Informing Research Participants about the Processing of Their Personal Data
Informing research participants about the processing of their personal data is a crucial part of the transparency principle laid down in the General Data Protection Regulation of the European Union (GDPR). Based on the provided information, the participants must understand how their personal data are being collected, used, stored, disseminated or otherwise made available, or otherwise processed. The significance of forward planning is emphasised in the processing of personal data. Planning is also one of the key principles included in the guidelines of the Finnish National Board on Research Integrity on the ethical principles of research with human participants and ethical review in the human sciences. Informing research participants can be challenging without thorough consideration of all phases of the research and the applicable regulatory framework before starting research. On the other hand, if personal data processing has been planned thoroughly and systematically in advance, informing participants becomes much more straightforward.
The rules of informing research participants about the processing of their personal data depend on whether personal data are collected from the participant or from some source other than the participant. When planning the provision of information to research participants regarding the processing of their personal data, you should divide the personal data streams into these two categories. This affects the timing of providing the information and partly also the content. Practical differences are described in the paragraphs concerning the timing and content of providing the information.
- Personal data are collected from the research participant when the research participant consciously provides his/her own personal data to the researchers. Usual situations where this applies are when the participant is interviewed or when they fill out a questionnaire. In addition, personal data are received directly from the research participant when data are collected for scientific purposes by observation of the participant, for instance, by audio/video recording a performance or social interaction carried out by the participant.
- Personal data are not obtained from the research participant if the data are received from a source other than the research participant, such as other data controllers, publicly available sources, or other data subjects. Typical situations where this applies are when research data are combined with register data, or when research data are enriched with personal data received from another data controller in a large research project. Personal data collected from social media and elsewhere online are also often included in this category.
Sometimes personal data belonging to both of the above categories are part of the same research project. Example: Contact details of people belonging to the target group of a study are obtained from a third party (organisation, company, association, agency or other equivalent actor). These personal data (i.e. contact details) are not obtained from research participants. Once researchers proceed to interview data subjects, the data gathered in the process are collected from the research participants. In this example, rules and instructions regarding both of the above situations apply.
If the intention is to disclose, disseminate or otherwise make available personal data to another data controller (e.g. a research partner) or to a processor (e.g. a party that carries out data collection and/or combines data to register data, or a company providing transcription services), read carefully the section on recipients or categories of recipients of personal data.
Informing research participants about the processing of their personal data occasionally includes special situations that require more in-depth consideration and cannot be properly taken into consideration in these guidelines. Special situations may be caused by, for instance, any required changes or additions to the information provided to participants. These amendments may be required when there are changes during research that affect the processing of personal data. To recognise these situations, please read the sections relating to content of the information and exceptions to the obligation to provide information.
Other special situations include research concerning children or other persons belonging to vulnerable groups. Additionally, to fulfil the principle of transparency, it may be appropriate in some situations to provide research participants with more detailed information, although it is not explicitly required in the provisions regarding the provided information. This information may concern, for example, risks and safeguards related to personal data processing. If necessary, you can contact the data protection officer in your organisation for more detailed advice.
A general condition for the processing of personal data is that the information regarding the processing is provided to research participants in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The understandability of the information and the transparency of personal data processing are to be considered from the research participant's perspective in particular. If the researchers themselves have trouble understanding the information provided on personal data processing, the participants are not likely to understand the information either.
When informing research participants about personal data processing, complex phrases, specialised jargon and ambiguous wordings should be avoided. In principle, research participants should be provided with the information in writing or electronically unless they ask to receive the information orally. When informing children about personal data processing, using other mediums, such as comics and animations, may also be helpful in conveying the information.
The required conciseness, clarity and scope of the information can be reconciled by applying a layered approach to providing the information. The main principle is that research participants must be provided with all information required by the GDPR concerning the processing of their personal data. A layered approach means that the information regarding personal data processing is divided into smaller parts, providing the participants with pieces of information that form an intelligible entity. The layered approach is familiar to many from the digital environment, where more detailed information can often be accessed through a separate link.
The first layer (e.g. research information sheet) contains the most essential information with regard to your research:
- identity of the data controller
- purpose(s) for which personal data are processed (e.g. a specific study)
- rights of research participants
- unexpected impacts of personal data processing.
