Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

HHS.gov
  • About HHS
  • Programs & Services
  • Grants & Contracts
  • Laws & Regulations
  • About OHRP
  • Regulations, Policy & Guidance
  • Education & Outreach
  • Compliance & Reporting
  • News & Events
  • Register IRBs & Obtain FWAs
  • SACHRP Committee
  • International

Breadcrumb

  1. HHS
  2. OHRP
  3. International
  4. Compilation of European GDPR Guidances
  5. Compilation of Guidances on the EU General Data Protection Direct
  • International Compilation of Human Research Standards
  • Spanish Translation: Pre-2018 Common Rule
  • Ethical Codes & Research Standards
  • Equivalent Protections

Compilation of Guidances on the EU General Data Protection Regulation

July 24, 2018

  1. If you are new to the General Data Protection Regulation, you may want to review the text of the regulation to familiarize yourself with basic GDPR concepts and terminology: https://gdpr-info.eu/  Keep in mind that the scope of the GDPR is broader than U.S. privacy laws such as HIPAA.
  2. The names and website addresses of each country’s data protection authority are seen in Rows 1 an 2.
  3. General GDPR Guidance documents are listed in appropriate row. If the information is not available in English, an online translation program can be helpful.
  4. The table lists guidances specific to Research, Legal Basis, Consent, and International Data Transfer. Country-level interpretations and procedures are likely to evolve over time, and data protection authorities may release new guidances.

Name of Data Protection Authority European Data Protection Board
Website https://edpb.europa.eu
General Guidance http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1360
Consent http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051

Name of Data Protection Authority Data Protection Authority
Website http://www.dsb.gv.at/

Name of Data Protection Authority Data Protection Authority
Website https://www.autoriteprotectiondonnees.be/
Legal Basis https://www.autoriteprotectiondonnees.be/fondement-legal-pour-le-traitement-de-donnees-a-caractere-personnel
Consent https://www.autoriteprotectiondonnees.be/consentement
International Data Transfer https://www.autoriteprotectiondonnees.be/international-0

Name of Data Protection Authority Commission for Personal Data Protection
Website https://www.cpdp.bg/
General Guidance https://www.cpdp.bg/index.php?p=element&aid=1163
Research https://www.cpdp.bg/en/index.php?p=element&aid=1162
Consent https://www.cpdp.bg/en/index.php?p=element&aid=1162

Name of Data Protection Authority Personal Data Protection Agency
Website http://www.azop.hr/
General Guidance http://azop.hr/info-servis/detaljnije/opca-uredba-o-zastiti-podataka-gdpr

Name of Data Protection Authority Commissioner for Personal Data Protection
Website http://www.dataprotection.gov.cy/

Name of Data Protection Authority Office for Personal Data Protection
Website http://www.uoou.cz/
General Guidance https://www.uoou.cz/gdpr-strucne/ds-4843/p1=4843

Name of Data Protection Authority Data Protection Agency
Website http://www.datatilsynet.dk/
General Guidance https://www.datatilsynet.dk/

Name of Data Protection Authority Data Protection Inspectorate
Website http://www.aki.ee/
Research http://www.aki.ee/sites/www.aki.ee/files/elfinder/article_files/When%20do%20I%20need%20permission%20for%20conducting%20scientific%20research.pdf
International Data Transfer http://www.aki.ee/en/guidelines/transfer-personal-data-foreign-country

Name of Data Protection Authority Office of the Data Protection Ombudsman
Website http://www.tietosuoja.fi/en/

Name of Data Protection Authority National Commission of Information Processing and Freedoms
Website http://www.cnil.fr/
General Guidance https://www.cnil.fr/fr/recherches-dans-le-domaine-de-la-sante-la-cnil-adopte-de-nouvelles-mesures-de-simplification
Research https://www.cnil.fr/fr/declaration/mr-001-recherches-dans-le-domaine-de-la-sante-avec-recueil-du-consentement
Legal Basis https://www.cnil.fr/fr/recherches-dans-le-domaine-de-la-sante-ce-qui-change-avec-les-nouvelles-methodologies-de-reference
Consent https://www.cnil.fr/fr/declaration/mr-001-recherches-dans-le-domaine-de-la-sante-avec-recueil-du-consentement
International Data Transfer https://www.cnil.fr/fr/declaration/mr-001-recherches-dans-le-domaine-de-la-sante-avec-recueil-du-consentement

Name of Data Protection Authority Federal Commissioner for Data Protection and Freedom of Information
Website http://www.bfdi.bund.de/ 
General Guidance https://www.bfdi.bund.de/DE/Datenschutz/DatenschutzGVO/Aktuelles/Aktuelles_Artikel/DSGVO_Kurzpapiere.html
International Data Transfer https://www.bfdi.bund.de/SharedDocs/Downloads/DE/Datenschutz/Kurzpapier_DatenschutzFolgeabschaetzung.pdf?__blob=publicationFile&v=2

Name of Data Protection Authority Hellenic Data Protection Authority
Website http://www.dpa.gr/

Name of Data Protection Authority National Authority for Data Protection and Freedom of Information
Website http://www.naih.hu/
General Guidance http://www.naih.hu/felkeszueles-az-adatvedelmi-rendelet-alkalmazasara.html

Name of Data Protection Authority Data Protection Authority
Website https://www.personuvernd.is/information-in-english/
General Guidance https://www.personuvernd.is/ny-personuverndarloggjof-2018/

