What is personal data?

Personal data are all information that allow you to directly or indirectly identify a living human being. This is determined by the Dutch privacy regulation (AVG), based on the European privacy regulation (GDPR). Examples of personal information are:

  • Name
  • Date of birth
  • Contact details, e.g. address or phone number

It is important to know that there are special categories of personal data, also called sensitive data:

  • data that reveals a persons racial or ethnic origin, political opinions, religious or philosophical beliefs;
  • data that reveals a persons trade-union membership;
  • genetic data, biometric data processed solely to identify a human being;
  • health-related data;
  • data concerning a person’s sex life or sexual orientation.

According to the law, is it by default forbidden to process sensitive personal data, unless your research meets one of the legal conditions.

The following types of data are always considered sensitive data:

  • Genetic data, such as DNA sequences
  • Biometrical data, such as finger prints

Ask for consent

If possible, you should ask for the consent of the persons whose data you will collect or process. These persons are called 'respondents' or 'research persons'. Besides asking whether they consent to participate in your research, you are also obliged to provide information about your research project. This is called 'informed consent'. Explain in the information letter:

  • The purpose of your research 
  • The role of respondents/research persons in the research
  • Potential consequences of their participation in the research
  • Which measures are taken to protect their integrity during and after the research is conducted

Finally, you ask for written consent to participate in the research, as it is required to be able to proof that the informed consent of all respondents/research persons. The Hanze UAS provides this template for informed consent (in Dutch) for researchers, which can be used as an example. 

Privacy by design


Radboud University, 2017. This video is designed by Rikkert Veldman.

Anonymization and pseudonymization of data


In some cases, it is possible to anonymize data with personal information. This means that you remove all information that can be used to identify individual human beings. Anonymization implies that the removal of this information is irreversible: it won't be possible to restore the original dataset. Don't forget to also remove the data from the trash bin of your personal devices.


Not all data can be anonymized, for example if that would prevent you from analyzing the data. Or because personal information is required for further research. An alternative to anonymization is pseudonymization of the data. 



To pseudonymize a dataset, you create a 'key' to the information that can be used to identify individual persons. You do this by linking a unique code to the information of each respondent. After that, you will create two different sets of data:

  • The pseudonymized data: The personal information for identification is removed and replaced by the key
  • The key: This version contains only the personal information that can be used for identification, and is linked to the key as well