Applying GDPR in research

If personal information about people is collected or used in research, the General Data Protection Regulation (GDPR) applies if:

  • a researcher based in the EU collects personal data about a participant anywhere in the world
  • a researcher outside the EU collects personal data on EU citizens

Information on the principles, requirements and definitions of the GDPR can be read here.

The GDPR makes provisions for processing personal data for research and archiving purposes as long as certain safeguards are in place. The safeguards include technical and organisational measures, data minimisation and pseudonymisation.

Further processing of personal data for archiving, scientific or historical research, and statistical purposes is not considered to be incompatible with the initial purposes of data collection, even when this purpose has not been expressly mentioned earlier. Also, in research, personal data may be stored for longer periods.

We provide here practical guidance, examples and questions and answers on how to apply GDPR in research.

Personal data can only be processed when there is a valid legal basis to do so. The GDPR recognises six grounds (bases). If a research project collects personal data, the processing ground does not have to be consent. We give here examples for research for each legal ground.

Legal basis and possible examples in research:

Consent of the data subject

  • A small, researcher-led survey designed to capture public opinion on a public issue, whereby email addresses are collected to contact respondents at a later stage.
  • A qualitative study on a sensitive topic such as violence against women, in which the respondents may be identifiable from the collected information.
  • An oral history project where people’s real names are used.

Necessary for the performance of a contract

  • Unlikely to be applicable in research. An example is processing personal data as part of an employment contract.

Legal obligation placed upon controller

  • Unlikely to be applicable in research. An example is processing personal data as part of a health and safety report/incident.

Necessary to protect the vital interests of the data subject

  • Unlikely to be applicable in research. An example: a hospital treating a patient after a serious road accident can search for his/her ID to check whether that person exists in the hospital's database, to find previous medical history or to contact his/her next of kin.

Carried out in the public interest or in the exercise of official authority (public task)

  • A longitudinal study of people living with dementia and their carers, to identify how people would like to be supported. Findings inform and support the caring strategy and public advocacy.

Legitimate interest pursued by controller

  • A research project that is fully funded and is being undertaken by a private corporation to look at the effects of smoking on car passengers.

