Informing Research Participants about the Processing of Their Personal Data

1. General Anchor link icon

Informing research participants about the processing of their personal data is a crucial part of the transparency principle laid down in the General Data Protection Regulation of the European Union (GDPR). Based on the provided information, the participants must understand how their personal data are being collected, used, stored, disseminated or otherwise made available, or otherwise processed. The significance of forward planning is emphasised in the processing of personal data. Planning is also one of the key principles included in the guidelines (Opens in a new tab) of the Finnish National Board on Research Integrity on the ethical principles of research with human participants and ethical review in the human sciences. Informing research participants can be challenging without thorough consideration of all phases of the research and the applicable regulatory framework before starting research. On the other hand, if personal data processing has been planned thoroughly and systematically in advance, informing participants becomes much more straightforward.

The rules of informing research participants about the processing of their personal data depends on whether personal data are collected from the participant or from some source other than the participant. When planning the provision of information to research participants regarding the processing of their personal data, you should divide the personal data streams into these two categories. This affects the timing of providing the information and partly also the content. Practical differences are described in the paragraphs concerning the timing and content of providing the information.

  • Personal data are collected from the research participant when the research participant consciously provides his/her own personal data to the researchers. Usual situations where this applies are when the participant is interviewed or when they fill out a questionnaire. In addition, personal data are received directly from the research participant when data are collected for scientific purposes by observation of the participant, for instance, by audio/video recording a performance or social interaction carried out by the participant.
  • Personal data are not obtained from the research participant if the data are received from a source other than the research participant, such as other data controllers, publicly available sources, or other data subjects. Typical situations where this applies are when research data are combined with register data, or when research data are enriched with personal data received from another data controller in a large research project. Personal data collected from social media and elsewhere online are also often included in this category.

Sometimes personal data belonging to both of the above categories are part of the same research project. Example: Contact details of people belonging to the target group of a study are obtained from a third party (organisation, company, association, agency or other equivalent actor). These personal data (i.e. contact details) are not obtained from research participants . Once researchers proceed to interview data subjects, the data gathered in the process are collected from the research participants. In this example, rules and instructions regarding both of the above situations apply.

If the intention is to disclose, disseminate or otherwise make available personal data to another data controller (e.g. a research partner) or to a processor (e.g. a party that carries out data collection and/or combines data to register data, or a company providing transcription services), read carefully the section on recipients or categories of recipients of personal data .

Informing research participants about the processing of their personal data occasionally includes special situations that require more in-depth consideration and cannot be properly taken into consideration in these guidelines. Special situations may be caused by, for instance, any required changes or additions to the information provided to participants. These amendments may be required when there are changes during research that affect the processing of personal data. To recognise these situations, please read the sections relating to content of the information and exceptions to the obligation to provide information .

Other special situations include research concerning children or other persons belonging to vulnerable groups. Additionally, to fulfil the principle of transparency, it may be appropriate in some situations to provide research participants with more detailed information, although it is not explicitly required in the provisions regarding the provided information. This information may concern, for example, risks and safeguards related to personal data processing. If necessary, you can contact the data protection officer in your organisation for more detailed advice.

2. Clarity requirements and form of the information Anchor link icon

A general condition for the processing of personal data is that the information regarding the processing is provided to research participants in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The understandability of the information and the transparency of personal data processing are to be considered from the research participant's perspective in particular. If the researchers themselves have trouble understanding the information provided on personal data processing, the participants are not likely to understand the information either.

When informing research participants about personal data processing, complex phrases, specialised jargon and ambiguous wordings should be avoided. In principle, research participants should be provided with the information in writing or electronically unless they ask to receive the information orally. When informing children about personal data processing, using other mediums, such as comics and animations, may also be helpful in conveying the information.

The required conciseness, clarity and scope of the information can be reconciled by applying a layered approach to providing the information. The main principle is that research participants must be provided with all information required by the GDPR concerning the processing of their personal data. A layered approach means that the information regarding personal data processing is divided into smaller parts, providing the participants with pieces of information that form an intelligible entity. The layered approach is familiar to many from the digital environment, where more detailed information can often be accessed through a separate link.

Information layers

The first layer (e.g. research information sheet) contains the most essential information with regard to your research:

  • identity of the data controller
  • purpose(s) for which personal data are processed (e.g. a specific study)
  • rights of research participants
  • unexpected impacts of personal data processing.

