91�����

If you collect personal data, do the following:

1. Plan what data you need

Understand the objectives of your study both now and in the future. Think about what data you need and also what data you do not need. Think of how you can design your study so that your data is least identifiable while still accomplishing your goals. These  data minimization and privacy by default principles  are core principles of  the General Data Protection Regulation ). More information on what is personal data can be found in: .

2. Plan the entire life cycle of personal data processing

Plan the entire life cycle of personal data processing (including e.g. collecting, storing, usage, research cooperation, further research, archiving, deletion) before you begin to collect or otherwise process any personal data. Aalto’s privacy notice template can be used to help with this planning (please see the list item five below). A Data Management Plan can be used /en/services/data-management-plan-dmp. The can be used to support planning.

The   FSD is a certified research data repository and they give expert advice on personal data in their.

5. Define the legal basis for processing personal data.

You can only process personal data if you have a legal basis provided in the legislation. In scientific research, the legal basis is usually either “performance of a task carried out in the public interest” or “consent”.

• The choice of the legal basis is important, because it affects e.g. your obligations and possibilities in the research.
• If purposes of the scientific research are in the public interest, it is advisable to use as legal basis "scientific research, a task in the public interest". However this legal basis is based on GDPR and national legislation, in EU projects involving other jurisdictions than Finland some universities  may use consent as legal basis.

• If you choose “consent” as the legal basis for processing, you must e.g. enable the participants to revoke the consent and you must be able to remove the personal data if data subject requests deletion of their data.  When consent is the legal basis, use a consent to process personal data form, an example can be found here 

   (login required)

6. Draft a Privacy Notice

When you process personal data fill in and use ”Privacy Notice for Research Study” -document. Give or send Privacy Notice to participants. You also need ethical consent to participate, this is used when the legal basis is scientific research, a task in the public interest. When legal basis is consent, you need a consent to use personal data. 

The Privacy Notice is used to inform the research participants before you start to collect or otherwise process personal data. Information given e.g. in the privacy notice and research and Data Management Plan should not be conflicting. Privacy Notice is also needed as appendix for the ethical review.  Ethical review also requires a separate document Information to participants. This information should only contain practical information and personal data use should be explained in Privacy Notice, in any case there should not be conflicting information.  Remember to inform the research participants with a language they understand. Aalto-template covers the duty to 'document the processing activities' with record of processing activity according to GDPR. 

• Send the privacy notice that you have given to data subjects also to tietosuojailmoitukset@aalto.fi

7. If you process personal data outside of Aalto note the following:

• If the other party processes personal data only for purposes, which are defined by Aalto, e.g. when you transfer personal data for a subcontractor, you must make a Data Protection Agreement (DPA) with that party.  Legal Counsel in your school can help to draft the  Data Protection Agreement or Annex that is needed.
• Where two or more universities or organisations jointly determine the purposes and means of processing, they are joint controllers. They shall in a transparent manner for the data subjects determine their respective responsibilities in the processing of personal data. The Privacy Notice may designate a contact point  for data subjects.  Ask from the Legal Counsel in your School if a Joint Controller Agreement is needed in addition to the Privacy Notice, where the responsibilities of the joint controllers are defined in transparent manner.  
• If you disclose personal data to another university or research institution, which can independently define the purposes for which personal data will be processed, there must be an agreement between the two independent controllers. The Legal Counsel in your School will help you with this agreement.
• Personal data can be transferred outside of the EEA only under certain conditions. For more information, please see: .

8. Inform data subjects about changes and update documentation

Personal data may only be processed for the purposes, which have been informed to the research participant prior to the beginning of the processing (by Privacy notice templates). If you need to process personal data for other purposes, you must inform the research participants on these new purposes and update all documents prior to the processing.

9. Anonymize data prior to archiving or publishing

The   FSD is a certified research data repository serving researchers who wish to archive data. FSD offers advice on data management and management of personal data see : . Other recommended data repositories are listed here:

-> Data publishing repositories

Anonymised data is no longer personal data. Anonymisation results from processing personal data in order to irreversibly prevent identification. In doing so, several elements should be taken into account by data controllers, having regard to all the means "likely reasonably” to be used for identification. See Working Party 29 Opinion 05/2014 on .

Before the anonymization, personal data has to be handled according to the above mentioned legislation, principles and guidelines.

If you wish to collect and reuse personal data that is not wholly anonymized, for example, interviews from professional experts on a certain field, contact the staff to see if archiving could be achieved before you start collecting information, so that research participants can be informed in a manner required by the repository. The staff of the repository can help researchers with data curation and steps leading to a successful collection and preservation of research data. Use of pseudonymised data is still personal data and allowing only restricted access can be used as a measure to archive the data.