E. Böker / CC BY 4.0

Legal Issues

An overview of regulations on the collection and use of research data

During the course of a research project, certain legal issues frequently come up. The most common issues include the following questions:

  • Under what conditions can third-party data be re-used for research?
  • Who "owns" the data generated during a research project?
  • What needs to be considered when sharing, publishing and archiving data?
  • How to handle data that contain sensitive/personal information?

The answers to these questions can largely be found in copyright and data protection law.

Copyright Law (UrhG)

Whether reserach data are subject to copyright protection under German law is being controversially discussed amongst legal experts. Unfortunately, it is not possible to give a universal answer; rather, it is essential to examine data on a case-by-case basis. Whereas classical measurement data as they exist in the natural sciences are generally not protected by copyright, research data in the digital humanities will often enjoy such protection. In general, textual materials, illustrations and works of art, but also computer programs/software, are usually protected. In the case of historical objects, however, it should always be borne in mind that they may already have been released into the public domain. For works created before about 1880, this can even generally assumed to be the case.

This involves a databases, software, data storage and the data themselves.
Brettschneider / Legal protection of research data under German law / CC BY 4.0

Tab. 1: Legal protection of reaserach data under German law / Brettschneider / CC BY 4.0

This implies that researchers do not always gain copyright for the research data they collect. Legal scholars are aware of this legal gap. Approaches to close that gap include the idea of a kind of "scientist personal right", which would at least guarantee researchers the right to decide whether and when research data is published as well as a right to be named.

It should also be noted that not only individual data or data sets can be protected, but also the databases in which they are stored and the software required to operate them.

When re-using third-party research data, it must firstly be ensured that the database or software is not subject to copyright. If necessary, the consent of the rights holders must be obtained. This can be done, for example, by means of a licence.

Data Protection Law

Verpixelte Mona Lisa/CC0

The EU Charter of Fundamental Rights and German Constitutional Law grant every person a right to the protection of personal data concerning him or her. This right to protection is directed both against the state and against other data-processing bodies. Therefore, the scientific community is obliged to observe the rules of data protection when processing research data.

However, this only applies if personal data are being processed. According to Art. 4 No. 1 GDPR, this includes all information relating to an identified or identifiable living person. Typical examples of personal research data are health data in medical research or survey results in the social sciences. By contrast, data protection law does not apply to information which either cannot be attributed to a specific person in the first place or which has been rendered anonymous in such a way that identification is no longer possible.

Personal research data may only be processed if the processing can be based on the consent of the person concerned or legal standard:

Consent does not require any special form. However, it must be verifiable - e.g. in the case of a review by the data protection regulatory authority - so that written or electronic documentation is strongly recommended. It should also be noted that consent may be revoked at any time pursuant to Art. 7 No. 3 GDPR.

On the other hand, legal authorisation can be effective without any action on the part of the person concerned. Particular importance is attached to the exceptions for scientific research purposes contained in § 27 BDSG (German Federal Data Protection Law), but also in many state data protection laws (e.g. § 13 LDSG-BW, § 17 DSG-NRW, § 13 NDSG). According to these exceptions, the processing of personal data is permitted if the interests pursued by the research project outweigh those of the persons concerned.


Potential legal problems can, in many cases, be avoided from the outset. However, this requires considering legal aspects of a research project from the very start.

Brettschneider / Legal recommendations / CC BY 4.0

It is therefore advisable to seek legal advice at the beginning of a project. Potential conflicts can be eliminated if contractual arrangements are made at an early stage which bring the diverging interests of all involved parties to a fair balance. In addition, consent required under data protection law should be obtained at the time of data collection. Similarly, the consent required under copyright law for the subsequent use of third-party materials should be obtained before working with them. Last but not least, it is advisable to publish research data under standardized licenses such as Creative Commons licenses, as this reduces legal risks and enhances the visibility of one's own research.