Data protection in research

One would think "Everything makes the DSGVO new", and in fact the data protection basic regulation (DSGVO) that came into force on 25.05.2018 updated the data protection directive (RL 95/46/EC) from 1995 in many areas.

At the same time, the rules for the processing of personal data for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes were also changed. According to the understanding of the DSGVO, the term "research" is to be interpreted broadly: The term is used demonstratively, for example, for processing for technological development and demonstration, basic research, applied research and privately funded research. An important field of application is the linking of data in the medical field, especially since, in the opinion of the European legislator, this can provide valuable insights into widespread diseases such as cardiovascular diseases, cancer or depression.

At the national level, the Data Protection Adaptation Act 2018 and the Data Protection Adaptation Act 2018 - Science and Research (WFDSAG 2018) made significant changes in the area of research. Thus, fundamental data protection provisions were incorporated into the Research Organisation Act (FOG) and individual provisions of research law were adapted into special laws, such as the Medicines Act (AMG) or the Medical Devices Act (MPG).

  • The high penalties of the DSGVO in connection with the assertion of possible claims for damages by affected persons require a high degree of data protection compliance, which must be ensured by the research institution. The following questions arise in particular:
    Which legal bases are applied?
  • Which data are processed or do special data categories exist (e.g. health data or genetic data)?
  • Is it possible to privilege processing according to the FOG or other legal provisions?
  • Which approvals, e.g. from the data protection authority or an ethics committee, are required?
  • How and under what conditions can study participants exercise their rights?
  • How can cooperation between different scientific actors be designed to comply with data protection requirements? Are the individual actors to be regarded as independent or joint data controllers or contract processors?
  • Which data protection agreements are necessary?
  • How should the directory of all processing activities be structured?
  • Is it necessary to appoint a data protection officer?
  • Is the consent of the data subjects necessary for any processing of personal data within the framework of scientific research?
  • May data collected and processed within the framework of another research project also be processed for one's own project?
  • What technical and organisational measures must be taken to ensure data security?
  • How can data be anonymised or pseudonymised in accordance with data protection regulations?

There are also special features if scientific findings are to be obtained with the aid of Big Data, especially since here too the data protection regulations must be complied with in full. In practice, this means finding the fine line between ensuring valid and reliable research results on the one hand and compliance with the principles of data processing (in particular the principles of data minimisation, legality of processing and purpose limitation) on the other.

Contact person
Dr Philipp L. Leitner
PDF file
Download PDF