July 24, 2018
- If you are new to the General Data Protection Regulation, you may want to review the text of the regulation to familiarize yourself with basic GDPR concepts and terminology: https://gdpr-info.eu/ Keep in mind that the scope of the GDPR is broader than U.S. privacy laws such as HIPAA.
- The names and website addresses of each country’s data protection authority are seen in Rows 1 and 2.
- General GDPR Guidance documents are listed in the appropriate row. If the information is not available in English, an online translation program can be helpful.
- The table lists guidances specific to Research, Legal Basis, Consent, and International Data Transfer. Country-level interpretations and procedures are likely to evolve over time, and data protection authorities may release new guidances.
European Union
Name of Data Protection Authority | European Data Protection Board |
---|---|
Website | https://edpb.europa.eu |
General Guidance | http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1360 |
Consent | http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051 |
Austria
Name of Data Protection Authority | Data Protection Authority |
---|---|
Website | http://www.dsb.gv.at/ |
Belgium
Name of Data Protection Authority | Data Protection Authority |
---|---|
Website | https://www.autoriteprotectiondonnees.be/ |
Legal Basis | https://www.autoriteprotectiondonnees.be/fondement-legal-pour-le-traitement-de-donnees-a-caractere-personnel |
Consent | https://www.autoriteprotectiondonnees.be/consentement |
International Data Transfer | https://www.autoriteprotectiondonnees.be/international-0 |
Bulgaria
Name of Data Protection Authority | Commission for Personal Data Protection |
---|---|
Website | https://www.cpdp.bg/ |
General Guidance | https://www.cpdp.bg/index.php?p=element&aid=1163 |
Research | https://www.cpdp.bg/en/index.php?p=element&aid=1162 |
Consent | https://www.cpdp.bg/en/index.php?p=element&aid=1162 |
Croatia
Name of Data Protection Authority | Personal Data Protection Agency |
---|---|
Website | http://www.azop.hr/ |
General Guidance | http://azop.hr/info-servis/detaljnije/opca-uredba-o-zastiti-podataka-gdpr |
Cyprus
Name of Data Protection Authority | Commissioner for Personal Data Protection |
---|---|
Website | http://www.dataprotection.gov.cy/ |
Czech Republic
Name of Data Protection Authority | Office for Personal Data Protection |
---|---|
Website | http://www.uoou.cz/ |
General Guidance | https://www.uoou.cz/gdpr-strucne/ds-4843/p1=4843 |
Denmark
Name of Data Protection Authority | Data Protection Agency |
---|---|
Website | http://www.datatilsynet.dk/ |
General Guidance | https://www.datatilsynet.dk/ |
Estonia
Name of Data Protection Authority | Data Protection Inspectorate |
---|---|
Website | http://www.aki.ee/ |
Research | http://www.aki.ee/sites/www.aki.ee/files/elfinder/article_files/When%20do%20I%20need%20permission%20for%20conducting%20scientific%20research.pdf |
International Data Transfer | http://www.aki.ee/en/guidelines/transfer-personal-data-foreign-country |
Finland
Name of Data Protection Authority | Office of the Data Protection Ombudsman |
---|---|
Website | http://www.tietosuoja.fi/en/ |
France
Name of Data Protection Authority | National Commission of Information Processing and Freedoms |
---|---|
Website | http://www.cnil.fr/ |
General Guidance | https://www.cnil.fr/fr/recherches-dans-le-domaine-de-la-sante-la-cnil-adopte-de-nouvelles-mesures-de-simplification |
Research | https://www.cnil.fr/fr/declaration/mr-001-recherches-dans-le-domaine-de-la-sante-avec-recueil-du-consentement |
Legal Basis | https://www.cnil.fr/fr/recherches-dans-le-domaine-de-la-sante-ce-qui-change-avec-les-nouvelles-methodologies-de-reference |
Consent | https://www.cnil.fr/fr/declaration/mr-001-recherches-dans-le-domaine-de-la-sante-avec-recueil-du-consentement |
International Data Transfer | https://www.cnil.fr/fr/declaration/mr-001-recherches-dans-le-domaine-de-la-sante-avec-recueil-du-consentement |
Germany
Name of Data Protection Authority | Federal Commissioner for Data Protection and Freedom of Information |
---|---|
Website | http://www.bfdi.bund.de/ |
General Guidance | https://www.bfdi.bund.de/DE/Datenschutz/DatenschutzGVO/Aktuelles/Aktuelles_Artikel/DSGVO_Kurzpapiere.html |
International Data Transfer | https://www.bfdi.bund.de/SharedDocs/Downloads/DE/Datenschutz/Kurzpapier_DatenschutzFolgeabschaetzung.pdf?__blob=publicationFile&v=2 |
Greece
Name of Data Protection Authority | Hellenic Data Protection Authority |
---|---|
Website | http://www.dpa.gr/ |
Hungary
Name of Data Protection Authority | National Authority for Data Protection and Freedom of Information |
---|---|
Website | http://www.naih.hu/ |
General Guidance | http://www.naih.hu/felkeszueles-az-adatvedelmi-rendelet-alkalmazasara.html |
Iceland
Name of Data Protection Authority | Data Protection Authority |
---|---|
Website | https://www.personuvernd.is/information-in-english/ |
General Guidance | https://www.personuvernd.is/ny-personuverndarloggjof-2018/ |
Ireland
Name of Data Protection Authority | Data Protection Commissioner |
---|---|
Website | http://www.dataprotection.ie/ |
General Guidance | http://gdprandyou.ie/ |
Legal Basis | http://gdprandyou.ie/gdpr-12-steps/#what-we-mean-when-we-talk-about-a-legal-basis |
Consent | http://gdprandyou.ie/gdpr-12-steps/#using-customer-consent-as-a-grounds-to-process-data |
International Data Transfer | https://www.dataprotection.ie/docs/Transfers-Abroad/y/37.htm |
