Guidelines on processing personal data for studies - frequently asted questions
On this page, you will find answers to frequently asked questions about how to handle personal data in studies as a student.
How to handle personal data in research?
The guidelines are intended for Aalto University researchers and the service staff who support them. Their purpose is to describe the practical questions that researchers must think about and the documents that must prepared if the research collects and processes personal data.
Let's begin by going over a few key concepts.
| Personal data |
Personal data is all the information that can be connected to an individual (or a ‘natural person’), not just data that directly identifies individuals, like names or contact information. In most cases, all research data collected on subjects is personal data, including interview responses, the researcher’s observations of their human subject, notes on the subject’s behaviour or actions, and various kinds of images and measurements taken of the subject.
|
| Pseudonymised personal data | An example of pseudonymisation is when personal data is encoded so that an individual can no longer be identified without the use of a code key. However, the holder of the key can decode the data and easily identify the ‘data subjects’ (i.e. the persons to whom the personal data pertains). Pseudonymised data is still considered personal data, and data protection legislation applies to it just as it does to personal data with direct identifiers. Pseudonymised data should not be confused with anonymised data. |
| Anonymous data | With anonymised data, it is impossible to identify an individual from the data. With anonymisation, the data must be irreversibly rendered so that not even the controller or an outside party with the information in their possession could use the data to identify an individual. ‘Anonymous’ as used here in the legal sense has a different meaning than in everyday speech. The concept of anonymised data must be used carefully because data, once anonymised, is no longer considered personal data and is no longer subject to the data protection regulations. Only rarely is data truly and completely anonymous from the moment of collection in research projects. |
| General Data Protection Regulation (GDPR) | The EU regulation that forms the foundation for all data protection legislation in Europe. |
| Data management plan (DMP) | This is not a document required by the GDPR, but certain funders require a DMP, and it is a useful tool for planning data collection and usage. The document is internal, so it is not distributed to the research subjects. |
| Privacy statement / privacy notice | These terms are often used for the document intended to provide human research subjects (‘data subjects’) with the information required by the GDPR. The GDPR includes a detailed list of information that must always be communicated to the research subject if personal data is collected. The easiest practical way to meet this obligation is by preparing a written privacy notice and making it available to all of the research subjects. |
1. Plan the collection and entire life cycle of the data
Carefully plan what information you need to collect in order to answer your research questions. Note that in a research project it may be necessary to collect both (1) personal data and (2) other data and materials that are not considered personal data. At each stage, it must be clear to you which of your collected data is personal data and which data is not. The GDPR defines the principle of data minimisation, meaning that unnecessary personal data must not be collected or retained.
Before you begin to collect or otherwise process the personal data, plan the complete life cycle of the processing (including the collection, retention (storage), use, distribution, any further research, archiving and erasure phases).
Also plan what IT solutions you intend to use to process and store the personal data you collect. If you have paper-based materials, also plan how to carefully store them.
A data management plan (DMP) is a useful tool for planning the data collection and storage.
Data collected from public sources
Please note that the GDPR applies also to personal data collected from public sources. That is, the GDPR contains no exceptions that would put personal data collected from public sources as being outside its purview. Such sources include social media and discussion platforms and various open websites. If your research includes the collection of such data, you must have a lawful basis for processing any personal data in it, and you are obliged to notify the relevant parties about the data collection and processing, unless notifying them would be unfeasible or require disproportionate effort. For the collection of personal data from public sources, Aalto University recommends that the researcher drafts a privacy notice for the project, and if directly informing the data subjects is impossible or unreasonably difficult, the privacy notice should be published on Aalto’s public website aalto.fi.
You may find webinar about the topic by Aalto University here: .
Data Management Plan (DMP)
Create a Data Management Plan (DMP) to ensure your research data is high-quality and FAIR: findable, accessible, interoperable, and reusable.
2. Assess the processing risks to the participants
The measures in this section apply to research that involves the processing of special categories of personal data (‘sensitive data’) and/or processing that involves unusually large risks.
2.1 What is sensitive personal data?
- Personal data belonging to special categories (‘sensitive data’) includes information pertaining to or revealing:
- Health status
- Political opinions
- Racial or ethnic origins
- Religious or philosophical belief
- Trade union membership
- Genetic or biometric data for the purpose of uniquely identifying a person
-
Sexual behaviour and/or orientation.
