have changed in the provided information should be emphasised to research participants.

Situations where personal data are received from some other source than the research participant involve multiple exceptions for derogation. The situation mentioned above where the research participant has already received the information also applies to personal data received from a source other than the research participant. Other examples for derogation could be a situation where the provision of such information proves to be impossible or would involve a disproportionate effort, when the conditions and safeguards laid down in article 89 of the GDPR are applied, or a situation where the obligation to provide such information is likely to render impossible or seriously impair achieving the scientific objectives of the research. It is recommended to contact the data protection officer in your organisation if you want to apply a derogation, due to the careful consideration, documentation and safeguards needed for this.

The Office of the Data Protection Ombudsman, which is the Finnish authority supervising personal data processing, has taken the view that a data protection impact assessment (DPIA) shall be carried out in specific situations where these exceptions are applied to the obligation to provide information. Situations where an impact assessment is required include, but are not limited to, research where personal data are processed on a large scale, where the processing of personal data includes matching or combining datasets, where personal data of vulnerable individuals are processed, or where personal data are processed in the innovative use or application of new technological or organisational solutions. Further information on processing operations that require impact assessment is available on the website of the Data Protection Ombudsman.

updated 2019-03-12