Citizen-science is a rapidly expanding approach to knowledge production that increasingly involves the collection of personal data in various forms. This processing of personal data invokes relevant data protection laws and, specifically, the designation of data controller, the person(s) or organisation(a) who determine if and how personal data is to be processed and hence are charged with the legal responsibility for compliance with the General Data Protection Regulation (GDPR). Traditionally, in the context of research, professional researchers would be designated controllers, and research participants whose data was processed would be “data subjects” and hence enjoy the GDPR's protections. Yet, citizen-scientists adopt a dual role, acting both as participants and as researchers. This paper maps the implications this dual role has from the perspective of data protection law and research ethics. We explain how the data protection concept of controller has been interpreted very broadly. As a result, in their dual role, citizen scientists can be both data subjects entitled to protection and data controllers, sometimes of their own data, tasked with data protection compliance obligations. If citizen scientists share the objectives of research projects they participate in or co-shape those objectives, it is likely that they – together with the professional researchers - will be considered controllers, and held responsible for the processing of personal data in compliance with the GDPR. The paper discusses how this can affect both the quality of protections provided to participants (including participant-researchers), thus undermining the fundamental goal of research ethics, generally, as well as the practice of citizen science itself. We analyse this question of citizen scientists as data controllers as both a matter of law and research ethics. We conclude with policy recommendations that can be applied both on the level of data protection law (to reconsider how the role of controller is assigned) and research ethics guidelines that should take a nuanced approach to the circumstances of assignment of the status of data controller in citizen science projects as an important step toward responsible and ethical participatory research.

公民科学是一种快速扩展的知识生产方法，越来越多地涉及各种形式的个人数据收集。这种个人数据的处理援引了相关的数据保护法，特别是数据控制者的指定，即决定是否以及如何处理个人数据的个人或组织，并因此承担法律责任遵守通用数据保护条例 (GDPR)。传统上，在研究背景下，专业研究人员将被指定为控制者，而数据被处理的研究参与者将成为“数据主体”，因此享有 GDPR 的保护。然而，公民科学家扮演着双重角色，既充当参与者又充当研究人员。本文从数据保护法和研究伦理的角度描绘了这种双重角色的影响。我们解释了如何广泛地解释控制器的数据保护概念。因此，在双重角色中，公民科学家既可以是有权受到保护的数据主体，也可以是数据控制者，有时是他们自己的数据，并承担数据保护合规义务。如果公民科学家分享他们参与的研究项目的目标或共同制定这些目标，那么他们与专业研究人员一起很可能被视为控制者，并负责根据 GDPR 处理个人数据。本文讨论了这如何影响为参与者（包括参与研究人员）提供的保护质量，从而损害总体研究伦理的基本目标以及公民科学本身的实践。我们将公民科学家作为数据控制者的问题作为法律和研究道德问题进行分析。最后，我们提出了政策建议，这些建议既可以应用于数据保护法层面（重新考虑如何分配控制者的角色），也可以应用于研究道德准则，这些准则应该对数据控制者地位的分配情况采取细致入微的方法。公民科学项目是迈向负责任和有道德的参与性研究的重要一步。