Subsequent layers can provide more detailed information about the processing of research participants' personal data in the research. For example, a link to a detailed privacy notice on the website of the research project can be included in the research information sheet given to the research participant. In qualitative research, a detailed privacy notice can be given to research participants as a separate appendix in addition to the information sheet and consent form. Research participants must always be given a real possibility to acquaint themselves with the layers that provide more detailed information. When information is provided in layers, special attention should be paid to the coherence of the contents.
The data controller is accountable for informing research participants to the extent required by the GDPR. However, providing research participants with a privacy notice does not indicate that they have understood all the information they have received. The content of the information regarding personal data processing as well as how and when the information is provided must be justified and documented to demonstrate compliance with the data controller's accountability requirements.
Technical and audiovisual solutions can also be used in informing research participants. Additional information can be given by providing a link to a website or other material introducing the study. A short video presentation may also be a practical way of giving a general introduction to a study for younger research participants.
The timing of informing participants about the processing of their personal data depends on whether the data are collected from the research participant or from some other source. When personal data are collected from research participants, rules on the timing of providing the information are straightforward. When personal data are not received from research participants, more detailed rules apply. If personal data are received from a source other than the research participant, see also the section on exceptions to the obligation to provide information.
- When personal data are collected from research participants, information on the processing of their personal data must be provided at the time of collecting/obtaining the data. The information may be provided, for instance, at the beginning of an interview or questionnaire.
- When personal data are received from a source other than the research participant, research participants must be informed about the processing of their personal data within a reasonable period of time, however no later than one month counting from the point when the personal data are received. The time limit may be shorter depending on specific circumstances relating to processing.
When personal data are received from a source other than the data subjects, there are two situations in which information must be provided to research participants on the processing of their personal data earlier than within a month: Firstly, the information must be provided to research participants immediately when they are first contacted. Even if contacting a research participant regarding the research has been planned for later (for instance, to arrange an interview), the participant must in any case be informed about personal data processing within one month counting from the point when the researcher first receives personal data. Secondly, if personal data are meant to be disclosed to another recipient, research participants must be informed before the end of the time limit. In this case, research participants must also be informed at the latest when the data are disclosed to a recipient for the first time.
In view of the above, it is best to carefully consider the timing of sampling or otherwise obtaining contact details for potential participants. If contact details are to be obtained from a third party, the researcher/research team should plan the timing for obtaining personal data so that it is possible to comply with the time limit of one month for informing data subjects. In spite of the fact that the time limit allows for one month, the recommended interpretation has been that the data controller informs research participants well before the end of the time limit, in accordance with the principle of fairness.
4.1. Identity and contact information of the data controller
Research participants shall be provided with information on the identity and contact details of the data controller. That is why the roles and responsibilities connected to personal data processing must be determined well before starting the research. Determining the data controller correctly and informing research participants of the identity of the data controller are some of the most essential elements of responsible and transparent processing of personal data.
To comply with the requirement of providing this information, two factors need to be taken into consideration. Firstly, data controllers must be unequivocally identifiable by the research participant. It is often difficult for outsiders to deduce who the data controller is if multiple persons and organisations are mentioned in the information provided to research participants. In addition, conducting the research in the premises of a company or public agency, for instance, may give research participants a false impression on the controller of the personal data processed in the research.
Secondly, sufficient contact details shall be provided on the data controller(s). If possible, research participants should be provided with multiple ways of contacting the data controller, for instance, a telephone number, email address and postal address. When choosing the contact details to be provided, one should consider their permanence and the possibility of reaching the data controller through them. As data subjects, research participants should be able to exercise their rights efficiently without delays caused by insufficient contact information.
A simple solution to the mentioned requirements is to include the following information in the participant information sheet:
Data controller: Organisation, postal address
Contact details: [telephone number], [email address]
If the research is conducted by joint controllers, key information on the arrangement between the controllers must be made available to research participants.
Researchers should be prepared to answer research participants' questions regarding what 'data controller' means. An example of a short answer in plain language could be: The data controller is responsible for the appropriate and lawful processing of the personal data in the research. This can also be included directly in the information provided to participants.
