FAIR principles and data protection. How can FAIR data management be compatible with the General Data Protection Regulation (GDPR)?

Disclaimer: The fact sheets are for informational purposes only and do not replace individual legal advice.

FAIR

Good data management enables scientific knowledge gain and innovation (Wilkinson et al., 2016). Therefore, the following four principles have been defined as the basis for good data management: findability, accessibility, interoperability, and reusability. Data that has these characteristics promotes and ensures the quality of research activities on the one hand and enables the reuse of data for further research projects on the other.

General Data Protection Regulation (GDPR)

In order to simplify the exchange of data within the EU and to standardize the protection of personal data in the EU, the General Data Protection Regulation (GDPR) was adopted as an overarching set of rules. On this basis, the states developed local legislation, such as the Federal Data Protection Act (BDSG), which is linked to the GDPR. The GDPR grants individuals control over their data while also taking social interests into account. For example, there are exceptions for non-commercial research that allow data exchange under certain conditions.

Data is divided into four categories: (1) sensitive personal data (e.g., genetic data, see Art. 9 GDPR), (2) general personal data (e.g., names and addresses, see Art. 4 GDPR), (3) pseudonymized data (see Art. 4 (5) GDPR), and (4) anonymous or anonymized data (see Recital 26 GDPR). While the process of anonymization generally constitutes the processing of personal data, the resulting anonymized data and completely anonymous data are not covered by the protection of the GDPR and are not considered further in the following pages.

The persons or bodies that decide on the purpose and means of processing are referred to as “controllers” (Art. 4 No. 7 GDPR). Even before data is collected, they must comply with the regulations of the GDPR, such as those relating to the legal basis for processing.

Compatibility of FAIR and GDPR

Compliance with the FAIR principles does not automatically lead to the free availability of data for reuse, because legal requirements and ethical considerations are the basis on which the FAIR principles are founded and, at the same time, the framework within which they operate and achieve their goals. The FAIR principles are therefore not in conflict with applicable law or ethical standards for the reuse of data. Instead, they are shaped and supplemented by these requirements and standards. Only well-described (FAIR) data can then be used in a manner that complies with data protection regulations.

The following fact sheets provide an overview of the interaction between the FAIR principles and the provisions and considerations relating to the protection of personal data.

Factsheets

These are currently available only in German; the English versions (links) will follow soon.

Factsheet 1 – Consent: FAIR and GDPR-compliant: https://zenodo.org/records/15912755

Factsheet 2 – Methods for FAIR and GDPR-compliant handling of personal data: https://zenodo.org/records/15916957

Factsheet 3 – Data Linkage: FAIR and GDPR-compliant: https://zenodo.org/records/15917014