Data protection for student projects

page translated with AI support

Anyone who processes personal data must comply with the legal regulations on data protection. For us at the University of Münster, these regulations arise in particular from the General Data Protection Regulation [GDPR]. The GDPR also applies to students, for example if they collect and evaluate personal data in a survey for their degree thesis.

Personal data are all information relating to an identified or identifiable natural (living) person, that is, any data with which it is theoretically possible to identify a person. Examples of personal data are name, place of birth, IP address, voice, handwriting, photos and videos, as well as a person's DNA. Data are also considered personal if a person can only be identified indirectly with them, for example if the data are combined with background knowledge or information from other sources.

You can check whether your specific student project falls within the scope of the GDPR using our instructions below. If it does, it must be determined whether the project is to be carried out in the name of the university as the so-called "responsible" party for data protection, or whether you yourself are the "responsible" person in the sense of data protection. You can find out below on this page how you, as the responsible person, implement data protection in practice.

Check step 1: Are personal data processed as part of the work or required coursework and degree-relevant examinations?

  • Yes: Proceed to check step 2.
  • No: If no personal data are processed, the planned work does not fall under the scope of the data protection regulations. No further check steps are needed.

Check step 2: Should research be continued at the University of Münster with the collected data or should it be processed in another way?

  • Yes: In this case, the data collection is to be carried out under the responsibility of the university. The university is also responsible for the subsequent further processing of the data. You are responsible for the processing of the data within the framework of your work. What you need to consider is described further below.
  • No: Proceed to check step 3.

Check step 3: Does the task involve the independent collection of data?

  • Yes: If it is part of the task that you create concepts for data collection and evaluation and carry these out yourself, you are responsible for data protection.
  • No: If, for example, students collect personal data together with the university instructors or receive it, the university is responsible for data protection.
  • What does it mean to be personally responsible for data protection?

    If the above examination has shown that you are considered the person responsible for data protection, the following framework conditions apply:

    • The data collection must be carried out in your own name
      • Letters to participants, invitations to participate in surveys, data protection declarations and declarations of consent etc. must be written in your own name.
      • You may not use the letterhead and logo of the University of Münster.
      • Supporting persons, such as the university instructors of the University of Münster, can support you in recruiting study participants with cover letters. These cover letters may use the logo and letterhead of the University of Münster. It must be clearly stated that the project is a student's work.
    • Since the university is not responsible for data protection, the Data Protection Office may not advise you on data protection matters.
    • You must ensure the security of the data yourself through technical and organisational measures.
    • You must respect and uphold the rights of the persons whose data you process.
    • If a provider, such as a survey service, processes personal data on your behalf, a data processing agreement may be required. You must conclude this yourself in your own name. Providers usually offer templates for this.
  • How does one implement data protection as a responsible person?

    Establishing the legal basis

    Firstly, it is important to know that the General Data Protection Regulation [GDPR] prohibits any processing of personal data unless the law provides a so-called legal basis for it. Therefore, a legal basis is needed that permits the project. The relevant legal bases can be found in Article 6, paragraph 1 of the GDPR.

    For student work, you should always rely on the consent of the affected persons as the legal basis. If a person consents, among other things, voluntarily and on a well-informed basis (see below "Observe the information obligation and provide a data protection declaration"), the processing of their personal data is permitted according to Article 6, paragraph 1 lit. a GDPR.

    For so-called "special categories of personal data", Article 9 of the GDPR also applies, which provides special protection for these data. This covers the following sensitive data categories:

    • data from which the origin of a person can be inferred
    • political opinions
    • religious or philosophical beliefs
    • trade union membership
    • genetic and biometric data for the unique identification of a person
    • health data
    • data relating to a person's sexual life or sexual orientation

    If special categories of personal data are processed, a separate legal basis according to Art. 9, paragraph 2 GDPR must be available for this. If you obtain consent for the processing, Art. 9, paragraph 2 lit. a GDPR serves as the legal basis for you.