Subsequent layers can provide more detailed information about the processing of research participants' personal data in the research. For example, a link to a detailed privacy notice on the website of the research project can be included in the research information sheet given to the research participant. In qualitative research, a detailed privacy notice can be given to research participants as a separate appendix in addition to the information sheet and consent form. Research participants must always be given a real possibility to acquaint themselves with the layers that provide more detailed information. When information is provided in layers, special attention should be paid to the coherence of the contents.

The data controller is accountable for informing research participants in the extent required by the GDPR. However, providing research participants with a privacy notice does not indicate that they have understood all the information they have received. The content of the information regarding personal data processing as well as how and when the information is provided must be justified and documented to demonstrate compliance with the data controller's accountability requirements.

Technical and audiovisual solutions can also be used in informing research participants. Additional information can be given by providing a link to a website or other material introducing the study. A short video presentation may also be a practical way of giving a general introduction to a study for younger research participants.

3. Timing for providing the information Anchor link icon

The timing of informing participants about the processing of their personal data depends on whether the data are collected from the research participant or from some other source. When personal data are collected from research participants, rules on the timing of providing the information are straightforward. When personal data are not received from research participants, more detailed rules apply. If personal data are received from a source other than the research participant, see also the section on exceptions to the obligation to provide information .

  • When personal data are collected from research participants , information on the processing of their personal data must be provided at the time of collecting/obtaining the data. The information may be provided, for instance, at the beginning of an interview or questionnaire.
  • When personal data are received from a source other than the research participant , research participants must be informed about the processing of their personal data within a reasonable period of time, however no later than one month counting from the point when the personal data are received. The time limit may be shorter depending on specific circumstances relating to processing.

    When personal data are received from a source other than the data subjects, there are two situations in which information must be provided to research participants on the processing of their personal data earlier than within a month: Firstly, the information must be provided to research participants immediately when they are first contacted. Even if contacting a research participant regarding the research has been planned for later (for instance, to arrange an interview), the participant must in any case be informed about personal data processing within one month counting from the point when the researcher first receives personal data. Secondly, if personal data are meant to be disclosed to another recipient, research participants must be informed before the end of the time limit. In this case, research participants must also be informed at the latest when the data are disclosed to a recipient for the first time.

In view of the above, it is best to carefully consider the timing of sampling or otherwise obtaining contact details for potential participants. If contact details are to be obtained from a third party, the researcher/research team should plan the timing for obtaining personal data so that it is possible to comply with the time limit of one month for informing data subjects. In spite of the fact that the time limit allows for one month, the recommended interpretation has been that the data controller informs research participants well before the end of the time limit, in accordance with the principle of fairness.

4. Content of the information Anchor link icon

Skip table

4.1. Identity and contact information of the data controller

Research participants shall be provided with information on the identity and contact details of the data controller. That is why the roles and responsibilities connected to personal data processing must be determined well before starting the research. Determining the data controller correctly and informing research participants of the identity of the data controller are some of the most essential elements of responsible and transparent processing of personal data.

The data controller is a natural or legal person, a public authority, agency or other body which, alone or jointly with others, determines the purposes and means of personal data processing. Where two or more data controllers jointly determine the purposes and means of processing, they shall be considered joint controllers.

To comply with the requirement of providing this information, two factors need to be taken into consideration. Firstly, data controllers must be unequivocally identifiable by the research participant. It is often difficult for outsiders to deduce who the data controller is if multiple persons and organisations are mentioned in the information provided to research participants. In addition, conducting the research in the premises of a company or public agency, for instance, may give research participants a false impression on the controller of the personal data processed in the research.

Secondly, sufficient contact details shall be provided on the data controller(s). If possible, research participants should be provided with multiple ways of contacting the data controller, for instance, a telephone number, email address and postal address. When choosing the contact details to be provided, one should consider their permanence and the possibility of reaching the data controller through them. As data subjects, research participants should be able to exercise their rights efficiently without delays caused by insufficient contact information.

A simple solution to the mentioned requirements is to include the following information in the participant information sheet:

Data controller: Organisation, postal address
Contact details: [telephone number], [email address]

If the research is conducted by joint controllers, key information on the arrangement between the controllers must be made available to research participants.

