Information Provision for Informed Consent Procedures in Psychological Research Under the General Data Protection Regulation: A Practical Guide

Abstract

Psychological research often involves the collection and processing of personal data from human research participants. The European General Data Protection Regulation (GDPR) applies, as a rule, to psychological research conducted on personal data in the European Economic Area (EEA)—and even, in certain cases, to psychological research conducted on personal data outside the EEA. The GDPR elaborates requirements concerning the forms of information that should be communicated to research participants whenever personal data are collected directly from them. There is a general norm that informed consent should be obtained before psychological research involving the collection of personal data directly from research participants is conducted. The information required to be provided under the GDPR is normally communicated in the context of an informed consent procedure. There is reason to believe, however, that the information required by the GDPR may not always be provided. Our aim in this tutorial is thus to provide general practical guidance to psychological researchers allowing them to understand the forms of information that must be provided to research participants under the GDPR in informed consent procedures.

Keywords

informed consent research ethics data protection privacy GDPR

Much psychological research involves the processing of personal data—data about individuals (see Box 1)—collected directly from research participants.¹ As a rule, the General Data Protection Regulation (GDPR; Regulation 679/2016) applies to psychological research conducted in European Economic Area (EEA) countries—and even, on occasion, to research taking place outside the EEA (see Box 2)—whenever the processing of personal data are involved. This legislation elaborates a series of obligations concerning the forms of information that must be communicated to research participants whenever data are collected directly from them—any failure to meet these obligations will thus constitute a breach of the GDPR. These obligations are predominantly elaborated in Article 13 and in associated guidance, and it will usually make sense that they are fulfilled in the context of an informed consent procedure—regardless of whether the rationale for this procedure is legal, ethical, or both.

Box 1.

Material Scope of the General Data Protection Regulation (GDPR)

The GDPR applies, as a rule, whenever personal data (see Note 1 for a definition) are processed. In essence, the concept encompasses all data that are specifically about, or that can be connected via their combination with other data to, an individual.

For example, an individual’s full name will often be regarded as directly identifiable personal data—although there may be cases in which a name is so common that it alone will not allow identification. Equally, an extensive data set including large amounts of health and demographic data about a specific individual may provide indirectly identifiable personal data even though it does not explicitly include a direct identifier. Certain forms of data are so rich in terms of content (e.g., genome sequence data) that they will generally be regarded as personal data regardless of how they are processed (see Article 29 Data Protection Working Party, 2007, for a more extensive discussion).

Pseudonymous data are personal data that have been subjected to a pseudonymization procedure—a procedure that, according to Article 4(5), essentially ensures “that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures.” In this regard, coded and double-coded data with identifiers removed will usually be pseudonymous data. We highlight that pseudonymous data qualify as, according to Recital 26, personal data—although there are national interpretations that foresee cases in which pseudonymized research data may qualify as anonymous data (see Note 1 for a definition).

In many cases, it will be obvious whether personal data are collected or not. The concept of personal data, however, is complex, and there may be difficult cases in which researchers are unclear as to whether a data set contains personal data or not. In such cases, researchers should seek guidance prior to proceeding.

Box 2.

Territorial Scope of the General Data Protection Regulation (GDPR)

In terms of territorial scope of application, the GDPR, according to Article 3, generally applies to the following:

• Researchers working at institutions located in the European Economic Area (EEA) and conducting research activities in the context of these institutions. The EEA currently includes all 27 European Union member states and three European Free Trade Association states (Iceland, Liechtenstein, and Norway).

• Researchers working at non-EEA institutions conducting research on personal data of individuals located within the EEA, to which the conditions of the GDPR still apply. There are a range of circumstances in which this may occur. This may occur, for example, if the research in question is being conducted on the basis of stable arrangements for data collection within the EEA, such as when one member of the research team is based in the EEA. We highlight that this possibility of extraterritorial application is complex and context dependent. In this regard, further guidance is beyond the scope of this tutorial. We strongly suggest that researchers not based in the EEA, who are conducting research on personal data collected from individuals located in the EEA, and who are not clear as to whether the GDPR applies to their work, should seek guidance from the relevant bodies (for a more extensive discussion, see European Data Protection Board, 2019b).

We have reason to believe, however, that these obligations are frequently not met. We believe that this is not because psychological researchers are seeking to avoid compliance but rather because there is confusion about what is required. In this regard, we seek in the following to provide practical guidance for psychological researchers—as well as other parties with an interest in understanding GDPR requirements, for example, research ethics committees, data protection officers and lawyers—concerning the forms of information that must be provided to research participants, when personal data are collected from them and the GDPR applies, in the context of informed consent procedures.

We begin by providing a brief background to the relationship between psychological research, the GDPR, and the information obligations under discussion. We continue by explaining the problem related to compliance with these obligations and our motivation for writing this practical guidance. We then proceed by setting the scene for the guidance by making a series of preliminary observations concerning limitations to the guidance and as to how the guidance should be used.

We then move on to present the guidance. This consists of three parts: (a) a checklist of types of information to be provided, (b) a more detailed discussion of the content of each of these types of information, and (c) example language relating to each type of information.

Psychological Research, the GDPR, and Information Obligations

There is a range of different types of norms applicable to psychological research. Two are particularly significant: ethical norms—for example, those outlined in the Declaration of Helsinki (World Medical Association, 2013)—and legal norms. These two types of norms may apply simultaneously to a given psychological research project and to a given aspect of research—that is, researchers may be obliged, in a given instance, to consider and follow both ethical and legal norms.²

One piece of legislation applicable to psychological research performed on personal data and conducted within the EEA—as well as, in certain instances, performed outside the EEA (see Box 2 for clarification)—is the GDPR. The GDPR elaborates a wide range of obligations relevant for psychological research, including those concerning the legitimation of processing, how data must be treated following collection, the facilitation of research participants’ exercise of their rights, and transfers of personal data outside the EEA.

One set of obligations relevant for psychological research elaborated by the GDPR concerns the forms of information to be provided to research participants prior to data collection whenever personal data are collected directly from them. Failure to meet these obligations will constitute a breach of the GDPR and will reflect a flaw in a data management plan. These obligations are the subject of this tutorial and are predominantly elaborated in Article 13 of the GDPR and in associated authoritative guidance.

The aim of these obligations, broadly put, is to ensure that the research participant understands what will happen to their personal data following collection and thus understands the consequences and risks involved in processing (see Article 29 Data Protection Working Party, 2018, for a more detailed discussion on purpose). Accordingly, these obligations support the ability of the research participant to make decisions in relation to the proposed research. In this regard, the aim behind these obligations shares much with the aim behind ethical obligations related to information provision in informed consent—that is, the realization of participant understanding and autonomy.

