Who’s involved?
The GDPR defines different roles. The most important roles are:
- Data controller
- Joint data controller
- Processor
Considering the different responsibilities and duties of data controllers and processors, it is important to clearly define these roles (together with other partners in your research) at the start of your research.
Data controller
The data controller is defined as the institution/organisation/person who decides on the purpose and resources of the processing. Please note that merely providing research funding (like the FWO, EU, …) is not enough to be considered a data controller in the context of your research.
For example: you are an FWO PhD fellow and, together with your supervisor, who is a professor at your university, you determine the purpose of your research. Although your research is funded by the FWO, your university will be the data controller. The FWO is merely a funder.
Joint data controller
Concerning joint data controllers, the purpose and the resources are determined by two or more organisations or institutions. In this situation, it is important to establish in a transparent manner, together with the other controller(s), who is responsible for providing information to data subjects and who data subjects can contact if they want to exercise their rights.
For example: you conduct research together with another university in Belgium or abroad, where both partners design the research plan (to a greater or lesser extent). This is not a situation where one university is merely a supplier of data or only carries out a specific contract for subcontracting.
Processor
Finally, an institution, an organisation or a researcher can act as a processor. In this case, the institution, organisation or researcher processes personal data commissioned by another organisation. This other organisation determines the purpose and the resources of the research.
For example: contract research, services commissioned by private companies, or some types of policy relevant research.
As part of a research project or a research collaboration, you may also work with processors to collect, process, store or make personal data available. For example: researchers contract with a company to send surveys to data subjects, or to analyse certain results of interviews and surveys. In this case, your university will act as the controller and the company as the (sub)processor.
It is important to stipulate all agreements in a contract between (joint) data controller(s) and processor(s) and subprocessor(s).
Which specific roles are there within the institution?
As a researcher within a research institution, you are responsible for making sure that your research is in line with the applicable guidelines. For specific advice in relation to the application of the GDPR, you can contact the ‘Data Protection Officer (DPO)’. For legal advice you can contact the valorisation/legal services of your institution. In some institutions, you can contact Data Stewards for further support on research data management.
When you share research data with another researcher or institution in the context of your research, you have to be sure that this other researcher or institution offers the same level of protection, in terms of both security and integrity, so that the rights and freedoms (including privacy) of the data subjects are guaranteed. In a joint project in which personal data are processed at different institutions/universities, it is also important that the processing of personal data at each institution is registered in a GDPR register.
Local collaborations
Although the GDPR applies to everyone who processes personal data in Belgium, the process for complying with its requirements can differ. For example, the GDPR Register of one university can differ to some extent from the register of another university or research institution.
Interdisciplinary collaborations
When processing personal data, take into account that different disciplines can have additional (ethical) requirements (e.g. for medical or health data). In addition, not every ethics committee will review these ethical requirements associated with the processing of personal data in its ethical advice.
International collaborations
In research projects where organisations/institutions from different Member States are involved, you should always take a look at the national legislation of all Member States involved and perform the processing in line with these national requirements. When you collaborate with (researchers from) countries outside the European Economic Area (EEA), you have to take into account any third country or international legislation. Moreover, you will have to take extra measures to guarantee that the research data are protected securely and with integrity (e.g. by an EU model agreement).