Instructions for researchers

Data protection means the protection of the privacy and trust of individuals (data subjects). It comprises the correct processing of personal data and its protection against unauthorised processing (viewing, listening, dissemination, etc.). Compliance with the rules and procedures of the Finnish National Board on Research Integrity (TENK) supports the application of the EU General Data Protection Regulation (GDPR) to practical research.
The instructions presented here have been kept as simple as possible, and they do not cover all special situations involving the processing of personal data.
Please repeat the data management training often enough.
If you are an employee, make sure you have completed the induction training.
- In the research plan, define the research purpose and why you will need to process personal data to resolve research questions.
- Determine the data controller or joint controllership at the stage of drafting the research plan. This will influence the preparation of cooperation agreements (need for a possible joint data controller agreement).
- Check whether you need to enter into any agreements or commitments.
- Describe in the data management plan the flows of personal data and the secure handling of the data.
- Check whether you need to prepare a DPIA before starting processing.
- Inform the research participants by using the templates: research notification, privacy notice and consent forms. Employees also need to send the finalized templates to the Registry Office (kirjaamo(at)jyu.fi).
- Pseudonymise data where possible as a safety measure.
- Assess the need for personal data during the study and try to minimise the amount of personal data to be processed if possible.
- Remember to report any data breaches without delay.
- Remember to submit requests concerning data subjects' rights to the Registry Office (kirjaamo@jyu.fi) and consult the Data Protection Officer (tietosuoja@jyu.fi) on how to respond if the University of Jyväskylä is the data controller.
- Take care of the life cycle of personal data processing. There is always a beginning and an end to the processing of personal data. This also applies if data is transferred to an archive after the end of the study. Remember that it might be you who needs to delete data at the end, e.g. from Webropol; otherwise it remains there.
- If data protection issues seem tricky, also take advantage of the Moodle course:
The GDPR (EU 679/2016) does not apply to the processing of personal data about deceased persons or situations where personal data is not collected (where persons cannot be, directly or indirectly, identified from the collected data; for example, anonymised data is used). However, when writing about deceased persons, the memory of the deceased should always be respected. The most significant exceptions to the application of the GDPR are intended to guarantee the freedoms of speech and information when personal data is processed in terms of a journalistic, academic, literary or artistic expression.
Academic expression cannot be the primary grounds for processing when conducting scientific research. However, if, for example, a very rare disease or the opinions of a well-known politician are being studied, the research subject may be identified from the research results. As a result, academic expression may be necessary to report the results or to present criticism of official or political decisions of persons who are identified from the research results.
The data controller (or joint controllers) is responsible for defining the purpose and means for processing personal data. For example:
- Why will the personal data be processed and for what anticipated outcomes?
- What means will be used (i.e., how will the personal data be processed)?
- What types of procedures will be applied to the data to reach a result?
- What tools and/or equipment will be used in processing the personal data (e.g., own computer, home, workplace), and how will the data be protected (i.e., information security)?
- What data will be processed, and who will have access to the data?
- For how long will the data be in process?
- How will the processing responsibilities be presented to the data subjects?
For scientific research projects, these matters are described in the data management and research plan as well as in the documents informing the data subjects (i.e., research information letter, privacy notice, consent and where necessary, a separate consent form).
When research is conducted under an employment relationship with the University of Jyväskylä and as a part of the employee’s work duties, the data controller is the University of Jyväskylä. In such a case, research is pursued for the University and the employee him-/herself cannot act as the data controller or processor of personal data. If research is pursued as a part of a project with supplementary funding within JYU (e.g., a doctoral dissertation uses the project’s material), then again JYU is the data controller, even if the researcher is not in an employment relationship with the University. Fundamentally, then, the personal data are processed for the University’s project and the dissertation is about the research questions already determined in the project plan (if not, it may also be a controller-to-controller disclosure of data).
When research subjects’ personal data are processed (i.e., a personal data register is established) for a researcher’s own use (e.g., for a graduation work, a doctoral dissertation, or a postdoc research conducted with a personal grant), the researcher him/herself is the data controller for this register. In these cases, the specific researcher has authority over the data collected for the study, the register established for the researcher’s own use, the decisions on what is processed and for how long, and so on. Normally, these immaterial property rights are not transferred to the University.
