Legal topics

Legal & ethical aspects in handling research data

Important notes!

Different areas of law may be relevant in connection with research projects and research data. In particular, questions regarding data protection as well as ethical aspects and intellectual property should ideally be clarified before the start of a research project.

The information on this page is intended to provide you with a rough guide. However, for legally sound information, an examination of the individual case is necessary. Therefore, if you have specific legal questions, please contact the mentioned legal advice centres.

In addition to legal provisions, researchers should above all follow the guidelines on good scientific practice (GWP). In cases of dispute, the ombuds offices should be called in first. As soon as one party involves lawyers, this option is no longer available!

Information and contact points on good scientific practice

General Tips
  • In projects with several participants, we recommend contractually regulating mutual usage rights on jointly acquired research data (including the right to publish) in advance.
  • When working with personal data, please obtain in good time the written consent of the data subjects, formulated in a legally compliant manner. Alternatively, ensure that another legal permission applies before starting your research (e.g. according to § 13 Lower Saxony Data Protection Act).
  • If you make your research data available for re-use by third parties, please issue a licence that clearly regulates the terms of use. We recommend using standard licences, such as the Creative Commons licences.
  • If you use third-party data yourself, please note the licence terms under which the data was made available.
  • If you are entering into a research cooperation with external partners, please refer to the "Checkliste Forschungskooperationen" (German only).

Intellectual property

When generating, processing and publishing research data, questions about usage and exploitation rights may arise. Among others, this involves copyright aspects, but industrial property rights or non-disclosure agreements may also play a part.

Copyright concerns the "work", i.e. a personal intellectual creation. Ideas and methods can be protected by patents. Pure information, in turn, is generally not protectable under copyright laws.


The Guidelines for Safeguarding Good Research Practice contain provisions that go beyond the statutory regulations, for example with regard to citing sources or providing public access to research results.

FAQ on intellectual property in research data

  • Who can claim rights of usage and exploitation in data?

    Usage and exploitation rights in protectable research data often (though not always) at first lie with the person who collects or generates them. This depends on the individual case. Under certain circumstances, supervisors, employees, clients and funders (such as employers or funding organisations) can also assert such rights. In the event of a dispute, the following questions, among others, would have to be clarified:

    • Is the data in question legally protectable?
    • In what kind of context was the data collected or generated?
    • Was raw data provided by third parties and if so, on what terms?
    • Which persons were involved in which function and with which employment status?
    • Who financed the work?
    • Have agreements on usage and exploitation rights been made in advance (e.g. cooperation agreement, funding agreement, employment contract, project guidelines, non-disclosure agreement, licensing conditions, etc.)?

    Due to the complex legal situation, uncertainties are considerable in many cases. Hence, providing legally secure information is correspondingly difficult. For this reason, avoid disputes by entering into clear written agreements with all potential rights holders before you start collecting data. You are welcome to seek advice from the legal department for this purpose.

  • What data from third parties may I use and in what form?

    Re-using research data is generally explicitly desired by most funding organisations and is, where possible, preferable to newly generating them. However, check whether the data providers have stipulated usage conditions, for example in the form of a licence. If this is not the case, obtain a written permission from the providers to process (and possibly publish) the data in the way you intend to. This way you avoid potential disputes, even if the data are not statutorily protectable.

    Sometimes, obtaining consent for data use is not practicable. However, copyright provisions may apply that nevertheless allow usage for research purposes, especially in the case of data mining. For research involving personal data, data protection laws also provide exceptions for certain cases in which obtaining the consent of the data subjects can be waived (see section "Data protection").

    The right of quotation allows you to reproduce individual passages from published works by others in your own work, provided that you state the source correctly and address the content of these citations. Make sure that you cite the source correctly, even in cases where the data come with a licence that does not necessarily require you to do so (e.g. CC0). Otherwise, you are disregarding good research practice.

Contact points for questions related to intellectual property

Legal bases

Act on Copyright and Related Rights

Further information

Federal Ministry of Education and Research: Urheberrecht in der Wissenschaft: Was Forschende und Lehrende wissen sollten (German only)
forschungsdaten.info: Urheberrecht - Von Schöpfenden und Schröpfenden und denen, die es gerne wären (German only)

Data protection

The right to informational self-determination, i.e. the data subject's right to decide, essentially alone, on the collection and use of data relating to him or her, has a long tradition, particularly in Germany. Since 2018, the General Data Protection Regulation (GDPR) has ensured the protection of personal data throughout the EU. Any information relating to an "identified or identifiable natural person", i.e. a specific individual, is considered "personal data", for example:

  • Name and address
  • IP addresses
  • Individual health data
  • Customer numbers and any information linked or linkable to them.

Though there are legal regulations restricting the right to informational self-determination, the processing of personal data in a scientific context generally requires the valid consent of the data subjects. In contrast, completely anonymous or anonymised data that cannot (or can no longer) be related to a specific individual are not subject to laws regulating the processing of personal data.


If you are unsure whether the data you process is considered personal data or which legal requirements you have to comply with specifically, we recommend using the "interactive Virtual Assistant" by BERD@NFDI. This online tool asks you easy-to-understand yes/no questions. Based on your answers, you will then receive an assessment of the extent to which data protection regulations are relevant to your project.