When personal data are collected directly from research participants in psychological research, there will usually be an informed consent procedure—as required either by ethics, law, or both—in which research participants agree to take part in the proposed research. The information must be provided prior to the start of processing and will normally happen as part of—within the context of—an informed consent procedure.

The Problem, and the Motivation for This Guidance

Unfortunately, there is reason to believe that compliance with these information obligations may not be the norm in psychological research—not least, perhaps, because the psychological curriculum usually does not cover legal training, nor is there always support infrastructure (e.g., legal counsel) to advise psychologists as they draft information materials for a study.³

Further, we understand that sometimes, perhaps because the GDPR is regarded as somewhat impenetrable and as posing significant compliance obstacles, researchers have been dissuaded from conducting research on data in relation to which the GDPR might apply.⁴ Yet this perspective on the GDPR may not always be warranted. Where this occurs, the fact that research that would otherwise have been conducted is eventually not conducted is a highly undesirable situation.

In this regard, we felt that putting together practical guidance aimed at clarifying the forms of information to be provided to research participants under the GDPR whenever personal data are collected directly from them would be useful in bridging such knowledge gaps and thus to further the interests of all involved in psychological research.

Setting the Scene for the Guidance

Prior to moving to the guidance itself, we offer a series of preliminary observations concerning its limitations and how it should be used:

First, given that each nation will have national laws in addition to the GDPR that regulate data protection, and given that other forms of obligation may be relevant (e.g., ethical requirements), the guidance does not necessarily cover all possible information provision requirements relevant to consent in psychological research where the GDPR applies.

Second, the guidance aims to clarify the GDPR’s information provision obligations that are relevant when personal data are collected directly from research participants. In this regard, the aim of the guidance is not to provide an elaborated discussion as to how psychological research must comply with other forms of obligation elaborated by the GDPR—of which there are many. We have provided certain such clarifications, however, where we thought they would be useful for understanding the information provision obligations under discussion. Accordingly, any such clarifications should not be taken as exhaustive as to how GDPR obligations apply to psychological research.

Third, we have built the guidance around the concrete information provision requirements in the GDPR—outlined predominantly in Article 13 and associated authoritative guidance (Article 29 Data Protection Working Party, 2018; European Data Protection Board, 2020b). These, however, are not an exhaustive list of forms of information that may need to be communicated to research participants according to the GDPR. In special cases, the GDPR may require that supplemental information be provided.

Fourth, this guidance addresses issues only directly connected with the content of information to be provided—we will not go into detail regarding the appropriate presentation of information.

Fifth, this is general practical guidance based on our understanding of relevant legal provisions. Accordingly, it should not be taken as a substitute for context-specific deliberation, and checking, as to what research participants may need to know to understand what is being proposed and as to what is required in a specific context. For example, our guidance does not deal with issues concerning the processing of personal data of children.⁵ Equally, issues may be discussed and recommendations provided that may not be accurate and valid for a specific context—for example, a specific national or institutional context.

In light of the above, we thus recommend four additional steps in order to make effective use of the guidance:

First, researchers should clarify whether, when, and how data protection law applies to their research. Only when data protection law applies to a study (or part of a study) are the requirements of that law relevant. Equally, in order to provide many of the forms of information under discussion, awareness of how the GDPR applies is necessary. Although this may seem obvious, there is often significant confusion regarding key terms defining the applicability of the GDPR, for example, “personal data” and “anonymity.” This tutorial is not the place to offer extensive clarification of the scope and applicability of the GDPR to psychological research. We do, however, offer some preliminary clarifications concerning the scope of the GDPR in Boxes 1 and 2 regarding its territorial scope and the concepts of personal, pseudonymous, and anonymous data.

Second, if researchers encounter anything they are not clear about when using the guidance or encounter any issue concerning the information to be provided that they are not certain about, they should always seek guidance before proceeding instead of simply presuming one way or another.

Third, when it is clear whether and how the GDPR applies and it is clear which information must be provided, researchers should consider how to present information to research participants such that this information is easily accessible and comprehensible. This tutorial is not the place to offer extended guidance on this issue. We recommend, however, that researchers (a) place all information relevant to fulfilling obligations under the GDPR in one clearly identifiable subsection of consent materials; (b) effectively communicate varying data protection conditionalities applying in relation to different types of data collected or in relation to different aspects of a research project; (c) ensure that they do not use conflicting terminology across consent materials, such as conflicting uses of the term “anonymous” (in case of potential conflict, definitions provided in law should be adopted across materials); (d) be aware that active provision of relevant types of information is usually required by law—that is, mere general indications that “data protection conditions apply” or similar may not be adequate (Article 29 Data Protection Working Party, 2018); and (e) try, when considering how to communicate with research participants, to put themselves in the position of a research participant and to consider what they might like or need to know to understand the research in question, the processing involved with the research, and the consequences and risks involved. Researchers might then seek to adapt the presentation and language of communication to this perspective. In certain cases, it may even be useful to involve participants as part of a participant panel in tailoring consent information.

Fourth, if researchers do rely on the guidance to produce participant information materials, researchers should always submit the end product to the relevant internal and external checks before proceeding.

The Guidance

The guidance consists of three parts. The first part is a top-level checklist of 10 types of information to be provided to research participants. The second part contains a more detailed description of the content of each of these 10 types of information. Finally, the third part consists of example language relating to each of the 10 types of information.

Types of information to be provided to research participants

Building from the text of the GDPR and authoritative guidance, we suggest that researchers should provide the following 10 types of information in informed consent materials:

Information about the controller(s) of data

The identity of and contact information for the controller(s) or their representatives

The contact information for the data protection officer

The purposes of the processing

The purposes of processing for which research participants’ personal data have been collected

The legal basis on which this processing occurs

The legitimate interests pursued by the controller if the legitimate basis is Article 6(1)(f) of the GDPR

Risks and safeguards

Recipients of data

Recipients inside the project

Recipients external to the project

Types of personal data that will be collected and processed

Types of data collected directly from the research participants

Types of data that will be generated in the course of research

International transfers

Information as to which personal data will be transferred, who will receive the personal data and their location

Information as to the legal legitimation of the transfer—given that, in principle, transfers of personal data outside the European Union (EU) are legally legitimate only when certain conditions are fulfilled (Chapter V and particularly Articles 44–49 of the GDPR)

Information concerning the conditions; safeguards; and, in the absence of such safeguards, the risks associated with the transfer

Storage periods

The length of time personal data will be stored

The criteria according to which the length of time will be decided

Data subject rights

Range of rights

The right to withdraw consent (see Article 7(3) of the GDPR)

The right to access (see Article 15 of the GDPR)

The right to rectification (see Article 16 of the GDPR)

The right to erasure of personal data (see Article 17 of the GDPR)

The right to restrict processing (see Article 18 of the GDPR)

The right to portability (see Article 20 of the GDPR)

The right to object to processing (see Article 21 of the GDPR)

The right to lodge a complaint with a supervisory authority

Exceptions

Modalities and consequences of exercise of rights

Contractual or statutory requirements

Automated decision-making

Elaboration of types of information to be provided

Below, we attempt to clarify the content of each of the 10 types of information listed above. Our clarifications do not cover all possible questions and issues but are targeted to be as useful as possible and have been drafted in light of (a) our understandings and interpretations of the relevant legal provisions; (b) the aims of the provisions in law—that is, that the provision of information to research participants should allow them to effectively understand the proposed research and processing; (c) issues encountered in participant information materials we have observed and felt it useful to address; and (d) existing fruitful approaches, recommendations, and templates—including those already used by psychological researchers (e.g., by the German Psychological Society; Ethikkommission der Deutschen Gesellschaft für Psychologie, 2021).