Rule of thumb: If research is not conducted under an employment relationship to JYU or as a part of a JYU project with supplementary funding, the researcher acts as the data controller for the register containing personal data.
Examples of data controllership:
Example 1. A doctoral student makes a dissertation using personal data collected within a project with supplementary funding. The dissertation work begins within a project with supplementary funding where he/she has 3 years of funding. For the last year, he/she receives a personal grant from a foundation.
Regarding data controllership, the data controller for the project with supplementary funding and for the doctoral student’s data is the University, not the doctoral student. The means and purposes of processing the personal data are defined as part of the project. The doctoral student’s personal grant does not change the data controllership because the purpose and means of processing are not changed.
Example 2. A doctoral student makes an entire doctoral dissertation funded by various grants from foundations. The doctoral student is employed for two years outside the University and unemployed for a year. For the dissertation, the doctoral student conducts a survey and interviews to collect material containing personal data. With regard to processing the personal data, the doctoral student is the data controller.
Example 3. A doctoral student has a permanent employment relationship with the University. For his/her dissertation work, the doctoral student has applied and received personal grants from foundations, and during the grant periods he/she has been on study leave and worked on the dissertation. The actual job at the University is not a research post. The controllership for the personal data collected for the doctoral dissertation belongs to the doctoral student.
Example 4. A postdoc researcher, who is not in an employment relationship with the University, receives a personal 24-month grant from foundations’ postdoc pools for research to be conducted abroad. Before leaving Finland, the postdoc researcher collected data at JYU and will collect more at the destination university. After returning to Finland, he/she is unemployed for a year and continues then on another grant from a foundation and completes the research project. Controllership for the personal data collected for the research project belongs to the researcher.
Joint controllers
JYU can be a joint controller with one or more other organisations (usually a university in Finland or abroad), if the purposes and means of the processing of personal data are defined in collaboration with the staff of the respective organisations.
Also individuals can be joint controllers (e.g., a graduation work made jointly by two students).
As an example, JYU participates in a consortium project and accounts for work sets where research subjects are interviewed and survey answers are collected. Producing a paper for publication requires that the subjects’ personal data (including pseudonymised data) are processed jointly with the consortium partners (e.g., three European universities). The Consortium also is completing a joint recruitment where the applicants’ personal data will be processed together. The universities in the consortium are joint controllers both for the research data and for the joint recruitment data. Hence, they also will jointly account for informing the data subjects concerned (e.g., an information letter, privacy notice, and where necessary, a consent form). Typically, members of the consortium have a reason to make an agreement on the joint controllership. However, a joint controllership agreement is not absolutely necessary in cooperation among Finnish universities, at least for such research projects that do not require an impact assessment in compliance with the GDPR. Nevertheless, the data subjects need to be informed about joint controllership (i.e., in an information letter, privacy notice). When several organisations are involved in research activities, the flows of personal data (including pseudonymised data) need to be described explicitly.
Data processor
A data processor processes personal data for the data controller, in compliance with any instructions and under the control of the data controller. The data controller—not the processor—defines the purposes and means for the personal data processing.
The term data processor does not refer to the data controller’s own employees who process personal data as part of their work duties.
For example, the provider of the Webropol survey software is a data processor: The University has signed a data processing agreement with Webropol. However, if personal data are to be processed by a party lacking such an agreement, a data processing agreement must be made separately. If a project involves students or others without an employment relationship with JYU and in which personal data is processed for the project, a data processing agreement is required with these persons.
In a contracted research project, the contractor can define the purposes and means for processing personal data. In such a case, the research contractor acts as the data controller of the project while the researcher or University acts as the data processor.
The roles (data controllership) may be reconsidered through juridical practice and authoritative guidelines
Data controllership is not an explicit issue. Thus, these instructions can be updated over time, along with accumulating authoritative guidance or juridical practice concerning the concept of a data controller.
The concept of personal data is broad, and it means all data related to persons from which the research subject (or another third person) can be identified either directly or indirectly. Typically, personal data includes a full name or personal identity code, a video, an email address using both first and last names, an image of the face, voice, a handwritten signature, etc.
The GDPR separately defines special categories of personal data. These include data that indicates:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic or biometric data for uniquely identifying a person
- health
- sexual behaviour and orientation
It is important to identify and document the types of personal data being processed.
