Excursus: Legal aspects in RDM

Various legal aspects are relevant in research data management (RDM) in order to strike a balance between the interests involved. Key legal issues include data protection law and compliance with copyright and labor law regulations.

Data protection

From a data protection perspective, it should be clarified at an early stage whether research data is personal and under what conditions it may be collected, processed, or published. Necessary measures such as anonymization, pseudonymization, confidentiality, and data security must be examined.
Researchers who collect personal or personally identifiable data in the course of their scientific work are subject to strict data protection regulations that protect the right to informational self-determination in Germany. According to Article 4(1) of the General Data Protection Regulation (GDPR) [1], personal data includes all information relating to an identified or identifiable natural person. A person is considered identifiable if they can be identified directly or indirectly, in particular by association with specific information such as names, identification numbers, or one or more specific elements of the physical, physiological, genetic, psychological, economic, cultural, or social identity of that natural person. In addition, special categories of personal data pursuant to Article 9 GDPR—including ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data for the unique identification of a person, and data concerning sex life or sexual orientation—require special data protection measures due to their sensitivity.
The processing of such data is only permitted if specific conditions are met, such as the explicit consent of the data subject. Consent must be obtained prior to data collection and covers specific aspects such as data transfer, processing, and archiving. Obtaining informed consent is a key aspect of this. Participants must be informed transparently about the purpose of the collection, the type of data processing, storage, use, and long-term handling of their data. This also includes information about measures to ensure confidentiality, such as anonymization, as well as their rights to revoke consent at any time and request the deletion of their data.

Subject-specific legal and ethical requirements

Compliance with subject-specific legal and ethical requirements in data collection is particularly important in fields such as healthcare and social sciences. In the health sciences, particularly strict data protection requirements apply due to the high sensitivity of the data. The GDPR stipulates that patient data may only be collected and processed on a clear legal basis, which usually requires the explicit consent of the persons concerned. Researchers are also obliged to ensure a high level of data security and to store data only for as long as necessary. In addition, maintaining confidentiality is essential to ensure privacy protection through secure data handling and storage. Legal requirements are also paramount in the social sciences, which include compliance with data protection regulations, especially when collecting sensitive information such as political opinions, sexual orientation, or religious affiliation (Art. 9 GDPR).

Copyrights and ancillary copyrights

In addition to data protection, it is crucial to determine who decides on the handling and publication of research data. Usually, this decision lies with the person to whom the data is assigned, based on copyright, employment contract, or patent law. However, the decision-making authority is not regulated solely by legal requirements, but is largely in the hands of the parties involved. It is advisable to make agreements in advance and to lay down general guidelines in statutes on good scientific practice or research data guidelines/policies. These should specify who has which rights of use and whether there are any restrictions, e.g., through confidentiality agreements. [2]