In Module 3 ‘Principles relating to the processing of personal data’, we discussed the Metro Map. The majority of all research projects go through the regular Orange Line on this map; in such projects, it is usually clear within a short period of time what measures are needed to ensure proper protection of the personal data.

And that is precisely why special research projects are particularly interesting: that is where you as research support staff can really make a difference! What measures are necessary if it is not entirely clear what type of personal data you are actually working with or if the research contains multiple high-risk criteria?

These are the types of research projects that we refer to here as complex cases. They serve as the perfect practice material for testing out all that you have learnt in the previous modules.


It is time to put things into practice! Each of the following pages describes a complex case. It is up to you to determine how the seven principles from GDPR Article 5 should be safeguarded and what technical and organisational measures should be taken to protect personal data as well as possible.

Each complex case is structured as follows:

●       You first read a brief outline of the research project

●       Based on this information, you answer the question of what type of personal data is being processed in the project, what the basis is, and whether the research is high risk or not

●       Following this, you are asked seven questions relating to the GDPR Article 5 principles where, for each principle, you must indicate how the researchers have safeguarded this principle in the research project

●       Finally, you answer the question as to what technical and organisational measures you think should be implemented in the project.

All questions are followed by a right and a wrong answer. After you have made your choice, you will immediately get to see whether it was the right choice. Good luck!