Digital Competence Centre, part of University of Groningen

Essential concepts

Essential concepts related to the processing of personal data

The GDPR focuses on the protection of personal data and attempts to prevent undesired consequences for the data subjects while granting them specific rights, which impacts research practices. Understanding the essential concepts related to the processing of personal data is crucial for conducting GDPR-compliant research.

If any institution, organisation, or individual within the EU is involved in your research, your study needs to follow the GDPR.

Natural person


A natural person is a living individual. In general, data about companies and data related to deceased persons are not considered personal data under the GDPR. Nevertheless, data about deceased individuals still needs to be treated confidentially as the data may indirectly provide information about living natural persons, such as family members. An example would be medical data revealing information about hereditary diseases.

Personal data


“Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which, collected together, can lead to the identification of a particular person, also constitute personal data.” (European Commission). 

Direct identifiers

Direct identifiers are data that make it easy to identify an individual, such as name, e-mail address, phone number, home address or IP address.

Indirect identifiers

Indirect identifiers (or: quasi-identifiers) are data that do not directly identify an individual, but could, in combination with other identifiers, be unique to an individual and can therefore lead to identification. For example: Women from Groningen who drive a McLaren car. Combined, the identifiers in this description could possibly single out an individual and are, therefore, examples of indirect identifiers.

Examples of indirect identifiers are: 

  • Demographics (date of birth, gender, job occupation, etc.)
  • Social media photos
  • Location
  • Any other background information about a specific person.

Special categories of personal data


Some personal data are sensitive by nature and therefore require extra protection because their exposure could potentially bring undesired consequences for the subject. Examples of sensitive data are provided in, but not limited to, the list of special categories of personal data, as defined in the GDPR (GDPR art. 9(1)):

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data for the purpose of uniquely identifying a natural person
  • A person's health
  • A person's sex life or sexual orientation

Using special categories of data in research

Processing of special categories of personal data is forbidden without explicit consent from the data subject, except if the processing of these data falls under specific exceptions defined in the GDPR. In the context of research, the GDPR allows for the processing of special categories of personal data when it is demonstrated that:

  • It is necessary for the research purpose.
  • The processing is proportionate to the aim pursued.
  • The essence of the right to data protection is respected (compliance with the GDPR).
  • The data controller provides suitable and specific measures to safeguard the fundamental rights and interests of the data subjects (e.g. de-identification and encryption).

Processing


The GDPR often refers to the ‘processing’ of personal data. In the GDPR, the term is described in Article 4(2) as follows:

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Legal ground


Researchers are 'allowed' to process personal data under certain conditions. Before you start with your research project, you need to make sure that there is a legal basis for the processing of personal data in your research project. In total, there are six legal grounds on which organizations can lawfully process personal data. Researchers of the University of Groningen can make use of two of these legal grounds in their research:

  • Consent: Consent is the default legal basis for research. 'The data subject has given consent to the processing of his or her personal data for one or more specific purposes'. You can find more information on how you should ask for consent from your data subjects in the Informed Consent section of our website.
  • Public interest: Sometimes, it might not be feasible to ask for consent from your data subjects (e.g. social media research), or it would severely harm your research project (e.g. covert research). Then it is sometimes allowed to use the legal ground of public interest. Contact the P&S coordinator of your faculty if you would like to use this legal basis in your research.

Data protection principles

The GDPR is based on 6 basic principles that organizations and researchers should follow when they are processing personal data:

1. Lawfulness, fairness and transparency


  • Lawfulness: Ensure that you have a legal basis to collect, process and share personal data.
  • Fairness: Processing personal data should be in the interest of the data subjects and should be something they can reasonably expect.
  • Transparency: Let all involved parties (including data subjects) know which data are processed, for which purpose, for how long, who will have access to them, and how they will be protected.

2. Purpose limitation


Be clear about what personal data you will be collecting, processing and sharing, for which purpose and for how long. The data should not be processed further by you or other researchers in a manner that is incompatible with this purpose. Archiving for research purposes is not considered incompatible with initial purposes (art. 89 (1)).

3. Data minimization


Make sure you do not process any more personal data than what is required for the project.

4. Data quality


Take measures to ensure that the personal data are accurate, up-to-date, and complete.

5. Storage limitation


Only keep personal data for as long as it is necessary for the purpose of your research project. Consider de-identifying or deleting the data as soon as possible. Keep in mind that you should not delete data that are necessary for verification of your research.

6. Confidentiality and integrity


Make sure personal data are adequately protected against unauthorised access, unlawful processing, and destruction, loss or damage of the data. 

  • For data protection measures that you can apply to your research, refer to the data protection section of this website.

Last modified: 07 November 2025 3.14 p.m.