Module 2: GDPR and Other Applicable Regulations on Privacy
This page is currently under construction
The training curriculum is currently undergoing final revisions and quality checks. All materials will be released shortly. Until the official release, please refrain from using, distributing, or implementing any part of these resources.
Learning Objectives
- Learning Objective 1 (LO1): Recognise the basic principles of GDPR and protection of personal data.
- Learning Objective 2 (LO2): Recognise how GDPR and privacy work in the research context.
Total Module Duration
2 hours 10 minutes
Learning Objective 1
LO1: Recognise the basic principles of GDPR and protection of personal data.
Learning Activities
- Lecture (30 mins): Introducing General Data Protection Regulation (GDPR) within the EU legal system. Overview of typical scenarios and rules applicable to researchers and research-performing organisations.
- Exercise (30 mins): Explore complex cases and how to safeguard GDPR compliance.
Materials to Prepare
- Lecture introducing the basics of GDPR, the purpose of GDPR and the principles for processing personal data.
- Exercise/case study to balance conflicting interests (using case studies from Resource 1).
Instructor Notes
Lecture:
- This learning objective is an introduction to GDPR and its applicability to personal data in research. The lecture can start with an introduction to what GDPR is and the principles for processing personal data (Resource 1 – Module 5, Functioning of the GDPR, Resource 2, Resource 4).
- The right of the research participant and the obligation of the researcher can be discussed (Resource 1 – Module 5, Purpose of GDPR).
- The instructor can introduce the following:
  - the EU Legal Framework on Data and the meaning of "research exemptions" in GDPR,
  - the meaning of purpose and scope for Processing Personal Data,
  - the legal basis for Processing Personal Data and Informed consent,
  - managing Personal Data in a research project: building data flows, and
  - identifying applicable privacy and data protection regulations on a national and institutional level, including the applicability of any provisions establishing a special regime for researchers.
Exercise:
- This exercise is meant to introduce learners to an overview of the complexity of GDPR, without going into detail on each point (unless specifically required by their home institutions or roles, and the session is designed to cover more depth). The instructor can re-use a case study with prompts to help learners make their own assessment of the case study (Resource 1 – Module 6 on complex cases can be used for this exercise).
- An alternative exercise would be to present various case studies (Resource 3) and discuss each case before providing the learners with the actions taken by the Data Protection Commission on these cases.
Resources
Materials for lecture/exercise:
- Course: GDPR 4 Data Support (English) | DANS. https://danstraining.moodlecloud.com/course/view.php?id=7. Accessed 22 Apr. 2025.
- General Data Protection Regulation (GDPR) Guidance Note for the Research Sector. Efamro, https://esomar.org/uploads/attachments/ckv2fj3rh001jbw3vejug72q2-efamro-esomar-gdpr-guidance-note-legal-choice.pdf.
- "Case Studies | Data Protection Commission." Case Studies | Data Protection Commission, https://www.dataprotection.ie/dpc-guidance/dpc-case-studies. Accessed 23 Apr. 2025.
- Habraken, Anja. LibGuides: Research Integrity: C) GDPR. https://libguides.uvt.nl/researchintegrity/gdpr. Accessed 23 Apr. 2025.
For inspiration:
- EDPB Guidelines 05/2020 on consent under Regulation 2016/679. https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en.
- Foggetti, N., Gerin Laslier, M., Di Giorgio, S., Haile Gebreyesus, N., Müller, S., van Nieuwerburgh, I., Romier, G., Van Wezel, J., Hönegger, L., Bodlos, A., & Vernet, M. (2021). Legal and Policy Framework and Federation Blueprint. Zenodo. https://doi.org/10.5281/zenodo.5647948, pp. 72-85.
- Sganga, C., Gebreyesus, N. H., van Wezel, J., Foggetti, N., Amram, D., & Drago, F. (2022). EOSC-Pillar Legal Compliance Guidelines for Researchers: a Checklist (interactive digital version). Zenodo. https://doi.org/10.5281/zenodo.6327668.
