Informing Research Participants about the Processing of Their Personal Data
Informing research participants about the processing of their personal data is a crucial part of the transparency principle laid down in the General Data Protection Regulation of the European Union (GDPR). Based on the provided information, the participants must understand how their personal data are being collected, used, stored, disseminated or otherwise made available, or otherwise processed. The significance of forward planning is emphasised in the processing of personal data. Informing research participants can be challenging without thorough consideration of all phases of the research and the applicable regulatory framework before starting research. On the other hand, if personal data processing has been planned thoroughly and systematically in advance, informing participants becomes much more straightforward.
The rules of informing research participants about the processing of their personal data depends on whether personal data are collected from the participant or from some source other than the participant. When planning the provision of information to research participants regarding the processing of their personal data, you should divide the personal data streams into these two categories. This affects the timing of providing the information and partly also the content. Practical differences are described in the paragraphs concerning the timing and content of providing the information.
- Personal data are collected from the research participant when the research participant consciously provides his/her own personal data to the researchers. Usual situations where this applies are when the participant is interviewed or when they fill out a questionnaire. In addition, personal data are received directly from the research participant when data are collected for scientific purposes by observation of the participant, for instance, by audio/video recording a performance or social interaction carried out by the participant.
- Personal data are not obtained from the research participant if the data are received from a source other than the research participant, such as other data controllers, publicly available sources, or other data subjects. Typical situations where this applies are when research data are combined with register data, or when research data are enriched with personal data received from another data controller in a large research project.
Sometimes personal data belonging to both of the above categories are part of the same research project. Example: Contact details of people belonging to the target group of a study are obtained from a third party (organisation, company, association, agency or other equivalent actor). These personal data (i.e. contact details) are not obtained from research participants . Once researchers proceed to interview data subjects, the data gathered in the process are collected from the research participants . In this example, instructions regarding both of the above situations apply.
If the intention is to disclose, disseminate or otherwise make available personal data to another data controller (e.g. a research partner) or to a processor (e.g. a party that carries out data collection and/or combines data to register data, or a company providing transcription services), read carefully the section on recipients or categories of recipients of personal data .
Informing research participants about the processing of their personal data always includes special situations that require more in-depth consideration and cannot be properly taken into consideration in these guidelines. Special situations may be caused by, for instance, any required changes or additions to the information provided to participants. These amendments may be required when there are changes during research that affect the processing of personal data. To recognise these situations, please read the sections relating to content of the information and exceptions to the obligation to provide information .
Other special situations include research concerning children or other persons belonging to vulnerable groups. Additionally, to fulfil the principle of transparency, it may be appropriate in some situations to provide research participants with more detailed information, although it is not explicitly required in the provisions regarding the provided information. This information may concern, for example, risks and safeguards related to personal data processing. If necessary, you can contact the data protection officer in your organisation for more detailed advice.
A general condition for the processing of personal data is that the information regarding the processing is provided to research participants in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The understandability of the information and the transparency of personal data processing are to be considered from the research participant's perspective in particular. When informing research participants about personal data processing, complex phrases, specialised jargon and ambiguous wordings should be avoided whenever possible. The information concerning personal data processing should be kept, if possible, separate from other information. A central prerequisite is that research participants should have access to all parts of the information without having to search for information on their own. In principle, research participants should be provided with the information in writing or electronically unless they ask to receive the information orally.
The required conciseness, clarity and scope of the information can be reconciled by applying a layered approach to providing the information. The main principle is that research participants must be provided with all information required by the GDPR concerning the processing of their personal data. A layered approach means that the information regarding personal data processing is divided into layers based on the importance of the information.
The first layer (e.g. research information sheet) contains the most essential information with regard to your research:
- purpose(s) for which personal data are processed, i.e. research
- identity of the data controller
- rights of research participants
- unexpected impacts of personal data processing.
Aspects or impacts connected to the processing of research participants' personal data that they could find unexpected or surprising include, for instance, limitations based on national legislation to data subjects' rights, or transfers of personal data to a research partner outside the EU/EEA.
Subsequent layers can provide more detailed information about the processing of research participants' personal data in the research. For example, a link to a detailed privacy notice on the website of the research project can be included in the research information sheet given to the research participant. In qualitative research, a detailed privacy notice can be given to research participants as a separate appendix in addition to the information sheet and consent form.
