Data Protection in Thesis Work

As a university of applied sciences student, you might handle personal data in your thesis work. This guideline helps you consider the impacts of data protection regulations on your thesis work and its implementation.

You can use this guideline also when processing personal data as part of other academic tasks, such as exercises or project work, for which you collect personal data.

Processing of personal data is regulated by data protection legislation:

  • General Data Protection Regulation (GDPR) of the European Union (EU 2016/679)
  • Data Protection Act (1050/2018)
  • Special legislation in different fields

Familiarize yourself with VAMK’s data protection policy: Data Protection Policy – VAMK

Concepts and Definitions of Data Protection
  • Data protection refers to safeguarding privacy when processing personal data.
  • Personal data includes all information by which a person can be directly or indirectly identified. Personal data includes, for example, name, address, personal identification number, email address, or any other information that, alone or in combination with other information, reveals something about an individual. Videos, photographs, or audio recordings are also personal data if an individual can be identified from them.
  • Special (sensitive) personal data includes information about a person’s race or ethnic origin, political opinions, religious or philosophical beliefs, membership in trade unions, health-related information, sexual orientation or behavior, as well as genetic and bio-metric data.
  • Processing of personal data encompasses all actions directed at personal data, such as collection, storage, retention, modification, retrieval, merging, disclosure, and destruction of data. Processing of personal data must always be based on a legal processing basis according to data protection laws. If there is no legal basis, personal data must not be processed. You can only process data that is necessary for the purpose of processing.
Are You Processing Personal Data in Your Thesis Work?

Processing of personal data always requires a lawful processing basis. Processing personal data is justified only when necessary for carrying out the thesis work. Consult with your thesis supervisor or teacher before starting any processing (such as collection) of personal data for your thesis work or other academic tasks. Discuss with your supervisor whether you need research permission.

Create a clear and detailed plan for processing personal data as early as possible. Describe the data processing in your research plan.

When processing personal data, you must inform the research participants (i.e., data subjects). There is no specific prescribed format for this information (e.g., a privacy notice), but generally, the information must be provided in writing. This helps ensure accountability, a key principle of data protection regulation, meaning that the data controller must be able to demonstrate compliance with data protection laws. The privacy notice you create will remain with you and can be used to demonstrate compliance when necessary.

The privacy notice can also serve as a basis for creating information to be provided to participants in the study. You can use the provided template: Example Privacy Notice for Thesis_VAMK You can also use a separate cover letter to inform participants about your thesis related to your study. In online surveys, you can include a separate introduction section explaining general information about the research and details about the processing of personal data.

Do You Need Research Approval?

Research approval is required if your thesis work involves an organization’s personnel, students, or other stakeholders. Check with the respective organization about their research approval practices. Organizations may have their own research approval applications and related procedures. If you are conducting your thesis work as a commissioned project and it involves processing personal data, inquire with the commissioning entity about their research approval practices.

Create the research approval application in collaboration with your supervisor; you can seek assistance from VAMK’s data protection officer.

Note that research permission practices vary by field. Particularly in the field of social and health sciences, careful consideration of research ethics is essential in planning and obtaining permission. For more information, visit:

In addition to the research approval obtained from the organization, you are responsible for obtaining consent from the individuals participating in your thesis work. Even if the target organization grants research approval, each participant decides individually and personally provides consent for participating in the research (e.g., interviews or surveys). You can request participation consent in writing, orally at the beginning of an interview, or as a checkbox in a survey.

For more information about the research approval process for studies involving VAMK’s staff or students, you can read more here: Permit for Research – VAMK

Who Acts as the Data Controller for Personal Data?

The data controller is the entity that determines the purposes and means of processing personal data, either alone or jointly with others. The data controller is the party for whom personal data is processed and who makes decisions about data processing. The data controller is responsible for ensuring that processing is carried out correctly and lawfully, respecting the rights of data subjects.

When conducting independent thesis work, you act as the data controller for the personal data you collect. This means that you are responsible for the legal and appropriate processing of personal data as the researcher. You need to plan in advance the collection, retention, processing, possible disclosure, deletion, and destruction of personal data.

In commissioned research projects (typically with an organization or company), the commissioning party might determine the purposes and means of processing personal data, making them the data controller. In such cases, you need to follow the data protection and security guidelines provided by the commissioning party. If your thesis work is part of a research project led by VAMK, then VAMK acts as the data controller.

If you collaborate with another student or entity and jointly define the purposes and means of processing personal data, you are jointly acting as data controllers.

For What Purpose Do You Collect and Process Personal Data?

