Copyright & Data Privacy

In this section we provide some basic information on copyright considerations in the context of research data as well as a systematic overview on the legally relevant corner stones for data protection compliant research. This includes a short description of relevant sections within the BDSG and relevant cross-references to the EU-GDPR as well as useful hands-on descriptions for carrying out a data protection impact assessment or writing a consent form.

Copyright – Relevant paragraphs of the Federal Data Protection Act (BDSG)

In general, primary data are not subject to copyright concerns (Guibalt & Wiebe, 2013; Hillegeist, 2012; Spindler & Hillegeist, 2011). However, before publishing data, questions about rights of use should be clarified. In this context, the following paragraphs of the Federal Data Protection Act (BDSG) should be considered:

§ 27 BDSG (cf. Art. 89 EU-GDPR): Data processing for scientific or historical research and
statistical purposes

• includes regulations regarding the processing of personal data for scientific or historical research and statistical purposes
• the processing of personal data within the aforementioned contexts can be conducted without consent if the interests of the responsible person to process these data outweighs the interests of the data subjects to exclude the processing of their data
• the rights of the data subjects addressed within §§15, 16, 18, and 21 EU-GDPR are restricted to the extent that they render the intended research impossible
• the personal data have to be anonymized as soon as the research or statistical purpose allows for it and no justified interests of the data subject are opposed to this

§ 46 (cf. Art. 4 EU-GDPR) Definitions

§ 47 (cf. Art. 5 EU-GDPR) General guidelines for the processing of personal data

Personal data must be

• processed in a lawful manner and in good faith,
• collected for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes,
• adequate to the purpose of the processing, necessary for achieving that purpose and their processing not disproportionate to that purpose,
• accurate and, where necessary, kept up to date, with all reasonable steps taken to ensure that personal data which are inaccurate having regard to the purposes of their processing are erased or rectified without undue delay
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed, and
• processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage by appropriate technical and organizational measures.

§ 50 (cf. Art. 89 EU-GDPR) Processing of personal data for archival, scientific and statistical purposes

• Personal data may be processed in archival, scientific or statistical form within the scope of the purposes specified in § 45 if there is a public interest in this and suitable safeguards (e.g., anonymization, taking precautions against unauthorized access) are provided for the legal interests of the data subjects

§ 64 Data processing security requirements

• regulates the technical and organizational measures (TOMs) that have to be implemented in order to ensure an adequate level of protection of the personal data processed (e.g., pseudonymization, access control, user control, etc.)

Carrying out a data protection impact assessment

According to §67 BDSG a data protection impact assessment has to be conducted if the processing of personal data results in a risk to the legal interests of the data subject. In this case the responsible person must provide an assessment of the consequences of the individual processing steps for the data subject before carrying out the data processing. Moreover, it is recommended to include the data protection officer in this process.

A data protection impact assessment has to include the following aspects:

1. a systematic description of the planned processing steps and the processing purposes
2. an evaluation of the necessity and proportionality of the processing operations in relation to their processing purpose
3. an evaluation of the risks for the legal assets of the data subject
4. the measures to adress existing threats (e.g., procedures to ensure the protection of personal data, TOMs, etc.)

Informed Consent

The legal basis for an informed consent is § 51 BDSG and Articles 7 and 8 EU-GDPR. According to these legal constraints, but also for ethical reasons (DGPs, 2018; Gollwitzer et al., 2020) it is of the utmost importance that participants are explained the following aspects in a clear and comprehensible language:

1. Benefits and risks
2. the data collection process
3. data processing purposes
4. storage of data
5. data reuse

Moreover, the voluntary nature of the participation must always be guaranteed and participants should be able to withdraw their participation at any time. The consent has always to be given on a voluntary basis and the responsible persons are required to document the given consent (cf. Gollwitzer et al., 2020). Besides giving an informed consent for participating under the described conditions, participants should give their broad consent for the reuse of their data by other people after completion of the data collection process. The consent for data reuse can naturally only be provided via a broad consent because purpose, type and scope of the reuse are often not clear at this moment. Due to ethical consideration such a consent should not only be obtained for the reuse of non-anonymized data, but for all data published for reuse. In order to allow participants to view their data and to withdraw their consent in the processing of their data for the intended purposes, it may be useful to maintain a list allowing for the identification of participants by the assignment of pseudonymization codes. After a pre-defined time-period, which has also been communicated to participants, this list has to be deleted. The German ethics council distinguishes different consent models (RatSWD, 2020; p. 27) that will be described below:

Blanket consent

In case of a blanket consent study participants agree to future use and disclosure of the data with indefinite content.

Broad consent

The possibility of “broad” consent was created specifically for scientific research in recital 33 of the GDPR. In doing so, the European legislator assumes that it may be more common that the purpose of processing personal data for scientific research purposes cannot be fully specified at the time the personal data is collected. Therefore, it allows the possibility for research subjects to give “broad” consent (a) for specific areas of scientific research or for parts of research projects, (b) to the extent permitted by the purpose pursued, and (c) in compliance with recognized ethical standards of scientific research. In this context, the “specific area” must have a connection with the original research objective.

Dynamic consent

Study participants are contacted several times to get their consent for different research questions.

Cascading consent

The cascading or meta-consent is an expansion of the dynamic consent and aims at getting the broadest consent possible. A cascading consent process might, for instance, be starting by asking study participants for their blanket consent. If participants are not willing to give this nearly unrestricted consent, they are asked to give their broad consent for specific research areas. Then, if participants want an even more restricted form of consent, participants can be asked to give informed consent to process their data for specific research questions (cf. Loe, Robertson, & Winkelman, 2015).