Chapter III of the GDPR sets out the rights that data subjects always have, irrespective of the purpose or the legal basis of the processing. Therefore, a participant in research may submit a request to the researcher about the processing of their data even if pseudonymised data from a public register are used in the research. To avoid confusion, the research team should agree beforehand on the person responsible for the personal data related to the study. That person has to respond to requests. The data subject’s rights are listed and briefly explained below.

2.9.1. Right to be informed about the processing of personal data

Articles 12, 13 and 14 provide for a general right to be informed. The controller has the obligation to draw up and publish their data protection conditions and inform the data subject of them. If it is impossible or disproportionally difficult for the researcher to contact the people, it is sufficient just to make the information publicly available. The provision of information supports the principles of transparency and fairness.

In a research study, the main source of information is the informational material given to the participant when they are asked for consent. However, it is important to consider that data subjects have the right to request information about the processing of their personal data at any time, so that the provision of the informational material or a reference to the data controller’s data protection conditions may not be sufficient, and the data subject must have the possibility to contact the researcher.

Individuals retain the right to be informed about the processing of their data even if the processing is not carried out based on their consent but on another legal basis.

2.9.2. Right of access

Article 15 of the GDPR gives data subjects the right to access the data collected about them, the recipients of the data, the transfers to third countries, the sources (if the data do not originate from the data subject) and the automated decisions made based on the information. They may also ask for more general information concerning the purposes of the survey and the retention period.

When data subjects want to access their data, they must send a request to the controller, who is entitled to identify the applicant before disclosing the data to verify whether it is the same person whose data are requested. If the request is sent by email, it must be digitally signed.

Once identified, the persons have two options to obtain information about their personal data at the University of Tartu: they may come to the university to access the data or receive a copy. The only exception, in which case neither of these options is available, is if showing or providing a copy of the database or environment containing the data subject’s data would harm other people – for example, if another person’s data are visible. In this case, it is not possible to consult the data on the spot, and no copy can be issued. The applicant can only receive a descriptive text. It must be explained to the applicant why they cannot view or get a copy of the data.

According to subsection 6 (6) of the Personal Data Protection Act, the controller may restrict the right of access if compliance would make it impossible or significantly impede the achievement of the purpose of the research.

2.9.3. Right to rectification of data

Under Article 16 of the GDPR, the data subject has the right to demand rectification of inaccurate data and completion of incomplete data. This right is related to the principle of data quality and ensures that decisions about the person are not made based on incorrect or incomplete data.

The controller must always rectify or complete the data at the request of the data subject, except where the controller considers the information to be complete or accurate. In the latter case, the controller must give reasons for the decision to the data subject.

Subsection 6 (6) of the Personal Data Protection Act allows the controller to restrict the right to rectify data if compliance would make it impossible or significantly impede the achievement of the purpose of the research.

Example

A few days after the interview, an interviewee contacts the researcher and asks to clarify an answer they have given. If it is possible for the researcher to do it and it is feasible at this stage of the study, the researcher should grant the request. However, if the same person repeatedly asks for clarification of one or another of their answers over a period of time, it will start to hamper the research. It is difficult to say precisely where the line between unjustified obstruction and justified clarification is drawn. Data subjects must be given reasons why they can no longer ask to clarify their responses from a specific moment.

2.9.4. Right to erasure of data

Article 17 of the GDPR provides the right to erasure, also known as the right to be forgotten. The erasure of data is one of the most complex rights. It must be done if one of the following circumstances mentioned in the GDPR applies:

  • the purpose of processing has been fulfilled;
  • the processing is unlawful;
  • the person withdraws consent, and there is no other legal basis;
  • the data subject objects to the processing of their data and there is no legal ground for further processing;
  • erasure is necessary to comply with a legal obligation;
  • the data concern the use of an information society service at a time when the data subject was a minor.

However, there are several exceptions to the right to erasure; in these cases, the controller can continue processing personal data even if the data subject requests their erasure. For example, if the processing is necessary for scientific research in the public interest, the erasure of the data would make it impossible or seriously interfere with the achievement of the objectives of the study. Erasure is rather exceptional in the context of research.

