The aim of protecting personal data (also: ‘data protection’) is to protect individuals and their privacy. The right to the protection of personal data is laid out in the Treaty on the Functioning of the European Union and the Charter of Fundamental Rights of the European Union as an independent fundamental right, which unambiguously demonstrates its relevance and importance.
For the purposes of this guide, data protection is a field of law governing the use of personal data. On the one hand, it includes principles that may seem self-evident: for example, the principle of voluntariness, which means that individuals must not be asked to consent to the processing of their data by threat or coercion; or respecting the person’s autonomy, which means that everyone should be able to control the use of their personal data. On the other hand, personal data protection conflicts with several other important goals and interests, such as maintaining public order, doing research or business. There are exceptions, rules and principles for dealing with conflicting interests, but they may not be self-evident.
This guide explains the exceptions that apply to processing personal data in scientific research. It is important to remember that the data protection field is broad, and new issues are constantly emerging with advances in society and technology.
Data protection at the University of Tartu
Short guidelines on various topics of personal data protection are available on the University of Tartu’s intranet. The university’s wiki pages provide an overview of the main data protection principles by topics (in Estonian). A data protection module for testing and improving one’s knowledge has been prepared for university staff. The data protection policy is available on the university’s website. Chapter IX of the university’s documentary procedure rules explains the university employees’ rights and responsibilities when processing personal data. The university’s public wiki pages describe what to do in the event of information security and data protection incidents.