Personal data does not merely refer to any specifically secret or intimate data – what is important is whether or not a person can be identified from the data.
Examples of personal data
Only a person’s family can identify the person from his interview responses. Is this an example of personal data?
Yes. Identifiability does not require that a person is known by everyone or a large group of people.
I am only collecting background variables and conducting a political opinion poll, and I do not know whether or not persons can be identified. What should I do?
In principle, you are collecting data from persons, and to resolve this situation, you should assess whether these persons can be identified from this data, directly or indirectly (e.g. by combining this data with other data). This assessment may be challenging and also change over time (the volume of data available online is constantly increasing). In other words, it should be decided whether it would be safer to process this data as if it were personal data (and take these instructions into account).
I am recording videos of my research subjects, but I am not asking for their names or contact details. Am I processing personal data?
Yes. Persons can be identified from videos at least on the basis of images and possibly also on the basis of their voices.
More information about the concept of personal data:
The Data Protection Ombudsman’s definition of what constitutes,
Within research cooperation, transfers of pseudonymised data are regarded as transfers of personal data, even if it is not possible for the recipient to find out the data subjects’ identity indirectly from the research data or other information available to the recipient.
*There is an appeal (made in July 2023) at the Court of Justice of the European Union (CJEU). We will follow the process, but it will take 15–18 months.
Risks
You may not use information systems or services to process personal data that have not been assessed and approved by the University of Jyväskylä if it is a data controller, joint controller or processor of personal data.
Follow the instructions in the processing confidential information table.
If you have data security questions, you can reach the data security team via HelpJYU.
Remember to be careful with emails and get familiar with the secure email (it is provided to JYU staff only).
Example of a situation where a university failed to protect research data.
The processing of personal data must be based on legal grounds about which the research subject must also be informed (in the privacy notice). The GDPR states that processing shall only be lawful if, and to the extent that, at least one of the criteria set for lawful processing is in place. In principle, the selected ground cannot be changed after processing has started. Some of the grounds for processing are defined in the GDPR, and some in the Finnish data protection act. The most significant grounds concerning scientific research conducted at the University of Jyväskylä are presented below.
It should be noted that the university’s templates require that grounds for processing are selected and also expressed to research subjects. There is no specific order of priority for different grounds for processing in the law; however, you should avoid using consent and rely on public interest as a legal ground for data processing when conducting scientific research.
Grounds for processing include the following:
Public interest (EU GDPR, 6.1 e + section 4 of the Finnish data protection act); personal data can be processed to conduct research if processing is necessary for scientific or historical research or statistics and it is correctly proportional to the public interest to be attained. For commercial research funded by companies, the applicability of public interest should be considered separately for each study.
Consent (EU 679/2016 6.1 a), which must be a voluntary, individual, conscious and unambiguous expression of will by which the research subject, through a statement or an action that clearly indicates their consent, accepts that their personal data will be processed. Consent can also be requested verbally or electronically. However, it must be possible to indicate afterwards that the research subject has given their consent so as to fulfil the requirements set for consent. Consent can also be recorded or videoed. It should be noted that consent can only be conscious if the person has obtained all the information about the processing of personal data (notification or privacy notice).
Legitimate interests (EU GDPR, 6.1 f); this requires a balance test (see ). Legitimate interests can be used as grounds for processing when conducting research assigned by a company using its existing customer database, and the company acts as the data controller, or if the university conducts research related to its official authority.
Other grounds for processing include, for example, the performance of a contract and compliance with legal obligations. Although the mission set for universities in section 2 of the Universities Act (558/2009) is to promote independent academic research, the wording of the section is not sufficiently accurate for research conducted at a university to be based on the controller’s legal obligations (6.1 c).
Special categories of personal data
In principle, the processing of personal data belonging to special categories is prohibited in the GDPR. This means that to process such personal data, additional grounds for processing are needed. These include:
Processing is necessary for scientific or historical research purposes in accordance with public interest (EU GDPR, 9.2 j + section 7 of the Finnish data protection act). When processing is based on public interest, it is particularly important that the controller implement the necessary means of protection (e.g. pseudonymisation). The applicable means of protection must be assessed separately in each situation.
Explicit consent (EU GDPR, 9.2 a) (additional requirement ensuring that consent is a voluntary, individual, conscious and unambiguous expression of will).