Name of Data Protection Authority Data Protection Commissioner
Website http://www.dataprotection.ie/
General Guidance http://gdprandyou.ie/
Legal Basis http://gdprandyou.ie/gdpr-12-steps/#what-we-mean-when-we-talk-about-a-legal-basis
Consent http://gdprandyou.ie/gdpr-12-steps/#using-customer-consent-as-a-grounds-to-process-data
International Data Transfer https://www.dataprotection.ie/docs/Transfers-Abroad/y/37.htm

Name of Data Protection Authority Guarantor for the Protection of Personal Data
Website http://www.garanteprivacy.it/
Legal Basis https://www.garanteprivacy.it/home/doveri#2

Name of Data Protection Authority Data State Inspectorate
Website http://www.dvi.gov.lv/
General Guidance http://www.dvi.gov.lv/lv/

Name of Data Protection Authority Data Protection Office
Website https://www.llv.li/#/1758/datenschutzstelle

 

Name of Data Protection Authority State Data Protection Inspectorate
Website http://www.ada.lt/

 

Name of Data Protection Authority National Commission for Data Protection
Website http://www.cnpd.lu/
General Guidance https://cnpd.public.lu/fr/dossiers-thematiques/Reglement-general-sur-la-protection-des-donnees/responsabilite-accrue-des-responsables-du-traitement/guide-preparation-rgpd.html

Name of Data Protection Authority Office of the Information and Data Protection Commissioner
Website http://www.idpc.org.mt/
General Guidance https://idpc.org.mt/en/Pages/gdpr.aspx

 

Name of Data Protection Authority Personal Data Authority
Website https://autoriteitpersoonsgegevens.nl/nl
General Guidance https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/avg-europese-privacywetgeving
Name of Data Protection Authority Central Committee on Research Involving Human Subjects
Website http://www.ccmo.nl
Research http://www.ccmo.nl/en/algemene-verordening-gegevensbescherming?5ad0a79c-a970-44d7-8c78-6de7c35ff8ba
Consent http://www.ccmo.nl/nl/nieuwsarchief/aanpassingen-pif-vanwege-nieuwe-europese-privacywetgeving

Name of Data Protection Authority Data Protection Authority
Website https://www.datatilsynet.no/en/

Name of Data Protection Authority Personal Data Protection Office
Website https://uodo.gov.pl/

Name of Data Protection Authority National Commission for Data Protection
Website https://www.cnpd.pt/
General Guidance https://www.cnpd.pt/bin/rgpd/rgpd.htm
Legal Basis https://www.cnpd.pt/bin/faqs/faqs.htm

Name of Data Protection Authority National Supervisory Authority for Personal Data Processing
Website http://www.dataprotection.ro/
General Guidance http://www.dataprotection.ro/?page=Regulamentul_nr_679_2016

Name of Data Protection Authority Office for Personal Data Protection
Website http://www.dataprotection.gov.sk/
General Guidance https://dataprotection.gov.sk/uoou/sk/main-content/nariadenie-gdpr

Name of Data Protection Authority Information Commissioner
Website https://www.ip-rs.si/
General Guidance https://www.ip-rs.si/varstvo-osebnih-podatkov/projekti/rapidsi/

Name of Data Protection Authority Agency for Data Protection
Website https://www.agpd.es/
General Guidance https://www.servicios.agpd.es/AGPD/view/form/MDAwMDAwMDAwMDAwMDE3NjUwNzcxNTMyNDU2MTM5ODQ2?updated=true
Name of Data Protection Authority Department of Medications for Human Use
Website https://www.aemps.gob.es/
Research https://www.aemps.gob.es/investigacionClinica/medicamentos/docs/anexo8c-Ins-AEMPS-EC.pdf
Consent https://www.aemps.gob.es/investigacionClinica/medicamentos/docs/anexo8c-Ins-AEMPS-EC.pdf
International Data Transfer https://www.aemps.gob.es/investigacionClinica/medicamentos/docs/anexo8c-Ins-AEMPS-EC.pdf

Name of Data Protection Authority Data Inspection Board
Website http://www.datainspektionen.se/
General Guidance https://www.datainspektionen.se/lagar--regler/dataskyddsforordningen/
International Data Transfer https://www.datainspektionen.se/lagar--regler/dataskyddsforordningen/tredjelandsoverforing/

Name of Data Protection Authority Information Commissioner’s Office
Website https://ico.org.uk
General Guidance https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Legal Basis Legitimate Interests: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/
Consent https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/
International Data Transfer https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/
Name of Data Protection Authority NHS Health Research Authority
Website https://www.hra.nhs.uk
Legal Basis https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/what-law-says/consent-research/
Consent https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/what-law-says/consent-research/

Disclaimer: Though this Compilation contains information of a legal nature, it has been developed for informational purposes only and does not constitute legal advice or opinions as to the current operative guidelines of any jurisdiction. In addition, because new guidelines are issued on a continuing basis, this Compilation is not an exhaustive source of all current applicable guidelines relating to the General Data Protection Regulation. While reasonable efforts have been made to assure the accuracy and completeness of the information provided, researchers and other individuals should check with local authorities and/or research ethics committees before starting research activities.

Content created by Office for Human Research Protections (OHRP)
Content last reviewed August 2, 2018
Back to top
  • Contact HHS
  • Careers
  • HHS FAQs
  • Nondiscrimination Notice
  • HHS Archive
  • Accessibility
  • Privacy Policy
  • Viewers & Players
  • Budget/Performance
  • Inspector General
  • Web Site Disclaimers
  • EEO/No Fear Act
  • FOIA
  • The White House
  • USA.gov
  • Vulnerability Disclosure Policy

Sign Up for Email Updates

Receive the latest updates from the Secretary, Blogs, and News Releases.

Sign Up
HHS Logo

HHS Headquarters

200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free Call Center: 1-877-696-6775​