Researchers should be prepared to answer research participants' questions regarding what 'data controller' means. An example of a short answer in plain language could be: The data controller is responsible for the appropriate and lawful processing of the personal data in the research. This can also be included directly in the information provided to participants.

4.2. Contact details of the data protection officer

If the data controller has appointed a data protection officer, research participants must be provided with the data protection officer's contact details. Contact details for the data protection officer must be provided in such a way that research participants can easily contact the officer. Appropriate contact details include, for instance, a postal address as well as a telephone number and/or email address specifically assigned to the data protection officer. If it is possible to contact the data protection officer, for instance, through a contact form, research participants can be informed about it. Find out whether your organisation has a data protection officer. Additionally, you should find out the recommended way of providing the contact details for the data protection officer in your organisation.

A central criterion in evaluating the sufficiency of the contact information provided to research participants is whether it is possible to contact the data protection officer directly without having to contact the data controller. Indicating the data protection officer's name has not been deemed necessary, but in some cases it may be a good practice. One should take into consideration the employee turnover at the organisation when naming the data protection officer. The essential thing, however, is that research participants have a direct way of contacting the data protection officer based on the information that they are given.

Processing personal data in research must always have a legal basis, and research participants shall be informed of the basis on which their personal data are processed. The legal basis chosen for personal data processing also affects the information that is provided to research participants. The legal basis defines, for example, which rights research participants can exercise pertaining to their personal data.

When planning and implementing the provision of information to research participants, two different legal bases for processing personal data have to be considered.

  1. A legal basis for processing personal data refers to the legal grounds listed in article 6, section 1 of the GDPR. This basis is always required when personal data are processed.
  2. A legal basis for processing special categories of personal data refers to one of the legal grounds listed in article 9, section 2 of the GDPR, which allow for the processing of special categories of personal data. This basis is required in addition to the general legal basis when the special categories of personal data, referred to in article 9, section 1 of the GDPR, are processed.

Different legal bases for processing personal data are defined in both the GDPR and the Finnish Data Protection Act.

TThe data controller is responsible for choosing the suitable legal basis for processing personal data in the research. Estimate carefully which legal basis for processing personal data applies to your research. You can, for example, contact the data protection officer in your organisation for help with choosing the legal basis.

Typical legal bases for processing personal data in scientific research

  • Consent of the research participant. Consent shall be a freely given, specific, informed and unambigous indication of the research participant's wishes, by which he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Some further conditions apply for using consent as the legal basis for processing personal data, and it - as well as other legal bases for processing personal data - should be based on appropriate discretion. General information on the preconditions of consent (Opens in a new tab) is available on the website of the Data Protection Ombudsman.
    In connection with scientific research, one should note that consent to participate in research is not consenting to personal data processing .
  • Compliance with a legal obligation to which the data controller is subject. In some cases, conducting research is part of complying with the data controller's statutory obligations. Using this legal basis for personal data processing requires that basis for processing is laid down in national legislation.
  • Processing of personal data is necessary for the performance of a task carried out in the public interest. The Finnish Data Protection Act provides a basis for the processing of personal data when it is necessary for scientific or historical research or for statistical purposes and it is proportionate to the pursued objective in the public interest (Data Protection Act, section 4, paragraph 3).
  • Legitimate interests pursued by the data controller. Processing personal data for scientific research can in some cases rely on the legitimate interests of the data controller or a third party as the legal basis. This legal basis for processing personal data does not apply to processing carried out by public authorities in the performance of their tasks. In addition, this legal basis shall not override the interests or fundamental rights and freedoms which require the protection of personal data of research participants. A so-called balancing test can be used in evaluating the legitimacy of the interest of the data controller. Choosing this legal basis for processing personal data requires particularly careful consideration when the data subject is a child. General information regarding the legitimate interests of the controller (Opens in a new tab) can be found on the website of the Data Protection Ombudsman.

Special categories of personal data refer to such personal data that reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, data concerning health, or sexual life or orientation. These special categories also include genetic and biometric data for identifying a natural person.

Such personal data should not be processed at all, unless processing is allowed in specific cases set out in the GDPR or in Finnish legislation. The following is a list of specific cases commonly used in scientific research.

