FontsA A
ContrastA A
Newsletter sign-up [mc4wp_form id="1441"]

Challenge: Responses to data requests

This scenario shows how a researcher can respond to requests concerning personal data

Petr is a Czech researcher, and he is processing data about people for scientific purposes in the context of a research project. Petr is subject to European data privacy legislation that protects citizens’ rights, namely the GDPR.  

Petr receives a request from one of the data subjects involved, Fatima, concerning her own data.  

Petr transmits Fatima’s request to Tereza, the Data Protection Officer of his institution, whose responsibility is to ensure that the institution is correctly protecting individuals’ personal data according to legislation. 

Tereza communicates with Fatima. Tereza can answer in an electronic way whether possible or through a written answer or through an oral one, after conducting a security check as regards the manners for providing the response. Tereza must focus on which right Fatima intends to exercise.  

  • If Fatima is asking for access to her own data, Tereza must evaluate which interest prevails: in case the legitimate interest of Petr’s institution prevails in the light of the purposes of scientific research, Tereza shall submit his evaluation to the Research Ethics Committee (REC), a panel of experts and independent body, which could decide to restrict the right to access or to suspend and postpone it or even to negate it, according to a proportionality test. If Fatima’s interest prevails, the exception of data processing for the purpose of scientific research does not apply. 
    • If Fatima asks for rectification, such a right shall be guaranteed, since the exception for scientific research is not applicable to suspend or limit this right.  
  • If Fatima asks to see her data deleted, Tereza shall examine if the research is performed in the public interest: if not, that right shall be granted, and the exception of scientific research does not apply; if instead the research is performed in the public interest, Tereza must evaluate if the acceptance of Fatima’s request to delete her data would make impossible or seriously endanger the fulfillment of the scientific goal. In case that there is no risk for the fulfillment of goals, Fatima will see the deletion of her data. Otherwise, the DPO will submit his evaluation to the REC, which considering the impossibility or serious risk for the fulfillment of scientific goals, will deny Fatima’s right to erasure.  
  • If Fatima requests the restriction to process, Tereza shall examine if Petr needs the personal information for the original purpose: if so, it is not possible to accept Fatima’s request and the REC will evaluate the denial to the right of restriction. If Petr does not need the data for the original purpose but Fatima needs data for performance, determination, or application of legal claims, the REC again will deny Fatima’s right. Instead, if Fatima does not need data for performance, determination, or application of legal claims, she will see the recognition of her right to restriction of the processing.  
  • If Fatima requests the right to portability, which would allow Fatima to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, it has to be evaluated if Fatima’s personal data are processed automatically: if so and if such processing is based on Fatima’s consent or contract performance, then data portability shall be granted. If data are processed automatically but not on the basis of Fatima’s consent or contract (so for instance on the basis of legitimate interest), the right to portability may be refused provided that the REC decides about it. The same thing occurs if data are not processed automatically and so the transfer to another IT environment is not technically possible.  
  • If Fatima wants to object to some data, which means that she wants to stop or prevent Petr from processing her personal data, it must be evaluated if the processing is necessary to accomplish the tasks performed in the public interest: if not, the REC may deny such right to object. If instead the processing is necessary to accomplish the tasks, but Fatima’s objection does not refer to the publication of specific data or she has not proven that her rights prevail over the interest of data publication, the REC may deny her right to object. Finally, if she has proven that her request refers to the publication of specific data and that her right to object prevails over publication, her right to object shall be granted.  

In all these cases, Tereza must answer Fatima’s request within one month: within the REC, she must process the request, charge a fee based on costs, elaborate on the answer by accepting or rejecting the request with the appropriate motivation, or decide not to comment and inform Fatima about the possibility to lodge a complaint or seek legal protection or inform Fatima that the case is delicate and requires an extension of time for maximum 2 months for examining and giving proper advice.  

Other possible requests

  • Petr receives a request from one of his Processors, which processes personal data on behalf of the controller Petr. So, Petr answers the processor’s request according to the contract that binds them. 
  • Petr receives a request from the Office for Personal Data Protection, which is the national Data Protection Authority in the Czech Republic. In this case, the Data Protection Officer of Petr’s institution, Tereza, interacts with the authority and cooperates in the investigation if needed and in providing the answer to the request.  
  • Petr receives a request from the police: he has the legal duty to cooperate and investigate on the request for providing a proper answer.  
  • Petr receives a request from the Court in the context of legal action against the decision of an administrative authority or against unlawful interference or for failure to act or in the context of a criminal or civil complaint. In all these cases, Petr is obliged to provide the Court with the requested data.  


Ask our team a question

The website was co-funded within ADOPT BBMRI-ERIC, a project that has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 676550.
We use cookies to analyse the traffic on our websites. All personal data is anonymized and not shared with third parties! Click here for more information.