Italy
Name of Data Protection Authority | Guarantor for the Protection of Personal Data |
---|---|
Website | http://www.garanteprivacy.it/ |
Legal Basis | https://www.garanteprivacy.it/home/doveri#2 |
Latvia
Name of Data Protection Authority | Data State Inspectorate |
---|---|
Website | http://www.dvi.gov.lv/ |
General Guidance | http://www.dvi.gov.lv/lv/ |
Liechtenstein
Name of Data Protection Authority | Data Protection Office |
---|---|
Website | https://www.llv.li/#/1758/datenschutzstelle |
Lithuania
Name of Data Protection Authority | State Data Protection Inspectorate |
---|---|
Website | http://www.ada.lt/ |
Luxembourg
Name of Data Protection Authority | National Commission for Data Protection |
---|---|
Website | http://www.cnpd.lu/ |
General Guidance | https://cnpd.public.lu/fr/dossiers-thematiques/Reglement-general-sur-la-protection-des-donnees/responsabilite-accrue-des-responsables-du-traitement/guide-preparation-rgpd.html |
Malta
Name of Data Protection Authority | Office of the Information and Data Protection Commissioner |
---|---|
Website | http://www.idpc.org.mt/ |
General Guidance | https://idpc.org.mt/en/Pages/gdpr.aspx |
Netherlands
Name of Data Protection Authority | Personal Data Authority |
---|---|
Website | https://autoriteitpersoonsgegevens.nl/nl |
General Guidance | https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/avg-europese-privacywetgeving |
Name of Data Protection Authority | Central Committee on Research Involving Human Subjects |
---|---|
Website | http://www.ccmo.nl |
Research | http://www.ccmo.nl/en/algemene-verordening-gegevensbescherming?5ad0a79c-a970-44d7-8c78-6de7c35ff8ba |
Consent | http://www.ccmo.nl/nl/nieuwsarchief/aanpassingen-pif-vanwege-nieuwe-europese-privacywetgeving |
Norway
Name of Data Protection Authority | Data Protection Authority |
---|---|
Website | https://www.datatilsynet.no/en/ |
Poland
Name of Data Protection Authority | Personal Data Protection Office |
---|---|
Website | https://uodo.gov.pl/ |
Portugal
Name of Data Protection Authority | National Commission for Data Protection |
---|---|
Website | https://www.cnpd.pt/ |
General Guidance | https://www.cnpd.pt/bin/rgpd/rgpd.htm |
Legal Basis | https://www.cnpd.pt/bin/faqs/faqs.htm |
Romania
Name of Data Protection Authority | National Supervisory Authority for Personal Data Processing |
---|---|
Website | http://www.dataprotection.ro/ |
General Guidance | http://www.dataprotection.ro/?page=Regulamentul_nr_679_2016 |
Slovakia
Name of Data Protection Authority | Office for Personal Data Protection |
---|---|
Website | http://www.dataprotection.gov.sk/ |
General Guidance | https://dataprotection.gov.sk/uoou/sk/main-content/nariadenie-gdpr |
Slovenia
Name of Data Protection Authority | Information Commissioner |
---|---|
Website | https://www.ip-rs.si/ |
General Guidance | https://www.ip-rs.si/varstvo-osebnih-podatkov/projekti/rapidsi/ |
Spain
Name of Data Protection Authority | Agency for Data Protection |
---|---|
Website | https://www.agpd.es/ |
General Guidance | https://www.servicios.agpd.es/AGPD/view/form/MDAwMDAwMDAwMDAwMDE3NjUwNzcxNTMyNDU2MTM5ODQ2?updated=true |
Name of Data Protection Authority | Department of Medications for Human Use |
---|---|
Website | https://www.aemps.gob.es/ |
Research | https://www.aemps.gob.es/investigacionClinica/medicamentos/docs/anexo8c-Ins-AEMPS-EC.pdf |
Consent | https://www.aemps.gob.es/investigacionClinica/medicamentos/docs/anexo8c-Ins-AEMPS-EC.pdf |
International Data Transfer | https://www.aemps.gob.es/investigacionClinica/medicamentos/docs/anexo8c-Ins-AEMPS-EC.pdf |
Sweden
Name of Data Protection Authority | Data Inspection Board |
---|---|
Website | http://www.datainspektionen.se/ |
General Guidance | https://www.datainspektionen.se/lagar--regler/dataskyddsforordningen/ |
International Data Transfer | https://www.datainspektionen.se/lagar--regler/dataskyddsforordningen/tredjelandsoverforing/ |
United Kingdom (Data Protection Act of 2018)
Name of Data Protection Authority | Information Commissioner’s Office |
---|---|
Website | https://ico.org.uk |
General Guidance | https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ |
Legal Basis | Legitimate Interests: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/ |
Consent | https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/ |
International Data Transfer | https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/ |
Name of Data Protection Authority | NHS Health Research Authority |
---|---|
Website | https://www.hra.nhs.uk |
Legal Basis | https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/what-law-says/consent-research/ |
Consent | https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/what-law-says/consent-research/ |
Disclaimer: Though this Compilation contains information of a legal nature, it has been developed for informational purposes only and does not constitute legal advice or opinions as to the current operative guidelines of any jurisdiction. In addition, because new guidelines are issued on a continuing basis, this Compilation is not an exhaustive source of all current applicable guidelines relating to the General Data Protection Regulation. While reasonable efforts have been made to assure the accuracy and completeness of the information provided, researchers and other individuals should check with local authorities and/or research ethics committees before starting research activities.