Data protection in research

Data protection is a central component of responsible and excellent research. It protects the rights of study participants, strengthens trust in science and is at the same time a legal prerequisite for many projects. As soon as you work with personal data, the requirements of the GDPR and the relevant Austrian laws must be complied with – from planning and data collection to evaluation, archiving and deletion.

Data Protection Coordination supports you in taking these requirements into account with foresight so that you can carry out your research safely, efficiently and in compliance with the law.

What does it involve?

  • Planning: Data minimization, clear purposes, legal bases (e.g., consent, public interest).
  • Protective measures: pseudonymization/anonymization, access concepts.
  • Documentation: Information sheets, consents, data processing agreements, data protection impact assessment (DPIA) if applicable.
  • Rights of data subjects: Transparent information, access, rectification, deletion, objection – and procedures to guarantee these rights.
  • Life cycle: retention periods, reproducibility, and secure archiving or deletion.

How we help

  • Checklists, guidelines and sample texts (consent, information, contracts)
  • Support with DPIA, data processing contracts and data transfers
  • Training and personal advice (by appointment)

Contact us at an early stage – the sooner we are involved, the easier and faster we will find pragmatic solutions for your project. 

Data protection enquiries

In order for us to be able to process your enquiry quickly and in a targeted manner, please fill out our enquiry form in advance. The more complete and precise your information is, the faster the Data Protection Coordination can classify your request and make appropriate recommendations.

Helpful information is in particular:

  • Short description of the project including timetable
  • Types of data and groups of persons concerned
  • Purpose(s) of the processing
  • Involved bodies/partners as well as tools/service providers used
  • Data flows (collection, storage, transmission, retention/deletion)

After checking the information, we will contact you and explain which data protection requirements apply to your project. We will clarify open questions as the process continues.

The requirements for data protection can be more complex depending on the scope of the research project. The more complex a research project is, the more coordination and review effort is necessary. The following features contribute to the complexity:

  • Special categories of personal data (e.g. health, genetic or biometric data) or criminal data
  • Research with vulnerable groups (e.g., minors, patients) or small populations with an increased risk of re-identification
  • Large amounts of data, many data sources or linking of data sets
  • Wearables/tracking, sensor technology or new technologies (e.g. AI, automated evaluation/profiling)
  • International cooperation, data transfers to third countries or use of cloud/US services
  • Use of IT products/software that are not provided by the ZID
  • Several parties involved (joint controllers), complex distribution of roles or missing/unresolved contracts (DPAs, joint controller agreements)
  • Unclear or changing purposes, further or secondary use, open science/sharing of data or publication of data sets
  • High data protection requirements or special security requirements
  • Need for a Data Protection Impact Assessment (DPIA) or ethical/funding requirements with a tight timeline

If any of these points apply, please contact us as early as possible and provide the relevant details in the questionnaire. This allows us to quickly plan the necessary steps (e.g. contracts, TOMs, legal basis, DPIA) and provide you with targeted support.

Templates and information

If you have any questions or uncertainties, please contact the Data Protection Coordination.

Data security

Data protection and data security belong together: In addition to legal requirements, the secure handling of research data is also crucial. This includes, in particular, secure storage, protection against unauthorized access, the controlled transfer of data and a reliable deletion or archiving strategy.

As early as the project planning stage, you should determine where data will be stored, who will have access, and what technical and organizational measures will be required. If you have any questions about secure tools, storage options or the handling of sensitive research data, Data Protection Coordination and Information Security will support you.

Technical measures include:

  • Encryption
  • Access restriction (rights and role management in the team)
  • Pseudonymization
  • Secure transmission
  • Backup and recoverability
  • Logging if necessary
  • Use of approved university infrastructures
  • Device security