When conducting research and the associated data management, there are many things to consider from a legal perspective.

General Data Protection Regulation

From 25 May 2018, the General Data Protection Regulation will apply. This means that, from that date, the same privacy legislation will apply throughout the European Union.

The GDPR provides, among other things:

  • Strengthening and extending privacy rights
  • More responsibilities for organisations
  • The same robust powers for all European privacy regulators, such as the power to impose fines of up to 20 million euros 

The GDPR also has important consequences for working with data. Read more about this under Data and Privacy.

Intellectual Property

Intellectual property is the collective name for rights to intellectual creations, such as texts, pictures, software, inventions, brand names and valuable knowledge. Intellectual property can also play a role in data. You can read more about this under Data and Ownership and Using Data from an External Party.

Consortium Agreement

If you cooperate with other parties in the context of research, a cooperation agreement is highly desirable and sometimes required (e.g. for grant projects). An agreement clearly sets out the rights and obligations of all parties involved, including agreements on the research data, intellectual property rights and liability.

Medical Research Involving Human Subjects Act

Research involving human subjects must undergo a medical-ethical review if it falls under the Medical Research Involving Human Subjects Act (WMO). Research falls under the WMO if the following two conditions are met:

  • Medical scientific research is involved
  • Persons are subjected to actions or imposed rules of conduct

You can read more about the assessment procedure of the WMO on the website of the Central Committee on Research Involving Human Subjects

For more information contact the datastewards of the library.

Data and Ownership

Copyright and Database Right

Copyright protects works that demonstrate a certain creativity or originality. In many cases, it is clear that a work is protected by copyright: when someone writes a book or article, there is always some personal creativity involved. With research data, it is not very clear. After all, data are mostly bare facts. In many cases, therefore, research data will not fall under copyright protection.

Nor is copyright there to protect a researcher who makes a discovery, no matter how creative or original that discovery may be. Copyright cannot be used to protect newly discovered data. Copyright can protect the form in which the discoverer wrote down the bare facts. Then that form must be the result of creative choices. If it is, others may not copy it without permission.

To illustrate: if raw, unprocessed data (legally: bare facts) are put in a table, copyright does not apply. Any other researcher could have made a similar table. A selection or ordering of bare facts may be protected under the Databases Act if it is a selection or ordering with a personal stamp.

In the report 'The legal status of raw data: a guide for the research practice' you will find an overview of the state of affairs based on the most important legislation and case law <


The availability or provision of research data is therefore often not about copyright or database law but about having or giving access to data. One can therefore speak of a great sense of ownership. There is usually no obligation to share research data with others. As a researcher, you can always choose not to make your data available to others so that others cannot use it either. Any contractual arrangements may be relevant here.

  • For example, funders or publishers may demand that you make the data available for consultation by others.
  • With regard to the demands of publishers, it is relevant that The Hague University of Applied Sciences has an open access publication policy in which the copyright law and the Collective Labour Agreement in the area of the copyright of research publications of staff members are followed.
  • Consortium agreements set out agreements between research collaboration partners on the use, reuse and sharing of research data.
Data from an external party

If you use data from an external party for your research, the conditions set by the external party for the use, access and dissemination of their data apply. Take these into account and record them in your data management plan.

Data and Privacy

Ground rules

A number of basic rules apply to researchers dealing with personal data:

  • You do not collect more personal data than you really need for your research.
  • Data subjects have given you permission to collect their data (informed consent).
  • You do not use the personal data for purposes other than those for which you have received permission.
  • You ensure that data subjects can withdraw their consent and that they can easily contact you to do so.
  • You ensure that data subjects can exercise their rights to inspect, correct and delete their personal data and that they can easily contact you for this purpose.
  • You protect your research data containing personal data properly by separating contact information from research data, exercising care in determining who has access to the repository of your research data, and anonymising your data as soon as possible.
Personal Data

Personal data are any data that directly or indirectly identify a person. It can therefore be name, e-mail address, telephone number, location, IP address, etc., but also combinations of data that can lead to a person. So-called 'special' personal data are also (extra) protected: for example, sensitive data about a person's race, religion, health or sexual orientation, such as passport photos and Citizen's Service Number.

Legal basis

The processing of (special) personal data is only allowed when there is a legal basis for it. For the processing of 'ordinary' personal data, you must be able to rely on 1 of the 6 GDPR principles. The processing of 'special personal data' is prohibited unless you can rely on 1 of the 6 GDPR principles and 1 of the 10 statutory exceptions to the ban on processing special personal data.