Information about the controller(s) of data

The identity of and contact information for the controller(s) or their representatives

This information should be clearly marked (see Box 3). We suggest that it is not adequate to simply provide the contact information for the lead researcher or a project representative without further clarification as to whether this person is the controller or their representative. Should there be a difference in the identity of the controller and other parties mentioned in consent materials as responsible contact points for the project, we suggest that this also be made clear. Where multiple controllers are relevant, each should be clearly listed, and it should be made clear who will have responsibility for each aspect of processing.

Box 3.

Who Are Controllers in Psychological Research?

According to Article 4(7) of the General Data Protection Regulation (GDPR), “‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law” (Regulation 679/2016). According to the European Data Protection Board (2020a), “In practice . . . it is usually the organization as such, and not an individual within the organization . . . that acts as a controller within the meaning of the GDPR. Sometimes . . . a specific person responsible for the implementation of the processing activity [will be appointed]. Even if a specific natural person is appointed to ensure compliance with data protection rules, this person will not be the controller but will act on behalf of the legal entity . . . which will be ultimately responsible in case of infringement of the rules in its capacity as controller” (p. 10). In relation to psychological research, it will often be the case that a specific researcher (e.g., the lead researcher) is responsible for the organization of data processing in relation to a project and, in such cases, it may make sense to list this person as the controller’s representative.

The contact information for the data protection officer

Article 13(1)(b) GDPR requires that the research participant be provided with “the contact details of the data protection officer, where applicable.” The researcher responsible for designing the consent form should find out whether their organization has a data protection officer, or an individual or body that plays a similar role, and if so, whether it is necessary to list the officer in the consent materials. Data protection officers are responsible for ensuring compliance with the GDPR, and their identity and contact information should already be public (Article 29 Data Protection Working Party, 2017a). We suggest that this information be provided unless there is a compelling reason not to do so. When an institution does not have a data protection officer but does have an individual or a body that plays a similar role—for example, a privacy officer—then the contact details of this individual or body should be provided, if possible.

The purposes of the processing

The purposes of processing for which research participants’ personal data have been collected

The researcher designing the consent materials should be as specific as possible with regard to the aim of the processing. If personal data are being collected for a single research project, this will usually constitute a sufficiently specific purpose—although multiple processing operations may then occur within the context of the project. If multiple specific purposes are foreseen at the time of collection—for example, if the aim is to collect personal data for multiple specific research projects either at one point in time or in the future—each of these specific purposes should be communicated separately.

Because data may be collected for research purposes not foreseeable at the moment of collection, broader purposes may, in certain cases, be elaborated—see the possibility in relation to consent as a legal basis elaborated in Recital 33.⁶ The researcher should check, however, whether broader statements of purpose fulfil relevant conditions, including relevant ethical standards (Datenschutzkonferenz, 2019; European Data Protection Board, 2020b). As the scope of this possibility, as well as the relevant safeguards, remains a subject of discussion, are contextually dependent, and are liable to divergent interpretations, we strongly suggest that researchers seek advice before proceeding if they are unclear as to how the possibility applies to them.

In certain cases, it is possible that the means of processing—apart from the purposes—may not be obvious for research participants but may still be relevant to participants’ understanding of research.⁷ In such cases, we suggest that these means of processing also be communicated. For example, if research is aimed at the production of information on “feelings of community” that engages members of a certain religious group as participants, part of the process of the research project involves a methodological step based on psychological constructs related to religion, which are likely to be disputed or objected to by the religious group. Therefore, this step might need to be communicated if it is not implicitly clear from the research goal.

Where multiple parties will process personal data for different purposes, or where different types of personal data will be processed for different purposes, we suggest that this be made clear to research participants. Research that involves deception of research participants or incomplete communication of information requires further consideration (see Box 4 for further discussion).

Box 4.

A Note on Deception and Incomplete Disclosure

Psychologists routinely have reason to leave participants in the dark about the intent of their research to preserve the fidelity of the participants’ responses—whether via actively misleading participants or simply by not providing them with full information. They may, for example, vaguely describe a study on racist stereotypes as “social cognition research,” or give instructions to participants suggesting that they assume the role of a teacher in a study on human learning when the study is actually about obedience to authority. The General Data Protection Regulation (GDPR)–compliant use of methodologies including deception and incomplete disclosure is an issue that currently has no easy and clear answer. The concepts do not appear in the GDPR itself. However, the provisions of the GDPR do not obviously facilitate collecting and processing personal data without providing relevant information as to the purposes of processing to research participants. Certain guidance concerning consent as a legal basis—although not specific to research—seems to clearly suggest that no form of misleading about relevant facts is permissible (European Data Protection Board, 2020b). Accordingly, this is an issue that has been explicitly flagged as requiring further thought and research in authoritative guidance on scientific research and the GDPR (European Data Protection Supervisor, 2020, p. 21). Questions concerning GDPR compliance and deception or incomplete disclosure will not emerge if researchers collect and process only anonymized data (see Box 1). We acknowledge that simply collecting anonymous data instead of personal data may not be possible—at least not without significant changes in a research protocol and the scope of data that can be collected. If use of anonymous data is not possible, we suggest that researchers obtain case-specific guidance from relevant bodies that can give context-specific advice.

The legal basis on which this processing occurs

All processing of personal data under the GDPR requires a legal basis, and all legal bases are listed exhaustively in Article 6 of the GDPR.⁸ When sensitive personal data (see Box 5) are collected and processed, a legal basis will also supplementally—that is, in addition to the legal basis under Article 6—be required under Article 9 of the GDPR.⁹

Box 5.

Sensitive Data

Article 9(1) of the General Data Protection Regulation (GDPR) defines sensitive personal data as any personal data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” This is an exhaustive list, and any personal data that do not fall into one of these categories will not be considered sensitive data.

