Skip to ContentSkip to Navigation
Digital Competence Centre
your one-stop for research IT and data
Digital Competence Centre Privacy & Data Protection GDPR & Research

Roles & responsibilities

The GDPR, the Uitvoeringswet Algemene Verordening Gegevensbescherming (UAVG) and the Higher Education and Research Act (WHW) shape the responsibilities for research. These responsibilities are elaborated in the UG Data Protection Policy, and they are in interplay with Codes of conduct on research integrity, ethical code of conduct and discipline-specific data management policies.

Internal responsibilities

Researcher

Researcher

As a researcher, you are responsible for the privacy maturity of your research project. This means that you must make sure that your project complies with privacy laws and regulations, professional codes of conduct, and faculty policy. Part of this responsibility is assessing whether your research needs the approval of the faculty ethics committee. Researchers can contact the UG Digital Competence Centre (UG DCC) for tailor-made advice, in addition to regular support that is available within the faculty.

Data steward

Data steward

Data stewards of the UG DCC offer expertise to researchers and support staff of the UG on the topics of research data management, research software, privacy and (research) data protection and related IT solutions. Data stewards contribute to making research outputs accessible and reusable (‘FAIR’) by sharing best practices and organizing training and community events. They also provide advice to faculties about (the implementation of) research data policy. 

The UG DCC combines central support with decentral (‘embedded’) data stewardship in faculties. Embedded data stewards offer support tailored to the needs within a specific discipline. 

UG researchers and support staff can contact the UG DCC for advice on:

  • Research data management planning
  • How to comply with funder requirements, UG and faculty data policies, the GDPR
  • Storing, processing and sharing your data
  • Data archiving and publishing
  • How to deal with (privacy-)sensitive data
  • Finding appropriate IT solutions
Ethics committee

Ethics committee

Ethics committees are responsible for assessing whether a (proposed) research project lives up to the standards for ethically responsible research and scientific integrity at the UG. Most faculties have their own ethics committees. They perform ethical assessments on behalf of the faculty board. If you (plan to) do research with personal data, your project must first be assessed by an ethics committee to check whether it satisfies all necessary requirements and may actually be carried out. You will find more information about your faculty’s ethics committee on the faculty page

Privacy & security coordinator

Privacy & Security Coordinator

The Privacy & Security Coordinator (P&S coordinator) is the first point of contact for privacy-related questions from all staff members of a faculty. Every faculty within the UG has at least one P&S coordinator who supports the privacy-proofing for that faculty and coordinates the execution of the duties of their board or directorate. For more information and contacts consult the Privacy Portal.

Data Protection Officer

Data Protection Officer

The Data Protection Officer (DPO) is responsible for supervising compliance with the privacy laws and regulations and the privacy policy. The DPO provides advice to all administrative layers of the University and, together with the information security manager and the IT auditor, advises the board of the University on the annual action plan of the faculty or service department for information security and privacy protection. 

Although the DPO works for the UG, he has an independent position under the law. The UG must provide him with the means and powers that are necessary to carry out his duties properly.

GDPR roles and responsibilities

In addition to the internal responsibilities that are defined above, the GDPR also defines certain roles and responsibilities that you need to consider when you are collecting, sharing and storing personal data. For each role, the GDPR establishes a set of obligations regarding the protection of the rights and freedoms of the person concerned. It is important to be aware that these roles are fulfilled by the organizations involved and not by individuals affiliated with these organizations (such as a researcher, PI or member of the board) who may be acting on behalf of the organization.

Data controller

Data controller

The data controller ‘alone, or jointly with others, determines the purposes and means of the processing of personal data’. When researchers affiliated with the UG determine these purposes and means, they do this on behalf of the UG. This means that it is in fact the UG that qualifies as the data controller. The European Data Protection Board in September 2020 provided guidance on the concepts of controller and processor in the GDPR

Joint controllers

Joint controllers

When two or more researchers from different organizations jointly determine the purposes and the means of the processing of personal data, the two organizations are joint controllers. The guidance document on concepts of controller and processor shows examples of research collaborations where there is a joint responsibility (joint controllers, art. 26 GDPR). When there is a joint responsibility, it is necessary to clarify these responsibilities and inform your data subjects about them. See this checklist for further advice and consult the DCC to help you in this process.

Data processor

Data processor

A ‘data processor processes personal data on behalf of the controller’. Examples of processors in scientific research are transcription services or tools that process data outside of the servers of the university. The UG is obligated to have a contractual agreement with processors. You can consult the guidance document on concepts of controller and processor and ask the P&S coordinator of your faculty for help in deciding whether it is necessary to set up a processing agreement.

Last modified:21 May 2024 4.06 p.m.