Specific cases for processing special categories of personal data

  • Research participant's explicit consent. The difference here to the consent used as a general legal basis for processing personal data is that, in addition to the general requirements for valid consent, the consent has to be explicit.
  • Processing is necessary for scientific research purposes in the public interest. According to section 6, subsection 1, paragraph 7 of the Finnish Data Protection Act, the restriction on processing special categories of personal data is not applied for scientific or historical research or statistical purposes.

As part of the information provided to research participants, they shall be informed about the legal basis on which the processing of their personal data is based. The provision of information shall include a general legal basis for processing personal data, and, if special categories of personal data are processed in the research, the specific case relied on for processing the special categories of personal data shall also be indicated. A solution could be to add a paragraph of the following type as part of the information:

The processing of your personal data is necessary for scientific research purposes in the public interest based on section 4, paragraph 3 of the Data Protection Act (1050/2018). Special categories of personal data are processed for scientific purposes in accordance with section 6, subsection 1, paragraph 7 of the Data Protection Act.

Specific rules apply to some legal bases for processing personal data. The first is related to the controller's legitimate interest .

  • When using the data controller's or a third party's legitimate interest as a legal basis for processing personal data, research participants shall be informed of the legitimate interest in question.
  • Additionally, it is a good practice to inform them about the balancing test related to the data subject's legitimate interest. The layered approach can be used to inform research participants about the balancing test. If the information is not directly provided to research participants, they can be told that they have the possibility to receive information regarding the test, should they want to have it.
  • If the legal basis for processing personal data is consent, or if the processing of personal data belonging to the special categories is based on explicit consent, research participants must be informed about their right to withdraw their consent at any time. In addition, research participants must be informed that their withdrawal of consent will not affect the lawfulness of the processing of personal data conducted before the withdrawal.
  • The information on the possibility to withdraw consent must be provided to research participants before they consent to the processing of their personal data.

4.4. Purpose for processing personal data

Personal data shall only be collected for a specific, explicit and legitimate purpose(s). The purpose specified for personal data processing must be included in the information provided to research participants. In many cases, it is sufficient to inform participants that their personal data are processed for the purposes of a single, specified study.

The relevant thing is to take care that the specified purpose given covers personal data processing in the extent required. Further information on the objective and subject of the study may be given with other information material provided to participants.

4.5. Recipients or categories of recipients of personal data

Research participants must be informed about disclosure of their personal data to recipients. Third parties in particular are defined as recipients of personal data. Third parties include, for instance, all natural persons not part of the research team, legal persons, authorities, public agencies and other bodies. In addition to these, recipients include data controllers, joint controllers and processors of personal data. For example, research partners to whom data are disclosed shall be defined as recipients.

One should note that 'processor' is a special role governed by data protection legislation. For instance, if a person employed by the data controller transcribes the data, he/she is not a processor. If, however, an outside company is commissioned to transcribe the data, the company is considered a processor, of which research participants shall be informed.

When planning research, data flows related to personal data should be charted as early as possible, before data collection and provision of information to participants.

As a principle, data subjects are provided with the names of recipients. In the case that recipients cannot be named, it is possible to provide the category/categories of recipients. In order to demonstrate their accountability, data controllers must be able to provide justification for the decision to use the categories instead of named recipients.

If the data controller provides information to research participants only on the categories of recipients, the categories can be defined with the following criteria:

  • type of recipient (e.g. reference to the activities of the recipient)
  • industry
  • sector / sub-sector
  • location

When research data are to be archived at the Finnish Social Science Data Archive (FSD), the archive acts as a processor of personal data. In this case, FSD is a recipient of personal data, and research participants shall be informed about this. See the section Informing research participants about archiving for more information.

4.6. Storage period of personal data

Research participants shall be informed about the storage period of their personal data primarily as an explicit period of time. If this is not possible, research participants can be informed about the criteria according to which the storage period is determined. Depending on the case, the period can be related to the provisions relevant to the data controller or, for example, codes of conduct.

When determining the storage period, one should note that research participants should be able to estimate the storage period of their personal data based on the information provided to them. Defining the storage period in a general way, i.e. that the personal data are stored for as long is needed to complete the purpose for processing , may not be sufficient. Consequently, determining that personal data are stored for the duration of the research project, without defining any further criteria for the storage period, should be avoided, if possible. Depending on the details of the research, separate storage periods may be needed for different categories of personal data. Additionally, if the research includes multiple purposes for processing personal data, it is appropriate to indicate separate storage periods for different purposes.

