The General Data Protection Regulation (GDPR) has important implications for FGB researchers. This page summarizes the main issues you will need to bear in mind while conducting research within the faculty.

When does the GDPR apply to my research?

Almost all research conducted by FGB researchers is subject to the GDPR. The GDPR regulates the processing of personal data, and in the legislation:

  • Processing covers essentially every research activity carried out on the data, namely:
    • Collecting
    • Adapting
    • Storing
    • Analysing
    • Archiving
    • Deletion
  • Personal data means more than just an individual’s name or contact information. This is explained further in this definition of personal data. Much of your research data is personal data.

The GDPR applies to all personal data processed by researchers who work for the VU, regardless of whether the processing takes place in the EU or not. If processing by a VU researcher takes place outside of the European Economic Area (EU + Iceland, Norway and Liechtenstein), there may also be local privacy laws that complement or supersede the GDPR.


When does the GDPR not apply to my research?

The GDPR doesn’t apply when:

  • The data are about deceased individuals or “legal persons” (i.e. corporations)
    • NB: If the data about deceased individuals can be linked to living individuals, the GDPR does apply
  • Data are anonymous; however, this is rarely the case for data from FGB. Only “Blue” data (from the FGB Privacy Risks Categorization) are anonymous
  • Data are not from human research subjects, such as animal studies


What are the most important parts of the GDPR for me to know?

Controllers and Processors

The GDPR defines various roles, and in most research cases our institution, the Stichting VU, will be the data controller: the party responsible for deciding the aims and purposes of the data processing. As a researcher you decide these things in practice (i.e. your research question and how you plan to answer it), but the VU as your employer is the responsible party. There can also be more than one controller:

  1. If you’re collaborating with another research institution on (some of) the same data, and both institutions are deciding on the aims and purposes of the research, the VU and the other institution will be joint controllers. A joint controller agreement will need to be drawn up between the institutions (in addition to any collaboration or consortium agreements).
  2. If you’re sharing data with another research institution that will use it independently to do research on that data, there won’t be a joint controller relationship, but a data sharing agreement will need to be set up.

Any organizations that are hired to process (some of) the data on your behalf are defined as processors. These parties do not determine the aims and purposes of any data processing; they only work with the data in the manner defined for them by the data controller. Processors currently working for the VU include SURF, Qualtrics, Castor and Survalyzer, amongst others.


Any time that a third party is going to be given access to (some of) your research data, you must determine: the role of the third party; whether the necessary agreements with that third party are in place; and, if agreements are not in place, which types of agreements need to be arranged. The FGB Privacy Champion can help you get started with the first two concerns, and they will also connect you to the correct people in the VU Legal department should any new agreements need to be drawn up.

NB: Additional contracts and legal advice may be necessary when working with/sharing data with third parties located outside of the EU.


Legal Grounds for Processing

The primary legal ground for data processing in research is informed consent. More information on how to obtain informed consent in a way that is in line with the GDPR can be found in this checklist.

“Legitimate interests” as a legal ground for data processing is also an option in cases where informed consent is not feasible. However, the rules for using this option are quite strict, especially if your data fall into a special category. If you are considering this option for your research, discuss it with the FGB Privacy Champion before pursuing it. It is very important to assess this as early as possible in your research planning!


Special Categories of Data

The GDPR defines several types of data as “special”. To use these data in your research you must meet additional legal requirements. These types of data are ethnicity, religion, sexuality, health data, genetics, biometric data for identification purposes (e.g. fingerprints), political opinions and information on trade union memberships. The vast majority of data collected within FGB will be considered “special” data even if they don’t seem all that sensitive. For example, reaction time data, data from a FitBit and kinematic data are all considered health data, even when they are collected from healthy adults without any known medical concerns. More information on what makes data sensitive vs. “special” is found here.

If the data you plan to use are “special” under the GDPR, informed consent is the best legal ground upon which to base your data processing. If consent is not feasible, speak to the FGB Privacy Champion as soon as possible.


Registration of Personal Data Processing

Registration of personal data processing for research purposes is achieved using DMPonline. Registration of data processing in DMPonline is described in detail below with a section from the VU’s Research Support Handbook:


Data Protection

The GDPR requires that you adequately protect the data you are working with. There are several ways you can protect the data, including:

  • Don’t collect more data than you need to answer your research question
  • Maintain the accuracy and organization of your data by creating, maintaining and following a data management plan (which you should also discuss with the FGB Data Stewards)
  • Assess whether a data protection impact assessment (DPIA) needs to be carried out with the help of the FGB Privacy Champion, particularly if you are working with vulnerable populations and/or sensitive research topics.
  • De-identify your data as soon and as much as possible
  • Apply sufficient security measures to your data and make sure the measures are appropriate for the risks posed by your data
  • If you suspect that data have been leaked, contact the IT Service Desk immediately with an urgent message. Also inform the FGB REPS team.
    • Examples of a data breach include a lost USB stick, a hacked VU account, data e-mailed to the wrong e-mail address, a stolen laptop, etc.
    • More information on this topic is found here


Additional Information

  • FGB has set out some policy positions on how to handle certain aspects of the GDPR with regards to research in the faculty. You can find that information here.

  • Your starting point for support on privacy and research in the faculty is always the FGB Privacy Champion.

  • Additionally, you can find more detailed information on the GDPR and the VU here and here.

  • The full GDPR text can be found here and the Dutch implementation legislation for the GDPR (UAVG) can be found here.