Below are some questions on data protection that doctoral students have asked about their research projects, together with the answers.
Short answer: Revocation of consent does not in principle jeopardise the dissertation, as the patient data may in principle be further processed for the preparation of the dissertation even without consent.
In detail:
- Before the start of the research project, a data protection concept must be drawn up and submitted to the supervisory authority in charge upon request, § 24 para. 1 HDSIG, § 27 para. 1 BDSG.
- Sensitive data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, Art. 9 para. 1 GDPR.
- In order for the processing of personal or sensitive data to be lawful, a declaration of consent is required, Art. 6 para. 1 lit. a GDPR.
- The declaration of consent must contain, among other things, the purpose or purposes of the data processing and inform data subjects of their rights.
- Sensitive personal data processed for academic research purposes must be anonymised as soon as this is possible in accordance with the research purpose, unless this conflicts with the entitlement of the data subject. As soon as the research purpose permits this, the characteristics that can be used to establish a personal reference must be stored separately, Section 24 (3) HDSIG, Section 27 (3) BDSG. The characteristics must be deleted as soon as the research purpose permits this, Section 24 (3) HDSIG.
- If consent has been given, the interviewee has the right to revoke this consent at any time, Art. 14 para. 2 lit. d GDPR. However, this only applies to the future. The processing carried out up to this withdrawal is not affected by this and was and remains lawful.
- However, the (further) processing of personal, sensitive data is also permitted without consent for academic research purposes if the processing is necessary for these purposes and the interests of the controller in the processing outweigh the interests of the data subject in the exclusion of the processing. The controller shall take appropriate and specific measures to safeguard the interests of the data subject, Section 24 (1) HDSIG, Section 27 (1) BDSG.
- The doctoral candidate may only publish personal data for academic research purposes if the data subject has consented or if this is essential for the presentation of research results on events in contemporary history.
No. However, the data subject (the interview partner) must be provided with some information at the time of collection, including the name of the controller responsible for processing and, if applicable, the controller's intention to transfer the personal data to a third country or an international organisation (Art. 13 para. 1 lit. f GDPR).
Short answer: No.
Facts: Before the GDPR came into force, the following principle already applied: the processing of personal data is prohibited unless there is a legal basis or a declaration of consent for data processing. What about declarations of consent that were signed before the GDPR came into force on 25 May 2018?
Answer: The old, legally valid declarations of consent are probably still valid. However, revised declarations of consent adapted to the GDPR must be used for the processing of personal data after 25 May 2018.
Issue: There is a need on the part of those responsible for processing personal data to use templates for declarations of consent in order to limit the effort involved and to have legal certainty.
Answer: Templates can be downloaded from this website. However, such a statement must be filled out or customised individually.
Situation: An expert has personal data that concerns him or herself, but also company employees and other personal data that the enterprise processes. This data is collected in an interview, i.e. it is passed on to the interviewer. The expression "data relating to the enterprise" is not precise enough in the context of the GDPR: the GDPR protects data relating to individuals. Company data can also be financial data, security data, etc., which are not protected by the GDPR, but by other regulations. The question is interpreted here to mean that personal data is affected.
Answer: If no legal basis for the collection of personal data exists, data processing is prohibited unless a corresponding declaration or declarations of consent have been obtained. This means that no matter what personal data is involved - whether the expert names their own data or data of other people - it must be explicitly permitted to process this data. If declarations of consent are required, it does not matter whether the expert or others, e.g. the interviewer, obtains them. These consents must be given by the individuals, not the organisation or enterprise. However, the organisation or enterprise can, for example, store and administer these declarations of consent.
[Renewal of question] This concerns the following individual cases:
1. The consent forms, some of which had to be signed by more than one person, were printed out incompletely (e.g. margins cut off), signed by all required persons and then sent by post to the researcher.
2. The consent forms, some of which had to be signed by several people, were printed out in full by the first person, signed, scanned, forwarded electronically to the second person, printed out by them with the signature of the first person, also signed and only this printout was forwarded to the researcher by post.
3. The consent forms, some of which had to be signed by several people, were printed out by two people individually, each person only signed their own printed copy and sent it to the researcher by post.
In such cases, the researcher followed up several times in order to obtain complete signatures on the same document from all those involved where necessary. In some cases, however, she was unsuccessful and now fears that these participants could withdraw their consent if she were to follow up further.
The question is whether the above three cases are invalid declarations of consent in every case, or whether they could still be valid in individual cases?
Answer
From a data protection perspective, the decisive factor is whether the responsible researchers can clearly demonstrate and, if necessary, prove from whom and for what purpose they have received consent. This does not necessarily have to be vouched for in a document.
If margins have been cut off, the text itself is still legible and it is clear which text was provided by the researcher, this is sufficient from a data protection perspective; the same applies if only the signatures are available and it is recognisable from the page number, for example, that this was a multi-page document that is similar to other statements of consent in the same context.
If the processing of personal data is a contract-based activity for Fulda University of Applied Sciences (and not a private activity), this can also be carried out by a student assistant; the university remains the controller.
If a processor who is not employed by the university carries out this processing, a number of regulations must be observed, Art. 28 GDPR, § 47 HDSIG. For example, the processor must guarantee suitable technical and organisational measures to protect the rights of the data subject, a contract must be concluded, etc.
If you use certain software tools or similar, especially online, to process personal data, you must refer the data subjects to the relevant data protection information provided by the company offering the tool.
- Make contact with test subjects
- Create a data protection concept, possibly with RDMO (an online tool from HLB)
- Have a declaration of consent signed (download sample)
- Conduct interviews
- Further processing, possibly by a third party
- Anonymise / pseudonymise
- Save / store data securely (IT Support can help here)
- Archive anonymised data and delete personal data when the purpose has been fulfilled
Situation: There is raw audio data with personal and/or sensitive data that is to be (further) processed.
Response:
In principle, personal data may not be published. The doctoral candidate must modify sensitive data (e.g. on ethnic origin) in such a way that it is no longer possible to identify the person concerned as soon as this is possible in accordance with the research or statistical purpose, Section 24 (3) HDSIG (anonymisation / pseudonymisation). The doctoral candidate may only publish (or permit the publication of) personal data for academic or historical research purposes if the person concerned has consented or if this is essential for the presentation of research results on events in contemporary history, Section 24 (4) HDSIG. If none of these conditions are met (no consent, no events of contemporary history), the personal data may not be published. In this case, the personal data must be attached to the dissertation, e.g. for the reviewers, but publication must be prevented in any case, in this case by means of a blocking notice.
Short answer: The data must be deleted as soon as the purpose of the research permits.
In detail:
If special categories of personal data (health data) are to be processed (Art. 9 GDPR), Section 24 (3) sentence 2 HDSIG is relevant here (Section 24 Data processing for academic or historical research purposes and for statistical purposes). This states: "As soon as the research or statistical purpose allows, the characteristics that can be used to establish a personal reference must be stored separately; the characteristics must be deleted as soon as the research or statistical purpose permits this."
Art. 5 para. 1 lit. e) GDPR applies to other personal data: Personal data must be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data are processed solely for archiving purposes in the public interest or for academic and historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organisational measures required by this Regulation to safeguard the rights and freedoms of the data subject ('storage limitation')"
The methods used and the findings must be documented and stored for a period of ten years. Precise logging and documentation of the academic research procedure and results applies in particular to experimental work for which the repeatability of the investigations is an essential feature. (Fulda University of Applied Sciences statute on safeguarding good academic practice dated 22 May 2002)
The dissertation must contain the relevant research data of an experimental and statistical nature that led to the academic findings. They should be included as an appendix. If necessary, a blocking note can be applied for from the doctoral committee. (Doctoral degree regulations of the doctoral centres, usually in § 6 para. 5 of the PromO).
The so-called network drives of the Fulda University of Applied Sciences are recommended due to their security; private laptops or safes are not.
In principle, IT Support administrators have access to the files on the network drives. If there are concerns here, the files can be stored in encrypted form so that even the administrators do not have access.
Short answer: The processor of the data is obliged to keep this key file separately and to take technical and organisational measures to ensure that the personal data is not allocated to an identified or identifiable natural person, Art. 4 no. 5 GDPR. The extent to which a vault is necessary for this depends on the circumstances of the individual case and cannot be answered in general terms here.
Situation: The data processor has two files: One file contains the contents of the transcripts, but no personal data. The other file contains the keys that can be used to establish the personal reference that was destroyed by the anonymisation.
Answer:
- A definition of the term "anonymisation" can be found in Section 2 (4) HDSIG.
- According to the facts of the case, there is no anonymisation here, but a pseudonymisation, because the "file where the encryption is noted" is additional information within the meaning of Art. 4 No. 4 GDPR, with the help of which a re-identification of the data subject is possible. There is no such encryption in the case of anonymisation. Incidentally, pseudonymisation, like anonymisation, is a procedure with many individual steps that is not quite so simple and for which there are recommendations that should be taken seriously.
- On anonymisation: data loses its status as "anonymous data" if a person can be identified. This is measured by the following standard, Section 2 (4) HDSIG: "A natural person is identifiable if, taking into account all the means likely to be used by the controller or any other person, the natural person can be identified, directly or indirectly. In determining whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, in particular the cost of identification and the time needed to do so, taking into account the technology available and technological developments at the time of processing."
- On pseudonymisation and storage of the key file: the processor of the data is obliged to keep this key file separately and to take technical and organisational measures to ensure that the personal data is not allocated to an identified or identifiable natural person, Art. 4 no. 5 GDPR. The extent to which a vault is necessary for this depends on the circumstances of the individual case and cannot be answered in general terms here.
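The two-file arrangement described above, shown as an added example that is not part of the original FAQ: names in a transcript are replaced by random pseudonyms, and the name-to-pseudonym table is returned separately so it can be kept apart from the transcript. The function names, the `P-` pseudonym format and the sample transcript are assumptions constructed for illustration.

```python
import re
import secrets

# Constructed sample transcript and name list (not real data).
SAMPLE = (
    "Interviewer: Anna Schmidt, how long have you worked with Jonas Weber?\n"
    "Respondent: Jonas Weber joined two years after me."
)
NAMES = ["Anna Schmidt", "Jonas Weber"]


def pseudonymise(transcript, names):
    """Return (pseudonymised_text, key_table) for the listed names."""
    key_table = {}
    used = set()
    # Longest first, so a full name is matched before a shorter name inside it.
    for name in sorted(set(names), key=len, reverse=True):
        pseudonym = "P-" + secrets.token_hex(4)
        while pseudonym in used:          # re-draw on the rare collision
            pseudonym = "P-" + secrets.token_hex(4)
        used.add(pseudonym)
        key_table[name] = pseudonym       # random, not derived from the name
    if not key_table:
        return transcript, {}
    pattern = re.compile(
        "|".join(r"\b" + re.escape(n) + r"\b" for n in key_table)
    )
    return pattern.sub(lambda m: key_table[m.group(0)], transcript), key_table


def reidentify(text, key_table):
    """Restore the names; only possible for whoever holds the key table."""
    reverse = {p: n for n, p in key_table.items()}
    return re.sub(
        r"P-[0-9a-f]{8}", lambda m: reverse.get(m.group(0), m.group(0)), text
    )


if __name__ == "__main__":
    text, key_table = pseudonymise(SAMPLE, NAMES)
    print(text)        # content for the transcript file
    print(key_table)   # content for the separately stored key file
```

Replacing names only removes direct identifiers; whether the remaining text still allows indirect identification has to be assessed separately against the standard quoted above.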
Situation: There is raw audio data with personal and/or sensitive data that is to be (further) processed.
Response:
- Personal data must be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures ('integrity and confidentiality')" (Art. 5 para. 1 lit. f GDPR). See also Art. 32 GDPR. Storing the data in a safe is one way of preventing unauthorised access to the data if no unauthorised person can or may open this safe. However, given the technical possibilities, it should also be examined whether storing the data in a secure, monitored and maintained digital storage location is not the better option.
- As long as the research or statistical purpose requires it. The Fulda University of Applied Sciences statute on safeguarding good academic practice of 22 May 2002 requires 10 years (§ 1 para. 2 no. 2). The exact retention period must be decided on a case-by-case basis, especially for sensitive data. Note: The statutes will be amended soon.