Other examples of sensitive data are data relating to criminal records, personal identity codes or bank account details. A research subject's personal identity code should never be collected without legitimate grounds. Such grounds could include a requirement to notify the tax administration if the subject is paid a fee for their participation.
2.1 Obtain a research ethics review before processing sensitive personal data
If your research involves sensitive personal data, you must obtain an ethical review from Aalto University Research Ethics Committee before beginning the processing. An prior ethical review may also be needed in other cases, as when required by a research partner, publisher or funder. Lack of an ethical review may prevent funding or publication of the research results.
Research ethics review: Research Ethics Committee
Aalto University Research Ethics Committee is responsible for the research ethical evaluation of  the university's non-medical research projects with human participants.
2.2 Prepare a data protection impact assessment (DPIA) when needed
What is a DPIA?
A data protection impact assessment (DPIA) is an internal document meant to help identify, assess and manage the risks associated with personal data processing. A DPIA is not automatically necessary for every research project, but it must be prepared if the planned processing of personal data is likely to involve significant data protection risks for the participants. For example, this may be the case when processing large amounts of data, sensitive personal data, or data involving children.
The page linked below has guidance on how to prepare a DPIA and how to determine whether it is necessary. The page provides guidelines with ten (10) factors that increase risks related to the processing of personal data in the research. If at least two (2) of the conditions are met, a DPIA should be conducted. The page also provides an Aalto template for DPIAs.
Data protection impact assessment (DPIA)
Milloin vaikutustenarviointi (DPIA) henkilötietojen käsittelyn riskeistä on tehtävä, ja mitä sen tekemisessä on otettava huomioon.
3. Draft a privacy notice
3.1 Template and instructions
Researchers must decide on many aspects of their personal data processing, at the latest, when the time comes to draft a privacy notice. The researcher is responsible for filling in the Aalto template and creating the notice. Aalto’s legal services for research can assist if the instructions fail to answer the researcher’s questions or if there are more complex legal issues related to the privacy notice and informing the subjects. Always use Aalto's privacy notice template when Aalto is the controller for the research. The template can also be used in situations where Aalto serves as a joint controller with other research partners. The template itself contains abundant details for filling it in. A few supplementary instructions are given below.
A privacy notice must be drafted separately for each research project that processes personal data. Aalto University does not have a general privacy notice that would cover all research projects at Aalto. In large, lengthy projects that collect data from a variety of participants and use a variety of methods, it may be appropriate to draft separate privacy notices for the different parts of the research. Case-by-case consideration is required to determine the clearest and most practical solution for a given situation and the participants involved.
The privacy notice should be written for persons without specific experience or knowledge of the professional language used in the research field. Therefore, use everyday language that is clear and simple, and avoid difficult professional jargon.
You can find Aalto’s privacy notice templates for research here: (requires login with an Aalto user ID).
If you are conducting medical research (Medical Research Act 488/1999), it is often better to use the template provided by the wellbeing services county or by the HUS Helsinki University Hospital.
Medical research refers to research in which:
- There is an intervention in the integrity (physical or mental) of a human being, human embryo, or fetus; and
- The purpose is to increase knowledge about health, the causes of diseases, symptoms, diagnosis, treatment, prevention, or the nature of diseases in general; and
- It is not a clinical drug trial as defined in the regulation on clinical drug trials.
3.2 How do I know what the GDPR roles are?
Determining the controller in individual research projects is done on a case-by-case basis. Often, several differing conclusions can be justified reasonably from a legal standpoint, so interpreting the ‘correct’ roles is not always straightforward or easy. Below are scenarios to help you determine the roles of each party in your research project.
Please note that a ‘research group’ or ‘project’ is not a legal entity capable of making valid binding commitments or being legally liable. If a research group comprises researchers from three different research organisations and all handle personal data, a GDPR-compliant role must be identified for each of the three. In such a situation, you cannot state in the privacy notice that ‘personal data will not be disclosed outside the research group or Aalto.’ Researchers from other universities are viewed as ‘third parties’ or as ‘external’ from a GDPR perspective, as they are employed by a different organisation.
