Guidelines for using personal data from social media

This page was updated in May 2022. Please note that we update these pages regularly.

Here you can find information on how personal data from social media, e.g. Facebook, Twitter, TikTok and Instagram, can be used in research projects in accordance with the rules in the General Data Protection Regulation and other relevant legislation.


Research into communication on social media

The use of personal data from social media for research concerns published communication that can be directly or indirectly attributed to a natural person. 

You must comply with the rules in the General Data Protection Regulation if you use communication in your research project that has been published on social media and contains personal data. Due to the nature of social media, the General Data Protection Regulation may include special rules which you must take into account, e.g. rules relating to obtaining consent and information duty. You must also comply with the various social media and platforms’ terms and conditions for use of data (Terms of Service/Terms of Use) in connection with research. So, before you start collecting personal data on a social media platform, you must ensure that your collection and use of personal data comply with the terms and conditions for use of the platform. Note that many of the platforms explicitly state their terms and conditions for use of data for research purposes.

Definition of personal data in relation to social media

The General Data Protection Regulation defines personal data as “any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

The definition of personal data includes information about:

  • ‘The principal person’: the person whose personal data is subject to processing.
  • ‘Secondary persons’: information on people who are mentioned or displayed in a photograph made available by the principal person. The legal literature assumes that secondary persons are entitled to the same protection as the principal person according to the rules in the General Data Protection Regulation.

If a person's name is part of a profile on a social medium, or if the profile name can be linked to an identified or identifiable person, e.g. by the photo on their profile and perhaps combined with a search for the photo in a search engine, the profile will be considered personal data.

A statement is generally not personal data. However, depending on the circumstances, it may be considered as personal data if a user tweets about his or her experience with the job centre or his or her disability, or if you conduct a linguistic analysis or a description of a person's statements from a social medium in your research.

Research with personal data from social media with or without a valid consent to data processing

If you use data containing personal data from social media, you must comply with the general principles of the General Data Protection Regulation. Among other things, this means that:

  • You must not collect more personal data than is necessary to complete your project in accordance with the principle of data minimisation.
  • The personal data collected may only be used for the relevant research project, unless the individuals concerned have consented to their personal data being used for other purposes, e.g. as part of teaching activities. This is called the principle of purpose limitation.
  • Note that you must process the data collected in accordance with the rules on finalising research projects.  

In addition to complying with the data protection principles, you must have a legal basis for processing. You can conduct research with personal data with and without prior valid consent to data processing from the data subject. Read more about the bases for processing.

Research into personal data from social media with valid consent to data processing

Who do you need to obtain a valid consent to data processing from?

If you choose to obtain a valid consent to data processing from people on social media, you must obtain consent from all the people whose personal data will be included in your project. The consent must comply with the requirements for a valid consent to data processing.


What are the rules for valid consent to data processing in closed groups?    

It will not be sufficient only to obtain a consent to data processing from the administrator of a closed Facebook group, for example, as the General Data Protection Regulation does not enable the use of consent by proxy.

There may be groups, in which the members have given the administrator authority to act on their behalf, including authority to give consent to data processing. However, such consent by proxy will be rare. You should therefore always ask the administrator for documentation that they have the authority to give consent on behalf of the members of the group.  

Facebook has laid down terms and conditions for the members of Facebook, and the user accepts these when creating a profile. The terms and conditions contain Facebook's rules on privacy protection, which, among other things, state that Facebook uses members' data for "research and innovation for social good". Even though Facebook has laid down such terms and conditions, the members' acceptance of these will not be sufficient to meet the requirements for consent to use personal data from Facebook for specific projects. This is mainly due to the condition from the Danish Data Protection Agency that consent to the processing of personal data must be specific, i.e. given for a specific purpose. Read more about valid consent to data processing. Aarhus University interprets the requirement for specific consent such that the consent must relate to the processing of personal data in the specific research project, i.e. for the specific research purpose or within a recognised scientific field. Depending on the circumstances, there may be other processing purposes that you, as a researcher, want to obtain consent for, e.g. teaching purposes. 

Moreover, a member's acceptance of Facebook's terms and conditions will not give the researcher access to process data about secondary persons, i.e. people who are mentioned in a member’s posts, pictures or videos displaying other people than the person who uploaded the picture to Facebook. Finally, it must be assumed that Facebook’s terms and conditions concerning the use of data for research and innovation solely cover research activities launched and financed by Facebook.    


Research into personal data from social media without valid consent to data processing

How can I collect and process personal data from social media without valid consent to data processing?   

