Data protection in science and research
Data protection for research projects
Version of the document: 1.2
Status: 08.01.2019
The following guidelines are intended to provide researchers with an orientation on what must be observed when processing personal data in accordance with the General Data Protection Regulation (GDPR) and the Lower Saxony Data Protection Act (NDSG).
Under no circumstances does this guide replace advice from the data protection officer or another qualified person.
Please send any suggestions or criticism to dsuni@oul.de.
1 What is personal data?
Data protection is always and only relevant where personal data is processed. Anonymised (not: pseudonymised) data may be processed without any restrictions from a data protection perspective. But when does personal data exist?
Art. 4 No. 1 GDPR defines personal data as
"any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
It is currently disputed whether a personal reference also exists if the data subject could only be identified with an effort that is disproportionate to the significance of the data (previously known as "de facto anonymity"). However, the wording of the GDPR does not differentiate according to the effort required; it is sufficient that the data subject can be identified (regardless of the effort involved). It therefore seems legally safer to assume a personal reference in the aforementioned cases for the time being.
Personal data are therefore in particular
- Pseudonymised data. This also applies if you do not know the pseudonymisation key because it is kept by a third party or the subject creates the pseudonym themselves.
- Interviews recorded in audio (tape, MP3, .wav, etc.). Like a person's fingerprint, the voice is unique. There is currently no reliable method that alters a voice in such a way that it can no longer be identified.
- Body fluids (saliva, blood, cerebrospinal fluid) and tissue (hair, skin, bones) because of the genomes they contain
- Information from very small groups of participants (<=5)
- Information if it is collected together with one or more unique characteristics. Example: Students at the university are asked their age, among other things. One of the respondents states 102 years. The combination of student - 102 years is likely to be rather rare among respondents.
- Big data. The more data is collected, the smaller the group of people to whom this information applies in combination. With large amounts of data, this group can be narrowed down to a single person, so that even in these cases, despite supposedly anonymous collection, the data is personal data.
2 Data avoidance part 1: Do you have to work with personal data at all or is anonymised data sufficient?
According to Art. 5 para. 1 lit. c. GDPR, personal data must be
"adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation")".
The processing of personal data must therefore be reduced to the necessary minimum. The most minimal processing of personal data is logically that which does not take place at all. As a first step, you should therefore check whether your research project can also be realised with anonymous data without any compromises. Quote from the website of the State Commissioner for Data Protection of Lower Saxony:
"Many research projects can manage without personal data without any compromise to the scientific objective. The processing of personal data is only permitted as long as and to the extent that anonymised data is not sufficient for the purpose of the project. It should therefore always be checked whether a research project can be carried out anonymously."
(https://www.lfd.niedersachsen.de/fortbildung_informationsmaterial/empfehlungen_recht/einwilligung/einwilligung-in-ein-medizinisches-forschungsprojekt-56135.html)
3 Data avoidance part 2: What personal data do you need?
If it is necessary to process personal data in order to achieve your research objective, the second step is to check which specific data is to be requested. The principle of data avoidance also applies here, i.e. you may only collect the data that is necessary to achieve your research objective. During the conception phase, you should therefore already consider which data fields you specifically want to process.
4 Storage periods: How long do you need personal data for?
The next important question you should ask yourself is how long the processing of personal data is necessary for your research project. As a general rule, personal data must be deleted or anonymised as soon as possible. This may well result in different storage periods for individual data.
Example: You are planning to interview your test subjects over several dates. You record the interviews in MP3 (voice = personal data) and then transcribe them. Each respondent is assigned a pseudonym so that you can bring together the individual interviews for each person. The recordings should generally be deleted after transcription and verification. The coding list, on the other hand, should only be deleted once the interviews have been completed and you have collated the individual interviews.
5 Data protection impact assessment and data protection concept
Certain processing activities harbour a particularly high risk to the rights and freedoms of data subjects. In these cases, the university is obliged to carry out a data protection impact assessment in accordance with Art. 35 GDPR with the involvement of the data protection officer. It may also be necessary to draw up a data protection concept. Further information can be found on the homepage of the LfD Niedersachsen at
If you are not sure whether you need a data protection impact assessment or a data protection concept for your project, please contact the data protection officer. Alternatively, the data protection manager will be happy to answer any questions you may have about the necessity of a data protection impact assessment.
You can find a sample template for a data protection concept here:
A template for the documentation of a data protection concept can be found here.
