Rights of data subjects

Researchers must inform their human data subjects about their research, risks and measures to protect the privacy of their data subjects.

Rights of human data subjects

The main objective of the GDPR is to protect the rights and freedoms of data subjects (i.e., human, living individuals). To reach this goal, the GDPR defines a set of rights that individuals can exercise regarding their personal data. For researchers, it is important to be aware that these rights also apply to human data subjects in their research projects.

Communication about the rights

Researchers must inform their human data subjects carefully and thoroughly about their research, risks and measures to protect the privacy of their data subjects. This also includes the communication of the rights to data subjects in your research project to enable them to exercise their rights.

Restriction of the rights

In some situations, it might negatively affect your research if your data subject would exercise their rights (e.g., right to erasure: keeping data for verification purposes). The GDPR recognizes the importance of scientific research and therefore also defines exceptions specifically for scientific research (art. 89-2 of the GDPR). The exceptions are not an exemption to all requirements in the GDPR; they only aim to provide exceptions to specific data subjects' rights in specific situations. The use of these exceptions requires additional safeguards (art. 89-1 of the GDPR), for which you as a researcher are responsible.

The DCC can help you choose and implement these safeguards.

Right to transparent information

GDPR Article	Summary
Article 12	Obligation to communicate information to the data subject in a clear way, facilitating the exercise of the data subject’s rights.

Implications for research
The GDPR art. 13 and art. 14 include a list of points that researchers need to provide ‘to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language’ (art. 12(1)). This also includes information on your data subjects' rights. A common way to provide the data subject with information about a research project is to include this information in your informed consent form. If it is not possible to inform the data subjects directly or it would involve a disproportionate effort (the number of data subjects, the age of the data, and any appropriate safeguards adopted should be taken into consideration, rec. 62), this may include making the information publicly available (e.g., via a website).

Implications for research

The GDPR art. 13 and art. 14 include a list of points that researchers need to provide ‘to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language’ (art. 12(1)).

This also includes information on your data subjects' rights. A common way to provide the data subject with information about a research project is to include this information in your informed consent form. If it is not possible to inform the data subjects directly or it would involve a disproportionate effort (the number of data subjects, the age of the data, and any appropriate safeguards adopted should be taken into consideration, rec. 62), this may include making the information publicly available (e.g., via a website).

Right to access, rectification & restriction of processing

GDPR article	Summary
Article 15	Gives data subjects the right to request a copy of any of their personal data which are being processed.
Article 16	If personal data is inaccurate or incomplete, data subjects have the rights to rectification and completion.
Article 18	Right to restriction of processing of personal data.

Implications for research
Right to access Requests for access are usually granted. If it is still possible to identify specific individuals in your dataset, it is common practice to de-identify data as soon as possible to protect the privacy of your data subjects. If a participant requests access to their data after the data has been de-identified and there is no longer a direct connection between this participant and the research data, the UG can appeal to the exception for scientific research. Right to rectification and completion In some research fields (e.g. anthropology), it is common practice to ask data subjects to review interview transcriptions and questionnaire answers. This way data subjects can delete or revise information they would not like to share or deem incorrect. This practice makes it easier to be transparent about the deadline until the data subjects can exercise this right. Right to restriction of processing A possible scenario where the right to restriction of processing applies is when data are made available for reuse. Data subjects might have consented to reuse, but later changed their minds and asked the researcher to restrict the use of their data to the current project. Another example is the right to restrict processing by a third party, such as a transcription service. In most cases, restriction would not heavily impact the research project itself and therefore the researcher is obligated to grant the request. In both examples the data will not be removed (see right to be forgotten), but a participant restricted how the data can be used by the researcher. Assessment of exception to these rights Sometimes exercising the rights of data subjects might negatively impact the outcomes of the research (e.g., covert research or research about undesirable behavior). Therefore, the Dutch Implementation Act (art. 44) defines that these rights may not always be applicable to scientific research. Before the start of your research project, it is important to assess whether and explain why exercising these rights would negatively impact the outcome of your research. In addition, it is mandatory to have safeguards in place to protect the privacy of your data subjects (GDPR, art. 89-1). This may include encryption, data minimization, and de-identification. The DCC can help you choose and implement these safeguards.

Implications for research

Right to access

Requests for access are usually granted. If it is still possible to identify specific individuals in your dataset, it is common practice to de-identify data as soon as possible to protect the privacy of your data subjects. If a participant requests access to their data after the data has been de-identified and there is no longer a direct connection between this participant and the research data, the UG can appeal to the exception for scientific research.

Right to rectification and completion

In some research fields (e.g. anthropology), it is common practice to ask data subjects to review interview transcriptions and questionnaire answers. This way data subjects can delete or revise information they would not like to share or deem incorrect. This practice makes it easier to be transparent about the deadline until the data subjects can exercise this right.