It is possible to collect and process personal data from social media without valid consent to data processing from the relevant people. The General Data Protection Regulation includes two different rules that allow processing of personal data from social media in research without obtaining prior consent to data processing: 

  • ‘Scientific research purposes’ as the legal basis for processing personal data, i.e. rules that make processing of ordinary and sensitive personal data in scientific studies lawful.  
  • The rule on published personal data when the data clearly has been published by the person himself or herself. This rule only applies to the processing of sensitive personal data, e.g. political opinions or data concerning health. To the extent that you also process ordinary personal data, e.g. name, age, etc., you can process this information according to the rule of performing a task in the public interest (Article 6 (1) (e) of the Data Protection Regulation). 

It is important to note that different social media may have laid down different terms and conditions for use of data. For example, it may be required to notify the members of the social medium in advance or to obtain prior consent before data is collected. The terms and conditions for use of data mean that collecting and processing personal data from the relevant social medium without meeting the terms and conditions will not be lawful.   


How can I research into published data?

It is possible to collect and process sensitive personal data without valid consent to data processing from the person if ‘processing relates to data which is manifestly made public by the data subject’ (Article 9(2) (e) of the General Data Protection Regulation). 

Note that this rule only applies if the person himself/herself has posted the data on the social medium. Regardless of whether personal data has been made public by the data subject himself/herself, the research project must be registered in the university’s internal record of processing activities, the basis for processing must be determined as Article 6(1)(e) (task in the public interest) and Article 9(2)(e) (personal data which has clearly been published by the data subject) of the Data Protection Regulation, and it must be necessary to process the personal data collected to realise the purpose of the research project.

‘Published’ personal data means that the relevant data is publicly available or is in a closed forum with a group of members/‘friends’ who are not actual friends. The size of the closed forum may also affect whether the information is deemed to have been published. It has not been formally decided when closed forums on social media are considered to be actually open. Given the lack of a formal decision, a ‘rule of thumb’ would be that closed forums with more than 200 members should be considered open. This means that personal data posted by a person in a closed forum with more than 200 members is generally considered to have been published by the person himself or herself.

However, remember to consider whether this conflicts with the principle of protection of private life in the European Convention on Human Rights. Private life means physical and mental integrity, the person's home, family and relationships as well as correspondence. Information about the person and this person’s circumstances is also covered by this protection. If the processing of personal data provides undue access to the private life of members in open forums, the processing of data could interfere with the protection of privacy. Such use of personal data may conflict with Article 8 of the European Convention on Human Rights if it reveals matters of a private or confidential nature, e.g. location, movement patterns, interaction with other people, affiliation with groups or communities, habits and preferences as well as health and lifestyle, which cannot be considered as in proportion to the research purpose (the principle of proportionality). 

Whether a forum on a social medium is closed or open must ultimately be assessed on a case-by-case basis. Forums requiring authorisation or approval of participants are generally considered closed. However, this will depend on the purpose of the forum, the people in the forum, the information, opinions, etc. being shared, and whether the participants have a reasonable expectation of confidentiality in the forum. 

The administration of a forum can also play a role: 

  • Who is the administrator of the forum? 
  • What are the requirements for becoming a member? 
  • Is the forum supervised? 
  • Can the administrator exclude people, delete information etc.?

There may be an expectation of confidentiality in a forum for people with a particular diagnosis or special interest, even though there are 200 or more participants.

The Terms of Use of the platform may also be important: 

  • How much access does the social medium have to forums? 
  • How much does it control content and dialogue? 
  • And can it delete content and members or close the forum? 

It will not be possible to process data on, and photos and videos of, ‘secondary persons’ according to the rule on personal data published by the person himself or herself. ‘Secondary persons’ includes people who are mentioned on social media without having posted the information on the social medium. 

As can be seen, using the legal basis for processing personal data which has clearly been published by the data subject can give rise to both doubt and uncertainty. Therefore, as a rule, it will be wiser to use scientific research purposes as the legal basis for processing personal data when collecting information on social media.


What are the rules for closed groups on Facebook if I have not obtained valid consent to data processing?    

In the case of closed groups, e.g. on Facebook, your access to personal data will require that you gain access to the information found in the closed group. 

Applying for membership of the group without clearly stating your intentions (‘pretending’) and using the membership to collect personal data in the closed group would conflict with the principles of fair data processing and, in particular, the requirement for transparent processing of personal data. 

Moreover, gaining access to data in closed groups without consent from the members conflicts with the principle of protection of private life in the European Convention on Human Rights, and this may be punishable under the rules on protection of private life in the Danish Criminal Code. 

