How to handle personal data in research?

Recognize whether you are processing personal data. Personal data is all data relating to an identified or identifiable natural person, such as video image or voice of a person, IP-address, location data of a person or a combination data from which a person can be recognized (e.g. occupation and place of residence).

Definition of personal data

If you collect information from or of  persons, assume that it is personal data. Also pseudonymised data is personal data. More information on what is personal data can be found in:

European Data Protection Supervisor : A Preliminary Opinion on data protection and scientific research

The European Data Protection Supervisor ( EDPS ) considers that respect for personal data is wholly compatible with responsible research. Data protection is intended to serve as a safety net for individuals whose data are needed to support science. This Preliminary Opinion builds on the work of the EDPB and its predecessor the Article 29 Working Party to promote a more informed discussion between the research and data protection communities.

A Preliminary Opinion on data protection and scientific research

National guidelines

Finnish Office of the Data Protection Ombudsman has issued guidelines on the protection of personal data in scientific research. These guidelines provide guidance, among other things, on defining the purpose for processing of personal data, choosing the basis for processing personal data and implementing the rights of the data subject. The website also includes information on the obligation to demonstrate compliance with data protection legislation, responsibilities when transferring data outside EU or EEA and appropriate ways to destroy, anonymize or archive the research data.

Aalto University follows these national guidelines:

Scientific research and data protection - Data Protection Ombudsman’s Office (

If you are processing personal data, do the following:

    1. Plan what data you need

    Understand the objectives of your study both now and in the future. Think about what data you need and also what data you do not need. Think of how you can design your study so that your data is least identifiable while still accomplishing your goals. These  data minimization and privacy by default principles  are core principles of  the General Data Protection Regulation (GDPR)         

    2. Plan the entire life cycle of personal data processing

    Plan the entire life cycle of personal data processing (including e.g. collecting, storing, usage, research cooperation, further research, archiving, deletion) before you begin to collect or otherwise process any personal data. Aalto’s privacy notice template can be used to help with this planning (please see the list item five below). A Data Management Plan can be used 

    The Finnish Social Science Data Archive  FSD is a certified research data repository and they give expert advice on personal data in their research data management instructions.

    3. Take care of data security and use Aalto University approved information systems

    Ensure adequate security measures and use only Aalto University approved information systems. Review the security measures described on the pages linked below:

    • General instructions for secure processing of personal data, especially sections 3, 9, 11, 12 and Special Instructions 1 and 2.

    • Further information is on the page Cyber Security for research

    General instructions for secure processing of personal data

    These instructions contain the key issues related to the processing and data security of personal data.

    Use only approved IT systems to handle personal data. These services are good for most cases (expect for the sensitive personal data that needs extra security measures):

    • For Aalto internal projects: Teamwork folder with access restricted to project team members.
    • For projects with external collaboration: Eduuni workspace with access restricted to project team members.

    Additional IT services are listed in Pikaohje tiedon luokittelemiseen. Systems approved for confidential ("luottamuksellinen") and secret ("salainen") data are suitable for personal data.

    File storage space for research and groups (TeamWork)

    Researchers, research groups and projects can use the specific TeamWork file service. Features are adjusted to meet the needs of each group.

    People in Learning Center

    Eduuni - Teamwork environment

    The Eduuni workspace includes Microsoft SharePoint workspaces for use by organisations, networks, projects and teams. Eduuni is used mostly for EU-wide, international research projects, because it enables cooperation also with parties outside of Aalto University. If the information stored is not confidential, it is advisable to use Microsoft Teams for teamwork.

    General instructions for secure processing of personal data

    These instructions contain the key issues related to the processing and data security of personal data.

    4. Evaluate risks to data subjects 

    4.1 Get ethical pre-evaluation 

    If sensitive personal data is processed in your research project, you must get an ethical pre-evaluation of Aalto Research Ethics Committee. Even in other cases a research partner,  publisher or funder may require ethical review. Lack of ethical review can prevent publishing or funding of the project.  

    • Sensitive personal data is special category data or data related to criminal records, social security number, bank account details.
    • Special category data is data concerning health or revealing political opinions, data which reveals racial or ethnic origin, religious or philosophical belief, trade union membership,  genetic data,  biometric data, when it is  processed for the purpose of unambiguous identification of a natural person, and data concerning sex behavior or sexual orientation.

    4.2 Carry a data protection impact assessment (DPIA) when needed

    Research Ethics Committee

    Aalto University Research Ethics Committee is responsible for the ethical evaluation of  the university's non-medical research projects in human sciences.


