Castellum
  • Overview
  • Features
  • Roles
  • Legal basis
  • Pseudonyms
  • Security Measures
  • Comparison to other Systems
  • FAQs

Step-by-step guides

  • Two factor authentication
  • Subject management
  • Study management
  • Study execution
  • Pseudonym management
  • Data protection workflows
  • Managing recruitment consents
  • Study recruitment
  • Appointments: External scheduling
  • Subscribe to Castellum calendars
  • Administration
Castellum
  • Legal basis
  • Edit on GitLab

Legal basis

GDPR only allows processing of personal data if there is at least one legal basis. The available legal bases are defined in Art. 6, Art. 9 GDPR. In the context of Castellum, we consider a very limited set. Except for recruitment consent, the legal basis is deduced from available information.

  • Recruitment consent: The subject has given explicit consent for being contacted for future studies. See Set Recruitment Consent for a Subject.

  • Study consent: This applies if the subject currently participates in a study. This is valid until all pseudonym lists for the study have been deleted or (for subjects who are interested in news about the study) until the study is deleted.

  • Legal representative: As long as a subject is the legal representative for another subject it is assumed that the legal basis for the other subject extends to this one.

  • Subject blocked: In order to guarantee that a subject who has shown inappropriate behavior will not be invited to studies again, the fact that they are blocked can be stored without further consent.

If a subject does not have any legal basis for being in the database they will appear in the data protection dashboard so their case can be reviewed and their data can be deleted from the system.

Previous Next

© Copyright 2018-2025, Max Planck Institute for Human Development.

Built with Sphinx using a theme provided by Read the Docs.