What should you do in practice?
Usually, one of the grounds for processing must be selected for a single study.
When conducting scientific research, public interest is usually selected as the grounds for processing, and this must also be expressed to the research subject.
The processing of your personal data is necessary to conduct scientific research in accordance with public interest on the basis of section 4(3) of the data protection act. Special categories of personal data are processed for scientific research purposes in accordance with section 6(7) of the data protection act.
In addition, you need to request the research subject to give their consent to their participation in the study (ethical consent). For example, to give consent to participating in a survey, it is sufficient that the research subject obtain information about the processing of personal data (research notification and privacy notice), after which they respond to the survey.
Frequently asked questions concerning grounds for processing
What is the difference between consent as legal grounds for processing and consent to participate in research?
Informed consent is a key ethical principle. Giving consent to participate and the opportunity to withdraw consent at any time support the principle of voluntariness.
Consent as legal grounds for processing is challenging not only due to the strict requirements set for consent in data protection legislation, but also because personal data about research subjects who have withdrawn their consent should be erased as a rule.
If a research subject only cancels their participation in research, their personal data can still be used for research purposes.
If public interest is selected as grounds for processing, can the processing of personal data for research purposes be described more broadly than for consent?
With regard to the processing of personal data, it is still required that the requirements stipulated in Article 5 of the GDPR are fulfilled, such as the requirement that personal data needs to be collected for a specific purpose.
The research lifespan consists of
- the time needed for the processing of personal data for the study, and
- the time for which it is necessary to keep the personal data after the study, for example, to ensure the reliability of the research findings.
The estimated, sufficient length of the study is provided by the researcher to the data subjects in the privacy notice. Be aware that what you tell a data subject about data privacy is a commitment that sets limits on the processing of personal data in your study.
The research lifespan includes data collection and analysis, publishing the results, and storing the data. When the study is completed, you need to consider what needs to be done with the research data, specifically personal data (e.g., erasure, anonymising, archiving).
The research lifespan should be planned and stated as being long enough to allow sufficient time to keep the data for analysis and publishing. If the study involves processing personal data, the stated length must be within reasonable limits and in line with data protection legislation. However, longitudinal studies can last, in principle, for a person’s entire lifetime. Thus, when keeping the data, the arrangements may depend on what has been agreed with the research funder.
What does archiving mean?
You should distinguish between keeping a data set for its original purpose (i.e., to carry out the study according to the research plan) and the archiving stage following it (i.e., typically permanent storage and the potential utilisation of archived material in new research). As a rule, archiving takes place when the set of personal data is no longer in active use for the original purpose (i.e., the study for which it was originally collected).[1] In principle, it is possible to archive data while the study is still ongoing if it is considered appropriate.
According to the Data Protection Act, Section 32, data subject rights can be restricted if personal data are processed and archived for the purpose of public benefit. However, for the data controller to invoke the restriction of the subjects’ rights, the controller must define in advance and be able to demonstrate that the personal data has been transferred to archival use in accord with the public benefit.
How to proceed in archiving an anonymous data set
The anonymisation procedure must be described in the anonymisation plan at least when you are responsible for anonymising the data (when, e.g., the archive does not check whether the anonymisation was successful). In drafting the anonymisation plan, you can use the template of the Finnish Social Science Data Archive (FSD).
Information about data archiving once the study is complete is provided in the privacy notice given to the research subjects. According to the FSD guidelines, for example, the information can be stated as follows:
“After the study, the research data will be transferred to the Finnish Social Science Data Archive (FSD), which acts as the processor of personal data. The researcher anonymises the data, but FSD evaluates the archivability of the data and makes further erasures where necessary, modifying the data so that it becomes applicable for long-term storing and further usage.
FSD can deliver data (choose one of the options below for the data)
- to be used by anybody.
- to be used for research, teaching, and learning purposes.
- to be used in research and for graduate-level theses.”
Even if data protection legislation does not require any separate permission for archiving anonymous data, it is a good ethical practice. Archiving permission for qualitative data can be requested as follows, for example:
”Permission for archiving the anonymised interview/text in the Finnish Social Science Data Archive:
▢ My interview text file/writing may be archived in FSD and thereby available for research, learning, and teaching purposes.
▢ My interview/text may not be archived in FSD.”