Some closed groups will have regulations or similar rules regulating who can become members of the group and the authority of the administrator. If the administrator can give you access to data, this will be based on the rules in the regulations of the group.

Information duty when using data from social media

A fundamental principle is that processing of personal data must be ‘transparent’. As a general principle, data subjects must be able to predict and know what their personal data will be used for. 

In practice, this principle means that the data controller has an information duty towards the data subjects.

Different rules apply depending on whether you collect data directly from the person himself or herself, or whether you collect data about the person from others than the person himself or herself. When collecting data via a social medium, it is assumed that you are collecting data from others than the person himself or herself, i.e. indirect collection of personal data.

See more information on the information duty. 


FAQ on research scenarios with personal data from social media

1. What will I need to examine and consider when I start a new project with data from social media?

  • You will have to find out whether the social medium requires that the members (data subjects) be notified about the research project in advance.
  • You will have to find out whether the social medium requires consent from the members (data subjects) to use their data, or whether this concerns data from a closed group which always requires consent.
  • If the social medium does not require consent, you should consider whether to base your processing of personal data on consent or use ‘scientific research purpose’ as the legal basis for processing personal data.
  • You should consider how to comply with the information duty.


Social media as a data source

2. Is there a difference between using Facebook or Snapchat to collect research data?

  • There is no difference in relation to the data protection rules, but there may be differences in the rules set out by the various social media in their terms and conditions for use (Terms of Use/ToU or Terms of Service/ToS).
  • You can use social media to collect data if it is not inconsistent with the terms and conditions for use of the specific medium. The research project must have a specific purpose, and the project must be registered in the university's record. Consider whether the participants (data subjects) should give their consent in accordance with the platform’s terms and conditions. Read more about consent.
  • The research project must be lawful according to the General Data Protection Regulation and the Danish Data Protection Act (the data protection rules). This means that the personal data you collect must be necessary for the research project, and the project must be of importance to society.

3. If a user deletes his or her post on a social medium or edits the post, does a dataset containing this post have to be updated?

As a general rule, you must consider the principle in Article 5(1)(d) of the General Data Protection Regulation, stating that the personal data collected must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (‘accuracy’). This will often coincide with the research project's interest in having accurate data. However, the data subject is not entitled to obtain rectification of inaccurate data when your legal basis for processing is ‘scientific research purpose’. This follows from section 22(5) of the Danish Data Protection Act.

4. Who is responsible to the data subject according to the General Data Protection Regulation?

The research institution is the data controller according to the General Data Protection Regulation. In practice, the head of the research project is responsible for ensuring that processing of personal data in the project complies with the data protection rules.

5. Who is responsible for complying with the guidelines of the social medium (ToS/ToU)?

The research institution (AU) is. The head of the research project is responsible for ensuring that the institution complies with the requirements in the ToS/ToU.

6. Am I allowed to use personal data by following profiles from Instagram that are publicly available and visible to everyone?

Yes, you are, but you must ensure the following:

  • That you comply with the ToS from the relevant social medium.
  • That your research project has a specific purpose and is registered in the university’s record before harvesting data.
  • That you have a legal basis for processing in accordance with the data protection rules. Read about the bases for processing.
  • That you comply with the information duty according to the data protection rules. Read more about the information duty. See also questions 32 and 33.

7. Does the content of pictures affect how I should act, i.e. if the pictures contain people (and what if the pictures include more people than those we are primarily following (secondary persons)) or objects/places?

  • Pictures may be personal data, and in that case you must comply with the data protection rules.
  • If personal data is processed with valid consent to data processing from the participants (data subjects) in the research project, and the pictures include more people than those who have given their consent, valid consent to data processing must be obtained from all of the people in the picture before the pictures are processed.
  • It is possible to collect and process personal data without obtaining consent. However, you should be aware of the information duty.

See also questions 32 and 33.

8. I want to follow a closed online forum with many members (+ 200), but this requires access to the forum. When is a forum considered closed?

Forums requiring authorisation or approval of participants are generally considered closed. However, this should be based on a specific assessment, taking into account:

  • The purpose of the forum,
  • The people in the forum,
  • The information, opinions, etc. being shared, and
  • Whether the participants have a reasonable expectation of confidentiality in the forum. For example, there may be an expectation of confidentiality in a forum for people with a particular diagnosis or special interest, even though there are 200 or more participants.