In the first instance, we highlight that multiple legal bases may be relevant in relation to processing operations connected to the overarching purpose (see above). See, for example, the discussion of the different possible bases that may be relevant in relation to processing operations connected to a single primary research purpose in European Data Protection Board (2019a, pp. 4–7). Researchers, however, need to identify only one legal basis in relation to each aspect of processing. In this regard, researchers should check which legal bases are relevant to them, check which aspects of processing these legal bases might legitimate, and communicate each of these to research participants. When necessary, researchers should highlight any national laws diverging from, or specifying, the GDPR relevant for the legitimation of processing.

We highlight that although consent may be used as a legal basis for psychological research in certain cases—consent is listed as a legal basis in both Article 6 and Article 9—it is not always available for all types of psychological research.¹⁰ In this regard, there are certain conditions that may exclude its use as a legal basis in a given context—for example, in cases in which a power imbalance between researcher and research participant precludes the possibility of offering freely given consent and in cases in which an effective withdrawal of consent is not possible (for further discussion, see, e.g., Directorate-General for Health and Food Safety, 2019; European Data Protection Board, 2019a, 2020b). We highlight, however, that national interpretations as to when this basis might be used vary, and psychological researchers should find out what conditions apply to them.

We further highlight that simply because research participants are asked to provide informed consent in relation to a research project, (a) this does not necessarily mean consent is the legal basis under Articles 6 and 9 of the GDPR relevant for legitimating processing—see Box 6 for a discussion and explanation—and (b) the mere fact that consent is requested is not a reason to fail to provide information as to the legal basis (European Data Protection Board, 2019a).

Box 6.

The Ethics of Informed Consent and Consent as a Legal Basis for Processing Under the General Data Protection Regulation (GDPR)

We highlighted that both ethical and legal rules may be applicable to a given research project and in relation to a given aspect of research. These rules will often correspond, but this is not always the case—the goals of ethics and law are not always identical, the instruments of ethics and law are drafted and adopted by different parties and via different procedures, etc. Accordingly, in a given case of psychological research, there may be, for example, an ethical requirement to obtain informed consent from the research participant. When the GDPR also applies to such a case, then all processing of personal data will need to be legitimated under Article 6—and if sensitive personal data are processed, researchers will also need for this to be legitimated under Article 9. However, consent can be relied on only as a legitimate basis if a certain set of conditions specific to consent in the GDPR are fulfilled. If these conditions cannot be fulfilled, another legal basis must be found to legitimate processing, but the ethical requirement to obtain informed consent may still be valid. Accordingly, a situation may emerge in which there is an informed consent procedure relevant to a research project but that consent is not the legal basis legitimating processing under the GDPR. Should this situation arise, we suggest that this be clearly communicated to research participants so that they do not assume that consent is the legal basis under the GDPR.

The legitimate interests pursued by the controller if the legal basis is Article 6(1)(f) of the GDPR

When the legal basis for processing in a project is Article 6(1)(f) of the GDPR—“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party”—the researcher should list the legitimate interests according to which they are processing the personal data. These legitimate interests include the conduct of scientific research. We highlight, however, that this legal basis may not be appropriate for psychological research conducted in public institutions.¹¹ In this regard, we strongly suggest that any psychological researchers considering using this legal basis check their institutional status and whether the basis is available to them.

Risks and safeguards.¹²

Risks

Researchers should be clear about any risks related to processing for the purposes of their research that may not be immediately clear to participants. In certain cases, processing for research purposes may not pose obvious direct risks. In many cases, however, and despite best efforts, there will be some risk that unauthorized parties will gain access to personal data—whether by gaining access to personal data held by researchers, by reidentifying anonymized published data sets, etc. This risk will increase as the richness of a data set increases (El Emam et al., 2011). With this observation, we do not wish to suggest that risks of unauthorized external use will necessarily be likely to occur. Indeed, in many cases, the likelihood may be very small. Nevertheless, when such risks cannot be excluded, we suggest that this be communicated to research participants.

Safeguards

Researchers should also be clear as to the measures in place to ensure that risks are minimized, that personal data are used only for the purposes for which they are collected, and that personal data are accessed only by authorized individuals. We suggest that researchers communicate the presence of these safeguards to research participants. These safeguards can be technical—such as access controls, pseudonymization, and encryption—or organizational—such as researcher training and ethical review procedures.

Recipients of data

Recipients inside the project

Identification of different types of recipients need not include a list of all possible researchers who will access the data. However, if there are different types of researchers—for example, those conducting different kinds of research or researchers from different institutions—who may access the data, or if there are different types of nonresearch entities that will access the data as part of the project, we suggest that these parties and their roles be communicated. Eventually, it should be clear to research participants who will have access to which data and what they will do with the data.

Recipients external to the project

This includes external researchers and external parties connected with the research process—such as quality control authorities. This also includes actors who may access personal data for purposes other than those connected to research—for example, law enforcement authorities (Dranseika et al., 2016). Researchers should check carefully in advance the range of external parties that may, even only theoretically, have access to the data they hold. Each of these parties, as well as, we suggest, the conditions under which they will access personal data, should be communicated to research participants. If researchers find that third parties can access personal data, a categorical statement to the effect that data will not be transferred to third parties will be inaccurate.

Types of personal data that will be collected and processed

Types of data collected directly from research participants

As a rule, participants should be aware of the range of types of facts about them that will be collected. In terms of the detail of breakdown of information collected, researchers should exercise discretion but should seek to provide participants with information of sufficient granularity that they can understand the full range of facts collected from them. Some raw data sets collected from participants could be subject to a range of different analyses and produce a range of different facts about them (e.g., genetic data; Hallinan, 2020). In such cases, we suggest that researchers clarify to participants the forms of data that will be collected, the forms of information that will be extracted from these data in the course of research, and the other types of information that might potentially be extracted from the collected data—even if not planned within the context of the study in question. In certain cases, the forms of information that may be extracted may be extensive and even uncertain at the moment of collection (e.g., because of scientific advances; Article 29 Data Protection Working Party, 2004). In such cases, we suggest that researchers highlight these facts to research participants and provide them with information sources that will allow them to understand the current and prospective situation, should they wish to. We suggest that the sources be chosen, as far as possible, such that they are accessible to laypersons. If sensitive data, in the meaning of the GDPR, are collected (see Box 5), we suggest that researchers mention this specifically, as these forms of personal data are subject to a specific legal regime.