Personal data can be retained for longer periods if they have been anonymised or a decision is made to retain them for archiving purposes (see 4.1). However, at the time of collecting personal data, the person must be informed of how and for how long the data will be stored.

2.9.5. Right to restriction of processing

Under Article 18, the data subject has the right to restrict the processing of personal data in four cases. In the context of research, three of them are relevant:

  • If the accuracy of the data is contested, processing can be restricted for the time it takes to verify the accuracy of the data;
  • If the processing of data is contested, the processing can be limited for the time it takes to verify whether the controller’s interests override those of the data subject;
  • If the processing of personal data is unlawful, i.e. there is no legal basis for processing, it is possible to request the restriction of processing instead of erasure.

The GDPR lays down a few exceptions which nevertheless allow the controllers to process data with the restriction of processing: in particular, with the consent of the data subject, for legal claims, the protection of the rights of others, or reasons of substantial public interest.

According to subsection 6 (6) of the Personal Data Protection Act, the controller does not have to comply fully with the right to restrict the processing of personal data if this would make it impossible or significantly hinder the achievement of the purpose of the research. The restriction of processing in the research context is very exceptional and unlikely. It can happen when a person withdraws their consent to the processing of their data but decides to request the restriction of processing instead of erasure. In such cases, the data may be retained, but their use must be limited. However, since the erasure of data mostly concerns cases where there is no legal basis for the processing, further processing would be prohibited anyway.

2.9.6. Right to data portability

Article 20 of the GDPR allows data subjects to have their data transmitted from one controller to another. This operation is subject to a few restrictions:

  • Only data processed on the legal basis of consent or a contract can be transferred;
  • The processing of the required data must be automated, and the transfer from one processor to another must be technically feasible;
  • The transferred data must be in a structured, commonly used and machine-readable format;
  • The data subject can request the transfer of only such data that the data subject has personally provided to the controller.

As most research studies are based on consent and automatic data processing, people can, in principle, always demand the transfer of their data.

Example

A person relocates to another EU member state and intends to spend the rest of their life there. Having deposited a gene sample to the biobank years ago, the person wishes to transfer all their personal data to a similar biobank in the new country of residence, so that their new doctor can obtain information about them more easily. It is only possible to transfer data the person has given to the biobank themselves, i.e. only the person’s medical history, but not the genetic data generated by the biobank based on additional analyses.

2.9.7. Right to object

Article 21 of the GDPR lays down the right of the data subject to object to the processing of their data on the grounds of legitimate interest or public interest task, irrespective of the extent to which these legal grounds have been substantiated. If the objection is successful, the legal basis is cancelled, the processing becomes unlawful, and the right to request erasure or restriction arises. It is possible to request a restriction of processing while the objection is being assessed.

Based on subsection 6 (6) of the Personal Data Protection Act, the controller may restrict the right to object if compliance would make it impossible or significantly impede the achievement of the research objectives. Since objecting to the legal basis will inevitably hinder the achievement of the research objectives, it is not entirely clear what the controller should do when they receive such a request. However, it is essential to remember that if the request is not considered, the data subject may bring the matter before the Data Protection Inspectorate or the court to defend their rights.

2.9.8. Right to be protected against automated decision-making

Article 22 of the GDPR does not completely prohibit the automated processing of personal data. However, making decisions based solely on automated processing, including profiling (Article 4 (4)), is not permitted if such a decision produces significant effects or legal consequences for the data subject.

There are three exceptions, however. Making decisions based on automated processing is not prohibited if it is

  • necessary for making or performing a contract;
  • permitted by law;
  • based on the data subject’s explicit consent, given for automated decision-making. Such consent must be given separately from any other conditions on the consent form.

There are no exceptions to this right in the context of research. Therefore, the automated processing of personal data, including profiling, is prohibited if the decisions made during or as a result of such processing significantly impact data subjects or produce legal consequences (for example, restricting access to public services). In most cases, research does not involve making such decisions about individuals. However, in some types of applied research studies, it is theoretically possible to create and develop automated processing methods that can be later used to make decisions about individuals.
