Basic data management guidelines: What if your material contains personal data?

Get to know the terms

Personal data constitutes any data that can be linked to an individual either directly or indirectly. Examples of personal data include names, the personal identity code and contact information, as well as opinions, a physical or mental characteristic, a photo, vocal recordings or any other information which allows a person to be identified.

Some personal data belong to special categories of personal data. These include:

  • Data concerning health
  • Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership
  • Data concerning a person’s sex life or sexual orientation
  • Genetic data (data about a person’s characteristics obtained from a biological sample)
  • Biometric data (such as a fingerprint or facial image) if they are processed for the purpose of identifying a person

Data subject means the person whose data are processed. People studied for research purposes are data subjects.

Controller means the party in charge of personal data processing in relation to the data subjects.

In the case of theses completed at the University, the University and student are joint controllers, which is also indicated in the privacy notice.


Personal data processing requires advance planning. Before you begin collecting and processing personal data, you must determine

  • The purpose for which you need personal data (your research topic and why it requires processing of personal data)
  • The data required for your research
  • How you will avoid risks and comply with the general principles of data protection (further details below). According to recommendations, theses should not be written on topics that require an impact assessment, meaning that they may result in a high risk to the research subjects.
  • How you will take the research subjects’ rights into consideration

The processing of personal data always requires a legal basis, as specified in data protection legislation.

Possible legal bases for bachelor’s theses and other theses before the master’s level:

  • Consent, if the data are collected directly from the research subject, or
  • A legitimate interest, if the data are not collected directly from the research subject. In this case, you must be able to express the necessity of research and compare it to any harm caused to the research subject (in other words, conduct a balance test).

Possible legal bases for a master’s thesis to be published:

  • Primarily: Scientific research conducted in the public interest (For this legal basis to be used, the thesis must be published.)
  • Consent as the legal basis for a limited measure, such as publishing the research subject’s opinion, including the subject’s name, in the thesis

Legislation relating to research ethics or medical research may require that subjects give their consent for research participation. However, such consent does not mean the same thing as “consent as a legal basis for processing", but is intended to ensure that the subject is adequately informed. Public interest should be used as the legal basis for processing personal data in this case, as well. Ensure that the research subjects understand that although their consent for research participation is requested, public interest is the legal basis for the processing of their personal data.

Read more about the legal bases for processing in Flamma, under Data protection guide for researchers.

Also pay attention to accountability: you must be able to demonstrate your compliance with data protection legislation. You can do so by drawing up a data management plan and data protection notice.


Inform your research subjects about the processing of their personal data before you begin collecting data. You can use the templates for data protection notices available on Flamma, under Data protection guide for researchers. The templates include the information required by law. If the research is not conducted as part of one of the University’s research groups or if you are not employed by the University, indicate yourself and the University jointly as the data controller.

If the research data have not been collected directly from the research subjects, you can depart from the requirement to provide information if it would involve a disproportionate effort (e.g., if you do not have the subjects’ contact information). Please note that a completed data protection notice also serves to demonstrate accountability.


Store personal data only in storage locations and repositories that you know to be secure and ensure that your working methods do not undermine the protection of data. Primarily use the University’s systems and services to process data. Ensure that personal data can only be processed by people with a legitimate reason to do so.

If personal data are to be exceptionally transferred outside the EU, discuss this with your supervisor.
Note that personal data may be transferred if you

  • Use a service provided by a party outside the EU (e.g., commercial cloud services)
  • Submit material outside the EU
  • Grant remote access to the data to a party outside the EU

Publish, remove and store

Ensure that you do not include unnecessary personal data in your publication. If you want to include personal data (e.g., photos or opinions indicating the person’s name) in your final work, you must, as a rule, obtain the person’s consent.

As a rule, when you have finished your thesis and it has been approved, you must destroy any material containing personal data. If you plan to keep your material for later use in a doctoral thesis, for example, you must inform the research subjects in advance.

If, by way of exception, you plan to keep the material after your thesis has been completed and approved, discuss it with your supervisor.

Student's responsibilities

As a student, you are responsible for

  • Informing the research subjects and openly explaining how you will process their data. Draw up a privacy notice and give it to the research subjects.
  • Processing data without causing unreasonable risks to the research subjects or unnecessarily interfering with their privacy. Assess the risks related to processing with your supervisor.
    • Pay attention to any need for a data protection impact assessment. An impact assessment is required if the processing of your research data is likely to result in a high risk to the subjects. You can assess the likelihood of high risk using the ‘Preliminary evaluation – Data protection impact assessment’ form available on Flamma. A topic that poses such a risk is not recommended as a thesis topic. Discuss exceptions with your supervisor.
  • Processing data only for the purpose for which you collected them and as you explained to the research subjects
  • Collecting only the required amount of data
  • Ensuring that the collected data are correct and accurate
  • Storing the data for only as long as necessary (and ensuring the pseudonymisation, anonymisation or appropriate disposal as soon as possible)
  • Answering any questions the research subjects may have about the processing of personal data
  • Ensuring that the completed work to be published does not contain any identifiable data unless the research subjects have given their consent, or another justified reason for it exists
  • Protecting the data appropriately, using systems you know to be safe, and restricting access to the material. Read more about information security.
  • Reporting any information security incidents to Examples of information security incidents include you losing an external hard drive on which you have stored personal data, or your username and password leaking to another person as a result of phishing.

The guidance of students is primarily their supervisors’ responsibility. If required, supervisors can get support for this from the University’s support services.

Supervisor's responsibilities

The supervisor is responsible for

  • Providing assistance and support for planning personal data processing, including risk assessment
  • Training and instructing the student
  • Ensuring that completed theses to be published do not contain unnecessary personal data

University's responsibilities

The University’s support services are responsible for

  • Interacting primarily with the supervisory authority (Data Protection Ombudsman)
  • Providing secure storage space and tools for data processing
  • Helping supervisors instruct and train students
  • Ensuring that the appropriate agreements have been concluded with the University’s service providers
  • Ensuring that any information security breaches targeting the University are investigated and reported to the supervisory authority
  • Submitting an ethics committee statement, if required, especially in the field of medical research