Types of data that will be generated in the course of research

If analysis conducted by researchers is likely to result in the generation of new information about research participants—that is, novel information not collected from participants—we suggest that this information should be explicitly communicated. For example, if psychologists appear to collect information only about a simple game but plan to analyze this information to make inferences about participants’ personalities or social capabilities, the fact that this new information will be generated should be communicated. This is especially true if information is generated that research participants would not expect to be generated from the personal data they have provided and their knowledge of the purposes of processing (e.g., implicit measures). We suggest that researchers also indicate the types of scientific conclusions they aim to generate. If incidental findings, which may be of importance to the individual (e.g., a diagnostic finding resulting from a functional MRI scan), may be generated, we suggest that such findings be communicated to the research participants along with the consequences if they occur.¹³

International transfers

Transfers

When personal data may be transferred outside the borders of the EEA, this should be communicated to research participants as specifically as possible. This includes (a) information as to which personal data will be transferred, who will receive the personal data, and their location; (b) information as to the legal legitimation of the transfer, given that, in principle, transfers of personal data outside the EU are legally legitimate only after certain conditions are fulfilled (Chapter V and particularly Articles 44–49 GDPR)—for example, if an adequacy decision is in place regarding the fact that the level of data protection in a third country is equivalent to that in the EU; and (c) information concerning the conditions, safeguards, and, in the absence of such safeguards, the risks, associated with the transfer (European Data Protection Board, 2020b)—risks that may vary depending on the transfer in question. We suggest that researchers planning to share data in a public repository provide participants with specific information about the conditions and risks involved (see Box 7).

Box 7.

Data Sharing

Researchers are routinely expected to share research data with others, either because of their commitment to professional guidelines (American Psychological Association, 2017, Section 8.14) and journal policies (Giofrè et al., 2017) or because of changing norms in psychology toward openness and transparency (Kidwell et al., 2016). Accordingly, when researchers have collected personal data with the intention of sharing these data—even if they plan to anonymize the data prior to sharing—they should make sure that participants have relevant information concerning sharing, including (a) the parties with which personal data will, or may, be shared; (b) the risks that may arise from sharing; (c) measures that will be taken to protect participants’ rights in shared data sets (e.g., technical measures aimed at restricting identifiability in a data set, such as pseudonymization); (d) conditions of data access, such as who might access the data and how; and (e) restrictions on the purposes of future data uses or reuses. Relevant conditions can vary depending on the context of research and on the national laws according to which research is conducted. Accordingly, researchers who are not clear as to which conditions related to sharing are relevant to them should seek advice before proceeding. Where sharing is likely, we recommend avoiding promises such as “strict confidentiality”—which may be unrealistic to achieve—or being overly restrictive in terms of lists of (potential) recipients. Sharing of data collected and processed in fully anonymized fashion, will not fall under the General Data Protection Regulation (GDPR) and will not need to be communicated to research participants. However, it may still be good practice—or required under other applicable laws or ethical requirements—to inform research participants a priori about such plans and to obtain their consent.

Storage periods

The length of time personal data will be stored

We suggest that, as far as possible, the reason for the storage period (e.g., months, years) is provided—for example, the period is identified as the best practice by a relevant body or organization (see, e.g., the recommendations for psychological research in Germany by the German Psychological Society; Schönbrodt et al., 2016). We also suggest that it be made clear precisely what will happen to personal data after this time period—whether the data will be anonymized or destroyed. Should personal data be sent to third parties in the course of the project, we suggest that it be made clear whether these parties will also respect this storage period and, if not, what differences are relevant.

The criteria according to which the length of time will be decided

If it is not possible to list a specific time period of storage in advance, research participants should be provided with the criteria that determine the period of storage—for example, if personal data will be deleted following the end of data evaluation in a project.

Data subject rights

Range of rights

Participants should be informed that they have a set of rights under the GDPR in relation to their personal data—we highlight here that participants do not have such rights in relation to data that have been generated from these data but that themselves are not personal data, such as scientific conclusions. Information concerning the content of rights should be provided to a degree of granularity that allows participants to understand what each right means for them. In certain cases, this will be self-explanatory, and a mere listing of rights and top-level descriptions of content will suffice. When, however, the specifics of a research project mean that top-level information will be insufficient to provide understanding, further information should be offered. As a rule, the following rights are relevant:

The right to withdraw consent (see Article 7(3) of the GDPR). Information as to this right technically (according to the GDPR) needs be provided only when the participant’s consent is the legal basis on which personal data are processed. We suggest that this right be discussed even when consent is not the legal basis on which personal data are processed. Researchers should also clearly differentiate other rights to withdraw from the study (e.g., simply discontinuing participation at some point in the process) from the right to withdraw consent under the GDPR.¹⁴ Should personal data be transferred to third parties, we suggest that it be made clear what this means in relation to a withdrawal of consent.

The right to access (see Article 15 of the GDPR). This includes the right to obtain confirmation as to whether personal data are being processed. In many cases under discussion in these guidelines, this may be obvious to the research participant, and, in such cases, the right is thus unlikely to actually be used to merely obtain confirmation of processing. The right to access also includes the right to obtain (a) a range of information concerning processing (see Article 15(1) of the GDPR for a list) and (b) a copy of the personal data being processed.

The right to rectification (see Article 16 of the GDPR). This includes the possibility of having any incorrect data corrected or updated as necessary and even the possibility of including a supplementary statement concerning personal data, should this be warranted.

The right to erasure of personal data (see Article 17 of the GDPR). This includes the possibility of having personal data erased when the participant withdraws consent (and consent is the legal basis) and when the retention of personal data is no longer necessary in relation to the proposed research.

The right to restrict processing (see Article 18 of the GDPR). This includes the possibility of restricting processing when the participant believes that the personal data being processed are inaccurate.

The right to portability (see Article 20 of the GDPR). This includes the possibility for the participant to obtain a copy of the personal data they provided or to have their data transferred to a third party in a commonly used format (Article 29 Data Protection Working Party, 2017c).

The right to object to processing (see Article 21 of the GDPR). This includes the possibility for research participants to object to processing given certain legal bases in Article 6 of the GDPR on the basis of factors specific to their situation. The right does not apply, however, if consent is the legal basis for the processing of personal data under the GDPR.

The right to lodge a complaint with a supervisory authority. The researcher should provide contact information for the relevant supervisory authority—the responsible data protection authority, a national regulator dealing with data protection law.

Exceptions

Certain rights may not apply to certain cases of psychological research—for example, if legitimate national law deviating from the GDPR foresees such exceptions. In such cases, we suggest that research participants be informed that certain rights are not applicable and be provided with a justification for nonapplicability.¹⁵

Modalities and consequences of exercise of rights

Researchers should already have procedures in place by which research participants’ rights can be exercised. These procedures should be made clear to research participants such that they can understand how their rights can be exercised and what consequences exercising them would have. The issue of consequences is particularly relevant to the right to withdraw consent and whether exercising this right will result in retention, anonymization, or destruction of personal data. We consider that, as a rule, a withdrawal of consent should lead to destruction of personal data (see above on the right to erasure). We recognize, however, that destruction may not be possible in certain instances (e.g., where personal data have already been used in research) and that, in such instances, exceptions to this rule may come into play. Researchers who are unclear as to how exceptions apply to them and what these exceptions permit should seek guidance from the relevant bodies.

