FAQ GDPR and research

  • Are there guidelines for students who carry out surveys within the framework of research?

    Explanatory notes:
    Sometimes students carry out a survey as part of their graduation assignment without having implemented the education methodology.

    The supervisor is responsible for making sure students comply with the privacy policy.

    More information is available on the Cyber Safety website, under Privacy, including the Guideline Privacy Rules.

  • How should we handle graduation research by students using personal data?

    Some graduation assignments require the processing of personal data.
    If the student is going to participate in an existing project, the processing has already been registered by the responsible employee and is known by the Data Protection Officer team. In that case, the student does not need to take any further action.
    However, if the research leads to a new processing, the student must register the processing, where the supervisor is recorded as the contact person. Report the processing via the registration button for processing, here you will also find the accompanying manual.
    In any graduation study involving personal data, the supervisor must inform the student of internal appointments and safe practices and indicate the GDPR (General Data Protection Regulation). The supervisor points out to the student what is expected of him / her when working with personal data. More information about this, such as the guidelines privacy rules and the poster Personal data research protocol’ is available at the Cyber Safety website

  • Data that are collected at the UT for business goals, is sometimes of interest to researchers. How should we deal with the request from a researcher to use these data?

    The GDPR states that the use of collected data for statistic or scientific research are compatible lawful processing operations, if the right measures are taken. We need to anonymize the data and we need to minimize the use of data in relation to the purpose of the research. We also need to erase the data as soon as possible. It is important to record the processing in the register of processings. Maybe a DPIA (Data Protection Impact Assessment) is necessary. Furthermore, we need to inform the data subjects about the use of their data for research.

  • Can a participant in scientific research withdraw his/her consent to process his/her personal data?

    When a processing operation is based on the legal ground ‘consent’, the data subject (in this case: the participant in scientific research) has the right to withdraw his/her consent. The data subject must be able to do so in a way that is as easy as the way he/she gave his/her consent.

    It depends on the moment of the withdrawal how this should be dealt with. Withdrawal of consent has no retroactive effect; the processing operation that (based on the consent) took place before withdrawal of that consent, is still legitimate.

    Withdrawal before the start of the scientific research:

    All personal data of the data subject must be erased. These may not be used in the research.

    Withdrawal during the scientific research:

    In principle, the personal data of the data subject must be erased, unless this (threatens to) make(s) it impossible or seriously impedes the achievement of the purpose of the research. In such cases, the data must be anonymised.

    Withdrawal after the scientific research:

    Personal data must be anonymised. The research data of personal who withdrew their consent may not be used for future research either.