Right to restriction of processing

A possible scenario where the right to restriction of processing applies is when data are made available for reuse. Data subjects might have consented to reuse, but later changed their minds and asked the researcher to restrict the use of their data to the current project. Another example is the right to restrict processing by a third party, such as a transcription service. In most cases, restriction would not heavily impact the research project itself and therefore the researcher is obligated to grant the request. In both examples the data will not be removed (see right to be forgotten), but a participant restricted how the data can be used by the researcher.

Assessment of exception to these rights

Sometimes exercising the rights of data subjects might negatively impact the outcomes of the research (e.g., covert research or research about undesirable behavior). Therefore, the Dutch Implementation Act (art. 44) defines that these rights may not always be applicable to scientific research.

Before the start of your research project, it is important to assess whether and explain why exercising these rights would negatively impact the outcome of your research. In addition, it is mandatory to have safeguards in place to protect the privacy of your data subjects (GDPR, art. 89-1). This may include encryption, data minimization, and de-identification. The DCC can help you choose and implement these safeguards.

Right to be forgotten

GDPR Article	Summary
Article 17	Data subjects have the right to have their personal data erased.

Implications for research
The unlimited application of ‘the right to be forgotten’ would negatively impact the feasibility, and reproducibility of scientific research, because datasets and therefore results could change every time someone would exercise their right to be forgotten. Therefore, the GDPR (Art. 17-3-d) states that scientific research projects may restrict the application of this right if it is likely to render impossible OR seriously impair the purposes of this processing. When assessing the application of this right to your research, it is important to think about your research planning. When will you start to process the data of your data subjects to such an extent that removing the data of one data subject would either be practically impossible (e.g., due to de-identification), or would impact the outcome of your research (e.g., you are already analyzing the data and generating the results of your research). You can use this planning to explain to your data subject until when, and how they can exercise this right.

Implications for research

The unlimited application of ‘the right to be forgotten’ would negatively impact the feasibility, and reproducibility of scientific research, because datasets and therefore results could change every time someone would exercise their right to be forgotten. Therefore, the GDPR (Art. 17-3-d) states that scientific research projects may restrict the application of this right if it is likely to render impossible OR seriously impair the purposes of this processing.

When assessing the application of this right to your research, it is important to think about your research planning. When will you start to process the data of your data subjects to such an extent that removing the data of one data subject would either be practically impossible (e.g., due to de-identification), or would impact the outcome of your research (e.g., you are already analyzing the data and generating the results of your research). You can use this planning to explain to your data subject until when, and how they can exercise this right.

Right to object to processing

GDPR article	Summary
Article 21	Right to object to the processing of personal data in case of processing on the legal basis of public interest.

Implications for research
This right is not applicable to research projects that use consent as a legal ground. Do you want to process personal data on the basis of a different ground than consent? Please contact the P&S coordinator of your faculty. They can provide you with more information about how to inform your data subjects about this right.

Implications for research

This right is not applicable to research projects that use consent as a legal ground.

Do you want to process personal data on the basis of a different ground than consent? Please contact the P&S coordinator of your faculty. They can provide you with more information about how to inform your data subjects about this right.

Right to not be subject to automated decision making

Right to not be subject to automated decision-making

GDPR article	Summary
Article 22	Right to not be subject to a decision based solely on automated processing.

Implications for research
This right applies to automated decision-making that would affect someone's personal life (e.g. whether a person will get a loan based on a decision-making algorithm). This almost never applies to research. Are you using automated decision-making that might impact someone's personal life? A Data Protection Impact Assessment (DPIA) is mandatory. Please contact the DCC for advice.

Implications for research

This right applies to automated decision-making that would affect someone's personal life (e.g. whether a person will get a loan based on a decision-making algorithm). This almost never applies to research.

Are you using automated decision-making that might impact someone's personal life? A Data Protection Impact Assessment (DPIA) is mandatory.

Please contact the DCC for advice.

Right to data portability

GDPR article	Summary
Article 20	Right to obtain personal data from a data controller in a format that makes it easier to reuse the information in another context.

Implications for research
Similar to requests for access, requests to obtain personal data in a format that makes it easy to be used by another controller (e.g. other research institute) can be granted if it is still possible to identify specific individuals in your dataset.

How can data subjects exercise their rights?

It is important to realize that your data subjects may exercise their rights. Any questions, complaints or objections involving the rights of data subjects who take part or have participated in scientific research conducted by staff of the University of Groningen should be addressed to the privacy officers of the legal department of the University of Groningen through privacy rug.nl. This information will always be shared with the Data Protection Officer (DPO) of the University of Groningen.

Last modified:

05 February 2024 1.45 p.m.