Frequently asked questions
Personal data is information relating to an identified or identifiable natural person. The person can be identified either directly or indirectly with this data. This includes, for example, name, address, birth date, email address, telephone number, student ID number, IP address, and academic record.
An official definition can be found in Article 4.1 GDPR.
Special categories of personal data that merit stronger protection include, for example, information about racial or ethnic origin, religion, political opinions, and labor union membership, as well as health, genetic, or biometric data. Article 9.1 GDPR lists the special categories of personal data.
Official definitions of genetic and biometric data, for example, can be found in Articles 4.13 and 4.14 GDPR.
For research projects that include personal data, you must ensure that the data subjects are informed about the collection and processing of their data, and if necessary, that you have their consent to do so. If you use a tool in your research project and enter personal data into this program, then you must usually conclude a contract, known as a Data Processing Agreement, with the service provider in accordance with Article 28 GDPR.
Personal data may only be processed when there is a legal basis for such processing. A legal basis can be, for example, the consent of the data subject. Section 17 of the Berlin Data Protection Act (BlnDSG) often provides a legal basis for processing personal data without consent for scientific or historical research purposes, or for statistical purposes.
Processing personal data for these purposes requires weighing the interests involved. The public interest must considerably outweigh the privacy interests of the data subjects protected by law. The purpose must not be achievable in any other way, and the data may not be processed for other purposes in accordance with Section 1.1.2 BlnDSG.
Data must be anonymized if the research purpose and the statistical purpose permit doing so, unless there are justified interests of the data subjects that would prevent doing so.
See Section 17 BlnDSG for further information.
- A record of processing activities. This stipulates which data are being processed for which purpose and on which legal basis, among other things. You can request a template from the data protection officer.
- A list of the technical and organizational measures for data protection (as an appendix to the record of processing activities) – the standard ones are the current technical and organizational measures (TOM) of FUB-IT as well as those of the service provider, if applicable. This list should be included in the record of processing activities.
- Before data are collected from the subjects, they must be given the opportunity to take note of the Data Protection Notice. The data protection officer will provide you with a template. This must be adjusted to fit your particular research project.
- If your data processing relies on the consent of the data subject in accordance with Article 6.1.a GDPR, their consent must be obtained in a documentable manner. For this you need a documented/documentable Declaration of Consent. The data protection officer can provide a template of the Declaration of Consent.
- You will often need a Data Processing Agreement in accordance with Article 28 GDPR if you commission a service provider to process personal data for your research project. A TOM list from the contractor and a list of subcontractors are also required. If the service provider does not provide a Data Processing Agreement, you can request a template agreement from the data protection officer.
- With the aid of the completed record of processing activities (see above), the external data protection officer will check whether a Data Protection Impact Assessment under Article 35 GDPR is necessary.
- Further documents may also be required after consultation.
Pseudonymous data is still considered personal data subject to the GDPR because the presence of a key means that the identity of the subjects can theoretically be determined. Anonymous data, on the other hand, is not subject to the GDPR, since the data is not related to any specific person, and the data subject is no longer identifiable.
First, pseudonymizing or anonymizing protects data subjects from the risks associated with theft of or unauthorized access to the data. Second, pseudonymizing in particular eliminates information loss on the part of the data controller. Data that is already pseudonymized can be anonymized easily by irrevocably deleting the relation to specific persons.
Data subjects have the following rights:
- The right to be informed (Article 15 GDPR)
- The right to notification (Article 16 GDPR)
- The right to erasure/being forgotten (Article 17 GDPR)
- The right to data portability (Article 20 GDPR)
- The right to object (Article 21 GDPR)
- The right to restriction of processing (Article 18 GDPR)
A data protection incident occurs when data are not properly processed, for example through the loss of storage devices or documents containing personal data, data leaks (software errors, hacks), or unintentional alteration or deletion of personal data. The data protection officer must be notified immediately in such cases to clarify whether the event constitutes a data protection incident.