Familiarise yourself with the FSD guidelines for the archives of data. Correspondingly, if you are going to archive anonymised data in some other archive, familiarise yourself with the relevant guidelines.
It is recommended to save an anonymised data set in some archive to enable its wider use and ensure regular evaluation for any remaining risks related to the anonymisation.
Anonymisation can be easy to promise but often difficult to carry out. Does the nature of data allow anonymising and publishing with reasonable efforts and gain? Anonymisation often calls for more than just erasing the pseudonymisation key. The more the pseudonymised interviews and texts include possible identification information (depending on the case, e.g., “my sister-in-law works as a journalist in town X” combined with a description the informant gives elsewhere in the data about his/her own somewhat rare occupation), the more effort and advance planning the systematic removal of such information requires. You should have a clear plan as to how and at which stage you can release resources to carry out this.
How to proceed in archiving a set of personal data
Archiving is possible on the grounds of complying with the Data Protection Act. Processing personal data is necessary for an archiving purpose serving public interests, based on the Data Protection Act, Section 4.4. In archiving, exceptions to the restrictions are made for the processing of personal data of special categories in accordance with the Data Protection Act, Section 6.8.
The processing must be necessary and proportionate to the aim of public interest pursued and to the rights of the data subject. What is said above does not concern the archiving of genetic data, and specific legislation may include special stipulations on archiving these data. However, the grounds for complying with the Data Protection Act apply to most research conducted at the University of Jyväskylä.
1. The researcher needs to justify that the archiving of research material containing personal data (pseudonymised material is considered to include personal data) is necessary and in the right proportion to the intended public benefit. In practice, research data are thus subjected to a value assessment. The leader of the research project is responsible for this value assessment. Fundamental materials from research projects of major scientific or historical significance are kept permanently. There needs to be a written evaluation.
2. Sets of personal data are not archived merely because anonymisation would be arduous. The grounds for public benefit can be reviewed in relation to public needs for knowledge (societal or research-oriented justification) and to the nature of the data (e.g., highly private or not).
3. The privacy notice must inform the data subjects about the archiving of research material with personal data (to a named archive). If the specific archive is still unknown, at least the recipient group should be stated.
4. The grounds for further use of the archived material must be defined in the privacy notice.
5. Materials must be minimised before archiving (i.e., consider and document the extent to which personal identifying data and any coding/categorisation are necessary for public benefit).
6. An archiving and data processing agreement must be signed with the archiving body. Consider the archiving target carefully. Contact the chosen archive before starting your data collection and check their requirements for the materials to be archived. For example, do they accept anonymous data only or also identifiable data with the subjects’ consent? Mention a specific data archive in your privacy notice only if you are sure that your data will meet the criteria of that particular archive. If you do not know in advance which archive would be ideal for you, consider using a broader phrasing in your privacy notice so that a well-established and curated data archive in your discipline will possess the information security standards that meet the requirements of data protection legislation. The specific information can be updated in the privacy notice when the archive is confirmed.
Where can I archive my data set?
Recommendable data archives include, for instance:
–service portal maintained by . In most cases, this site archives anonymous data (excluding data pertaining to freedom of speech, such as media materials). According to FSD, it is possible to archive sets of personal data in exceptional cases; however, you need to contact FSD before starting the study.
–also accepts sets of personal data to be archived. See and
(in English)–a service maintained by European Data Infrastructure. Accepts anonymised data only. Any data published in the service is publicly accessible and must therefore be anonymised in accordance with the GDPR.
For possible field-specific archives, archiving must be considered separately.
Not an actual archive: CSC (in English) for data and descriptive information. (in English) and a (in English) are available. For archiving, the CSC beta stage SD services are designed for data management and analysis at the phase of active research. Services for long-term access (PAS) are meant for storing only, not archiving. (Using these services would call for a separate agreement between the organisation and CSC.)
University of Jyväskylä
A data set can also be archived at the University.
What about a longitudinal study? When should the data be archived?