Research participants must always be given a real possibility to acquaint themselves with the layers that provide more detailed information. The data controller is also accountable for informing research participants in the extent required by the GDPR. The written or electronic privacy notice provided to research participants must include all of the information required by the GDPR in a concise form. However, providing research participants with a privacy notice does not indicate that they have understood all the information they have received. The content of the information regarding personal data processing (written and oral) as well as how and when the information is provided must be justified and documented to demonstrate compliance with the data controller's accountability requirements.
Technical and audiovisual solutions can also be used in informing research participants. Additional information can be given by providing a link to a website or other material introducing the study. A short video presentation may also be a practical way of giving a general introduction to a study for younger research participants.
The timing of informing participants about the processing of their personal data depends on whether the data are collected from the research participant or from some other source. When personal data are collected from research participants, rules on the timing of providing the information are straightforward. When personal data are not received from research participants, more detailed rules apply. If personal data are received from a source other than the research participant, see also the section on exceptions to the obligation to provide information .
- When personal data are collected from research participants , information on the processing of their personal data must be provided at the time of collecting/obtaining the data. The information may be provided, for instance, at the beginning of an interview or questionnaire.
When personal data are received
from a source other than the research participant
, research participants must be informed about the processing of their personal data within a reasonable period of time, however
no later than one month
counting from the point when the personal data are received. The time limit may be shorter depending on specific circumstances relating to processing.
When personal data are received from a source other than the data subjects, there are two situations in which information must be provided to research participants on the processing of their personal data earlier than within a month: Firstly, the information must be provided to research participants immediately when they are first contacted. Even if contacting a research participant regarding the research has been planned for later (for instance, to arrange an interview), the participant must in any case be informed about personal data processing within one month counting from the point when the researcher first receives personal data. Secondly, if personal data are meant to be disclosed to another recipient, research participants must be informed before the end of the time limit. In this case, research participants must also be informed at the latest when the data are disclosed to a recipient for the first time.
In view of the above, it is best to carefully consider the timing of sampling or otherwise obtaining contact details for potential participants. If contact details are to be obtained from a third party, the researcher/research team should plan the timing for obtaining personal data so that it is possible to comply with the time limit of one month for informing data subjects. In spite of the fact that the time limit allows for one month, the recommended interpretation has been that the data controller informs research participants well before the end of the time limit, in accordance with the principle of fairness.Skip table
4.1. Identity and contact information of the data controller
Research participants shall be provided with information on the identity and contact details of the data controller. That is why the roles and responsibilities connected to personal data processing must be determined well before starting the research. Determining the data controller correctly and informing research participants of the identity of the data controller are some of the most essential elements of responsible and transparent processing of personal data.
To comply with the requirement of providing this information, two factors need to be taken into consideration. Firstly, data controllers must be unequivocally identifiable by the research participant. It is often difficult for outsiders to deduce who the data controller is if multiple persons and organisations are mentioned in the information provided to research participants. In addition, conducting the research in the premises of a company or public agency, for instance, may give research participants a false impression on the controller of the personal data processed in the research.
Secondly, sufficient contact details shall be provided on the data controller(s). If possible, research participants should be provided with multiple ways of contacting the data controller, for instance, a telephone number, email address and postal address. When choosing the contact details to be provided, one should consider their permanence and the possibility of reaching the data controller through them. As data subjects, research participants should be able to exercise their rights efficiently without delays caused by insufficient contact information.
A simple solution to the mentioned requirements is to include the following information in the participant information sheet:
Data controller: Organisation, postal address
Contact details: [telephone number], [email address]
If the research is conducted by joint controllers, key information on the arrangement between the controllers must be made available to research participants.
Researchers should be prepared to answer research participants' questions regarding what 'data controller' means. An example of a short answer in plain language could be: The data controller is responsible for the appropriate and lawful processing of the personal data in the research. This can also be included directly in the information provided to participants.
4.2. Contact details of the data protection officer
If the data controller has appointed a data protection officer, research participants must be provided with the data protection officer's contact details. Appointing a data protection officer may be based on the GDPR or other statute, or it can be voluntary for the organisation.
Contact details for the data protection officer must be provided in such a way that research participants can easily contact the officer. Appropriate contact details include, for instance, a postal address as well as a telephone number and/or email address specifically assigned to the data protection officer. If it is possible to contact the data protection officer, for instance, through a contact form, research participants can be informed about it. Find out the recommended way of providing the contact details for the data protection officer in your organisation.