Contractual or statutory requirements

Research processing based on informed consent will likely seldom take place on the basis of contractual requirements. Researchers should find out, however, whether personal data may need to be processed in the course of research on the basis of contractual or statutory obligations. In such a case, this should be communicated to research participants in advance. We suggest that researchers also communicate to participants what this means in relation to their consent.¹⁶

Automated decision-making

As a rule, whenever automated decision-making—including profiling—which “produces legal effects concerning [an individual] or similarly significantly affects [an individual]” (Article 22(1) of the GDPR), is involved in a research protocol, research participants should be given information as to the logic involved in the decisions and as to the possible consequences of the automated decision-making. Put simply—although there is some uncertainty as to the terms—“automated decision-making” relates to decisions made about individuals solely on the basis of automated processing without any human involvement in the decision-making process, “legal effects” might be understood as any effects that serve to alter participants’ legal status or that prevent participants from enjoying legal rights, and “similarly significantly affects” might be understood as referring to significant effects on participants’ lives (Article 29 Data Protection Working Party, 2017b). We highlight, however, that we consider automated decision-making that produces such effects likely to seldom be relevant in relation to psychological research.

Example language

The following provides example language for each of the 10 types of information to be provided to research participants. This example language is intended only as an aid to psychological researchers in envisioning how the clarifications offered in the above sections might look in concrete form. In this regard, we highlight that the examples (a) do not cover all possible aspects of information provision; (b) do not necessarily build on each other to form a cogent whole (e.g., there is repetition across categories); (c) given the diversity of psychological research, as well as the various possible ethical, legal, and institutional requirements concerning information provision, may not be suitable for use in a specific case; and (d) may not be suitable for certain types of participants (e.g., they may be formulated in a way that is too complex for certain types of research subject). In this regard, we stress that the below is not intended as a consent template and the examples are not intended as copy-paste sentences that merely need to be filled in by psychological researchers before use. Accordingly, psychological researchers should always ensure that language used is relevant for their specific research context, as well as for their specific national and institutional context.¹⁷

Information about the controllers of data

“The controllers are (a) ____, which is responsible for ____ and which will be represented in relation to all processing related to the proposed research by ____; (b) ____, which are responsible for ____ and which will be represented in relation to all processing related to the proposed research by ____; (c) etc.”

“The data protection officer for ____ is ____ and can be contacted at ____. The data protection officer for ____ is ____ and can be contacted at ____.”

The purposes of the processing

“Personal data will be collected and processed for the following purposes: (a) ____, which has the aim of ____ and will involve ____; (b) ____, which has the aim of ____ and will involve ____; (c) etc.”

“Personal data may be used for other purposes in the future: (a) ____, which has the aim of ____ and will involve ____, under the following conditions: ____; (b) ____, which has the aim of ____ and will involve ____, under the following conditions: ____; (c) etc.”

“Different parties will process personal data for different purposes: (a) ____ will process ____ for the purpose of ____; (b) ____ will process ____ for the purpose of ____; (c) etc.”

“In the course of the proposed research, the following means for/approaches to processing personal data will be used, of which research participants should be aware of ____.”

“In relation to the above purposes, the following types of processing activity will take place: (a) ____; (b) ____; (c) ____. The relevant legal bases under the GDPR/national law in relation to these types of processing are (a) ____ in relation to ____; (b) ____ in relation to ____; (c) etc.”

“In relation to processing for which the legitimate legal basis is Article 6(1)(f) of the GDPR, the legitimate interests pursued by the controller are ____.”

Risks and safeguards

“The following risks exist in relation to the processing of personal data related to the described purposes: (a) ____; (b) ____; (c) ____.”

“Despite best efforts, and although we believe this is unlikely, we cannot fully exclude the possibility that unauthorized access to/reidentification of personal data may occur. To minimize risks to research participants, the following technical and organizational safeguards have been put in place: (a) ____; (b) ____; (c) ____.”

Recipients of data

“As part of the proposed research project, the following parties will receive research participants’ personal data: (a) ____ will receive the following forms of personal data: ____ and will engage in the following forms of processing: ____; (b) ____ will receive the following forms of personal data: ____ and will engage in the following forms of processing: ____; (c) etc.”

“The following parties who are external to the research project will also receive research participants’ personal data: (a) ____ will receive the following forms of personal data: ____ for the purposes of ____ and will engage in the following forms of processing: ____; (b) ____ will receive the following forms of personal data: ____ for the purposes of ____ and will engage in the following forms of processing: ____.”

“The following parties who are external to the research project may receive research participants’ personal data: (a) ____ may receive the following forms of personal data: ____ for the purposes of ____, if ____, and will engage in the following forms of processing: ____; (b) ____ may receive the following forms of personal data: ____ for the purposes of ____, if ____, and will engage in the following forms of processing: ____; (c) etc.”

“The following forms of personal data may be published in the following ways: (a) ____ will be published in the following types of repository/journal: ____ under the conditions that ____ and will be subject to access by ____; (b) ____ will be published in the following types of repository/journal: ____ under the conditions that ____ and will be subject to access ____; (c) etc.”

Types of personal data that will be collected and processed

“The following types of personal data will be collected from research participants: (a) ____; (b) ____; (c) ____.”

“The following types of personal data that will be collected can be subjected to analysis that could reveal further information about research participants: (a) ____, which will be analyzed in the course of the proposed research to produce the following information about research participants: ____ but which could, in principle, also be analyzed to produce further information about research participants, such as ____; (b) ____, which will be analyzed in the course of the proposed research to produce the following information about research participants: ____ but which could, in principle, also be analyzed to produce further information about research participants, such as ____; (c) etc.”

“In relation to the following forms of personal data, future developments may allow new forms of information about research participants to be produced—although the production of such new forms of information is not planned as part of this research: (a) ____; (b) ____. For more information, research participants should consult (a) ____; (b) ____.”

“The following forms of sensitive data, in the meaning of Article 9 of the GDPR, will be collected: (a) ____; (b) ____.”

“In the course of the proposed research, the following new forms of information about research participants will be generated via analysis of personal data collected directly from research participants: (a) ____; (b) ____.”

“The following types of scientific conclusions will be generated from the processing of research participants’ personal data: (a) ____; (b) ____; (c) ____.”

“In the course of the proposed research, it is possible that the following incidental findings will be generated: (a) ____, in which case ____ will happen; (b) ____, in which case ____ will happen; (c) etc.”

