Skip to content

11 Legal Aspects

Levels of Regulation

Depending on the nature of the data, legal and ethical frameworks, which operate at very different levels, must be considered closely in research data management (see Figure 6). For example, when it comes to personal data, the European General Data Protection Regulation (GDPR), the German federal data protection act called Bundesdatenschutzgesetz (BDSG), the Landesdatenschutzgesetze, which are the federal data protection acts of the 16 German states, and, if applicable, their respective state higher education acts apply, as well as, depending on the specific case, further data protection regulations, for example in the Social Code, Genetics Law, Pharmaceuticals Law, and School Law. However, there may also be guidelines, policies, or even specific ethical guidelines at institutional level. Basically, researchers are subject to the "Guidelines for Safeguarding Good Research Practice" of the German Research Foundation.

Legal fields in data publication1

  • Patent law - What has to be considered when research data (can) reach patentability?
  • Copyright law - Is research data even subject to copyright law?
  • Competition law - Is data used unfairly in business transactions?
  • Data protection - Which research data is sensitive and needs special protection?
  • Science law - Can licensing and publication requirements for research data be mandated?
  • Fundamental rights - Which constitutional constraints have to be considered?
  • International law - What legal regulations exist outside Germany?
  • EU law - What are the benefits of e.g. the "European Data Economy" for research data?
  • Contract law - Are there agreements on the "intellectual property" of research data?
  • Labor/Service law - Who "owns" the research data collected at universities?
  • Terms of funding - What conditions are set by funding bodies (DFG; industry)?
  • Policies - What legal obligations can policies develop?

In some cases, it is useful to restrict access to the data if ethical or legal aspects are involved. Furthermore, the research itself may be subject to confidentiality agreements, e.g. contract research.

Data and Privacy Protection

In some fields, data protection aspects can determine and limit the handling of data, for example in the social sciences and in medicine. This is always the case when processing personal data or data that could relate to individuals. Article 4 of the GDPR (DSGVO in German) defines personal data as "any information relating to an identified or identifiable natural person". Persons are considered identifiable if they can be recognized, directly or indirectly, in particular by means of association with an identifier such as a name, an identification number, location data, online identification or one or more characteristics which reveal the physical, psychological, genetic, mental, economic, cultural, or social identity of these natural persons. Sensitive personal data are specific personal data which require enhanced protection. According to article 9 GDPR, this includes “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership” and “genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” Therefore, the personal details must be permanently removed from the data or the person in question must have given his or her "informed consent" to the processing and use of the data.

The EU General Data Protection Regulation (EU GDPR) which has been in effect since May 2018 largely harmonizes European data protection law and aims to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data. The EU GDPR generally prohibits the handling of personal data, unless another legal regulation or the consent of the person affected permits this. Such consent is an informed and unequivocally given consent in the form of a declaration or other unambiguous act.

With an informed consent, the person is informed about his/her rights, the processing of his/her data, its use and the purpose of the study. Only when informed does the person agree to participate in the study under these conditions. The information can also be given verbally (for example, in the case of children or illiterate persons). If the publication of research data is planned, this information will be included in the disclosure. It is vital to include all planned purposes of use in the consent (e.g. long-term archiving, data publication, further analyses on other issues, etc.), as it is often not feasible to obtain the extension of consent afterward.

In order to facilitate the handling of the data, there are various ways of changing the data so that they no longer contain any references to specific persons. For example, numerical data may be anonymized or aggregated. For this purpose, the personal information is either completely removed or replaced by other information that cannot be traced back to individual persons (e.g. zip code instead of street address). Video and audio recordings could also be edited and also anonymized or depersonalized. Some examples are the modification (pixelation, black bar) of people or information, as well as the revision of sound recordings in order to distort voices. Using pseudonyms, i.e. replacing a piece of information with a similar piece of information that is no longer person-related, is also a way of processing qualitative data without informed consent.

Anonymization and Pseudonymization Guidance

Besides, there exists an interactive Virtual Assistant (iVA) that can support researchers in understanding the protection and regulation of research data in context of legal conditions. This tool contains two consecutive modules. iVA 1 can assist in achieving compliance with relevant data protection regulations, while iVA 2 guides researchers to receive a lawful consent for data processing by identifying important requirements.

Further protective measures include access restrictions by means of password protection and the assignment of access rights. For example, access to the data can be granted only to certain IPs or only to defined groups of people.

The rapid evolution of digital media today leads more than ever to careless publication of personal data – for example in the form of photographs or videos. The right to one's own image, however, includes the right of every individual to decide what happens to images or other forms of representation of oneself in public. These may only be distributed or published with a consent. A consent can be both: financial compensation or answering questions in front of a camera. Exceptions to this rule:

  • contemporary historical images
  • pictures in which the person is only depicted incidentally and not as the main motif
  • pictures of meetings or similar

Copyright law aims to protect the creative output of creative people and the creative industries. It grants authors the sole right to publish, process, reproduce, perform and distribute their work. In order for a work to be considered "protected by copyright", it must be the result of a creative effort and originality. According to art. 2 paragraph 1 of the German Act on Copyright and Related Rights (UrhG) 91 this includes "works of literature, science and art". Accordingly, ideas or information are not protected by copyright, since they only lay the foundation of a work, but are not the work itself. The copyright expires at the latest 70 years after the death of the author, and the work is then considered to be in the public domain.

The so-called ancillary copyrights – also called "related rights" – are protective rights for e.g. photographers, singers, interpreters or mediators of creative contents. The ancillary copyright protects artistic or scholarly achievements and includes, among other things, the protection of database creators, the protection of photographs or the protection of the producer of audio recordings (further protection rights can be found in the German Act on Copyright, part 2 "Related rights”). The ancillary copyrights are entitled to the person who has carried out the respective protected work.

In addition to copyright aspects, research data management may also require commercial property rights to be considered. For example, employment contracts might have been formulated in such a way that the institution at which they work, rather than the researchers themselves, holds the legal rights of use for the data. Furthermore, contractual regulations on the rights of use are also to be found in the funding guidelines of sponsors or in the policies of groups, departments or institutions involved. Nonetheless, the copyright remains with the creators of the data. It is therefore advisable to check who will be the rights holder of the data before starting the research. Within the framework of cooperation agreements, these rights can be written down (see contract law).

If the research or its results are likely to be commercially viable, it is advisable to contact the office for knowledge transfer of your own institution. They can clarify how the licensing and reuse of the data is regulated. They also provide detailed information on patent law.

Contract law

Further rights and obligations for the handling of research data may arise from existing contractual agreements. These might be contracts with funding agencies as well as with scientific or economic cooperation partners.

Recommendations for a jump start

Jump start

Make use of informed consent when working with personal data (e.g. in the Social Sciences)
Consider measures for access controll
Consider copyright issues before collecting data

  1. Thomas Hartmann: „terra incognita – digitale Forschungsdaten auf der Suche nach einer rechtlichen Heimat“. Contribution to the workshop "Legal aspects of digital research data" on 31.01.2018, Europa-Universität Viadrina, Frankfurt (Oder), http://www.forschungsdaten.org/index.php/Datei:Hartmann_TerraIncognita-Forschungsdaten-RechtlicheHeimat.pdf