A central criterion in evaluating the sufficiency of the contact information provided to research participants is whether it is possible to contact the data protection officer directly without having to contact the data controller. Indicating the data protection officer's name has not been deemed necessary, but in some cases it may be a good practice. One should take into consideration the employee turnover at the organisation when naming the data protection officer. The essential thing, however, is that research participants have a direct way of contacting the data protection officer based on the information that they are given.
4.3. Legal basis for processing personal data
Processing personal data in research must always have a legal basis, and research participants shall be informed of the basis on which their personal data are processed. The legal basis chosen for personal data processing also affects the information that is provided to research participants. The legal basis defines which rights research participants can exercise pertaining to their personal data.
When planning and implementing the provision of information to research participants, two different legal bases for processing personal data have to be considered.
- A legal basis for processing personal data refers to one of the legal grounds listed in article 6, section 1 of the GDPR. This basis is always required when personal data are processed.
- A legal basis for processing special categories of personal data refers to one of the legal grounds listed in article 9, section 2 of the GDPR, which allow for the processing of special categories of personal data. This basis is required in addition to the general legal basis when the special categories of personal data, referred to in article 9, section 1 of the GDPR, are processed.
The data controller is responsible for choosing the suitable legal basis for processing personal data in the research. Only one legal basis should be chosen for each purpose for processing personal data. Estimate carefully which legal basis for processing personal data applies to your research and follow the criteria laid out for its use. You can, for example, contact the data protection officer in your organisation for help with choosing the correct legal basis.
Consent of the research participant.
Consent shall be a freely given, specific, informed and unambigous indication of the research participant's wishes,
by which he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal
data relating to him or her. Some further conditions apply for using consent as the legal basis for processing personal data,
and it - as well as other legal bases for processing personal data - should be based on appropriate discretion.
on the preconditions of consent
is available on the website of the Data Protection Ombudsman.
In connection with scientific research, one should note that consent to participate in research is not consenting to personal data processing .
- Compliance with a legal obligation to which the data controller is subject. In some cases, conducting research is part of complying with the data controller's statutory obligations. Using this legal basis for personal data processing requires that basis for processing is laid down in national legislation.
- Processing of personal data is necessary for the performance of a task carried out in the public interest. Using this legal basis for personal data processing requires that it is laid down in national legislation. The Finnish Data Protection Act provides a basis for the processing of personal data when it is necessary for scientific or historical research or for statistical purposes and it is proportionate to the pursued objective in the public interest (Data Protection Act, section 4, paragraph 3).
- Legitimate interests pursued by the data controller. Processing personal data for scientific research can in some cases rely on the legitimate interests of the data controller or a third party as the legal basis. This legal basis for processing personal data does not apply to processing carried out by public authorities in the performance of their tasks. In addition, this legal basis shall not override the interests or fundamental rights and freedoms which require the protection of personal data of research participants. A so-called balancing test can be used in evaluating the legitimacy of the interest of the data controller. Choosing this legal basis for processing personal data requires particularly careful consideration when the data subject is a child. General information regarding the legitimate interests of the controller can be found on the website of the Data Protection Ombudsman.
Special categories of personal data refer to such personal data that reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, data concerning health, or sexual life or orientation. These special categories also include genetic and biometric data for identifying a natural person.
Such personal data should not be processed at all, unless processing is allowed in specific cases set out in the GDPR or in Finnish legislation. The following is a list of specific cases commonly used in scientific research.
- Research participant's explicit consent. The difference here to the consent used as a general legal basis for processing personal data is that, in addition to the general requirements for valid consent, the consent has to be explicit.
- Processing is necessary for scientific research purposes in the public interest. This exemption requires a basis in either EU law or national legislation. According to section 6, subsection 1, paragraph 7 of the Finnish Data Protection Act, the special categories of personal data can be processed for scientific or historical research or statistical purposes.
As part of the information provided to research participants, they shall be informed about the legal basis on which the processing of their personal data is based. The provision of information shall include a general legal basis for processing personal data, and, if special categories of personal data are processed in the research, the specific case relied on for processing the special categories of personal data shall also be indicated. A solution could be to add a paragraph of the following type as part of the information:
The processing of your personal data is necessary for scientific research purposes in the public interest based on section 4, paragraph 3 of the Data Protection Act (1050/2018). Special categories of personal data are processed for scientific purposes in accordance with section 6, subsection 1, paragraph 7 of the Data Protection Act.
Specific rules apply to some legal bases for processing personal data. The first is related to the controller's legitimate interest .