International transfers

“The following types of personal data will be transferred outside the European Economic Area to the following recipients, located in the following countries: (a) ____ will be transferred to ____ located in ____; (b) ____ will be transferred to ____ located in ____; (c) etc.”

“The following transfers will take place on the basis of the following legal legitimations: (a) ____ will take place on the basis of ____; (b) ____ will take place on the basis of ____.”

“The following transfers will take place according to the following conditions and safeguards and may pose the following risks: (a) ____ will take place under ____ conditions, subject to ____ safeguards, and may pose the following risks: ____; (b) ____ will take place under ____ conditions, subject to ____ safeguards, and may pose the following risks: ____; (c) etc.”

Storage periods

“The following forms of personal data will be stored for the following periods for the following reasons: (a) ____ will be stored for ____ days/months/years in accordance with ____; (b) ____, will be stored for ____ days/months/years in accordance with ____; (c) etc.”

“In relation to the following types of personal data, the following criteria for the duration of storage will apply: (a) ____ will be stored until ____; (b) ____ will be stored until ____; (c) etc.”

“Following the end of the storage period, the following actions will occur: (a) in relation to ____, personal data will be ____; (b) in relation to ____, personal data will be ____; (c) in relation to ____, personal data will be ____.”

“Personal data transferred to third parties will be subject to the same storage periods and will be ____ following these periods.”

“The following forms of personal data transferred to third parties will be subject to the following storage periods: (a) ____ transferred to ____ will be stored for ____ and, following the end of this storage period, will be ____; (b) ____ transferred to ____ will be stored for ____ and, following the end of this storage period, will be ____; (c) etc.”

Data subject rights

“Research participants have the following rights in relation to their data processed in relation to the purposes listed above: (a) ____, including the possibility to ____; (b) ____, including the possibility to ____.”

“The following rights, which are usually applicable under the GDPR, are not applicable in this case: (a) ____ due to ____; (b) ____ due to ____; (c) etc.”

“Research participants can exercise their rights by contacting ____ and by performing the following actions: (a) ____; (b) ____.”

“The consequence of exercising rights will be as follows: (a) Exercise of ____ will result in ____; (b) exercise of ____ will result in ____.”

“The consequence of exercising the right to withdraw consent will be (a) in relation to ____ used for ____, the consequence will be ____ erasure/anonymization/retention of data/further processing of data; (b) in relation to ____ used for ____, the consequence will be ____ erasure/anonymization/retention of data/further processing of data; (c) in relation to ____ used for ____, the consequence will be ____ erasure/anonymization/retention of data/further processing of data.”

“After exercise of the right to withdraw consent, the following will happen to personal data transferred to third parties: (a) ____ transferred to ____ will be ____; (b) ____ transferred to ____ will be ____; (c) etc.”

Contractual or statutory requirements

“The following processing operations, which will occur as a result of the collection, and processing for the purposes listed above are required by statute: (a) ____, the relevant statute is ____; (b) ____, the relevant statute is ____; (c) etc.”

“Where ____ takes place, this will have the following implications for your informed consent: ____.”

We believe that psychological research will seldom take place on the basis of contractual requirements. Accordingly, when such requirements are relevant, context-specific language and explanations will likely be important. For this reason, we will not offer any examples in relation to this type of information.

Automated decision-making

We believe that automated decision-making of the form under discussion will seldom be relevant in relation to psychological research. Accordingly, when such decision-making is relevant, context-specific language and explanations will likely be important. For this reason, we will not offer any examples in relation to this type of information.

Conclusion

The GDPR is, in principle, applicable to psychological research in the EEA—and in some cases outside the EEA. When personal data are collected directly from research participants, the GDPR outlines a series of obligations concerning the forms of information that should be provided to them. These obligations will usually be fulfilled in the context of an informed consent procedure—whether the rationale for this procedure is ethical, legal, or both. In this regard, the above constitutes general practical guidance as to the types of information that psychological researchers should provide to research participants under the GDPR in consent procedures.

We will end by saying that we do not presume that our guidance already presents an ideal approach—consideration of which will ensure that psychological researchers can provide ideal information to research participants and which will guarantee compliance with the GDPR. Rather, we hope only that our guidance can constitute a small step toward bridging the knowledge gap between psychological research and data protection law and can assist psychological researchers in the design of better consent materials.

Footnotes

Acknowledgements

We thank Dr. Cyril Pernet, Dr. Julia Rohrer, and Nele Borgert for comments on earlier versions of this article.

Transparency

Action Editor: Rogier A. Kievit

Editor: David A. Sbarra

Author Contributions

Dara Hallinan: Conceptualization; Writing – original draft; Writing – review & editing.

Franziska Boehm: Conceptualization; Writing – original draft; Writing – review & editing.

Annika Külpmann: Conceptualization; Writing – original draft; Writing – review & editing.

Malte Elson: Conceptualization; Funding acquisition; Writing – original draft; Writing – review & editing.

ORCID iD

Malte Elson

Notes

References

American Psychological Association. (2017). Ethical principles of psychologists and code of conduct. https://www.apa.org/ethics/code/ethics-code-2017.pdf

Article 29 Data Protection Working Party. (2004, March 17). Working document on genetic data. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2004/wp91_en.pdf

Article 29 Data Protection Working Party. (2007, June 20). Opinion 4/2007 on the concept of personal data. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf

Article 29 Data Protection Working Party. (2014, April 10). Opinion 05/2014 on Anonymisation Techniques. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf

Article 29 Data Protection Working Party. (2017a, April 5). Guidelines on Data Protection Officers (‘DPOs’). https://ec.europa.eu/newsroom/article29/items/612048/en

Article 29 Data Protection Working Party. (2017b, October 3). Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679. https://ec.europa.eu/newsroom/article29/items/612053/en

Article 29 Data Protection Working Party. (2017c, October 27). Guidelines on the right to data portability. https://ec.europa.eu/newsroom/article29/items/611233/en

Article 29 Data Protection Working Party. (2018, April 11). Guidelines on transparency under Regulation 2016/679. https://ec.europa.eu/newsroom/article29/items/622227

Bundesministerium der Justiz. (2017). Federal data protection act (BDSG). https://www.gesetze-im-internet.de/bdsg_2018/BJNR209710017.html

10.

Data Protection Commission. (2020, December 18). Children front and centre: Fundamentals for a child-oriented approach to data processing. https://www.dataprotection.ie/sites/default/files/uploads/2020-12/Fundamentals%20for%20a%20Child-Oriented%20Approach%20to%20Data%20Processing_Draft%20Version%20for%20Consultation_EN.pdf

11.