4.2. Contact details of the data protection officer
If the data controller has appointed a data protection officer, research participants must be provided with the data protection officer's contact details. Contact details for the data protection officer must be provided in such a way that research participants can easily contact the officer. Appropriate contact details include, for instance, a postal address as well as a telephone number and/or email address specifically assigned to the data protection officer. If it is possible to contact the data protection officer, for instance, through a contact form, research participants can be informed about it. Find out whether your organisation has a data protection officer. Additionally, you should find out the recommended way of providing the contact details for the data protection officer in your organisation.
A central criterion in evaluating the sufficiency of the contact information provided to research participants is whether it is possible to contact the data protection officer directly without having to contact the data controller. Indicating the data protection officer's name has not been deemed necessary, but in some cases it may be a good practice. One should take into consideration the employee turnover at the organisation when naming the data protection officer. The essential thing, however, is that research participants have a direct way of contacting the data protection officer based on the information that they are given.
4.3. Legal basis for processing personal data
Processing personal data in research must always have a legal basis, and research participants shall be informed of the basis on which their personal data are processed. The legal basis chosen for personal data processing also affects the information that is provided to research participants. The legal basis defines, for example, which rights research participants can exercise pertaining to their personal data.
When planning and implementing the provision of information to research participants, two different legal bases for processing personal data have to be considered.
- A legal basis for processing personal data refers to the legal grounds listed in article 6, section 1 of the GDPR. This basis is always required when personal data are processed.
- A legal basis for processing special categories of personal data refers to one of the legal grounds listed in article 9, section 2 of the GDPR, which allow for the processing of special categories of personal data. This basis is required in addition to the general legal basis when the special categories of personal data, referred to in article 9, section 1 of the GDPR, are processed.
Different legal bases for processing personal data are defined in both the GDPR and the Finnish Data Protection Act.
The data controller is responsible for choosing the suitable legal basis for processing personal data in the research. Estimate carefully which legal basis for processing personal data applies to your research. You can, for example, contact the data protection officer in your organisation for help with choosing the legal basis.
- Consent of the research participant. Consent shall be a freely given, specific, informed and unambiguous indication of the research participant's wishes, by which he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Some further conditions apply for using consent as the legal basis for processing personal data, and it, as well as other legal bases for processing personal data, should be based on appropriate discretion. Information on the preconditions of consent is available on the website of the Data Protection Ombudsman. In connection with scientific research, one should note that consent to participate in research is not consenting to personal data processing.
- Compliance with a legal obligation to which the data controller is subject. In some cases, conducting research is part of complying with the data controller's statutory obligations. Using this legal basis for personal data processing requires that the basis for processing is laid down in national legislation.
- Processing of personal data is necessary for the performance of a task carried out in the public interest. The Finnish Data Protection Act provides a basis for the processing of personal data when it is necessary for scientific or historical research or for statistical purposes and it is proportionate to the pursued objective in the public interest (Data Protection Act, section 4, paragraph 3).
- Legitimate interests pursued by the data controller. Processing personal data for scientific research can in some cases rely on the legitimate interests of the data controller or a third party as the legal basis. This legal basis for processing personal data does not apply to processing carried out by public authorities in the performance of their tasks. In addition, this legal basis shall not override the interests or fundamental rights and freedoms which require the protection of personal data of research participants. A so-called balancing test can be used in evaluating the legitimacy of the interest of the data controller. Choosing this legal basis for processing personal data requires particularly careful consideration when the data subject is a child. General information regarding the legitimate interests of the controller can be found on the website of the Data Protection Ombudsman.
Special categories of personal data refer to such personal data that reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, data concerning health, or sexual life or orientation. These special categories also include genetic and biometric data for identifying a natural person.
Such personal data should not be processed at all, unless processing is allowed in specific cases set out in the GDPR or in Finnish legislation. The following is a list of specific cases commonly used in scientific research.
- Research participant's explicit consent. The difference here to the consent used as a general legal basis for processing personal data is that, in addition to the general requirements for valid consent, the consent has to be explicit.
- Processing is necessary for scientific research purposes in the public interest. According to section 6, subsection 1, paragraph 7 of the Finnish Data Protection Act, the restriction on processing special categories of personal data is not applied for scientific or historical research or statistical purposes.
