heiBOOKS

Abstract: This paper proposes a concept for the sharing of personal data for scientific research purposes and a potential role of the NFDIxCS infrastructure in that process. The concept takes account of the so-called Research Data Management Container (RDMC) that is developed by the NFDIxCS consortium. The RDMC should incorporate research data together with the corresponding metadata, the research software and the required execution environment. With regard to the proposed concept, the paper discusses some legal and technical issues concerning the transmission of personal data for scientific research purposes. The legal part of the paper addresses the purpose limitation principle that is stipulated, inter alia, by the GDPR. It analyses two distinct legal interpretations for the notion of data collection and further processing under the GDPR: a role-based approach and a data-based approach. The role-based approach ties these legal terms to the controller of the personal data, the data-based approach to the data itself. As explained in
the paper, both approaches may be based on the wording of the GDPR provisions and recitals. The approaches lead to different legal conditions for the transmission of personal data. Our decision in favour of the data-based approach rests on a teleological interpretation of the purpose limitation principle. This is followed by a technical perspective of the requirements and existing solutions to address some of the discussed issues and legal requirements, with a focus on secure data sharing in the context of research containers. After an overview of the challenges has been provided, several potential solutions based on existing technology are presented.

Keywords: data sharing, personal data, purpose limitation principle, data security