FAQ on data protection

  • Do my research data qualify as personal data?

    Data are considered personal data as long as a reference to an individual can be (re)established, even if a certain amount of effort is required to do so. Pseudonymised data in which, for example, real names have been replaced by IDs or random names, are thus still considered personal as long as a key list exists with which the pseudonyms could be reassigned to a specific person. Combinations of data are also considered potentially personal if the group of persons meeting all characteristics is limited to a few individuals.

    For data to be considered fully anonymous - and thus not protected by the GDPR - they must be sufficiently general so that even such indirect inferences to natural persons are almost impossible. Even in case of seemingly anonymous data, however, it is very often possible to establish a reference to a person, especially with the help of computer-assisted procedures and data available on the internet. Consequently, in practice it is rarely possible to guarantee permanent secure anonymity.

  • Under which conditions may I process personal data for my research?

    In principle, personal data may only be collected or processed if the data subject has consented or the processing is otherwise legitimised by law. Consents of data subjects are only effective if they meet certain requirements of data protection law. So-called "informed consent" is required in any case, because effective consent presupposes that the data subject knows exactly what he or she is consenting to. The staff unit Data Protection is happy to support LUH employees in drafting a consent form and provides model documents (mostly German only).

    In a few special cases, it may be possible to process personal data for research purposes even without the consent of the data subjects as an exception. This applies, for example, to contemporary historical studies on public figures, or if obtaining consent would de facto be impossible or extremely costly while at the same time there is a superior public interest in the research. Before LUH employees invoke such legal exemptions, they should definitely seek counsel from the staff unit Data Protection first!

  • What do I have to consider when handling personal data?

    If you process personal data, you must take technical and organisational security measures to adequately protect these data from unauthorised access. These measures include, for example, encryption, access restrictions, strong passwords and training of data processing staff.

    The more sensitive the data, the higher the level of protection should be. Particularly strict requirements apply to special categories of personal data as defined in Article 9 of the GDPR. For public institutions of the State of Lower Saxony - and thus also for LUH - these requirements are detailed, inter alia, in the Lower Saxony Data Protection Act (in particular § 17).

    In addition to these measures, you have to take into account further rights of the data subjects, in particular regarding information, correction, timely deletion and restriction of processing. Also note that consent given can be revoked at any time, which will usually require the immediate deletion of the data in question.


    If the legal responsibility for the processing of personal data within a research project lies with LUH, one of the following measures is mandatory:

Contact point for questions related to data protection

Legal Bases

General Data Protection Regulation (GDPR)
Lower Saxony Data Protection Act (NDGS, German only)

Manuals, examples and forms

You can find all documents related to data protection on the webpage of the magisterial Data Protection Officer in the Employee Portal (German only).

Please pay particular attention to the "Merkblatt zum Datenschutz in der Forschung" (German only)!

Our Team Research Data Management provides a self-learning course on the handling of personal research data (German only).

Further reading

German Council for Scientific Information Infrastructures: Datenschutz und Forschungsdaten. Aktuelle Empfehlungen (German only)
German Data Forum: Data Protection Guide
German Network of Educational Research Data: Guides (i.a. on data protection, English version under development)


When dealing with research data, ethical issues may also arise. For example, this could be the case if you are conducting research on vulnerable people such as patients or children, or if strong emotions, psychological stress or traumatic experiences could be triggered in the researchers and the research subjects. If you apply for third-party funding for a project touching on ethical aspects, funding bodies such as the DFG require a prior assessment by an ethics committee. As a rule, funding is only possible if the committee's vote is positive.

FAQ on ethics

  • Do I need an ethics vote for my project?

    An ethics vote may be required if any of the following points applies to your project:

    • You are conducting research on or with particularly vulnerable persons.
    • You are working with particularly sensitive personal data (e.g. on sexuality or political views).
    • You are conducting experiments on animals.
    • You are planning medical tests on humans (for example, new medicines or therapeutic methods).

    Ethical questions may also arise in areas where an ethics vote is not currently required. This is especially true if you are researching technologies whose application may also have negative effects on people, society, the environment or the climate (for example, automated facial recognition, fossil fuel extraction, artificial intelligence). In such cases, you can turn to the Committee for Responsibility in Research for collegial advice, if needed.

  • At which point in time do I need an ethics vote?

    In case of proposals addressed to the German Research Foundation, an ethics vote - where necessary - must be requested at an early stage, usually before the proposal is submitted. Otherwise, there may be considerable delays in the processes of review and funding decision.

  • Where can I request an ethics vote?

    See "Contact points for ethical questions":

    • In case of non-medical research on and about humans: Joint Ethics Committee of LUH and HMTMH.
    • In case of medical research: Ethics Committee of MHH.
    • In case of animal experiments: Lower Saxony State Office for Consumer Protection and Food Safety.

Contact points for ethical questions

Further reading

DFG information on ethics votes in the humanities and social sciences

Your contact person for legal questions on research data (with a focus on copyright issues)

Vanessa Kreitlow
Administrative/Technical Staff
Welfengarten 3
30167 Hannover