Personal data = any information relating to an identified or identifiable person.
NB: the rules for personal data protection do not apply to deceased persons.
Principles to respect (Article 5 GDPR) when processing personal data:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Data retention limitation
- Integrity and confidentiality
Processing is lawful if it meets at least one of the following conditions:
- The data subject has given consent.
- Processing is necessary for the performance of a contract to which the data subject is party or to carry out pre-contractual measures at the request of the data subject.
- Processing is necessary to fulfil a legal obligation to which the controller is subject.
- Processing is necessary to safeguard the vital interests of the data subject or of another person.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
It is important to understand that consent is not always required!
However, when consent is the basis of the lawfulness of the processing, it must be freely given, specific, informed and unequivocal. It must be a clear affirmative act. There can therefore be no consent in cases of silence or inactivity.
It can be withdrawn at any time.
In principle, it is forbidden to process sensitive data (= data relating to racial or ethnic origin, political, philosophical or religious opinions, trade union membership, genetic and biometric data, health, and sex life) EXCEPT under certain conditions listed exhaustively in Article 9 of the GDPR. One of these conditions is scientific research, provided that it is accompanied by appropriate safeguards (Articles 9 and 89 of the GDPR).
The GDPR requires the controller to provide a certain amount of information to the person whose data is being processed. This information is as follows:
- identity and contact information of the controller or his or her representative;
- contact information for the data protection officer, if there is one;
- the collected data;
- processing purposes and legal basis;
- recipients of the personal data;
- possible transfer to a third country or an international organisation;
- retention duration or criteria for determining it;
- existence of the data subject’s rights (access, rectification, deletion, limitation, opposition, portability, and the right to withdraw consent at any time);
- existence of the right to lodge a complaint with the supervisory authority;
- existence of automated decision-making.
The same applies when the data have not been collected from the data subject. HOWEVER, in the field of research, the person responsible for subsequent processing is exempted from the obligation to provide information when the provision of such information proves impossible or would require disproportionate efforts.
Persons whose data is processed have different rights. However, some of these rights (access, rectification, limitation, opposition and deletion) may be limited if exercising them would render impossible or seriously impede the achievement of research objectives.
Personal data may be stored for longer periods of time provided they are processed solely for the purpose of scientific research and:
- the research objectives can be reached via processing that does not allow or no longer allows for the identification of the persons concerned;
- appropriate safeguards exist.
Contact: for questions regarding the GDPR, please contact Michèle Remy, UCLouvain GDPR Delegate, firstname.lastname@example.org