As a rule, the data set from a longitudinal study can be archived only when it is no longer in active use for its original purpose, that is, for the study for which it was collected. For example, if the collected data will be compared to data collected at a follow-up stage, the original data remains active for as long as the study lasts. In practice, this could mean that, at the beginning of the study, the researcher cannot tell whether the data will be anonymised or archived with identifiable content, or what the designated archive will be. The implementation of follow-up stages may also depend on funding. In such cases, it may be reasonable to describe the length of the study and state to the data subjects that they will be informed separately about archiving in the future when the study is complete. This way the data subjects will receive specific information about the archiving plan and can apply their rights at that stage, and the researcher avoids guessing what will happen to the data decades later. As regards archiving, while the significance of the data set must be evaluated separately if it contains personal data, making the evaluation several years beforehand may be difficult. The data subjects should receive an estimation of the length of the study and of when they can expect to get further information about archiving.
[1] Only rarely is the archiving period directly stipulated in law. Current legislation indicates that non-implementative device trials are held for 10 years and implementative device trials are held 15 years. If the research pertains to a drug trading license in the EU area, the material must be kept for at least 2 years after receiving the final trading license in the EU area and/or 2 years from the end of the product research.
The GDPR emphasises the importance of giving information to data subjects and the importance that this information can be easily understood. Ensure that you give information to your research subjects before collecting or processing any personal data. Edit different templates suitable for your research:
- Research notification template
- Privacy notice template
- Simplified template (notification, privacy notice and consent), for example for children (for legal reasons, also fill in the privacy notice if you provide the simplified version to the data subject)
- Consent forms
Inform data subjects about processing (templates) (jyu.fi)
Provide your research subjects with a research notification and privacy notice (information about the processing of personal data). The privacy notice and information sheet must also be sent to the Registry Office kirjaamo(at)jyu.fi to ensure that the University has information about the studies for which personal data is used if it is a data controller or joint data controller in a study. Data subjects can contact the data protection officer in matters related to the processing of personal data. The supervisory authority can request data or it can be used for internal control purposes.
Use the most recent template version available on the data protection pages. The pages also include an illustrated template for giving information to children and the elderly (plain language notification). If you use the plain language notification, prepare a separate description of the processing of personal data as well (a privacy notice).
If you use templates of other organisations (e.g. as defined in any consortium agreement), send complete versions to kirjaamo@jyu.fi if the university is the data controller or a joint data controller.
If you request an opinion from the ethics committee of the Central Finland Health Care District or from another ethics committee, use the forms of the Health Care District as it requires.
When is it unnecessary to inform research subjects of the processing of personal data?
No information (research notification or privacy notice) needs to be given if this is impossible or unreasonably difficult, or if this is likely to prevent the fulfilment of the research goal or make this significantly more difficult. This derogation only applies if the data is not collected from the data subject. If the derogation applies, you will need to fill out a privacy notice and make it publicly available (on the internet).
These exceptional situations are interpreted to a limited extent, and any non-provision of information needs to be justified (documentation obligation).
Example
When is it unreasonable to provide information?
History researchers who aim to study a family history on the basis of last names have access to large volumes of data, consisting of personal data about 20,000 data subjects. However, this data was collected 50 years ago, and it has not been updated since. Furthermore, no contact details are included. Considering the size of the database and especially the age of the data, it would be unreasonable if the researchers needed to trace every data subject to provide them with information about the processing of personal data.
As a basic rule, data subjects have their rights set out in the GDPR with regard to scientific and historical research.
The recommendation is not to derogate from the rights.
According to section 31 of the Finnish data protection act, these rights can be deviated from under certain conditions. If the controller processes special categories of personal data, or personal data related to criminal convictions or activities and wishes to deviate from the rights of data subjects, the controller must also conduct a data protection impact assessment and send it to the Data Protection Ombudsman (the national supervisory authority) before any processing.
According to section 31 of the Finnish data protection act, the rights of data subjects to access their data, the right to have data corrected, the right to have processing restricted and the right to object to processing can be deviated from if:
- processing is based on a proper research plan;
- the study in question has a responsible person or group; and
- personal data is only used and disclosed for purposes of conducting historical or scientific research or for other similar purposes, and it is otherwise ensured that no data about any specific person is disclosed to unauthorised parties.
It is only possible to deviate from the rights of data subjects insofar as these rights are likely to prevent these specific purposes from being fulfilled or make this significantly more difficult, and such deviation is necessary to fulfil these purposes. The need to deviate from the rights of data subjects must therefore be assessed separately in each situation.
