Linking community and technology to enable FAIR data

RDM Portal login

Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

 You need a lawful basis before you start processing personal data

One of the key principles of the GDPR is that personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals. In order to comply with this principle you must determine a lawful basis before you start processing personal data. There are six available lawful bases for processing. No single basis is ’better’ or more important than the others.

More information about data processing

Contents of this page

Table of Contents

Why is the lawful basis for processing important?

If no lawful basis applies to your processing, your processing will be unlawful. Individuals also have the right to erase personal data which has been processed unlawfully. The individual’s right to be informed under Article 13 and 14 requires you to provide people with information about your lawful basis for processing. This means you need to include these details in your privacy notice.

What is the lawful basis for the processing of medical research data?

Explicit (informed) consent is the leading legal basis

Processing medical research data has to be qualified as processing special data. According to the GDPR special categories of personal data are more sensitive and thus need more protection. There are ten conditions for processing special categories of personal data in the GDPR itself, but the Dutch Uitvoeringswet AVG (UAVG) introduces additional conditions and safeguards. There are two possible lawful bases/conditions that apply when processing medical research data. According to article 24 of the UAVG, article 9 (2) (a) of the GDPR is leading: the data subject has given explicit consent to the processing of those personal data for one or more specified purposes.

What is a data processing agreement?

A document to govern the processing activities for your research project

When a researcher or employee of the university and/or hospital, uses the services of a processor in order to carry out specific processing activities for his or her research project, the processing activities of the processor should be governed in a data processing agreement/contract. The contract shall be in writing, including in electronic form and should at least set out the following matters:

  • the subject-matter and duration of the processing

  • the nature and purpose of the processing 

  • the type of personal data and categories of data subjects 

  • the obligations and rights of the controller

How can I conclude a data processing agreement?

The university and the hospital both have a standard mandatory model. The university model is based on the SURF format. The model of the hospital is based on the NVZ format.
For assistance, advice or more information about (concluding) a processing agreement please contact or the legal and administrative support office of the hospital via

What is a data controller?

The one who determines the ‘’purposes and means” of the processing of personal data. The university or hospital is a data controller when it determines the ‘’purposes and means” of the processing of personal data. In other words, when you decide how and why personal data should be processed. A data controller is the (legal) person who literally has the responsibility for GDPR compliance. For more information also check the decision tree (schedule 3) on page 12 of the GDPR instruction guide of the central government.

What is a processor?

The processor processes personal data on behalf and only on documented instructions of the controller. For example, when the university and/or the hospital use the services of a cloud provider for the storage of personal data, the cloud provider can be qualified as a processor. This is also the case when a trusted third party takes care of the pseudonymisation of personal (research) data on your behalf (controller e.g. UM researcher).

What is a sub-processor?

A sub-processor is engaged by the processor to carry out specific data processing activities on behalf of the processor. The processor shall not engage another sub-processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the controller the opportunity to object to such changes. In the case a sub-processor fails to fulfill its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that sub-processor's obligations.  

How do I know if I am a joint controller?

There is a joint controllership when two or more controllers jointly determine the purposes and means of the processing of personal data. They shall in a transparent manner, for example in a joint arrangement, determine their respective responsibilities for compliance with the obligations under the GDPR. In a multi-center study, for example, there may be a joint controllership because each participating institution has a share in determining the purposes and means of the processing of the personal data in the study. Besides it can often be a pragmatic choice to agree on a joint controllership because it is almost impossible to distinguish the processing- and controller roles within such complex data processing activities. Among other things, because of the intensive collaboration in the MUMC+ partnership, the university and the hospital for example, decided on a joint controllership in the field of scientific research and education. This joint controllership is laid down in the joint controllership arrangement UM en azM (2019).

Page properties

QuestionWhat is meant with lawful processing of personal data?
AnswerYou need a lawful basis before you start processing personal data.