As part of the information provided to research participants, they shall be informed about the legal basis on which the processing of their personal data is based. The provision of information shall include a general legal basis for processing personal data, and, if special categories of personal data are processed in the research, the specific case relied on for processing the special categories of personal data shall also be indicated. A solution could be to add a paragraph of the following type as part of the information:
The processing of your personal data is necessary for scientific research purposes in the public interest based on section 4, paragraph 3 of the Data Protection Act (1050/2018). Special categories of personal data are processed for scientific purposes in accordance with section 6, subsection 1, paragraph 7 of the Data Protection Act.
Specific rules apply to some legal bases for processing personal data. The first is related to the controller's legitimate interest.
- When using the data controller's or a third party's legitimate interest as a legal basis for processing personal data, research participants shall be informed of the legitimate interest in question.
- Additionally, it is a good practice to inform them about the balancing test related to the data subject's legitimate interest. The layered approach can be used to inform research participants about the balancing test. If the information is not directly provided to research participants, they can be told that they have the possibility to receive information regarding the test, should they want to have it.
Another special rule regarding the information provided to research participants relates to consent.
- If the legal basis for processing personal data is consent, or if the processing of personal data belonging to the special categories is based on explicit consent, research participants must be informed about their right to withdraw their consent at any time. In addition, research participants must be informed that their withdrawal of consent will not affect the lawfulness of the processing of personal data conducted before the withdrawal.
- The information on the possibility to withdraw consent must be provided to research participants before they consent to the processing of their personal data.
4.4. Purpose for processing personal data
Personal data shall only be collected for a specific, explicit and legitimate purpose(s). The purpose specified for personal data processing must be included in the information provided to research participants. In many cases, it is sufficient to inform participants that their personal data are processed for the purposes of a single, specified study.
The relevant thing is to take care that the specified purpose given covers personal data processing to the extent required. Further information on the objective and subject of the study may be given with other information material provided to participants.
4.5. Recipients or categories of recipients of personal data
Research participants must be informed about disclosure of their personal data to recipients. Third parties in particular are defined as recipients of personal data. Third parties include, for instance, all natural persons not part of the research team, legal persons, authorities, public agencies and other bodies. In addition to these, recipients include data controllers, joint controllers and processors of personal data. For example, research partners to whom data are disclosed shall be defined as recipients.
One should note that 'processor' is a special role governed by data protection legislation. For instance, if a person employed by the data controller transcribes the data, he/she is not a processor. If, however, an outside company is commissioned to transcribe the data, the company is considered a processor, of which research participants shall be informed.
When planning research, data flows related to personal data should be charted as early as possible, before data collection and provision of information to participants.
As a principle, data subjects are provided with the names of recipients. In the case that recipients cannot be named, it is possible to provide the category/categories of recipients. In order to demonstrate their accountability, data controllers must be able to provide justification for the decision to use the categories instead of named recipients.
If the data controller provides information to research participants only on the categories of recipients, the categories can be defined with the following criteria:
- type of recipient (e.g. reference to the activities of the recipient)
- sector / sub-sector
When research data are to be archived at the Finnish Social Science Data Archive (FSD), the archive acts as a processor of personal data. In this case, FSD is a recipient of personal data, and research participants shall be informed about this. See the section Informing research participants about archiving for more information.
4.6. Storage period of personal data
Research participants shall be informed about the storage period of their personal data primarily as an explicit period of time. If this is not possible, research participants can be informed about the criteria according to which the storage period is determined. Depending on the case, the period can be related to the provisions relevant to the data controller or, for example, codes of conduct.
When determining the storage period, one should note that research participants should be able to estimate the storage period of their personal data based on the information provided to them. Defining the storage period in a general way, i.e. that the personal data are stored for as long as is needed to complete the purpose for processing, may not be sufficient. Consequently, determining that personal data are stored for the duration of the research project, without defining any further criteria for the storage period, should be avoided, if possible. Depending on the details of the research, separate storage periods may be needed for different categories of personal data. Additionally, if the research includes multiple purposes for processing personal data, it is appropriate to indicate separate storage periods for different purposes.
4.7. Categories of personal data and information on the source of personal data
In situations where personal data are received from a source other than the research participant, two additional requirements apply to providing information. Both situations are related to the fact that, contrary to the situation where personal data are collected from the research participant, the participant may not be aware of the content and source of the personal data collected from other sources.