4.7. Categories of personal data and information on the source of personal data

In situations where personal data are received from a source other than the research participant, two additional requirements apply to providing information. Both situations are related to the fact that, contrary to the situation where personal data are collected from the research participant, the participant may not be aware of the content and source of the personal data collected from other sources.

The first additional information requirement concerns the categories of personal data collected. The granularity/specificity of the information provided on the different categories should be decided on a case-by-case basis. When determining the extent of the information, one should note that personal data processing must be transparent from the data subject's perspective. Depending on the case, categories of personal data may include, among others, income, address information, employment history, and educational background.

The other additional information requirement concerns the source of the personal data. If it is possible to name the source, it is appropriate to provide this information to participants. If not, information on the type of the source is provided. This includes, depending on the case, information whether the personal data were received from a publicly available source.

Information that can replace a named source includes the following:

  • information on whether the source is publicly available or other
  • organisation type
  • industry
  • sector

If it is not possible to inform research participants about a specific source because personal data have been collected from multiple sources, general information regarding the sources shall be provided. However, one should avoid situations where sources cannot be named explicitly.

4.8. Information on the right to lodge a complaint with a supervisory authority

Research participants have the right to lodge a complaint with a supervisory authority. Information on this right must be provided to participants. They should be provided with at least the following information:

You have the right to lodge a complaint with an authority supervising the processing of personal data if you have a suspicion that your personal data are processed in violation of data protection legislation.

Research participants can also be provided with more detailed information with regard to using this right, for example, by providing a link to the website of the Data Protection Ombudsman (tietosuoja.fi/en). In principle, the complaint is lodged with the supervisory authority either in the EU member state where the research participant's residence or workplace is located or where the alleged violation of the rules regarding personal data processing has taken place.

4.9. Rights of the data subject

Data subjects have certain rights pertaining to the processing of their personal data. The rights available depend on the legal basis for the processing. This means two things from the perspective of the information provided to research participants. Firstly, the rights that data subjects have relating to the legal basis for the processing of personal data must be charted. Secondly, scientific research may, in some specific cases, derogate from the research participants' rights. The provided information on the rights of the research participants has to be in line with the planned processing of personal data.

Below is a list of participant rights relating to typical legal bases for processing personal data in scientific research.

  • Consent of the research participant
    • Right of access
    • Right to rectification
    • Right to erasure (the GDPR includes an exception to this pertaining to purposes of scientific research)
    • Right to restriction of processing
    • Right to data portability (only applies to automated processing of personal data)
  • Processing of personal data is necessary for the performance of a task carried out in the public interest (scientific research, Data Protection Act, section 4, paragraph 3)
    • Right of access
    • Right to rectification
    • Right to restriction of processing
    • Right to object processing of personal data
  • Legitimate interest pursued by the data controller
    • Right of access
    • Right to rectification
    • Right to erasure
    • Right to restriction of processing
    • Right to object processing of personal data
With regard to consent and the legitimate interest of the data controller, read the section on the legal basis for processing personal data for additional information concerning information provision to research participants.

A special feature of scientific research is that it can derogate in some parts from the rights of data subjects, provided that the preconditions for derogation are met. It is important to note pertaining to the information provided to research participants that derogation from data subjects' rights is not automatic and requires careful consideration. To comply with the principle of transparency in the processing of personal data, research participants should be informed about this. If personal data are processed for the performance of a task carried out in the public interest in accordance with section 4, paragraph 3 of the Finnish Data Protection Act, the following information could be provided to research participants about their rights and the restriction of rights based on national legislation:

You have the right to access your personal data, to have inaccurate personal data rectified, to restrict the processing of your personal data, and to object to the processing of your personal data. In connection with scientific research, restriction of said rights is possible in accordance with national legislation.

If specific contact persons or practices are in place in your organisation for using these rights, you can consider informing research participants about this. In some situations, data subjects may ask what the different rights involve. Using the rights and the content of the rights involve several things to consider. The website of the Data Protection Ombudsman contains further information on data subjects' rights (Opens in a new tab) .