- When using the data controller's or a third party's legitimate interest as a legal basis for processing personal data, research participants shall be informed of the legitimate interest in question.
- Additionally, it is a good practice to inform them about the balancing test related to the data subject's legitimate interest. The layered approach can be used to inform research participants about the balancing test. If the information is not directly provided to research participants, they can be told that they have the possibility to receive information regarding the test, should they want to have it.
Another special rule regarding the information provided to research participants relates to consent .
- If the legal basis for processing personal data is consent, or if the processing of personal data belonging to the special categories is based on explicit consent, research participants must be informed about their right to withdraw their consent at any time. In addition, research participants must be informed that their withdrawal of consent will not affect the lawfulness of the processing of personal data conducted before the withdrawal.
- The information on the possibility to withdraw consent must be provided to research participants before they consent to the processing of their personal data.
4.4. Purpose for processing personal data
Personal data shall only be collected for a specific, explicit and legitimate purpose(s). The purpose specified for personal data processing must be included in the information provided to research participants. In many cases, it is sufficient to inform participants that their personal data are processed for the purposes of a single, specified study.
The relevant thing is to take care that the specified purpose given covers personal data processing in the extent required. Further information on the objective and subject of the study may be given with other information material provided to participants.
4.5. Recipients or categories of recipients of personal data
Research participants must be informed about disclosure of their personal data to recipients. Third parties in particular are defined as recipients of personal data. Third parties include, for instance, all natural persons not part of the research team, legal persons, authorities, public agencies and other bodies. In addition to these, recipients include data controllers, joint controllers and processors of personal data. For example, research partners to whom data are disclosed shall be defined as recipients.
One should note that 'processor' is a special role governed by data protection legislation. For instance, if a person employed by the data controller transcribes the data, he/she is not a processor. If, however, an outside company is commissioned to transcribe the data, the company is considered a processor, of which research participants shall be informed.
When planning research, data flows related to personal data should be charted as early as possible, before data collection and provision of information to participants.
As a principle, data subjects are provided with the names of recipients. In the case that recipients cannot be named, it is possible to provide the category/categories of recipients. In order to demonstrate their accountability, data controllers must be able to provide justification for the decision to use the categories instead of named recipients.
If the data controller provides information to research participants only on the categories of recipients, the categories can be defined with the following criteria:
- type of recipient (e.g. reference to the activities of the recipient)
- sector / sub-sector
When research data are to be archived at the Finnish Social Science Data Archive (FSD), the archive acts as a processor of personal data. In this case, FSD is a recipient of personal data, and research participants shall be informed about this. See the section Informing research participants about archiving for more information.
4.6. Storage period of personal data
Research participants shall be informed about the storage period of their personal data primarily as an explicit period of time. If this is not possible, research participants can be informed about the criteria according to which the storage period is determined. Depending on the case, the period can be related to the provisions relevant to the data controller or, for example, codes of conduct.
When determining the storage period, one should note that research participants should be able to estimate the storage period of their personal data based on the information provided to them. Defining the storage period in a general way, i.e. that the personal data are stored for as long is needed to complete the purpose for processing , may not be sufficient. Consequently, determining that personal data are stored for the duration of the research project, without defining any further criteria for the storage period, should be avoided, if possible. Depending on the details of the research, separate storage periods may be needed for different categories of personal data. Additionally, if the research includes multiple purposes for processing personal data, it is appropriate to indicate separate storage periods for different purposes.
Providing information on the storage period of personal data is related to the GDPR principles of data minimisation and storage limitation. The data controller is also required to work in compliance with the principles of privacy by design and privacy by default, which are closely linked to data minimisation and storage limitation.
4.7. Categories of personal data and information on the source of personal data
In situations where personal data are received from a source other than the research participant, two additional requirements apply to providing information. Both situations are related to the fact that, contrary to the situation where personal data are collected from the research participant, the participant may not be aware of the content and source of the personal data collected from other sources.
The first additional information requirement concerns the categories of personal data collected. The granularity/specificity of the information provided on the different categories should be decided on a case-by-case basis. When determining the extent of the information, one should note that personal data processing must be transparent from the data subject's perspective. Depending on the case, categories of personal data may include, among others, income, address information, employment history, and educational background.
The other additional information requirement concerns the source of the personal data. If it is possible to name the source, it is appropriate to provide this information to participants. If not, information on the type of the source is provided. This includes, depending on the case, information whether the personal data were received from a publicly available source.