The first additional information requirement concerns the categories of personal data collected. The granularity/specificity of the information provided on the different categories should be decided on a case-by-case basis. When determining the extent of the information, one should note that personal data processing must be transparent from the data subject's perspective. Depending on the case, categories of personal data may include, among others, income, address information, employment history, and educational background.
The other additional information requirement concerns the source of the personal data. If it is possible to name the source, it is appropriate to provide this information to participants. If not, information on the type of the source is provided. This includes, depending on the case, information whether the personal data were received from a publicly available source.
Information that can replace a named source includes the following:
- information on whether the source is publicly available or other
- organisation type
If it is not possible to inform research participants about a specific source because personal data have been collected from multiple sources, general information regarding the sources shall be provided. However, one should avoid situations where sources cannot be named explicitly.
4.8. Information on the right to lodge a complaint with a supervisory authority
Research participants have the right to lodge a complaint with a supervisory authority. Information on this right must be provided to participants. They should be provided with at least the following information:
You have the right to lodge a complaint with an authority supervising the processing of personal data if you have a suspicion that your personal data are processed in violation of data protection legislation.
Research participants can also be provided with more detailed information with regard to using this right, for example, by providing a link to the website of the Data Protection Ombudsman (tietosuoja.fi/en). In principle, the complaint is lodged with the supervisory authority either in the EU member state where the research participant's residence or workplace is located or where the alleged violation of the rules regarding personal data processing has taken place.
4.9. Rights of the data subject
Data subjects have certain rights pertaining to the processing of their personal data. The rights available depend on the legal basis for the processing. This means two things from the perspective of the information provided to research participants. Firstly, the rights that data subjects have relating to the legal basis for the processing of personal data must be charted. Secondly, scientific research may, in some specific cases, derogate from the research participants' rights. The provided information on the rights of the research participants has to be in line with the planned processing of personal data.
Below is a list of participant rights relating to typical legal bases for processing personal data in scientific research.
Consent of the research participant
- Right of access
- Right to rectification
- Right to erasure (the GDPR includes an exception to this pertaining to purposes of scientific research)
- Right to restriction of processing
- Right to data portability (only applies to automated processing of personal data)
Processing of personal data is necessary for the performance of a task carried out in the public interest (scientific research, Data Protection Act, section 4, paragraph 3)
- Right of access
- Right to rectification
- Right to restriction of processing
- Right to object to processing of personal data
Legitimate interest pursued by the data controller
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to object to processing of personal data
A special feature of scientific research is that it can derogate in some parts from the rights of data subjects, provided that the preconditions for derogation are met. It is important to note pertaining to the information provided to research participants that derogation from data subjects' rights is not automatic and requires careful consideration. To comply with the principle of transparency in the processing of personal data, research participants should be informed about this. If personal data are processed for the performance of a task carried out in the public interest in accordance with section 4, paragraph 3 of the Finnish Data Protection Act, the following information could be provided to research participants about their rights and the restriction of rights based on national legislation:
You have the right to access your personal data, to have inaccurate personal data rectified, to restrict the processing of your personal data, and to object to the processing of your personal data. In connection with scientific research, restriction of said rights is possible in accordance with national legislation.
If specific contact persons or practices are in place in your organisation for using these rights, you can consider informing research participants about this. In some situations, data subjects may ask what the different rights involve. Using the rights and the content of the rights involve several things to consider. The website of the Data Protection Ombudsman contains further information on data subjects' rights.
4.10. Information relating to the transfer of personal data to third countries
Research participants shall be provided with certain additional information if personal data are to be transferred outside of the EU/EEA to third countries or international organisations. In addition to compliance with other preconditions for the legality of the processing of personal data, transferring the personal data in these situations requires that the transfer has a legal basis referred to in chapter V of the GDPR.
In scientific research, the transfer may, for example, be based on an adequacy decision of the European Commission on the appropriate level of data protection in the country (article 45). Adequacy decisions on the appropriate level of data protection already made can be found on the European Commission website. Translated versions are available in the official EU languages and can be accessed on the EUR-Lex website by following the link above.
Other bases for the transfer can be transfers subject to appropriate safeguards (article 46), binding corporate rules (article 47), and derogations for specific situations (article 49). If the research includes transferring personal data to third countries or international organisations, it is recommended to contact the data protection officer or lawyer in your organisation to ensure the correct application of rules regarding transfers. For more information, visit the webpage of the Data Protection Ombudsman.