The purpose of processing means that personal data is collected only for a specific purpose. In this case, the purpose is carrying out the thesis work. Note that data protection legislation requires that data is used only for the specified purpose (purpose limitation).

If the personal data you collect is intended to be used for a different purpose after the completion of your thesis work, this must be taken into account from the beginning. Inform participants about this during the data collection phase.

What Is the Legal Basis for Processing Personal Data?

There must always be a lawful basis for processing personal data, and this must be determined before the processing begins. The basis cannot be changed to another after processing has been tied to a specific basis. The processing basis affects the rights of the data subjects in relation to the data controller. In thesis work, the legal processing basis is usually the consent of the participants.

Note that even if the legal basis for processing personal data is consent, you must still request consent for research participation from all individuals from whom you are collecting data. Consent for participation can be obtained in writing, at the beginning of an interview orally, or as a checkbox in a survey.

What Personal Data Do You Need for Your Thesis Work?

Collect only the personal data necessary for your thesis work. Do not collect unnecessary or excessive personal data. Follow the principle of data minimization as outlined in data protection regulations.

Discuss with your supervisor if your thesis work involves processing sensitive (so-called special category) personal data. In such cases, you may need to conduct a data protection impact assessment, evaluating the risks posed to the research participants due to the processing of personal data. More information about impact assessments can be obtained from VAMK’s data protection officer.

How Do You Collect Personal Data?

You can collect personal data using various methods, such as:

  • Questionnaires
  • Interviews
  • Observations
  • Gathering data from online platforms (social media, organizational websites, etc.)

Note that even in anonymous survey research, personal data is being collected if respondents can be directly or indirectly identified from the collected information. Simply collecting background information can lead to the identification of an individual (e.g., age, gender, location, occupation, workplace). Identification doesn’t require that a large group can identify an individual; it’s enough if the individual’s close circle can identify them.

Whenever possible, offer respondents the option to answer anonymously. Also, if possible, avoid sending survey links to individual participants. Creating an email distribution list for a survey is also considered personal data processing. It’s recommended to send the survey link to a general email address within the target organization or group for further forwarding.

How Are Personal Data Stored and Protected?

Store data in a secure location and ensure its proper protection. Describe in detail in your research plan and when informing data subjects how the data will be stored and protected to prevent unauthorized access.

It’s advisable to anonymize or pseudonymize thesis materials.

Anonymization means processing personal data in a way that individuals cannot be identified from it. Personal identifiers are removed from the data, and individual-specific information is not identifiable. It must be impossible to reverse the anonymization, ensuring that data controllers or other parties cannot revert the information back to an identifiable form.

Pseudonymization involves processing personal data so that it cannot be linked to a specific individual without additional information. This additional information must be kept separate from the personal data. Even if the data is pseudonymized, it is still considered personal data and subject to data protection regulations.

Process personal data anonymously whenever possible if the identity of the data subjects is not necessary for your thesis work.

How Long Are Data Retained?

Taking care of the lifecycle of personal data is crucial. After the research is completed, research data containing personal information must not be retained unnecessarily and should be securely destroyed (as a general rule), ensuring it does not fall into the hands of unauthorized individuals.

Plan the lifecycle of personal data in your thesis work in advance and document it in your research plan and privacy notice to inform data subjects.

If the data is intended to be retained or reused, obtain permission from research participants during the data collection phase. If the data could be useful for future use, remove identifiable information irreversibly (anonymization) and store it according to your supervisor’s instructions.

Are Personal Data Transferred or Disclosed?

Generally, in students’ thesis works, personal data is not transferred or disclosed. As a student, you are the only one processing the data. However, if there is a need to transfer or disclose collected data (e.g., for further use), this must be acknowledged and participants must be informed.

Ensure that data does not need to be transferred outside the EU/EEA area. Such transfers are restricted. If you use cloud storage, for example, data on your own device might be transferred outside the EU/EEA area, which is prohibited without the required protective measures as set by the legislation.

Ensure Data Security

If personal data is lost or accessed by unauthorized parties, it constitutes a data security breach. If you suspect that this has occurred, immediately inform the data controller or VAMK’s data protection officer to receive further guidance.

A data breach also occurs when the storage medium is lost or stolen (e.g., phone or computer).

To minimize risks, only collect and process personal data for which you can ensure secure handling.

Remember that you have a confidentiality obligation regarding the confidential personal data you receive from participants and should not discuss it with third parties. An exception is your thesis supervisor, with whom you can review the data if necessary, as they are not external to your thesis work.