Information that can replace a named source includes the following:
- information on whether the source is publicly available or not
- organisation type
If it is not possible to inform research participants about a specific source because personal data have been collected from multiple sources, general information regarding the sources shall be provided. However, one should avoid situations where sources cannot be named explicitly. The requirements of privacy by design and privacy by default include defining the source of personal data in an appropriate manner.
4.8. Information on the right to lodge a complaint with a supervisory authority
Research participants have the right to lodge a complaint with a supervisory authority. Information on this right must be provided to participants. They should be provided with at least the following information:
You have the right to lodge a complaint with an authority supervising the processing of personal data if you have a suspicion that your personal data are processed in violation of data protection legislation.
Research participants can also be provided with more detailed information with regard to using this right, for example, by providing a link to the website of the Data Protection Ombudsman (tietosuoja.fi/en). In principle, the complaint is lodged with the supervisory authority either in the EU member state where the research participant's residence or workplace is located or where the alleged violation of the rules regarding personal data processing has taken place.
4.9. Rights of the data subject
Data subjects have certain rights pertaining to the processing of their personal data. The rights available depend on the legal basis for the processing. This means two things from the perspective of the information provided to research participants. Firstly, the rights that data subjects have relating to the legal basis for the processing of personal data must be charted. Secondly, scientific research may, in some specific cases, derogate from the research participants' rights. The provided information on the rights of the research participants has to be in line with the planned processing of personal data.
Below is a list of participant rights relating to typical legal bases for processing personal data in scientific research.
Consent of the research participant
- Right of access
- Right to rectification
- Right to erasure (the GDPR includes an exception to this pertaining to purposes of scientific research)
- Right to restriction of processing
- Right to data portability (only applies to automated processing of personal data)
Processing of personal data is necessary for the performance of a task carried out in the public interest (scientific research, Data Protection Act, section 4, paragraph 3)
- Right of access
- Right to rectification
- Right to restriction of processing
- Right to object processing of personal data
Legitimate interest pursued by the data controller
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to object processing of personal data
A special feature of scientific research is that it can derogate in some parts from the rights of data subjects, provided that the preconditions for derogation are met. It is important to note pertaining to the information provided to research participants that derogation from data subjects' rights is not automatic and requires careful consideration. To comply with the principle of transparency in the processing of personal data, research participants should be informed about this. If personal data are processed for the performance of a task carried out in the public interest in accordance with section 4, paragraph 3 of the Finnish Data Protection Act, the following information could be provided to research participants about their rights and the restriction of rights based on national legislation:
You have the right to access your personal data, to have inaccurate personal data rectified, to restrict the processing of your personal data, and to object to the processing of your personal data. In connection with scientific research, restriction of said rights is possible in accordance with national legislation.
If specific contact persons or practices are in place in your organisation for using these rights, you can consider informing research participants about this. In some situations, data subjects may ask what the different rights involve. Using the rights and the content of the rights involve several things to consider. The website of the Data Protection Ombudsman contains further information on data subjects' rights .
4.10. Information relating to the transfer of personal data to third countries
Research participants shall be provided with certain additional information if personal data are to be transferred outside of the EU/EEA to third countries or international organisations. In addition to compliance with other preconditions for the legality of the processing of personal data, transferring the personal data in these situations requires that the transfer has a legal basis referred to in chapter V of the GDPR. This also includes onward transfers of personal data from the receiving country or organisation to a third country or another international organisation.
In scientific research, the transfer may, for example, be based on an adequacy decision of the European Commission on the appropriate level of data protection in the country (article 45). The countries/territories with an adequacy decision currently include Andorra, Argentina, Canada (with limitations), the Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay. Other bases for the transfer can be transfers subject to appropriate safeguards (article 46), binding corporate rules (article 47), and derogations for specific situations (article 49). If the research includes transferring personal data to third countries or international organisations, it is recommended to contact the data protection officer or lawyer in your organisation to ensure the correct application of rules regarding transfers.
The Court of Justice has invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield in its judgement in the so called Schrems II case (C-311/18). The EDPB has adopted a ‘Frequently Asked Questions’ document on the judgement (on EDPB's website).
Information provided to research participants regarding transfers
The content of the information provided to research participants is determined by the mechanism used for the transfer. If personal data are transferred in the way mentioned above, the information provided to research participants must include
- information about the intended transfer of personal data to third countries or an international organisation
- information about the existence or non-existence of an adequacy decision on the appropriate level of data protection
- information about the transfer mechanism corresponding to the GDPR (and the relevant article)
- information about the content of the mechanism used, or where this information is available.
