Essential concepts

Essential concepts related to the processing of personal data

The GDPR focuses on the protection of personal data and attempts to prevent undesired consequences for the data subjects while granting them specific rights, which impacts research practices. Understanding the essential concepts related to the processing of personal data is crucial for conducting GDPR-compliant research.

Natural person

A natural person is a living individual. In general, data about companies and data related to deceased persons are not considered personal data under the GDPR. Nevertheless, data about deceased individuals still needs to be treated confidentially as the data may indirectly provide information about living natural persons, such as family members. An example would be medical data revealing information about hereditary diseases.

Personal data

“Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.” (European Commission).

Direct identifiers

Direct identifiers are data that make it easy to identify an individual, such as name, e-mail address, phone number, home address, or IP address.

Indirect identifiers

Indirect identifiers (or: quasi-identifiers) are data that do not directly identify an individual, but could, in combination with other identifiers, be unique to an individual and can therefore lead to identification. For example: Women from Groningen who drive a McLaren car. Combined, the bold identifiers could possibly single out an individual and are, therefore, examples of indirect identifiers.

Examples of indirect identifiers are:

Demographics (date of birth, gender, job occupation, etc.)
Social media photos
Location
Any other background information about a specific person.

Special categories of personal data

Some personal data are sensitive by nature and therefore require extra protection because its exposure could potentially bring undesired consequences for the subject. Examples of sensitive data are provided in, but not limited to, the list of special categories of personal data, as defined in the GDPR (GDPR art. 9(1)):

Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data for the purpose of uniquely identifying a natural person
A person's health
A person's sex life or sexual orientation

Using special categories of data in research

Processing of special categories of personal data is forbidden without explicit consent from the data subject, except if the processing of these data falls under specific exceptions defined in the GDPR. In the context of research, the GDPR allows for the processing of special categories of personal data when it is demonstrated that:

It is necessary for the research purpose;
the processing is proportionate to the aim pursued;
the essence of the right to data protection is respected (compliance with the GDPR);
and the data controller provides suitable and specific measures to safeguard the fundamental rights and interests of the data subjects (e.g. de-identification and encryption).

Processing

The GDPR often refers to the ‘processing’ of personal data. In the GDPR, the term is described in Article 4(2) as follows:

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Legal ground

Researchers are 'allowed' to process personal data under certain conditions. Before you start with your research project, you need to make sure that there is a legal basis for the processing of personal data in your research project. In total, there are six legal grounds on which organizations can lawfully process personal data. Researchers of the University of Groningen can make use of two of these legal grounds in their research:

Consent: Consent is the default legal basis for research. 'The data subject has given consent to the processing of his or her personal data for one or more specific purposes'; You can find more information on how you should ask for consent from your data subjects in the Informed Consent section of our website.
Public interest: Sometimes, it might not be feasible to ask for consent from your data subjects (e.g. social media research), or it would severely harm your research project (e.g. covert research). Then it is sometimes allowed to use the legal grounds of public interest. Contact the P&S coordinator of your faculty if you would like to use this legal basis in your research.

Definitions in the GDPR

Data protection principles

Researchers who process personal data at the University of Groningen must follow eight principles:

Purpose specification: be clear on what personal data you will be using, for which purpose, and for how long.
Transparency: let all involved parties know which data are processed, for which purpose, for how long, who will have access to them, and how they will be protected.
Rights of the data subjects : inform data subjects about their rights.
Data minimization: make sure you do not process any more personal data than what is required for the project.
Data quality: take measures to ensure that the personal data are accurate, up-to-date, and complete.
Storage limitation: make sure that only authorized people can access personal data. Revoke access privileges as soon as they are obsolete.
Security measures: make sure personal data are adequately protected. Use techniques such as encryption, anonymization, and pseudonymization. Consult the DCC and the UG research data policy of the University of Groningen.
Accountability: make sure that responsibilities are clear. Roles, tasks, and authorizations have to be assigned.

Last modified:

09 October 2023 2.48 p.m.