The administration of the forum can also be included in the specific assessment:

  • Who is the administrator of the forum?
  • What are the requirements for becoming a member?
  • Can the administrator exclude people, delete information etc.?

The Terms of Use of the platform may also be important:

  • How much access does the social medium have to an individual forum?
  • How much do they control content and dialogue, and
  • Can they delete content and members or close a forum?

9. May I collect all posts from a specific user about (that mention) a specific person without his or her consent?

See the answer to question 6.

10. Can I use social media to get in touch with relevant research subjects (data subjects) by contacting them via the social medium?

Yes, unless this is prohibited by the ToS of the relevant social medium.

11. Do the same rules apply regardless of whether I use quotations (not anonymised) from social media from public figures and private persons?

The full question:

I want to follow public figures on social media and use their posts in my research. Do the same rules apply regardless of whether I use quotations (not anonymised) from social media from public figures (e.g. Donald Trump or someone who writes as part of their office – e.g. the rector writes about university development) and private individuals (e.g. students who comment on private opinions about university politics/activism, for example)? 

Answer:

Statements from public figures must be processed like all other personal data on social media. 

12. Can I assume that users of a social media platform comply with the conditions of the platform? For example, can I assume that a user on Facebook is 13 years old as required in Facebook’s Terms of Use?

The full question:

Can I assume that users of a social media platform comply with the conditions of the platform? For example, can I assume that a user on Facebook is 13 years old as required in Facebook’s Terms of Use, or do I have to make sure that the user complies with the conditions of the social medium in relation to age requirement?    

Answer:

No, the terms and conditions of social media do not exempt you from your liability according to the data protection rules and other obligations and rules.

13. Can I use social media to obtain consent?

Yes, there are no formal requirements for obtaining consent, but a number of conditions must be met in order for the consent to be valid.


The relationship between the GDPR and the terms of service (TOS)

14. Would it be inconsistent with the data protection rules and other legislation if I acted against the Terms of Service (ToS) of a social medium, if these ToS have more stringent restrictions on consent than the data protection rules, for example?

The full question: 

Would it be inconsistent with the data protection rules and other legislation if I acted against the Terms of Service (ToS) of a social medium, if these ToS have more stringent restrictions on consent than the data protection rules, for example? Is this something the data protection rules take into account apart from the platform being allowed to impose sanctions (e.g. exclusion from the platform)?    

Answer:

No, the data protection rules or other legislation do not take this into account. If the ToS provide more mandatory protection (for the benefit of the user) than the data protection regulations and other legislation, the relationship between users and the social medium is regulated solely by the ToS.

15. How can I follow the rules e.g. for information duty on social media when practices, designs and rules on these platforms are constantly being changed?

As a user of social media, you are obligated to follow their ToS. As the person responsible for a research project, you are responsible for continuously monitoring any changes to the ToS.

16. How do I check the age of my research subjects (data subjects) when I use social media to collect data or observe people, and what is my responsibility with regard to ensuring that users are 13 years old, for example?

You may collect personal data for research projects without obtaining consent from the people affected if your legal basis for processing personal data is ‘scientific research purposes’, and this is in accordance with the ToS/ToU of the platform in question. This also applies if you collect data on children. You always have to carry out a risk assessment and, if appropriate, an impact assessment before you collect data. The risk assessment must include whether data on children is collected from closed groups or is processed in such a way that the dataset can be disclosed to unauthorised people.

If data is collected with consent from the child or the holder of the parental responsibility, you must assess whether the child is mature enough to give consent. Normally, children over 15 years will be mature enough to give consent. Read more about the conditions for valid consent. The General Data Protection Regulation contains no specific age limit for consent to processing, but age has a significant influence on whether the consent is specific, informed and an unambiguous indication of the data subject’s wishes. As a responsible researcher, it must also be clear to you that consent has been given, and you must ensure documentation of the given consent.

17. What do I do if the data protection rules or national rules conflict with the guidelines of the social media platform?

If the rules conflict, you must refrain from using the social media concerned.


Territorial scope

18. What are my options if I want to use data collected from a social media platform domiciled outside the EU (i.e. outside the scope of the data protection rules)?

This is not important because the social medium is the source from which you obtain the information. Therefore, you must comply with all requirements in accordance with the data protection rules. The data protection rules apply when personal data is processed in Denmark or in another country within the EU/EEA, regardless of whether the people affected live or reside outside the EU/EEA.

19. Do I need to observe the data protection rules if I want to collect data from social media from users outside Denmark?

Yes, as a researcher in Denmark, you are covered by the data protection rules, regardless of where your research subjects (data subjects) are.