The information must be provided in a manner that is as meaningful as possible to research participants. It is a good practice to name the third countries to which the data are to be transferred. Depending on the case, the layered approach can be used in providing the information.
Adequacy decisions on the appropriate level of data protection already made can be found on the European Commission website. Different language versions in the official EU languages are available through the links to the adequacy decisions on the EUR-Lex website.
Example on informing research participants about transfers to third countries
A Finnish data controller participates in an international research project where personal data are transferred to Sweden, Germany and Israel. Pertaining to recipients and categories of recipients of personal data , the rules described earlier are applied. Additionally, rules regarding transfers to third countries apply to this situation. Because Sweden and Germany are part of the EU, no further information regarding transfers to these countries need to be provided to research participants. Israel is not an EU member state, but the European Commission has given an adequacy decision on the appropriate level of data protection concerning Israel. In this case, research participants could be informed about transfers to third countries in the following way:
Your personal data are transferred to Israel, which is not part of the European Union. The transfer is based on an adequacy decision given by the European Commission on the appropriate level of data protection (article 45 of the General Data Protection Regulation). Further information is available in the Commission's decision .
If the transfer of personal data to a third country or an international organisation is based on explicit consent in accordance with article 49 of the GDPR, research participants must be informed, prior to giving consent, that the transfers may pose a risk to them due to the lack of an adequacy decision and the lack of appropriate safeguards.
4.11. Information on the provision of personal data being a statutory or contractual requirement
In situations where personal data are collected from research participants, the participants must be informed if providing personal data is a statutory or contractual requirement or a requirement for concluding a contract. Research participants must also be informed about whether they are obliged to provide the data, along with the possible consequences of not providing the data.
This issue is important because of the generally voluntary nature of research. Informing data subjects about the obligation or voluntariness clarifies the situation in research conducted in, for instance, workplaces, public agencies and institutions. If providing personal data does not involve contractual or statutory requirements, and not providing the data does not have consequences for research participants, the information can be provided in the following way:
Providing personal data is not required on statutory or contractual grounds, or on the grounds of concluding a contract. Not providing the data does not have any consequences for you.
However, if providing the personal data is based on a statutory or contractual requirement, the information provided to research participants must specify the basis of the requirement applied, and the possible consequences of failure to provide the data.
4.12. Automated decision-making and profiling
Providing information related to automated decision-making and profiling has some additional requirements. Further information on definitions can be found on the website of the Data Protection Ombudsman. Detailed instructions are in the document Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 PDF .
If personal data are not used for automated decision-making or profiling in the research, research participants can be informed about this in the following way:
Your personal data are not used for automated decision-making or profiling.
The obligation to provide research participants with information regarding the processing of their personal data has some exceptions. In principle, however, one should refrain from derogating from providing information, unless the derogation is necessary. If you decide to derogate from providing certain information to research participants, it is important to ensure appropriate documenting and justification of these decisions in order to comply with the accountability requirements of the data controller. In uncertain situations, you should contact the data protection officer in your organisation.
When personal data are collected from research participants, derogation is possible insofar as research participants have already received the information. This includes, for example, situations where a research participant has already been in contact with the data controller at an earlier time. However, the data controller must be able to demonstrate how and when the research participant has received the information. Additionally, the data controller must be able to demonstrate that the information has not changed or become outdated. If the situation involves changes in the details of personal data processing, it may be appropriate, depending on the case, to provide all information again in addition to the changed information. In this case, the details that have changed in the provided information should be emphasised to research participants.
Situations where personal data are received from some other source than the research participant involve multiple exceptions for derogation. The situation mentioned above where the research participant has already received the information also applies to personal data received from a source other than the research participant. Other examples for derogation could be a situation where the provision of such information proves to be impossible or would involve a disproportionate effort, when the conditions and safeguards laid down in article 89 of the GDPR are applied, or a situation where the obligation to provide such information is likely to render impossible or seriously impair achieving the scientific objectives of the research. It is recommended to contact the data protection officer in your organisation if you want to apply a derogation, due to the careful consideration, documentation and safeguards needed for this.
The Office of the Data Protection Ombudsman, which is the Finnish authority supervising personal data processing, has taken the view that a data protection impact assessment (DPIA) shall be carried out in specific situations where these exceptions are applied to the obligation to provide information. Situations where an impact assessment is required include, but are not limited to, research where personal data are processed on a large scale, where the processing of personal data includes matching or combining datasets, where personal data of vulnerable individuals are processed, or where personal data are processed in the innovative use or application of new technological or organisational solutions. Further information on processing operations that require impact assessment is available on the website of the Data Protection Ombudsman.