6 The legal basis for processing
The processing of personal data is generally prohibited unless it is exceptionally authorised by a legal basis. In the area of research, two legal bases are available:
- the consent of the data subject (Art. 6 para. 1 lit. a. GDPR) and
- the overriding scientific interest (Art. 6 para. 1 lit. e. in conjunction with § 13 NDSG)
6.1 Consent (Art. 6 para. 1 lit. a. GDPR)
Consent is one of the two legal bases on which you can base the processing of personal data. Similar to consent to medical treatment, consent to the processing of personal data is only effective if the data subject has been informed in advance of the scope and extent of the interference (in this case, with the right to informational self-determination instead of physical integrity). A significant innovation based on Art. 5 para. 2 GDPR (the so-called accountability obligation) is that the data controller must be able to prove the consent of the data subject. Although consent can also be given verbally or through conclusive behaviour, you should therefore either obtain consent in writing (see below) or, in the case of online questionnaires or registration forms, for example, design the procedure technically in such a way that the test persons only reach the questionnaire if they have previously consented to the data processing.
You can find a sample template for a GDPR-compliant declaration of consent here.
Further information on consent can be found in the GDD practical guide GDPR XIII, which you can obtain free of charge at the following link:
www.gdd.de/downloads/praxishilfen/GDD-Praxishilfe_DS-GVO_13.pdf
Special case: data collection at schools
The collection of data at schools in Lower Saxony requires the consent of the pupils or teachers affected by the collection as well as the authorisation of the responsible state school authority in accordance with the decree of the Ministry of Education and Cultural Affairs. If you have any questions about this procedure, you can contact the state school authorities in Lüneburg, Hanover, Braunschweig or Osnabrück directly.
6.2 The overriding scientific interest (Art. 6 para. 1 lit. e. in conjunction with § 13 NDSG)
According to Section 13 (1) sentence 1 NDSG, public bodies may
"process personal data, including data within the meaning of Article 9 (1) of the General Data Protection Regulation, for a specific scientific or historical research project or transmit them to other bodies for this purpose if the nature and processing of the data indicate that the data subject's legitimate interest does not conflict with the processing of the data for the research project or that the public interest in carrying out the research project outweighs the data subject's legitimate interest."
In essence, this means weighing up the scientific interest against the interest of the data subject in not having their personal data processed. If there is no legitimate interest in not processing or if the scientific interest prevails, the processing of personal data is permitted. The result of this assessment and the justification must be documented (Section 13 (1) sentence 2 NDSG). In addition, the data protection officer must be informed (Section 13 (1) sentence 3 NDSG).
Please note that the overriding scientific interest is likely to be subject to judicial review and that courts may weigh things differently than the researcher. In the author's opinion, it is therefore more legally secure (and incidentally more polite) to ask the data subjects for their consent.
Further information on Section 13 NDSG can be found on the website of the LfD Niedersachsen at
www.lfd.niedersachsen.de/themen/forschung/datenschutz-und-forschung-56093.html
7 The record of processing activities, Art. 30 GDPR
As the controller, the University of Oldenburg is obliged under Art. 30 (1) GDPR to keep records of all processing activities for which it is responsible. These records describe the processing activities and the measures taken to protect the processed personal data in more detail. This obligation also applies to scientific activities. The records are created by the head of the respective research project (the so-called process owner) and forwarded to the data protection management officer. The data protection management officer advises on all questions relating to the record of processing activities. Further information and a sample template can be found at
uol.de/dism/dsm/basics/procedure-description
8 Information obligations, Art. 13 and 14 GDPR
If personal data is collected from the data subject, the data subject must be informed at the time of collection in accordance with Art. 13 GDPR. However, if the data is collected from third parties (e.g. residents' registration office, health insurance companies, hospitals, etc.), the data subjects must be informed in accordance with Art. 14 GDPR within a reasonable period, but at the latest within one month of receipt of the data. For scientific purposes, it may be possible to dispense with information in accordance with Art. 14 GDPR (but not in accordance with Art. 13 GDPR). If the information pursuant to Art. 14 GDPR is to be waived, the relevant considerations must be documented. Before you refrain from providing information in accordance with Art. 14 GDPR, please contact the data protection officer.
- Templates for information in accordance with Art. 13 and Art. 14 GDPR
9 The emergency: notification of data breaches
As the data controller, the University is obliged to report data breaches to the LfD Niedersachsen immediately and, if possible, within 72 hours of becoming aware of them.
Data breaches can be, for example
- Sending an email with a larger group of recipients in the "To:" or "CC" field without it being necessary for the other recipients to be able to see who received the email apart from them.
- Loss of a laptop or USB stick containing personal data.
- Accidental shredding of documents containing personal data.
- Destruction of data carriers and/or documents containing personal data in a fire (through no fault of your own).
If you notice a data breach, please contact the data protection management officers immediately, whose contact details can be found at
They are responsible for reporting to the LfD.
10 During and after the research project: Trust is good, control is better
During and after your research project, you must ensure that the measures you describe in the record of processing activities, in particular compliance with deletion deadlines, are actually implemented. The best measures are useless if they only exist on paper.
11 Last but not least
Last but not least, I wish you every success with your research project!
Your data protection officer