General Data Protection Regulation

When doing research, you may process personal data in your dataset.
It may include such direct identifiers as name or different data points (like age, education, position, company), which in combination can indirectly identify an individual and therefore is still considered as personal data. 

If your research involves any data that can directly or indirectly identify an individual, you will need a privacy evaluation from ESHCC Privacy Officer.

Share your data management plan and relevant documentation via and you will receive an assessment within a few working days. The privacy assessment includes evaluation of compliance with GDPR principles and recommendations for appropriate measures to ensure data protection.

If the evaluation indicates high risk for research participants, a Data Protection Impact Assessment (DPIA) must be arranged, signed off by the EUR Chief Privacy Officer.

Privacy assessment of your research is also an important component of your application for ethics approval by the Ethics Review Board.

Before organizing the data collection, be aware of the following rights for individuals provided by General Data Protection Regulation:

  1. The right to be informed – individuals must be well informed about the research purpose, data collection, analysis and retention
  2. The right of access – individuals may request to view the data you have collected about him/her
  3. The right to rectification – individuals may submit corrections to the submitted information
  4. The right to erasure – individuals may request to erase their information from your dataset
  5. The right to restrict processing – if it is not possible to erase the data, individuals may request you to stop processing their data in your research
  6. The right to data portability – individuals may request to transfer their data to another party
  7. The right to object – individuals may object to your data collection and processing
  8. Rights in relation to automated decision making and profiling – if the decision is made solely by automated means, individuals may request human intervention.

Privacy regulation offers exemption for scientific research from the right of access, right to rectification and right to restrict processing.

The right of erasure can be excluded only insofar as it is “likely to render impossible or seriously impair the achievement of the [research] objectives (GDPR Article 17(3)(d))”. Always consult the privacy officer before applying this exemption.

When your research participants are minors, the following rules apply:

  • younger than 16 years: informed consent from parents/guardians is required.
  • older than 16 years: informed consent from the participant.

When collaborating with other organizations for your research, be sure to arrange appropriate agreements regarding the roles, rights and responsibilities. When sharing data with parties outside the European Economic Area, be aware that you must take additional organizational measures. For advice and assistance, please contact the privacy officer via

When collaborating with students for your research, ensure clear working instructions on data collection, storage and sharing. When students use their own devices, they are responsible for protecting their equipment. More information available on the EUR website.

Onepager Data Steward & Privacy Officer

Compare @count study programme

  • @title

    • Duration: @duration
Compare study programmes