When the plan is to archive the data at the Finnish Social Science Data Archive (FSD), the archive works as a processor of personal data. In this case, FSD is a recipient of personal data, and research participants shall be informed about this. For the transfer of data, the researcher and FSD will enter into an agreement on the terms and conditions regarding personal data processing. Regardless of whether the researcher considers all personal data to have been removed from the research data, the agreement is nevertheless always made in case that the data still contain, for instance, indirect identifiers that may enable identifying research participants.
Archiving should be mentioned in the privacy notice, for instance in the following way:
After the research has been completed, the research data are deposited at the Finnish Social Science Data Archive, which acts as a processor of personal data. The Archive reviews the anonymisation carried out by the researcher, removes any further identifying information if necessary, and processes the data to be suitable for long-term preservation and reuse.
Information on archiving should be written into the section of the privacy notice that provides information on the recipients of personal data. This information may be under different headings in templates of different research organisations (for example: Disclosure of data outside the research team / Transfers and disclosures / Recipients and categories of recipients of personal data / Disclosure of personal data / Disclosure of data from research registries)
Information on archiving the data at FSD may also be written into the section of the privacy notice that provides information on the processing of personal data after the research project has ended or information on the storage period of the data or personal data. The researcher should record FSD as the place where the data are archived and stored. The storage time should be recorded as Permanent and the form as Anonymous, i.e. without personal data.
In some cases, archived data can contain personal data. Data collected from newspapers and periodicals can be archived with personal data. The same applies to data where the research publications based on it contain personal data (for instance, expert and artist interviews and data under copyright). However, any unnecessary personal data should be removed from interview and textual data that are archived with participant names (minimisation).
When qualitative data are collected for a study, research participants are informed in the information sheet or in other information provided for them about the subsequent removal of personal data, and their consent for archiving is asked separately (for example, in connection with consent for participation):
Consent for archiving interview/text at Finnish Social Science Data Archive
▢ I consent to the archiving of my interview/text at the Finnish Social Science Data Archive for reuse in research, study and teaching.
▢ I do not consent to the archiving of my interview/text at the Finnish Social Science Data Archive.
If you want to restrict the reuse of the archived data to research only, the first option in the consent for archiving form outlined above should read as follows: "I consent to the archiving of my interview/text at the Finnish Social Science Data Archive for reuse in research or scientific theses including dissertations and master's theses."
At FSD, we strive to ensure data security in reuse of research data and to prevent the risk of disclosure of research participants' personal data. Our User Services review the anonymity of each archived dataset. See FSD's Guidelines for depositing data for more information.
If you are planning to collect data that are not intended to be anonymised and you wish to archive them at FSD, please contact FSD User Services before commencing your research (asiakaspalvelu.fsd ( at ) tuni.fi, +358 29 452 0411).
The Finnish National Board on Research Integrity (TENK) has issued the Ethical principles of research with human participants and ethical review in the human sciences in Finland guidelines, which should be followed when the research involves human participants. According to the guidelines, the fundamental starting point of research involving human participants is the participants' trust in researchers and science. To retain the trust, the human dignity and rights of individuals participating in research should be respected.
Every time a research participant interacts with the researcher, an informed and ethical consent to participate in research is required. Interaction takes place between a participant and the researcher in interviews, in participant observations or in research where the participant is asked to fill out a questionnaire, write texts, or disclose personal data. Interaction also takes place when the researcher requests permission to use data that concerns the participant and in other kinds of participation.
Participants can give an informed and ethical consent to participate in research only if they have received sufficient information on the research. For the consent to be ethically valid, the researcher should protect the participant's ethical rights in addition to the rights detailed in the GDPR.
For the participant to give their consent to participate in research, they should receive information on
- the researcher and content of the research
- the processing of personal data, and
- how the research will be conducted in practice and what participation in the research means for the participant.
An ethically valid consent to participate in research ensures the participant's
- right to participate voluntarily but also to refuse to participate
- right to discontinue their participation temporarily without suffering any negative consequences
- right to withdraw their consent to participate in the research
- right to receive an understandable and truthful view of the aims of the research and any potential harm and risks
- right to be aware that they are participating in research, especially in situations in which the researcher has a role other than that of a researcher in relation to the participant (for example, the participant's superior, teacher, colleague, social worker etc.)
