Information on Legal Aspects of Research Data Management

Data protection must be taken into account in any research projects involving the processing of personal data of living individuals.

If such data is processed (e.g., collected, stored, or deleted), you always need a legal basis such as personal consent or a legal provisions legitimizing data processing.

We not only help you identify a legal basis for your research, but also provide consultation and offer templates, for example for mandatory data protection notices and consent forms.

We also support you with the necessary documentation (record of processing activities (RoPA) and the necessary technical and organizational measures (TOM) for data protection.

• If data is processed by a third party in a research project (for example, stored in a cloud or collected on your behalf by a survey institute), a so-called data processing agreement (DPA) must be concluded.
• If data is processed jointly with a third party, e.g., as part of a research collaboration, an agreement on shared responsibilities must be concluded.
• Specific situations, such as data processing outside the scope of the General Data Protection Regulation (GDPR), the fulfillment of data subjects' rights, and data breaches.

For further information, please see our intranet page.

There are special ethical and legal requirements with regard to research that involves people or the processing of personal data. The main focus is on protecting the dignity, rights, and safety of the respective individuals.

In accordance with section 6 of the Statutes of the Ethics Committee of the University of Mannheim (PDF), an ethical review is required, in particular, if research involves physical interventions, psychological stress, health risks or the processing of personal data. A statement must also be obtained for sensitive topics, such as research with particularly vulnerable groups or if there is a potential risk to third parties.

Personal data refers to any information relating to an identified or identifiable natural person. This also applies if identification is only possible indirectly, for example based on characteristics such as age, gender, origin, or state of health. Pseudonymized data is also legally considered personal data if a connection to the person can still be established. Data is only exempt from data protection law if it is completely anonymized. Personal data is considered to be completely anonymized if it can no longer be linked to an identified or identifiable person, even indirectly via a separate allocation list. Only then are they exempt from data protection law.

Personal data cannot be processed solely on the basis of consent. Though consent is often a key requirement under data protection law, it is not always necessary. In certain cases, for example where there is a legal basis for permission for research or quality assurance purposes, processing may also be permitted without the explicit consent of the individuals whose personal data is going to be processed. The key factor is that there is a legal basis and that data processing complies with the principle of proportionality.

Safety-related aspects must also be taken into account in the ethical assessment. These include possible mental strain, the risk of discrimination or stigmatization or conflicts with the protection interests of third parties. Research in private areas of life such as health, sexuality, or social problems is particularly sensitive.

Therefore, the Ethics Committee not only examines legal requirements such as the compliance with the GDPR, but also whether the project is ethically responsible, for example with regard to transparency, voluntary participation, handling of queries or risks, and appropriate safety measures. The aim is to balance freedom of research with the protection of those involved and to ensure the quality of academic work.

Cooperation with researchers employed at other institutions generally requires a (cooperation) agreement between the University of Mannheim and the respective institutions, which regulates the framework conditions for the cooperation and, in particular, the rights to the research results. This applies in particular, but not exclusively, if the research project is financed/funded by the research partner or by third parties, if funds are to be distributed, and/or if data is to be shared within the framework of the research project. Division I (Department of Research Services) will assist you with legal regulations, support the organization and review of the appropriate contract, and help with negotiations if necessary (possibly in cooperation with other departments). The department will also ensure that the contract is finalized by university management, with the legally binding signature usually provided by the Executive Vice President. Further information on responsibilities and contact persons can be found on the intranet pages of Division I.

If you wish to use data from statistical offices, companies or other providers, you must conclude a contract with the providers of the data that regulates the framework conditions for the use of the data. You must also comply with budgetary and public procurement regulations when procuring data. The UB supports you in the procurement process and negotiates and concludes data use agreements for you. Information on the procedure can be found on the website of the University Library.

Research data may be subject to copyright or related property rights. Copyright-protected data may only be copied, distributed, made accessible, or used in a similar manner with the consent of the copyright holder, unless otherwise permitted by law. This can be relevant if you want to subsequently use existing data or make your own data available to other researchers. If you have any questions regarding copyright for research data, please contact the University Library (UB).