Let’s start off very crudely: In principle, you can do almost anything with the data, as long as the interview partners consent. This statement is not wrong. For a start, the GDPR does not forbid you from obtaining permission to publish interviews on Facebook or YouTube. Just so as not to be misunderstood: We would not recommend this! It holds some pitfalls and raises many legal questions, but in principle it is not prohibited. And it is precisely these pitfalls that we would like to illustrate here using three specific questions as examples.
The “whitelist” for possible countries?
For the transfer of data outside the EU, there are the somewhat pompously named so-called adequacy decisions. These decisions state that an adequate level of data protection can be expected from the countries concerned. Incidentally, the so-called Privacy Shield for U.S. service providers was declared insufficient by the EuGH (the Court of Justice of the EU) in July 2020.
So far, so good. Conversely, this means that all countries that are not on this list are excluded for the time being. But even if a country is on this list, you cannot simply start; you have to pay attention to additional points:
If I obtain consent, then the purpose of the collection must be stated transparently. If I pass on data to a third-party provider who will use the data for their own purposes (we are thinking here, for example, of Google, where voice data is used for their own technical development), this does not correspond to the purpose limitation of the research project. A separate consent would therefore have to be given for this, just as transparently and prominently as for the research project itself.
Revocation and other rights
According to the GDPR, it must be possible to withdraw consent at any time. According to Art. 7 (2), this must be as simple as giving consent.
In addition, the data subject has far-reaching rights to information, i.e. also about what has happened to his or her data. Here, in case of doubt, it seems to us that the researcher is responsible for enforcing this claim against the service providers as well.
Within Europe, the GDPR provides a common basis for enforcing these rights abroad as well. Outside the EU, it would be necessary to check and ensure that these rights are also legally granted in the respective country.
Storage and deletion periods
According to the GDPR, time limits for the duration of processing and for deletion must be specifically agreed. Processing may not be carried out beyond the agreed purpose. In the (admittedly quite cumbersome) contracts for commissioned data processing under the GDPR, precisely such issues are discussed and thus documented transparently. In our experience, however, many service providers, both within and outside the EU, include no such information either in their general terms and conditions (GTCs) or in their data protection notices. We therefore consider it questionable to what extent use under these circumstances can be considered DSGVO-compliant.
We have given three examples that raise many questions. This list is not exhaustive. With the appropriate effort and knowledge, as well as legal advice, it is certainly possible to process, store and otherwise handle data outside the EU. So much for the theory. In practical terms, if you are not a data protection expert, make sure that the data you collect stays within the EU. In this context, “within the EU” also means on servers within the EU – so be vigilant when selecting cloud providers and make sure to conclude a contract for commissioned data processing. Many providers already offer this on their own.
Just to be on the safe side: We give this advice as social scientists with experience in dealing with the GDPR; it is not legally binding information. In case of doubt, please ask your data protection officer.
Further information: e.g. our DSGVO-compliant template for a declaration of consent.