    Ethical review of research and DPIA

    Information when and how to prepare DPIA in research as an appendix for research ethics statement request

    Kaksi henkilöä pöydän ääressä kirjojen ja kannettavien tietokoneiden kanssa.

    5. Define the legal basis for processing personal data.

    You can only process personal data if you have a legal basis provided in the legislation. In scientific research, the legal basis is usually either “performance of a task carried out in the public interest” or “consent”.

    • The choice of the legal basis is important, because it affects e.g. your obligations and possibilities in the research. If you choose “consent” as the legal basis for processing, you must e.g. enable the participants to revoke the consent and you must be able to remove the personal data if data subject requests this. 
    • If purposes of the scientific research are in the public interest, it is advisable to use as GDPR legal basis "scientific research, a task in the public interest".

    6. Draft a Privacy Notice

    When you process personal data fill in and use ”Consent to Participate” AND ”Privacy Notice for Research Study” -documents. Give or send documents to participants.

    The Privacy Notice is used to inform the research participants before you start to collect or otherwise process personal data. Information given e.g. in the privacy notice and research and Data Management Plan should not be conflicting. Privacy Notice is also needed as appendix for the ethical review. 

    • Send the privacy notice that you have given to data subjects also to [email protected]

    7. Document the processing activities

    Document the systems you used for storing and for other processing of personal data.

    “Record of Processing Activity” -form

    • Use the form above to document the systems and processing activities (login required)
    • Send the filled form together with the privacy notice to [email protected].

    8. If you disclose or transfer personal data to be processed outside of Aalto note the following:

    • If the other party processes personal data only for purposes, which are defined by Aalto, e.g. when you transfer personal data for a subcontractor or to cloud storage service, you must make a data protection agreement (DPA) with that party.

    • If you transfer personal data to another university or to a research institution, which together with Aalto defines the purposes for which personal data will be processed or Aalto and the other university have a joint personal data filing system, which can be used independently by both Aalto and the other university, both universities are considered to be controllers.

    • If you disclose personal data to another university or research institution, which can independently define the purposes for which personal data will be processed, you must agree in detail on e.g. the purpose for processing personal data and information of research participants before you disclose any personal data.

    • Personal data can be transferred outside of the EEA only under certain conditions. For more information, please see:

    Aalto templates (login required):

    The same person, who signs the main agreement, shall sign these agreements. Privacy agreements must be sent to: [email protected].

    9. Inform data subjects about changes and update documentation

    Personal data may only be processed for the purposes, which have been informed to the research participant prior to the beginning of the processing (by Privacy notice templates). If you need to process personal data for other purposes, you must inform the research participants on these new purposes and update all documents prior to the processing.

    10. Anonymize data prior to archiving or publishing

    The Finnish Social Science Data Archive  FSD is a certified research data repository serving researchers who wish to archive data. FSD offers advice on data management and management of personal data see : Other recommended data repositories are listed here:

    Data publishing repositories

    Anonymised data is no longer personal data. Anonymisation results from processing personal data in order to irreversibly prevent identification. In doing so, several elements should be taken into account by data controllers, having regard to all the means "likely reasonably” to be used for identification. See Working Party 29 Opinion 05/2014 on anonymisation techniques.

    Before the anonymization, personal data has to be handled according to the above mentioned legislation, principles and guidelines.

    If you wish to collect and reuse personal data that is not wholly anonymized, for example, interviews from professional experts on a certain field, contact the FSD repository staff to see if archiving could be achieved before you start collecting information, so that research participants can be informed in a manner required by the repository. The staff of the repository can help researchers with data curation and steps leading to a successful collection and preservation of research data. Use of pseudonymised data is still personal data and allowing only restricted access can be used as a measure to archive the data.

    Further information on handling personal data

    In addition to this guidance, please orient yourself with the best practices of your own field of science, Aalto's general data protection instructions and with Aalto’s Data Protection policy.

    If you need further assistance, please contact your school’s lawyer or Aalto’s data protection officer.


    Aalto University Data Protection Policy

    The purpose of this personal data policy is to define the main principles, responsibilities and procedures that will be followed when personal data is processed at the university.


    Data Protection, personal data (EU General Data Protection Regulation)

    The EU General Data Protection Regulation (GDPR) is applied as of 25 May 2018 in all of the EU member states.

    This service is provided by:

    Research and Innovation Services

    Did you find what you were looking for? If not, please contact us.
    • Published:
    • Updated:
    URL copied!