| Controller |
The controller defines the purposes and the means of the processing of personal data (both of these conditions must be met). The controller decides what is researched and how, as well as what data needs to be collected and where it is processed. A crucial factor is which party or parties designed the research and wrote the research plan. |
| Joint controller |
Joint controllership is where two or more controllers jointly determine the purposes and means of processing. A typical example is when researchers from two different universities write up a research plan together and conduct the research in collaboration. In case of joint controllership, both parties are jointly responsible for all of the personal data processing, i.e. each university in the joint controllership is also responsible for the processing carried out by the other university in the joint controllership. It is important that the joint controller be a known and reliable partner, so that Aalto can trust that they will comply with the GDPR requirements. |
| Processor | The processor processes personal data on behalf of the controller and has no independent control over the data they process. Examples of processors include external transcription services, operators of IT environments and platforms, and in some cases, another research organisation if it has no significant independent decision-making authority or role in planning or conducting the research, but merely processes data under the strict supervision of the main research organisation i.e the controller. The processor is responsible for carefully following all instructions from the controller regarding personal data processing. |
| Independent controllers | Sometimes two parties may collaborate in research, each acting on its own as an independent controller. In such cases, the parties independently determine the purposes and means of the personal data processing. The two parties may have their own stand-alone research plans. An example is when Aalto receives data for research purposes from a company that originally collected the data for some other purpose; in such cases, Aalto and the company may act separately as independent controllers. |
3.3 What should I do or keep in mind if I transfer or disclose personal data to a party outside of Aalto?
The answer depends on the role of the recipient of the personal data according to the GDPR. Below are the measures to consider, bearing in mind the role.
| Processor |
Aalto University as the controller transfers data to an external processor: If an external party processes personal data for purposes defined by Aalto, for example, as when personal data is transferred to a subcontractor or another university, then a data processing agreement (DPA) must be made with that party, according to the GDPR. Aalto must ensure that such an agreement is concluded with the external party. Aalto’s legal services for research can assist with drafting a DPA. Aalto University as the processor: If Aalto is the processor of personal data and some other party is the controller, the controller is responsible for drafting the DPA. Aalto’s legal services for research can assist with reviewing a DPA provided by a collaborative partner. It is also possible to use the template provided by Aalto, for example, in cases where the controller does not have a suitable template. Agreement: Data processing agreement (DPA). Legal counsels have the up-to-date template. |
| Joint controllers |
If there are joint controllers, the most important obligation is that the joint controllership be written clearly into the privacy notice, and it is stated clearly which party the research subject can contact with any questions relating to data protection. While a written agreement for joint controllership is not a mandatory requirement in the GDPR, it is recommended. With reliable Finnish partners (such as other Finnish universities), drafting such an agreement is unnecessary. With foreign, lesser known partners, however, such an agreement is prudent for risk management. Aalto’s legal services for research can assist with joint controllership agreements (JCAs). Agreement: Joint controller agreement (JCA), if necessary. |
| Controller – controller |
Sometimes both the party disclosing (transferring) the data and the party receiving the data act on their own as independent controllers. As the GDPR requires no written agreement for these arrangements, the need for an agreement requires case-by-case consideration. It also depends on whether Aalto is the recipient or the disclosing party. If Aalto is in the disclosing role, we need to ensure that we have the right to disclose the personal data to the other party, and that the other party, in the role of recipient, has legitimate grounds for the processing. Agreement: Case-by-case consideration, no standard template. |
3.4 What if I need to transfer personal data beyond the EU/EEA?
Personal data can only be transferred to a party outside the EEA under certain conditions, as there is no guarantee that the level of data protection legislation at the location outside the EU/EEA will be as high as within the EU. This can, of course, create risks for the rights of the data subjects. The data subject must be transparently informed about the transfer. Additionally, the specific grounds for the transfer must be defined.
- First, check if the country to which you are transferring data is listed under the European Commission's adequacy decisions. If the country is on the list, the Commission has determined that the country's data protection legislation is equivalent to the protection level of the GDPR, making the transfer acceptable. Inform the data subject about the transfer in the privacy notice and clearly specify the country to which you will transfer the data. You can find information on the EU website about adequacy decisions, and a list of the countries is given at this link:
- If the country to which you would transfer is not listed, contact Aalto’s legal services for research. They can help you determine the grounds for the transfer based on an individual consideration of your case and help you with documenting the information in the privacy notice.
3.5 How do I choose the correct legal basis for the processing?
In scientific research, the legal basis for processing is usually ‘scientific research in the public interest’. Research performed at Aalto is most often of this kind when the study is conducted by a researcher at no less than a doctoral thesis level and the aim is to publish the results in a scientific journal.
