Before starting the research, it is necessary to find out what kind of personal data processing documentation is needed for the planned study. The relevant possible and required documents are listed below. In addition, it may be necessary to describe the personal data processing elsewhere, for example, in applications and reports submitted to funders.

...

2.1. Data management plan

A data management plan is a tool for describing the data and the work done with the data. The planning starts with the most general answers about where and how the data will be obtained, what types of data will be used and how they are related, what data formats will be used, how much data will be stored, what software will be used and where, how and for how long the data will be stored.

...

See also:

  • University of Tartu Library’s guidelines on creating a data management plan
  • University of Tartu Library’s course on research data management
  • University of Tartu Library’s examples of data management plans
  • DMPonline tool

...

2.2. Data protection policy

All institutions that process personal data must publish their data protection conditions. It may also be necessary to draw up separate data protection conditions for more extensive research projects. For example, the university’s data protection policy provides general information, but data processing in the context of a large-scale research project should be described separately. This is usually done in international research.

...

Read more: 

  • Data Protection Inspectorate's general guidelines for data processors, annex 3 "Data protection checklist"
  • University of Tartu data protection policy

...

2.3. Overview of personal data processing

Each controller and processor has the obligation to maintain records of the processing of personal data, according to Article 30 of GDPR³. Generally, making a separate overview for each study or project is not justified or necessary. However, the university may not actually know how exactly personal data are processed in a large-scale study or project. Also, the university may share the responsibility for personal data with numerous other research institutions. Therefore, it may be necessary to write an overview of the processing of personal data for a single research project, especially if it involves the processing of sensitive data or the use of higher-risk processing methods.

Read more:

  • Data Protection Inspectorate’s general guidelines for data processors, chapter 4 “Overview of personal data processing”

...

2.4. Ethics committee’s approval

Several Estonian legal acts have tasked ethics committees with assessing whether a proposed research study complies with data protection requirements. The ethics committee’s approval is either mandatory or voluntary, depending on the research. In an approval request, the researchers must describe, among other things, what personal data are processed, on what legal basis, and how and for how long (see also 2.13).

...

2.5. Data protection impact assessment

If the research data processing poses a high risk to people’s rights and interests, a data protection impact assessment may be prepared to protect them. The data protection impact assessment is mandatory for the controller. The researcher should contact the data protection officer if they think an impact assessment might be necessary for the planned research.

...

A data protection impact assessment is a specific obligation, which does not mean that other types of risk assessment are not necessary. Depending on the situation, a data security or ethical risk assessment may also be necessary (see also 2.14).

...

2.6. Informed consent

Consent is one of the possible legal bases for processing personal data in research. An informed consent sheet must contain the most relevant information on the processing of personal data. Sometimes it is necessary to make several versions of the same information sheet; for example, one for adults and one for children. It may also be necessary to translate the information into different languages.

³ Instead of the term “recording of processing activities” used in Article 30 of GDPR, the terms “personal data processing overview” and “overview of personal data processing” are preferred in Estonia. These have also been used in this guide.

The informed consent form with a person’s consent is an official document that must be appropriately kept. A researcher may need to provide evidence of a data subject’s consent if, for example, the person contests the processing of their data. Also, the ethics committee or funders may request access to the informed consent form to assess its compliance.

The consent can be withdrawn, and such withdrawal must also be documented (see the following subchapter).

...