Information provided to research participants regarding transfers
The content of the information provided to research participants is determined by the mechanism used for the transfer. If personal data are transferred in the way mentioned above, the information provided to research participants must include
- information about the intended transfer of personal data to third countries or an international organisation
- information about the existence or non-existence of an adequacy decision on the appropriate level of data protection
- information about the transfer mechanism corresponding to the GDPR (and the relevant article)
- information about the content of the mechanism used, or where this information is available.
The information must be provided in a manner that is as meaningful as possible to research participants. It is a good practice to name the third countries to which the data are to be transferred. Depending on the case, the layered approach can be used in providing the information.
Example on informing research participants about transfers to third countries
A Finnish data controller participates in an international research project where personal data are transferred to Sweden, Germany and Israel. Pertaining to recipients and categories of recipients of personal data, the rules described earlier are applied. Additionally, rules regarding transfers to third countries apply to this situation. Because Sweden and Germany are part of the EU, no further information regarding transfers to these countries needs to be provided to research participants. Israel is not an EU member state, but the European Commission has given an adequacy decision on the appropriate level of data protection concerning Israel. In this case, research participants could be informed about transfers to third countries in the following way:
Your personal data are transferred to Israel, which is not part of the European Union. The transfer is based on an adequacy decision given by the European Commission on the appropriate level of data protection (article 45 of the General Data Protection Regulation). Further information is available in the Commission's decision.
If the transfer of personal data to a third country or an international organisation is based on explicit consent in accordance with article 49 of the GDPR, research participants must be informed, prior to giving consent, that the transfers may pose a risk to them due to the lack of an adequacy decision and the lack of appropriate safeguards.
4.11. Information on the provision of personal data being a statutory or contractual requirement
In situations where personal data are collected from research participants, the participants must be informed if providing personal data is a statutory or contractual requirement or a requirement for concluding a contract. Research participants must also be informed about whether they are obliged to provide the data, along with the possible consequences of not providing the data.
This issue is important because of the generally voluntary nature of research. Informing data subjects about the obligation or voluntariness clarifies the situation in research conducted in, for instance, workplaces, public agencies and institutions. If providing personal data does not involve contractual or statutory requirements, and not providing the data does not have consequences for research participants, the information can be provided in the following way:
Providing personal data is not required on statutory or contractual grounds, or on the grounds of concluding a contract. Not providing the data does not have any consequences for you.
However, if providing the personal data is based on a statutory or contractual requirement, the information provided to research participants must specify the basis of the requirement applied, and the possible consequences of failure to provide the data.
4.12. Automated decision-making and profiling
Providing information related to automated decision-making and profiling has some additional requirements. Further information on definitions can be found on the website of the Data Protection Ombudsman. Detailed instructions are in the document Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (PDF).
If personal data are not used for automated decision-making or profiling in the research, research participants can be informed about this in the following way:
Your personal data are not used for automated decision-making or profiling.
The obligation to provide research participants with information regarding the processing of their personal data has some exceptions. In principle, however, one should refrain from derogating from providing information, unless the derogation is necessary. If you decide to derogate from providing certain information to research participants, it is important to ensure appropriate documenting and justification of these decisions in order to comply with the accountability requirements of the data controller. In uncertain situations, you should contact the data protection officer in your organisation.
When personal data are collected from research participants, derogation is possible insofar as research participants have already received the information. This includes, for example, situations where a research participant has already been in contact with the data controller at an earlier time. However, the data controller must be able to demonstrate how and when the research participant has received the information. Additionally, the data controller must be able to demonstrate that the information has not changed or become outdated. If the situation involves changes in the details of personal data processing, it may be appropriate, depending on the case, to provide all information again in addition to the changed information. In this case, the details that have changed in the provided information should be emphasised to research participants.
Situations where personal data are received from some other source than the research participant involve multiple exceptions for derogation. The situation mentioned above where the research participant has already received the information also applies to personal data received from a source other than the research participant. Other examples for derogation could be a situation where the provision of such information proves to be impossible or would involve a disproportionate effort, when the conditions and safeguards laid down in article 89 of the GDPR are applied, or a situation where the obligation to provide such information is likely to render impossible or seriously impair achieving the scientific objectives of the research. It is recommended to contact the data protection officer in your organisation if you want to apply a derogation, due to the careful consideration, documentation and safeguards needed for this.
