Dear all,
Frequently my colleagues and myself receive invitations to review articles submitted to journals or conferences. Very often, corresponding editors create an account for us in a certain submission system to foster the review process.
However, the editor needs to enter my personal data into these submission systems, most often my email address, name, and maybe also information about my personal expertise, or conflict of interests.
According to my experience, some editors do not ask in advance whether I’m confident with submitting these personal data into a submission system (maybe some system I’ve never heard about). I have then no idea about how the system processes my data. I’m wondering whether creating an account by using my personal data without my active consent (i.e., permission or instruction to do so) actually violates the GDPR requirements?
While I highly acknowledge that a thorough review process is fundamental for the scientific community, I have some concerns regarding the practice of using my personal data without permission. If my assumptions are correct (at least to a certain degree) than editors should be more cautious because creating accounts without permission can then fire back to them.
Do you have any thoughts on this issue? Maybe some legal experts can comment on, or substantiate or reject my assumptions.
All the best
Sebastian
One of the main principles of the GDPR is that persons should be informed which personal data are stored. Another is that it must be possible to request the deletion of the data. Finally, the storage of data must be safe so that other persons cannot access without permission. To invite you as reviewer, the editors have to know a minimum of your data, and they will store these in their computer. Whether this is in a database or in a file is not of relevance concerning GDPR requirements, I think. The database may have the advantage that you can easily check which data were stored. I am not a legal expert, but from my knowledge of the GDPR I would say that it is not violated in this case.
As an editor, I can tell that we have had many discussions on this topic and did not come to a conclusion that is fully backed up by legal regulations. Our journal submission system (we use OJS) requires us to create a new account for a reviewer, if we want to invite them. The account persists, even if they decline this review invitation. The reviewer can ask us to delete the account which we will do.
We have decided to proceed like this with the reasoning, that we use only published professional contact data (work e-mail address from potential reviewer) which we get from either their current institutional website or from previous publications they have been corresponding author on. We assume, that this contact data has been published with consent of the respective scientist to be contacted for professional reasons. A review invitation is such a professional reason.
On another note, if I write a simple e-mail outside the submission system to ask for permission, the personal data of said reviewer is also stored on my computer.
Sebastian Lins Technically (I also am not a lawyer), when creating an account on behalf of an other, the one creating the account must be entitled to act on behalf of the other, and some situations evidence of this entitlement would be required. Relying on the fact that the data is in a public profile to justify the creation of the account before receiving permission is shaky ground. Surely, creating the account could be done after the potential reviewer has responded to a request to participate, preferably by reviewers themselves, but possible by the editors if the request to reviewers made that option clear.
The UK ICO provides significant background on the GDPR and ‘commissioned data processing.’ This link is their interactive tool that shows users the depth of the questions that need to be resolved:
https://ico.org.uk/for-organisations/gdpr-resources/lawful-basis-interactive-guidance-tool/
And:
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
Cheers,
Leo
- Badges
- Science topic
- Similar topics
- Correction