Informing data subjects and privacy notices
Data subjects, i.e. research participants, must be informed about the processing of their personal data before processing begins. In register-based research, this is typically done by publishing a privacy notice on the controller’s website.
The privacy notice must be clear, concise and easy to understand.
It must describe:
why the data are processed
what data are processed
how the data are processed
how long the data are retained
what rights the data subject has
Secondary use of health and social data always requires a dedicated privacy notice
The privacy notice of a patient register usually concerns the primary use of data, such as patient care. If the data are used for scientific research, a separate privacy notice must be prepared for the research project.
If artificial intelligence is used in the research, this must be disclosed in the privacy notice.