    Observe the information obligation and provide a data protection declaration

    The persons whose data is to be processed have a legally anchored right to be informed about the processing of their data in a transparent and traceable manner (Art. 5, paragraph 1 lit. a GDPR). This results in an information obligation that you must fulfil as a responsible person. For this purpose, you can write a data protection declaration and make it available to the affected persons before the data collection. We provide non-binding templates for this further below on this page.

    The data protection declaration must contain at least the following information:

    • name and contact details of the responsible person
    • purposes of the processing
    • legal basis for the processing
    • categories of data that are processed
    • categories of recipients of the personal data (both within and outside the university, without naming individual persons). For example, it must also be transparently stated here if the data are to be published, such as in a publication or on social media.
    • duration of data storage or criteria for determining the storage duration
    • reference to the rights of the data subjects (information, correction, deletion, restriction of processing, objection)
    • reference to the right to withdraw consent, and to the fact that the lawfulness of the processing carried out on the basis of consent up to the withdrawal is not affected
    • reference to the right to lodge a complaint with a supervisory authority (specification of the specific supervisory authority is not required)

    Obtain consent

    Consent must be given by the persons whose data you wish to process, on an informed basis and actively ("opt-in"). In addition, you must be able to prove that consent was actually given. It is therefore advisable to obtain consent in writing, for example by having the declaration of consent signed in advance of interviews.

    In online surveys, consent can also be obtained by clicking. It is important that the respondents must actively click themselves and that they cannot call up the survey without consent. You will find a text module as a template for this further below.

    Protect data appropriately

    As a responsible person, you must protect the personal data that you process appropriately, in particular from access by unauthorised persons and from loss. You can find information on protective measures, for example, on the website of the Information Security Office.

    Delete data

    As described above, a deadline for the deletion of the data must be specified in the data protection declaration. The GDPR requires that personal data be deleted when it is no longer necessary for the purpose of processing. You must therefore also delete the data at the specified time. A specific deletion period in years cannot be recommended – when the data is no longer required depends on the respective project.

  • Special considerations for data from minors and surveys in schools

    Minors must be especially protected in terms of the processing of their personal data. They may be less aware of the risks and their rights regarding the processing of their data (see also Recital 38 GDPR). Therefore, for all minors, the consent of the parent or legal guardian must be obtained on their behalf. If a person with parental responsibility signs alone, they must certify in writing that they are also acting on behalf of the other person with parental responsibility. The template documents provided on this page already include the relevant fields for consent by the parent or legal guardian.

    If the data subjects are between the ages of 14 and 18, they should additionally consent to the processing of their data themselves.

    If you plan to conduct a survey in schools, you must consider further legal frameworks, such as the School Act of North Rhine-Westphalia. Therefore, inform yourself in good time about the laws applicable to your project and the resulting framework conditions. For example, surveys in schools are generally subject to approval and must be submitted to the school management in advance.

  • What does it mean if the university is responsible for collecting personal data?

    If the above examination has determined that the university is considered the "data controller" under data protection law, the following key conditions apply:

    • Supporting persons, such as university instructors, should support students in implementation. The data must be collected lawfully to ensure lawful further use.
    • Data collection can be carried out on behalf of the university, and template documents in the corporate design may be used.
      • Letters to participants, invitations to participate in surveys, data protection declarations and declarations of consent etc. may be created on behalf of the university.
      • The letterhead and logo of the University of Münster may be used.
      • Template documents from the intranet may be used (accessible here for staff).
    • Since the university is responsible for data protection, the Data Protection Office may support the project through data protection advice.
    • The regulations on information security at the university must be observed. Particular emphasis is placed on the guideline and the guidelines for the classification of information, which you can find on this page.
    • If a provider, such as a survey service, processes personal data on behalf of the university, a data processing agreement may be required. This will also be concluded with the university under the responsibility of the university. Providers usually offer templates for this. The contracts can be checked by the Data Protection Office.

    University staff can find further information on the topic of data protection on this page in the intranet.

  • Templates

    Template for a Data Protection Office declaration of consent for adults [de]

    Template for a Data Protection Office declaration of consent for minors [de]

    Template for a Data Protection Office declaration without declaration of consent (e.g. if consent is given online by clicking) [de]

    Text module for consent by clicking in online surveys [de]