‘C´Ç²Ô²õ±ð²Ô³Ù‘ should only be used as the legal basis for processing if the research does not meet the criteria of scientific research or if there are some other special grounds.
The choice of the legal basis is crucial as it has an effect on, among other things, the obligations of the researcher and the options that the researcher has available. Keep in mind that with consent-based processing of personal data, the consent can be withdrawn and thereby eliminate the legal basis, whereupon the researcher is obliged to delete the personal data collected from the subject. This automatic obligation to delete the data does not exist if the legal basis is scientific research, for then, if a participant withdraws from the study, the data collected up to that point can still be used in the research.
3.6 How is the privacy notice communicated to the subjects?
Ensure that data subjects are informed before you begin to collect or otherwise process the personal data. Remember, the information should be provided in a language understood and used by the subjects. Aalto University's privacy notice template includes a section for describing processing activities, as required by the GDPR, so a carefully completed privacy notice will also fulfil this obligation for documentation.
4. Anonymise the data before archiving, do not publish personal data and remember to delete it
Information that can be counted as personal data may not be freely published, for example, in a scientific article or open data repository. Information that can be regarded as personal data is always confidential.
Once data is anonymised, it is no longer considered to constitute personal data. Anonymisation means processing personal data in such a way that the identities of the individuals in the data are permanently irrecoverable. Merely removing the name of a participating subject from the data does not automatically make it anonymous; a much closer examination is required for anonymisation. A number of factors need to be taken into account when evaluating whether data has been rendered anonymous, including consideration of all means ‘reasonably likely’ to be used to identify an individual in the data. The bar for anonymised data is quite high, and much data that might initially appear anonymous are not truly anonymous upon closer inspection. Therefore, you should not rely on your data being anonymous until you are thoroughly familiar with the definition and fully understand what it entails.
The article by the Finnish Social Science Data Archive covers the subject of anonymised research data extensively. The Finnish Social Science Data Archive (FSD) is a separate unit of Tampere University and a national service provider for Finland on behalf of CESSDA (Consortium of European Social Science Data Archives), which serves researchers internationally.
FSD’s data archive also has other comprehensive guidelines and articles on research data management, such as
Time limit for erasing the data
You must specify in the privacy notice the time when the personal data will be erased (deleted). In doing so, you make a binding commitment to erase the personal data at the time stated to the subjects. Another option is to anonymise the data (see the above). Anonymous data is no longer considered to constitute personal data, so it is tantamount to data erasure.
Where can I get help?
| I need help drafting a data protection impact assessment (DPIA) | Data protection officer |
| I suspect that a data protection incident or data breach has occurred in my research project. | security@aalto.fi (send an email from your Aalto email account) |
| A subject has wishes to exercise their GDPR rights, such as the right to access the data. |
Data protection officer |
| I need assistance with a data management plan. | Aalto data agents |
| I need help anonymising my research data. | Aalto data agents |
| I need help with data protection matters, such as drafting an agreement for an individual project. | Legal services for research, and the legal counsel for your school and department |
| I need assistance with transferring personal data outside of the EU/EEA as part of a research collaboration. | Legal services for research, and the legal counsel for your school and department |
| I have questions related to data security and IT solutions. | IT Services for Research |
| I have questions about obtaining a research ethics statement | Research Ethics Committee secretary |
Contact information and links
| Data protection officer | Sirpa Syrjälä, dpo@aalto.fi |
| Legal services for research and the legal counsel for your school | The name of the legal counsel for your school and their contact details are here: Legal Services |
| Data agents | The contact details for Aalto’s data agents are here: Data agents |
| Research Ethics Committee secretary | Research Ethics Committee |
| IT services for research | IT Serivices for Research |
Links ºÚÁÏÍø University webinars about the topic:
- ()
Bachelor's and master's level guidance for handling personal data in studies
This guidance is intended for researchers at Aalto University, starting from doctoral candidates. Bachelor's and master's level students have separate guidance for handling personal data in studies, as well as instructions for survey and interview coursework or thesis where personal data is collected.
Guidelines on processing personal data for studies - key concepts
Guidelines on processing personal data for studies - key concepts
This service is provided by:
Research and Innovation Services
For further support, please contact us.