Informed consent

You explain to your respondents what your research entails, what their role in the research will be and what the possible consequences of participating are. Then you ask if they agree to participate in your research. This is done on the basis of an informed consent. An informed consent form consists of two parts, the information part and the consent part.

The information part contains all information about the research including all researchers involved and any collaborating organisations. It also explains the reasons and purposes for collecting this data. In addition, the researcher's contact details are provided in case the participant wishes to withdraw his or her consent. It states that he or she has the right to do so without explanation.

In the consent form, you ask the respondent permission for:

  • The collection and processing of his or her data
  • Archiving the data
  • The possible publication of the data (anonymised)
  • Making the data available for reuse by another researcher, if required

Who gives permission?

  • The participant, if over 16 years of age and capable of giving informed consent
  • A parent or guardian, if the participant is under 12 years of age
  • A parent or guardian and the participant, if the participant is between 12 and 16 years of age
  • A representative, if the participant is over 16 years of age but legally incapable

Download here the standard Informed Consent form of The Hague University of Applied Sciences.

Processing of personal data

The GDPR requires The Hague University of Applied Sciences to make a register of all processing of personal data within The Hague University of Applied Sciences. It is therefore mandatory to report any processing of personal data to the Privacy Officer of THUAS. If you have your data processed by a third party, for example if you use an online survey application, draw up a processing agreement. On the Privacy page you will find more information, tools and the procedure for reporting processing operations.

Security measures: pseudonymisation and anonymisation

When working with sensitive data, it is necessary to strengthen the security of this data to avoid disclosing personal data when you want to share your data with others. There are two basic methods: pseudonymisation and anonymisation. The main difference between these two methods is that pseudonymisation can be undone and anonymisation is irreversible. Therefore, according to the GDPR, pseudonymised data must still be treated as personal data.

Pseudonymisation is used when you need the participants' data for reasons other than the analysis itself. For example, it may be useful to obtain additional information about a person later in the research, or to warn someone if there are any medical risks. The National Coordination Point Research Data Management (LCRDM) offers a set of 9 basic steps for pseudonymisation.

Anonymised data are data that no longer relate to individuals at all. In other words, no additional data may be available during anonymisation that would allow someone to link it to a specific person. Not only personal data (directly identifiable elements) must be deleted, but also indirectly identifiable elements. How to anonymise your data can be found on the UK Data Service Anonymisation page and in the Bristol University document Keeping Data Confidential – Anonymising Records.

The GDPR test and a DPIA

It is strongly recommended to do a GDPR test at the beginning of your research in consultation with the Privacy Officer of THUAS. This ensures that you are GDPR compliant right from the start of your research and data processing. If necessary, a Data Protection Impact Assessment (DPIA) is carried out. If your research involves any of the following activities, a DPIA is mandatory:

  • Assessing people on the basis of personal characteristics (evaluation or score assignment)
  • Automated decisions having legal effect or similar consequences
  • Systematic monitoring
  • Large-scale data processing
  • Matching or linking data sets
  • Processing of data on vulnerable persons
  • Use of new technologies or solutions
  • The processing of data leads to the blocking of a right, service or contract

Read here how the DPIA process works within THUAS.

More Information

More information on privacy in research and careful handling of personal data:

Categories of Personal Data

Categories of 'ordinary' personal data
  • Name, address, postal code, town
  • Telephone number, email address
  • Date of birth, place of birth
  • Nationality, gender
  • Profession/job title/salary/CVs
  • Citizen Service Number (BSN; statutory), identity card (copy)
  • Staff/student number/other administrative number
  • Financial data (bank account number, credit card number)
  • Photographs/audiovisual material/video recordings
  • Data obtained from social user profiles (Facebook, Twitter account, etc.)
  • Click and surfing behaviour (cookie/pixel data), IP addresses
  • Lifestyle characteristics (e.g. family structure, living situation, interests, demographic characteristics)
  • Other: ...
Categories of 'special' personal data
  • Special personal data concerning a person's religion or belief, race, political opinion, health, sexual life, personal data concerning membership of a trade union, criminal personal data and personal data concerning wrongful or abusive behaviour in connection with a ban imposed as a result of such behaviour
  • Uniquely identifying data (e.g. biometrics, fingerprints, DNA)
  • Other data for which there is a (derived) increased sensitivity (e.g. credit card information, financial information, inheritance aspects, work or school performance or data subject to a confidentiality obligation)
  • Data on vulnerable groups or persons (e.g. minors <16 years old), mentally disabled, prisoners, people under surveillance, people whose physical safety is at risk)
  • Systematic and large-scale monitoring (e.g. camera surveillance)
  • Other: ...

