General Data Protection Regulation

Introduction

The General Data Protection Regulation (GDPR) is a European legislation that lays down rules relating to the protection of natural persons with regard to the processing of personal data. The Dutch Implementation Act for the GDPR (UAVG) describes the implementation of the GDPR for the Netherlands.

Definitions

  • Personal data refers to any information relating to an identified or identifiable natural person (‘data subject’). See also the definition of ’personal data’ according to the official text of the GDPR.
  • Data processing refers to any action performed on data, such as collecting, storing, modifying, distributing, deleting data. See also the definition of ‘processing’ according the official text of the GDPR.
  • Direct and indirect identification: Some identifiers enable you to single out an indiviual directly, such as name, address, IP-address etc. Individuals can also be identifed indirectly through:
    • a combination of information that uniquely singles out an individual (e.g. a male with breast cancer in a breast cancer registry, a pregnant individual over 50 etc.), this includes information in one record and information across different data files or datasets
    • unique information or patterns that are specific to an individual (e.g. genomic data, a very specific occupation, such as the president of a large company, repeated physical measurements or movement patterns that create a unique profile of an individual or measurements that are extreme and could be linked to subjects such as high-level athletes)
    • data that are linked to directly identifying information through a random identification code or number
  • Pseudonymous data: Data that are indirectly identifiable are generally considered to be pseudonymous; this means that they are NOT anonymous and still qualify as personal data. Therefore privacy laws, such as the GDPR, do in fact apply to these data. This is for example the case when direct identifiers are removed from the research data and put into a key file (or what is usually called a subject identification log in medical research) with which the direct identifiers can be mapped to the research data through unique codes, so that reidentification is possible. These data are therefore pseudonymous, and not anonymous. The LCRDM has made a reference card that illustrates the difference between pseudonymous and anonymous data.

Background information

Privacy in research - Privacy five-step plan

Where research requires the collection of personal data, the researcher has to follow the Privacy five-step plan to make sure to carry out the research in line with the GDPR.

VSNU Code of Conduct for using personal data in research

The VSNU’s Code of Conduct for Research Integrity (Dutch, English, 2018) includes a reference to the GDPR and its Dutch implementation law UAVG. An updated Code of Conduct for Using Personal Data in Research which complies with GDPR is still work in progress.

Support in your faculty: Privacy Champions

Each faculty has one or more Privacy Champions, who are the first point of contact for questions relating to privacy and the GDPR. The Privacy Champions can help you with completing a Data Protection Impact Assessment, registering your research in the record of processing activities, designing informed consent forms and other questions relating to the GDPR. The 🔒 list of Privacy Champions can be found on the VU website.

More information

On the VU page Working with personal data, you can find more information about how VU Amsterdam protects personal data.