20. How should I act in relation to national legislation in the countries in which the research subjects (data subjects) are? Which rules should I follow?

As a researcher in Denmark, you must comply with the data protection rules and other national rules.


Publication and anonymisation

21. I want to publish data collected from social media, e.g. a Tweet or a TikTok video. What is required?

There is no standard for when information in an online post is no longer individually identifiable. Therefore, you must ensure anonymisation of the data. 

If you base your processing on ‘scientific research purposes’, you can apply to the Danish Data Protection Agency for authorisation to publish pseudonymised personal data.

It is very difficult to anonymise short videos. You can publish such videos by obtaining a data protection consent for the publication. Note that this will require that all your processing of personal data be based on consent.


Storing and sharing data

22. How can I store raw data collected from social media?

You must follow the same rules as for processing of other data. Read more about storing and classifying data. 

23. How can I store processed data from social media?

You must follow the same rules as for processing of other data. Read more about storing and classifying data.

24. Can I share data from social media with my AU colleagues who are not part of my research project?

You must follow the same rules as for processing of other data. Read more about the disclosure of personal data.

25. Can I share data with students?

Within a certain framework, you are allowed to share personal data with a student to be used in an assignment/a Master's thesis.

You may only share personal data from a research project with students in three situations:

  • If the personal data in question is anonymous. Personal data is considered anonymous when you have deleted the key that connects the individual person with the specific information. Usually, this does not happen until five years after the research project is completed.
  • If you have obtained consent from the participants of the project to use the personal data in connection with teaching.
  • If, as a supervisor, you confirm that a student will be processing the personal data for scientific/scholarly research. You must sign a form that confirms that the student is conducting a piece of scientific/scholarly work. Please contact TTO at tto@au.dk.

Other platforms

26. Can I use other platforms with better integration of social media which are GDPR compliant, but with which AU does not have a data processing agreement?

The social media platform is a source of data and not a data processor. Therefore, it is not necessary to have a data processing agreement.

If the social media platform is not to be used as a source, but rather as a tool, the platform will process the personal data to fulfil your purpose with the tools determined by you and according to your instructions. You are therefore obligated to enter into a data processing agreement covering the use.

27. I want to collect questions through a questionnaire on social media, because my target group is on Facebook and LinkedIn. Are there any problems in this?

If the social media platform is not to be used as a source, but rather as a tool, the platform will process the personal data to fulfil your purpose with the tools determined by you and according to your instructions. You are therefore obligated to enter into a data processing agreement covering the use.

28. Social media has led to a lot more statements being uttered in video clips and similar. How can I receive, process and store such data?

See the answer to question 6. 

You must store and process data from social media like all other data containing personal data. Read more about storing data.


Teaching

29. Can I share data collected from social media with students who need to use the data for a project?

If data collected from social media is processed on the basis of a consent that covers educational purposes, you can share data with students. The requirement for consent applies to all personal data.

30. If my students collect data from social media for use in their studies and exam assignments will they have to sign a data processing agreement, and how should they process the data?

Students do not have to enter into a data processing agreement with the university. The university only has to make a secure environment available. The requirements for processing personal data collected by a student on social media are the same as for other personal data.


Information duty when collecting personal data on social media

31. Do I need to notify a person (e.g. a member of a particular group on social media) that I am collecting social media data about this person? E.g. statements from the person, mentions by others, etc.

You must generally notify all research subjects (data subjects), including secondary persons, that you are collecting personal data about them. When collecting personal data indirectly, e.g. from social media, in some cases you need not meet your information duty.

32. Do I need to notify a public figure (e.g. a politician) that I am collecting social media data about him or her? E.g. news articles, mentions by others, etc.

You must generally notify all research subjects (data subjects), including secondary persons, that you are collecting personal data about them. When collecting personal data indirectly, e.g. from social media, in some cases you need not observe your information duty.

33. Should "secondary persons" (persons who are not the subject of the processing of personal data, but only play an ancillary role in connection with information about the data subject) be informed that information about them is being collected?

In most cases, it will not be necessary to carry out the duty to provide information directly to secondary persons. If you do not carry out the duty of disclosure directly, you must instead make the information publicly available, e.g. by publishing the information on the project website. 

Example: In a post in a Facebook group for dachshund owners, a member of the group mentions that her uncle, Peter, used to have a wire-haired dachshund. In this case, it is not necessary to search for the uncle to notify him about the processing of the personal data in your research project. However, you must make the information publicly available, e.g. on the project website.