4.10. Information relating to the transfer of personal data to third countries

Research participants shall be provided with certain additional information if personal data are to be transferred outside of the EU/EEA to third countries or international organisations. In addition to compliance with other preconditions for the legality of the processing of personal data, transferring the personal data in these situations requires that the transfer has a legal basis referred to in chapter V of the GDPR.

In scientific research, the transfer may, for example, be based on an adequacy decision of the European Commission on the appropriate level of data protection in the country (article 45). Adequacy decisions on the appropriate level of data protection (Opens in a new tab) already made can be found on the European Commission website. Translated versions are available in the official EU languages and can be accessed on the EUR-Lex website by following the link above.

Other bases for the transfer can be transfers subject to appropriate safeguards (article 46), binding corporate rules (article 47), and derogations for specific situations (article 49). If the research includes transferring personal data to third countries or international organisations, it is recommended to contact the data protection officer or lawyer in your organisation to ensure the correct application of rules regarding transfers. For more information, visit the webpage of the Data Protection Ombudsman (Opens in a new tab) .

Information provided to research participants regarding transfers

The content of the information provided to research participants is determined by the mechanism used for the transfer. If personal data are transferred in the way mentioned above, the information provided to research participants must include

  • information about the intended transfer of personal data to third countries or an international organisation
  • information about the existence or non-existence of an adequacy decision on the appropriate level of data protection
  • information about the transfer mechanism corresponding to the GDPR (and the relevant article)
  • information about the content of the mechanism used, or where this information is available.

The information must be provided in a manner that is as meaningful as possible to research participants. It is a good practice to name the third countries to which the data are to be transferred. Depending on the case, the layered approach can be used in providing the information.

Example on informing research participants about transfers to third countries

A Finnish data controller participates in an international research project where personal data are transferred to Sweden, Germany and Israel. Pertaining to recipients and categories of recipients of personal data , the rules described earlier are applied. Additionally, rules regarding transfers to third countries apply to this situation. Because Sweden and Germany are part of the EU, no further information regarding transfers to these countries need to be provided to research participants. Israel is not an EU member state, but the European Commission has given an adequacy decision on the appropriate level of data protection concerning Israel. In this case, research participants could be informed about transfers to third countries in the following way:

Your personal data are transferred to Israel, which is not part of the European Union. The transfer is based on an adequacy decision given by the European Commission on the appropriate level of data protection (article 45 of the General Data Protection Regulation). Further information is available in the Commission's decision (Opens in a new tab) .

If the transfer of personal data to a third country or an international organisation is based on explicit consent in accordance with article 49 of the GDPR, research participants must be informed, prior to giving consent, that the transfers may pose a risk to them due to the lack of an adequacy decision and the lack of appropriate safeguards.

4.11. Information on the provision of personal data being a statutory or contractual requirement

In situations where personal data are collected from research participants, the participants must be informed if providing personal data is a statutory or contractual requirement or a requirement for concluding a contract. Research participants must also be informed about whether they are obliged to provide the data, along with the possible consequences of not providing the data.

This issue is important because of the generally voluntary nature of research. Informing data subjects about the obligation or voluntariness clarifies the situation in research conducted in, for instance, workplaces, public agencies and institutions. If providing personal data does not involve contractual or statutory requirements, and not providing the data does not have consequences for research participants, the information can be provided in the following way:

Providing personal data is not required on statutory or contractual grounds, or on the grounds of concluding a contract. Not providing the data does not have any consequences for you.

However, if providing the personal data is based on a statutory or contractual requirement, the information provided to research participants must specify the basis of the requirement applied, and the possible consequences of failure to provide the data.

4.12. Automated decision-making and profiling

Providing information related to automated decision-making and profiling has some additional requirements. Further information on definitions (Opens in a new tab) can be found on the website of the Data Protection Ombudsman. Detailed instructions are in the document Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (Opens in a new tab) PDF .

If personal data are not used for automated decision-making or profiling in the research, research participants can be informed about this in the following way:

Your personal data are not used for automated decision-making or profiling.

5. Exceptions to the obligation to provide information Anchor link icon

The obligation to provide research participants with information regarding the processing of their personal data has some exceptions. In principle, however, one should refrain from derogating from providing information, unless the derogation is necessary. If you decide to derogate from providing certain information to research participants, it is important to ensure appropriate documenting and justification of these decisions in order to comply with the accountability requirements of the data controller. In uncertain situations, you should contact the data protection officer in your organisation.