An informed and ethical consent to participate in research can be requested in writing or orally, or the ethical consent can be given by otherwise implying active consent. For example, an interview participant can give either a written consent with their signature or an oral consent. If oral consent is given, it should be recorded. Otherwise implying active consent refers to, for example, filling out a questionnaire and returning it to the researchers or replying to a request to write a text for research purposes.
Make sure to check whether your organisation or its ethics committee has templates for requesting ethical consent to participate in research. At its simplest, a written consent to participate in an interview can, for example, be of the following type:
Consent to participate in an interview in research X
I have received information on the content of the research and its aims, how the interview will be conducted in practice, and the topics which the interview covers. I have been given the chance to ask additional questions about the research.
have received information on the processing of personal data in the research. I have been promised that my personal data will be processed carefully and according to data safety guidelines, and that they will not be disclosed to outsiders.
I am aware that my participation in the interview is voluntary. If I want to, I can leave some questions unanswered, and I can discontinue the interview or withdraw my consent to participate in the research.
Location and date
I consent to the interview
Recipient of the consent
Consent for archiving
▢ I consent to the archiving of my interview at the Finnish Social Science Data Archive for reuse in research, study and teaching.
▢ I do not consent to the archiving of my interview at the Finnish Social Science Data Archive.
If you want to restrict the reuse of the archived data to research only, the first option in the consent for archiving form outlined above should read as follows: "I consent to the archiving of my interview/text at the Finnish Social Science Data Archive for reuse in research or scientific theses including dissertations and master's theses."
The privacy notice and other information provided to research participants should include the details related to the consent for archiving (e.g. concerning anonymisation).
Discontinuing participation and the use of already gathered data
Discontinuing participation in the research is not synonymous with withdrawing consent to participate. When the participant expresses that they do not want to continue or participate in the research, it should be made clear with the participant whether they mean to discontinue participation or withdraw consent to participate.
Discontinuing participation refers to the participant's right to withdraw from the research or an individual phase of the research permanently or for a temporary period. It is usual in longitudinal studies that every participant cannot or does not want to, for some reason or other, participate in each phase of the study. In ethnographic research the participation of research participants can also vary from actively participating to not participating at all. Discontinuing participation in the research does not prevent the use of research data that have already been gathered.
Withdrawing consent to participate and the use of already gathered data
Withdrawing ethical consent to participate in the research is always possible. If the participant withdraws their consent to participate before any actual research data have been gathered, the researcher must remove any personal data concerning the participant who withdrew their consent. In other words, the researcher erases all contact information and possible correspondence about participation in the research that concerns the participant who withdrew their consent.
If research data have already been gathered, the use of the data of the participant who withdrew their ethical consent to participate in the research depends on the chosen legal basis for processing personal data:
Consent of the research participant as legal basis for processing personal data does not enable the processing of the personal data of a participant who withdrew their consent to participate, which means that the research data can be included in the research only if anonymous. If the participant's personal data has not been removed from the research data, any data that relates to the participant must be removed. However, it is good to remember that any processing of personal data that has taken place prior to the point when the participant withdrew their consent to participate has been legal on the basis of the consent of the participant. If, for example, a doctoral thesis has already been submitted for preliminary examination, it is possible to conclude that the thesis has been legally completed on the basis of the consent of the research participants. In unclear situations it is always best to assess the consequences of a participant withdrawing consent to participate with the lawyer of your organisation.
Other legal bases for processing personal data (for example, research carried out in the public interest or legitimate interests pursued by the data controller) enable the application of the restriction in Article 17 in the GDPR: the right to erasure does not apply when the personal data are processed for scientific or historical research purposes in accordance with Article 89 (1), in so far as the right to erasure is likely to render the processing impossible or seriously impair the achievement of the objectives of that processing . According to Article 89 (1), the appropriate safeguards for processing personal data are technical and organisational data safety measures, and data minimisation. The safety measures may also include pseudonymisation or anonymisation.
The participant's ethical consent to participate in the research is a safety measure irrespective of the legal basis for processing personal data. The EU's Data Protection Directive (95/46/EC) did not include an explicit mention of ethical principles. However, the recognised ethical standards for scientific research are explicitly mentioned in the General Data Protection Regulation (2016/679) in recital 33. Nearly all Finnish universities, higher education institutions and research institutions are committed to the guidelines issued by the Finnish National Board on Research Integrity (TENK) in 2019.