- Drążewski, K., Colcelli, V., Brizioli, S., Fernandes, E., Karabuga, E., Margoni, T., & Schirru, L. (2024). D3.7 - Coordinated set of guides, fact-sheets and FAQs on ELSI aspects for Civil Servants and Policy Makers. Zenodo. https://doi.org/10.5281/zenodo.13467302, p. 12 et seq.
- European Union, 'Protecting data and opening data - General Data Protection Regulation (GDPR) as a supporter for Open Data'. https://data.europa.eu/en/publications/datastories/protecting-data-and-opening-data.
- Kuchinke, W.; EUDAT Sensitive Data Working Group. (2017). How can e-infrastructures deal with the sensitive data challenge (Working Paper) [Data set]. https://b2share.eudat.eu. https://doi.org/10.23728/B2SHARE.3D1DFB9B889C4022AE7B308DF009FCC9.
- OpenAIRE, How to deal with sensitive data. https://www.openaire.eu/sensitive-data-guide.
Learning Objective 2
LO2: Recognise how GDPR and privacy work in the research context.
Learning Activities
- Exercise (40 mins): The instructor should give the learners a fictional case (for instance, tracking students' study habits via an app, or conducting a study on the mental health of Master's students via qualitative interviews). Some suggestions are provided in Resource 1; the instructor may choose a different example as well. Once the learners have chosen a fictional research project, ask them to reflect on the data protection principles and to draft a consent form covering the various aspects of GDPR and privacy, such as:
  - What data will be collected?
  - Why is it needed?
  - How will it be stored and protected?
  - Who will access it?
  - What rights do participants have under GDPR?
- Lecture (30 mins): Introduction to Data Protection Impact Assessment (DPIA) and using it to conduct risk assessments of collecting and storing personal data.
Materials to Prepare
- Exercise: prepare some fictional or real case studies for analysis.
- Lecture on DPIAs and how they help to protect privacy.
Instructor Notes
Exercise:
- This exercise is meant to address the misconception, often seen among non-legal researchers, that privacy and data protection are of minor importance.
- The exercise is an evaluation of a research project from the perspective of the affected data subjects, framed through a consent form. The instructor can use Resource 1 as inspiration for some examples to discuss.
Lecture:
- The instructor can introduce DPIAs, which are a good way to anticipate risks before data is collected (Resource 2).
- The instructor can demonstrate how DPIAs help organisations show that they are complying with:
  - principles of data protection (such as data minimisation, storage limitation),
  - data subject rights (for instance access, erasure, objection), and
  - accountability requirements (keeping records of decisions and assessments).
- To dive deeper into this topic, there is an opportunity to discuss the risks of disclosing personal data in Horizon and other EU-funded research projects which mandate open access publishing, and how this impacts the rights of data subjects.
- Key takeaways:
  - Based on the description of intended work by a researcher, provide details and guidance on compliant data handling.
  - Help researchers navigate the legal framework and support them in matching legal advice and support with data stewardship practice. This could be done by asking learners to reflect on stakeholders within their organisation they could approach for more advice.
  - Evaluate possible conflicts of interest between Open Data and GDPR, and be able to assist in evaluating good practice and proposing solutions (Resource 3).
Resources
Input for exercise and lecture:
- DPIA - Case Studies and Examples. https://www.linkedin.com/pulse/dpia-case-studies-examples-siddharth-srinivasan. Accessed 24 Apr. 2025.
- Data Protection Impact Assessment (DPIA). GDPR.Eu, 9 Aug. 2018, https://gdpr.eu/data-protection-impact-assessment-template/.
- Protecting Data and Opening Data | Data.Europa.Eu. https://data.europa.eu/en/publications/datastories/protecting-data-and-opening-data. Accessed 24 Apr. 2025.