The Office of the Data Protection Ombudsman, which is the Finnish authority supervising personal data processing, has taken the view that a data protection impact assessment (DPIA) shall be carried out in specific situations where these exceptions are applied to the obligation to provide information. Situations where an impact assessment is required include, but are not limited to, research where personal data are processed on a large scale, where the processing of personal data includes matching or combining datasets, where personal data of vulnerable individuals are processed, or where personal data are processed in the innovative use or application of new technological or organisational solutions. Further information on processing operations that require impact assessment is available on the website of the Data Protection Ombudsman.
The research participants must always be informed about the archiving and reuse of the research data. Information on archiving and reuse may be written into one or more of the research documents. These documents may include, for example, the research brochure, cover letter, consent form, privacy notice, or privacy statement. It is essential that the research participants are provided with sufficient, correct, and understandable information on the reuse of the research data. To ensure that the rights of the participants are respected and to secure data reuse, contradictory information between different research documents should be avoided.
There are at least three significant points regarding archiving and reuse on which the research participants need to be informed. These include:
- Where the research data will be archived (e.g. Finnish Social Science Data Archive)
- Who will be granted access to the archived data for reuse (e.g. registered clients of FSD)
- For which purposes of reuse the archived data will be disseminated (e.g. for research, teaching, and study purposes)
The above information tells the research participants who will be responsible for archiving the data after the study has been completed. The participants are also informed about who will be granted access to the data after archiving as well as for which purposes of reuse the data may be disseminated. Providing the participants with the above information ensures that their right of being extensively informed about the life cycle of the research data is respected, regardless of whether the data contain personal information when delivered for archiving. Informing research participants of these matters is also required by the ethical principles of research with human subjects.
In some cases, information on archiving may be included exclusively in the research cover letter. This may be the case, for example, when a professional data collection organisation collects the data and delivers an already anonymised dataset to the researcher. However, when the data have been collected by the researcher, it is usually necessary that the data are also reviewed at FSD. In these cases, the research data are processed at FSD to remove any personal information left in the data, and the research participants must be informed of archiving in the privacy notice as well.
Research organisations have different templates and instructions for privacy notices. Check your organisation’s instructions or contact the data protection officer of your organisation to ascertain how and where in the privacy notice the participants should be informed of the archiving of the data at FSD.
Datasets archived at FSD have different access conditions, which determine how the data may be reused (see part II. Conditions for disseminating research data for further use in the deposition agreement). The researcher defines the purposes for which the data may be reused. The examples below may be used as direction when informing research participants about archiving and reuse in the research documents. Select only one alternative and use it consistently in all documents.
The research data are offered for permanent archiving without personal data at the Finnish Social Science Data Archive. The Archive may hand over the data for reuse to registered clients for research, teaching and study.
The research data are offered for permanent archiving without personal data at the Finnish Social Science Data Archive. The Archive may hand over the data for reuse as openly available for all users.
The research data are offered for permanent archiving without personal data at the Finnish Social Science Data Archive. The Archive may hand over the data for reuse to registered clients for research only (including Master's, doctoral and Polytechnic/University of Applied Sciences Master's theses).
When qualitative data are collected for a study, a separate consent for archiving may be obtained from the research participants. This is not required by data protection legislation when archiving anonymous data, but doing so is considered an ethically responsible practice. Consent for archiving may be asked, for instance, in the following way:
Consent for archiving interview/text at Finnish Social Science Data Archive
▢ I consent to the archiving of my interview/text at the Finnish Social Science Data Archive for reuse in research, study and teaching.
▢ I do not consent to the archiving of my interview/text at the Finnish Social Science Data Archive.
If you want to restrict the reuse of the archived data to research only, the first option in the consent for archiving form outlined above should read as follows: "I consent to the archiving of my interview/text at the Finnish Social Science Data Archive for reuse in research or scientific theses including dissertations and master's theses."
See FSD's Guidelines for depositing data for more information.
If you are planning to collect data that contain research participants’ personal information, and you do not intend the data to be anonymised but wish to archive them at FSD, please contact FSD User Services before commencing your research (asiakaspalvelu.fsd ( at ) tuni.fi, +358 29 452 0411).