The rights of data subjects are also restricted in the GDPR:
- deviation from the right of data subjects to obtain information about the processing of personal data (Article 14(5)(b));
- deviation from the right to be forgotten (if the right is likely to prevent the processing of personal data or makes it significantly more difficult) (Article 17(3)(d)); and
- deviation from the right to object to processing (Article 21(6)).
These deviations are directly possible on the basis of the GDPR.
If any special categories of personal data are processed, deviating from the rights of data subjects is always subject to an impact assessment.
When personal data is processed, any risks to data subjects must always be assessed. If these risks are not identified, protective measures cannot be planned. Risk assessment is a continuous activity. The sufficiency of actions must be assessed at all times, and they need to be adjusted when necessary. Risks mean the consequences of any disclosure of data for research subjects:
- identity theft
- fraud
- financial losses
- social harm, such as the loss of reputation/family/employment
You can avoid any risks by being thorough and planning the processing of personal data and its protection in accordance with its lifecycle. The GDPR emphasises technical and organisational protection. This means compliance with guidelines, training, pseudonymisation and the use of secure processing environments approved by the University.
Check whether you need to prepare a separate impact assessment
A data protection impact assessment (DPIA) is necessary if the planned processing of personal data is likely to involve significant data protection risks for the research subjects (data subjects). For example, this may be necessary when processing large volumes of data, personal data about children or special categories of personal data on a broad scale.
You will always need to do a separate check to determine if a DPIA is mandatory.
Before any processing, the DPIA must be reviewed with the data protection officer (tietosuoja@jyu.fi) if the university is the data controller or a joint data controller and there are high risks for the research participants.
If the DPIA indicates that the study presents significant risks to research subjects, it must also be sent to the supervisory authority. The DPIA must also be sent to the supervisory authority if special categories of personal data or personal data related to criminal convictions or activities are processed, and certain rights of data subjects are deviated from (the rights to access data, have data corrected, have processing restricted and object to processing).
Research subjects must be informed of any transfer of personal data (including disclosure). If there are significant defects in the information given, they may prevent the personal data from being transferred and, therefore, the study from being completed.
In practice, when planning a study, it is important to identify any data flows and partners related to personal data as early as possible.
Find out from UNO which type of contract is needed in your research project.
All signed agreements (data processing agreements and agreements on joint controllers) must always be sent to the registry office of the University.
Transferring personal data outside the EU/EEA
Personal data can only be transferred outside the EU/EEA under certain conditions. For more information, please visit
If you need help evaluating a data transfer or safeguards, contact: tietosuoja@jyu.fi.
Comments on these instructions were requested through the vice deans of faculties (research) and heads of faculty administration between 11 and 25 April 2019.
These instructions were discussed in the data security development group on 29 April 2019.
These instructions will be revised on the basis of feedback and interpretation practices related to the data protection legislation.
The guidance was updated in May 2022 with regard to the preservation and archiving of research data.
Feedback: tietosuoja(at)jyu.fi
Sources:
Researchers aim to conduct their studies to ensure that no significant risk, loss or harm is presented to the studied individuals or communities, or to other research subjects (TENK – research ethics in human sciences).
The use of the concept of race in the GDPR does not mean that the EU accepts any theories that aim to define the existence of different human races.
The Personal Data Act (1999/523, repealed) defined consent as the primary grounds for processing. For the purposes of historical or scientific research, personal data can be processed on grounds other than consent if consent cannot be obtained from data subjects due to the large volume of data, its age or other similar reason (section 14).
Individual means that the purpose of the processing of personal data is pre-defined. Conscious means that information about the processing of personal data has been given separately from any other information, using simple and understandable language. The person giving their consent cannot be pressurised to give their consent. Unambiguous means an active approach. With regard to special categories of personal data, express consent must be given (e.g. a signature). In addition, consent must be documented (with subsequent provability) and withdrawable (the opportunity to withdraw consent must be stated separately).
It is not always possible to obtain consent.
In addition, it should be noted that a study which violates the integrity of a person or a person’s embryo or foetus and the purpose of which is to increase information about health, causes of illnesses, symptoms, diagnostics, treatment, prevention or the essence of diseases in general, i.e. medical research on humans, cannot be conducted without the informed written consent of the research subject (section 6 of the Medical Research Act, 488/1999).
Guidelines on Transparency under Regulation 2016/679, p. 32.
Source: Office of the Data Protection Ombudsman