Datenschutzkonferenz. (2019, April 3). Beschluss der 97. Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder zu Auslegung des Begriffs „bestimmte Bereiche wissenschaftlicher Forschung“ im Erwägungsgrund 33 der DS-GVO [Resolution of the 97th Conference of Independent Data Protection Supervisors of the Federal Government and the Länder for the interpretation of the term “certain areas of scientific research” in Recital 33 of the GDPR]. https://www.datenschutzkonferenz-online.de/beschluesse-dsk.html

12.

Directorate-General for Health and Food Safety. (2019, April 10). Question and answers on the interplay between the Clinical Trial Regulation (CTR) and the General Data Protection Regulation (GDPR). https://health.ec.europa.eu/latest-updates/question-and-answer-interplay-between-clinical-trial-regulation-ctr-and-general-data-protection-2019-04-10_en

13.

Dranseika

Piasecki

Waligora

(2016). Forensic uses of research biobanks: Should donors be informed? Medicine, Health Care, and Philosophy, 19(1), 141–146. https://doi.org/10.1007/s11019-015-9667-0

14.

El Emam

Jonker

Arbuckle

Malin

. (2011). A systematic review of re-identification attacks on health data. PLOS ONE, 6(12), Article e28071. https://doi.org/10.1371/journal.pone.0028071

15.

Elson

Hallinan

Külpmann

Boehm

(2021). (Un)informed consent: To what degree are research participants ‘informed’ by common consent procedures in psychology under EU data protection law? PsychArchives. https://doi.org/10.23668/PSYCHARCHIVES.4875

16.

Ethikkommission der Deutschen Gesellschaft für Psychologie. (2021, November 23). Datenschutzrechtliche Empfehlungen zur Erstellung einer Einwilligungserklärung im Rahmen von Forschungsvorhaben [Data protection recommendations for consent forms in scientific research]. https://zwpd.transmit.de/zwpd-dienstleistungen/zwpd-ethikkommission

17.

European Data Protection Board. (2019a, January 23). Opinion 3/2019 concerning the questions and answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (Art. 70.1.b)). https://edpb.europa.eu/our-work-tools/our-documents/opinion-art-70/opinion-32019-concerning-questions-and-answers_en

18.

European Data Protection Board. (2019b, November 12). Guidelines 3/2018 on the territorial scope of the GDPR (Article 3). https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en

19.

European Data Protection Board. (2020a). Guidelines 07/2020 on the concepts of controller and processor in the GDPR. https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en

20.

European Data Protection Board. (2020b, May 4). Guidelines 05/2020 on consent under Regulation 2016/679 (Version 1.1). https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en

21.

European Data Protection Board. (2021a, March 16). EDPB Work Programme 2021/2022. https://edpb.europa.eu/our-work-tools/our-documents/strategy-work-programme/edpb-work-programme-20212022_en

22.

European Data Protection Board. (2021b, June 18). Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0). https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en

23.

European Data Protection Supervisor. (2020, January 6). A preliminary opinion on data protection and scientific research. https://edps.europa.eu/data-protection/our-work/publications/opinions/preliminary-opinion-data-protection-and-scientific_en

24.

Gefenas

Lekstutiene

Lukaseviciene

Hartlev

Mourby

Cathaoir

K. Ó

. (2022). Controversies between regulations of research ethics and protection of personal data: Informed consent at a cross-road. Medicine, Health Care, and Philosophy, 25(1), 23–30. https://doi.org/10.1007/s11019-021-10060-1

25.

Giofrè

Cumming

Fresc

Boedker

Tressoldi

(2017). The influence of journal submission guidelines on authors’ reporting of statistics and use of open research practices. PLOS ONE, 12(4), Article e0175583. https://doi.org/10.1371/journal.pone.0175583

26.

Hallinan

(2020). The genomic data deficit: On the need to inform research subjects of the informational content of their genomic sequence data in consent for genomic research. Computer Law & Security Review, 37, Article 105427. https://doi.org/10.1016/j.clsr.2020.105427

27.

Hallinan

(2021). A normative framework for the reconciliation of EU data protection law and medical research ethics. Medical Law Review, 29(3), 446–467. https://doi.org/10.1093/medlaw/fwab019

28.

Kidwell

M. C.

Lazarević

L. B.

Baranski

Hardwicke

T. E.

Piechowski

Falkenberg

L.-S.

Kennett

Slowik

Sonnleitner

Hess-Holden

Errington

T. M.

Fiedler

Nosek

B. A.

(2016). Badges to acknowledge open practices: A simple, low-cost, effective method for increasing transparency. PLOS Biology, 14(5), Article e1002456. https://doi.org/10.1371/journal.pbio.1002456

29.

Regulation 679/2016. The protection of natural persons with regard to the processing of personal data and on the free movement of such data. European Parliament, Council of the European Union. https://eur-lex.europa.eu/eli/reg/2016/679/oj

30.

Schönbrodt

Gollwitzer

Abele-Brehm

(2016, November 9). Data management in psychological science: Specification of the DFG guidelines. https://www.dgps.de/schwerpunkte/stellungnahmen-und-empfehlungen/empfehlungen/details/der-umgang-mit-forschungsdaten-im-fach-psychologie-empfehlungen-zu-einem-offenen-und-nachhaltigen-datenmanagement/

31.

World Medical Association. (2013). Declaration of Helsinki: Ethical principles for medical research involving human subjects. JAMA, 310(20), 2191–2194. https://doi.org/10.1001/jama.2013.281053

Information Provision for Informed Consent Procedures in Psychological Research Under the General Data Protection Regulation: A Practical Guide

Abstract

Keywords

Psychological Research, the GDPR, and Information Obligations

The Problem, and the Motivation for This Guidance

Setting the Scene for the Guidance

The Guidance

Types of information to be provided to research participants

Elaboration of types of information to be provided

Information about the controller(s) of data

The identity of and contact information for the controller(s) or their representatives

The contact information for the data protection officer

The purposes of the processing

The purposes of processing for which research participants’ personal data have been collected

The legal basis on which this processing occurs

The legitimate interests pursued by the controller if the legal basis is Article 6(1)(f) of the GDPR

Risks and safeguards. 12

Risks

Safeguards

Recipients of data

Recipients inside the project

Recipients external to the project

Types of personal data that will be collected and processed

Types of data collected directly from research participants

Types of data that will be generated in the course of research

International transfers

Transfers

Storage periods

The length of time personal data will be stored

The criteria according to which the length of time will be decided

Data subject rights

Range of rights

Exceptions

Modalities and consequences of exercise of rights

Contractual or statutory requirements

Automated decision-making

Example language

Information about the controllers of data

The purposes of the processing

Risks and safeguards

Recipients of data

Types of personal data that will be collected and processed

International transfers

Storage periods

Data subject rights

Contractual or statutory requirements

Automated decision-making

Conclusion

Footnotes

Acknowledgements

Transparency

ORCID iD

Notes

References

Risks and safeguards.¹²