The following measures and activities may be relevant at different stages of the research project. The listed considerations can help ensure proper implementation of data protection (RatSWD, 2020, pp. 33; Meyermann & Porzelt, 2019, pp. 8).

Research Planning

• Define the research purpose as precisely as possible before data collection.
• Assess personal data considerations:
  • Will personal data be collected, and to what extent?
  • Will personal data be stored permanently, or will contact details be deleted after data analysis and data anonymized?
  • Can the collection and processing of personal data be avoided altogether?
  • How can processing be structured to minimize intrusion for the affected individuals?
• If personal data is processed:
  • Prepare an informed consent form (see article on informed consent).
  • Develop a plan for data storage, retention, and technical protection (including specifying retention periods) (see article on data storage).

Data Collection

• When possible and necessary: obtain informed consent in written form (for legal security) or verbally for recorded interviews (see article on informed consent).
• Collect only as much personal data as required for the research purpose (data minimization!).
• Ensure secure storage of collected data (see article on data storage).

Data Processing and Analysis

Note: As long as data processing and analysis serve the same research purpose as data collection, further processing steps are generally permitted. If new research goals or methods emerge during analysis, additional consent may be required.

• Store direct identifiers separately from research data (see article on data security).
• Implement an anonymization strategy to protect participants‘ identities: anonymize and/or pseudonymize data as early as possible (see article on anonymization and pseudonymization).
• Ensure secure data storage (including versioning and backups) (see article on data storage).
• Evaluate personal research data for its intended research purpose:
  • Has consent been obtained for additional purposes?
  • If not, data must be deleted after the designated period (see article on secure deletion in data security).

Data Publication

• The publication of personal data is only permitted with prior consent for publication.
• Otherwise, anonymized/pseudonymized data may only be published with explicit consent for publishing such anonymized/pseudonymized data (see articles on anonymization and pseudonymization and informed consent).
• Exception/special case: The publication of personal data may be permitted if it is essential for presenting research findings on historical events (RatSWD, 2020, p. 30).

Data Retention and Archiving

• Research data should generally be stored for at least 10 years after project completion (DFG, 2022).
• Data retention is only permissible if participants have consented to archiving in their consent form (see article on informed consent).
• Store and archive research data in secure facilities such as repositories and research data centers within or outside the institution (see article on archiving).
• Implement access and usage restrictions for potential future reuse.

Data Reuse

• Assess whether data can be reused for research purposes beyond the original scope (purpose limitation).
• According to Article 5(1)(b), second clause of the GDPR (DSGVO), further processing of data for scientific research is not considered incompatible with the original purposes. This means reuse is permitted if a legal basis for further processing exists (RatSWD, 2020, p. 32).