When personal data are collected from research participants, derogation is possible insofar as research participants have already received the information. This includes, for example, situations where a research participant has already been in contact with the data controller at an earlier time. However, the data controller must be able to demonstrate how and when the research participant has received the information. Additionally, the data controller must be able to demonstrate that the information has not changed or become outdated. If the situation involves changes in the details of personal data processing, it may be appropriate, depending on the case, to provide all information again in addition to the changed information. In this case, the details that have changed in the provided information should be emphasised to research participants.

Situations where personal data are received from some other source than the research participant involve multiple exceptions for derogation. The situation mentioned above where the research participant has already received the information also applies to personal data received from a source other than the research participant. Other examples for derogation could be a situation where the provision of such information proves to be impossible or would involve a disproportionate effort, when the conditions and safeguards laid down in article 89 of the GDPR are applied, or a situation where the obligation to provide such information is likely to render impossible or seriously impair achieving the scientific objectives of the research. It is recommended to contact the data protection officer in your organisation if you want to apply a derogation, due to the careful consideration, documentation and safeguards needed for this.

The Office of the Data Protection Ombudsman, which is the Finnish authority supervising personal data processing, has taken the view that a data protection impact assessment (DPIA) (Opens in a new tab) shall be carried out in specific situations where these exceptions are applied to the obligation to provide information. Situations where an impact assessment is required include, but are not limited to, research where personal data are processed on a large scale, where the processing of personal data includes matching or combining datasets, where personal data of vulnerable individuals are processed, or where personal data are processed in the innovative use or application of new technological or organisational solutions. Further information on processing operations that require impact assessment (Opens in a new tab) is available on the website of the Data Protection Ombudsman.

6. Informing research participants about archiving Anchor link icon

The research participants must always be informed about the archiving and reuse of the research data. Information on archiving and reuse may be written into one or more of the research documents. These documents may include, for example, the research brochure, cover letter, consent form, privacy notice, or privacy statement. It is essential that the research participants are provided with sufficient, correct, and understandable information on the reuse of the research data. To ensure that the rights of the participants are respected and to secure data reuse, contradictory information between different research documents should be avoided.

There are at least three significant points regarding archiving and reuse on which the research participants need to be informed. These include:

  • Where the research data will be archived (e.g. Finnish Social Science Data Archive)
  • Who will be granted access to the archived data for reuse (e.g. registered clients of FSD)
  • For which purposes of reuse the archived data will be disseminated (e.g. for research, teaching, and study purposes)

The above information tells the research participants who will be responsible for archiving the data after the study has been completed. The participants are also informed about who will be granted access to the data after archiving as well as for which purposes of reuse the data may be disseminated. Providing the participants with the above information ensures that their right of being extensively informed about the life cycle of the research data is respected, regardless of whether the data contain personal information when delivered for archiving. Informing research participants of these matters is also required by the ethical principles of research with human subjects (Opens in a new tab) .

Research organisations have different templates and instructions for privacy notices. Check your organisation’s instructions or contact the data protection officer of your organisation to ascertain how and where in the privacy notice the participants should be informed of the archiving of the data at FSD.

Datasets archived at FSD have different access conditions, which determine how the data may be reused (see part II. Conditions for disseminating research data for further use in the deposition agreement ). The researcher defines the purposes for which the data may be reused. The examples below may be used as direction when informing research participants about archiving and reuse in the research documents. Select only one alternative and use it consistently in all documents.

EXAMPLE 1:
The research data are offered for permanent archiving without personal data at the Finnish Social Science Data Archive. The Archive may hand over the data for reuse to registered clients for research, teaching and study.
EXAMPLE 2:
The research data are offered for permanent archiving without personal data at the Finnish Social Science Data Archive. The Archive may hand over the data for reuse as openly available for all users.
EXAMPLE 3:
The research data are offered for permanent archiving without personal data at the Finnish Social Science Data Archive. The Archive may hand over the data for reuse to registered clients for research only (including Master's, doctoral and Polytechnic/University of Applied Sciences Master's theses).