The 6 GDPR Principles

The GDPR has 6 principles for the processing of personal data:

The 6 GDPR Principles for Processing Personal Data
  1. Permission of the person concerned.
  2. The data processing is necessary for the execution of the agreement.
  3. The data processing is necessary for compliance with a legal obligation.
  4. The data processing is necessary for the protection of vital interests.
  5. Data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
  6. The data processing is necessary for the protection of legitimate interests.

As a researcher, you are responsible for assessing whether you can base the processing of personal data on 1 of the 6 principles.

On this site, under when you’re allowed to process data, you will find information for each principle to assess when you can use it.

The 10 GDPR Legal Exceptions

The GDPR contains 10 exceptions to the ban on processing special personal data. This means that the ban on processing special personal data does not apply if you can rely on 1 of the 6 principles for processing 'ordinary' personal data and:

The 10 legal exceptions to the ban on processing special personal data
  1. A person has given express consent to the processing of his/her personal data
  2. The processing is necessary for the performance of obligations and the exercise of specific rights of you or the person concerned. This concerns labour law and social security and social protection law
  3. The processing is necessary in order to protect the vital interests of the person concerned or of another natural person. This only applies when the person is physically or legally incapable of giving his or her consent
  4. The processing is carried out by a foundation, an association or another non-profit making body operating in the political, philosophical, religious or trade union field, and that organisation processes data in the course of legitimate activities and with adequate safeguards
  5. The processing relates to personal data which are manifestly made public by the data subject
  6. The processing is necessary for the establishment, exercise or substantiation of legal claims, or when courts are acting within the scope of their jurisdiction
  7. The processing is necessary for an important public interest
  8. The processing is necessary for purposes of preventive or (labour) medicine such as assessing fitness for work and/or providing health care
  9. The processing is necessary for reasons of public interest in the area of public health
  10. The processing is necessary for archiving in the public interest, scientific or historical research or statistical purposes

Using Data from an External Party

You can use already existing data from an external party for (part of) your research. Below is a (non-exhaustive) overview of sources that provide potentially relevant data.

Data directories and data portals
Dutch Data Archives
  • NARCIS: offers access to data sets from the repositories of Dutch universities, KNAW, NWO, various scientific institutions and a number of data archives including DANS and 4TU.ResearchData (see below). You can filter by accessibility (open access, closed access and restricted access) and by specialisation
  • Survey Data Netherlands: makes surveys and related data from large Dutch research projects findable and accessible. You can search full text or filter by language (Dutch or English), subject or source
  • DANS: Search in EASY, online archiving system for the deposit and reuse of research data in the Netherlands. Contains data sets from the humanities, health sciences, social and behavioural sciences, oral history and spatial sciences, among others. Among other things, it unlocks the collections of the former Netherlands Historical Data Archive (NHDA) and the Steinmetz Archive, and provides access to the secure microdata of Statistics Netherlands (CBS, see below). You can filter by accessibility (open access, access after registration, closed access and restricted access) by specialisation and by collection. DANS is a certified archive (CoreTrustSeal).
  • 4TU.ResearchData: A joint data management initiative of the Dutch technical universities. Contains data sets from technical universities. Contains data sets from technical sciences. You can filter by collections, year, location or subject. 4TU.ResearchData is a certified archive (CoreTrustSeal).
Statistical data
  • Statline: the database of Statistics Netherlands (CBS). Figures on the Dutch economy and society, from inflation to population development. The information is clearly classified by topic. The open data portal allows you to download large quantities of figures. The portal also provides information on automated retrievals. Statline is also included in the A-Z databases/digital resources list of the library of The Hague University of Applied Sciences.
  • List of (inter)national statistical organisations of the Economic Commission for Europe of the United Nations (UNECE): organisations comparable to the CBS in other countries that provide statistical data. A wealth of statistical data can also be found at international organisations such as WHO, OECD, UN, etc. UNECE provides an overview of national and international statistical organisations.
  • Euromonitor Passport: The library of The Hague University of Applied Sciences offers access to the international statistical source Euromonitor Passport. Via the tiles Search all categories and Explore statistics under the various tabs, you can download market data, demographic data, socio-economic data and (retail) trade data. Euromonitor Passport is included in the A-Z databases/digital resources list.
Quality and findability of external party data

Data archives must meet quality standards for the data they store and provide access to. To assess the quality of a data archive, you can check the following:

  • The policies and guidelines of the archive
  • Whether it is certified, e.g. with the CoreTrustSeal or ISO/DIN standards
  • The use of persistent identifiers such as Digital Object Identifiers (DOIs), which guarantee the findability of the data