When qualitative data are collected for a study, a separate consent for archiving may be obtained from the research participants. This is not required by data protection legislation when archiving anonymous data, but doing so is considered an ethically responsible practice. Consent for archiving may be asked, for instance, in the following way:

Consent for archiving interview/text at Finnish Social Science Data Archive

▢ I consent to the archiving of my interview/text at the Finnish Social Science Data Archive for reuse in research, study and teaching.

▢ I do not consent to the archiving of my interview/text at the Finnish Social Science Data Archive.

If you want to restrict the reuse of the archived data to research only, the first option in the consent for archiving form outlined above should read as follows: "I consent to the archiving of my interview/text at the Finnish Social Science Data Archive for reuse in research or scientific theses including dissertations and master's theses."

6.1. Archiving pseudonymous data

In longitudinal studies, FSD can archive data from different collection waves even before the study concludes and the research team permanently deletes all personal information. Also, when the research team retains archived data related to study participants’ personal information for other reasons, the datasets can be archived for future use. In both cases, data are pseudonymous.

Regarding informing participants about the archiving and subsequent use of pseudonymous data, it is essential that they understand which entities handle the data and for what purposes. The data controller is responsible for the dataset, while FSD acts as the processor. In privacy notices and research consents or other documents intended for research participants, it should be clearly and comprehensibly explained how the data will be transferred to the Finnish Social Science Data Archive for further use. To achieve this, the following questions can be helpful:

  • 1. Who handles the data? In addition to the research group, the Finnish Social Science Data Archive (FSD) and those who have obtained permission to use the dataset (registered clients of FSD) handle the archival material. Research projects often involve other data processors as well.
  • 2. For what purposes is the data processed? The data is processed for the original research, creating an archival version at FSD, and for subsequent research and higher-level theses (the latter usage may be more restricted and precisely specified).
  • 3. Under what conditions can the data be obtained? The process of obtaining a permit for use the dataset is explained, including whether the data can be transferred for further use outside the EU/EEA area. If transfers are planned, the applicable GDPR-compliant transfer mechanisms and conditions are described.
  • 4. When the research concludes and personal data is destroyed, for what purposes can FSD provide anonymous data?

Simplified Model for Longitudinal Research Datasets:

Research data is offered for archiving at the Finnish Social Science Data Archive (FSD) without personal information.

During the research project until the end of the year 20NN, usage permissions are granted exclusively to registered clients of the FSD within the European Economic Area (EEA) solely for research purposes.

The research team evaluates each usage request individually and informs the Data Archive about the granting or denial of permissions. FSD then facilitates the dissemination of materials for further use in accordance with the research team’s decisions.

After the research project has ended, starting from the beginning of the year 20NN, the FSD can directly provide the data to registered clients for educational, study, and research purposes, regardless of the client’s country of origin.

In the privacy notice, equivalent details should be provided more explicitly. In the simplified model above, the assumption is that each research team, acting as the representative of the data controller (even if the data controller is an organization), makes decisions regarding usage permissions. However, this arrangement must be described exactly as planned, following the data protection guidelines of the respective organization.

6.2. Archiving the research data including personal data

Sometimes, albeit rarely, it may be justified to include personal data in the archived dataset. The FSD collaborates with researchers in advance to assess whether there are grounds for archiving and further use of the data containing personal information. During this evaluation, the following questions are considered with the researcher:

  • Have the research subjects contributed to or decided on the archiving of their personal data for further use?
  • Are the research subjects publicly known and recognized within the target group?
  • What is the nature of the content in the dataset? Does it involve sensitive information or, for example, are data partially protected by copyright?
  • Are there generally and socially significant justifications for including personal data in the dataset?
  • Can the researcher assess that the publication of information contained in the dataset will not have adverse consequences for the research subjects.

Datasets containing personal information must always be minimized. All unnecessary personal data related to understanding the content of the dataset and any information concerning private third parties are removed. Regarding privacy notice and informing research participants, the same principles as those applied to pseudonymous datasets are followed (except for point 4 mentioned above). In addition, the FSD requests justification from the data controller for extending the retention need of datasets containing personal information every 10 years.

If you are planning to collect data that contain research participants’ personal information, and you do not intend the data to be anonymised but wish to archive them at FSD, please contact FSD User Services before commencing your research (asiakaspalvelu.fsd ( at ) tuni.fi, +358 29 452 0411).

See FSD's Guidelines for depositing data for more information.