Compilation of Guidances on the EU General Data Protection Regulation

July 24, 2018

  1. If you are new to the General Data Protection Regulation, you may want to review the text of the regulation to familiarize yourself with basic GDPR concepts and terminology:  Keep in mind that the scope of the GDPR is broader than U.S. privacy laws such as HIPAA.
  2. The names and website addresses of each country’s data protection authority are seen in Columns B and C.
  3. General GDPR Guidance documents are listed in Column D. If the information is not available in English, an online translation program can be helpful.
  4. The table lists guidances specific to Research (Column E), Legal Basis (Column F), Consent (Column G), and International Data Transfer (Column H). Country-level interpretations and procedures are likely to evolve over time, and data protection authorities may release new guidances.
Country Name of Data Protection Authority Website General Guidance Research Legal Basis Consent International Data Transfer
European Union European Data Protection Board  
Austria Data Protection Authority          
Belgium Data Protection Authority
Bulgaria Commission for Personal Data Protection  
Croatia Personal Data Protection Agency        
Cyprus Commissioner for Personal Data Protection          
Czech Republic Office for Personal Data Protection        
Denmark Data Protection Agency        
Estonia Data Protection Inspectorate
Finland Office of the Data Protection Ombudsman          
France National Commission of Information Processing and Freedoms and
Germany Federal Commissioner for Data Protection and Freedom of Information
Greece Hellenic Data Protection Authority          
Hungary National Authority for Data Protection and Freedom of Information        
Iceland Data Protection Authority        
Ireland Data Protection Commissioner
Italy Guarantor for the Protection of Personal Data    
Latvia Data State Inspectorate        
Liechten-stein Data Protection Office          
Lithuania State Data Protection Inspectorate          
Luxem-bourg National Commission for Data Protection        
Malta Office of the Information and Data Protection Commissioner        
Nether-lands Personal Data Authority        
Nether-lands Central Committee on Research Involving Human Subjects  
Norway Data Protection Authority          
Poland Personal Data Protection Office          
Portugal National Commission for Data Protection    
Romania National Supervisory Authority for Personal Data Processing        
Slovakia Office for Personal Data Protection        
Slovenia Information Commissioner        
Spain Agency for Data Protection        
Spain Department of Medications for Human Use
Sweden Data Inspection Board
United Kingdom (Data Protection Act of 2018) Information Commissioner’s Office   Legitimate Interests:
United Kingdom (Data Protection Act of 2018) NHS Health Research Authority  


Disclaimer: Though this Compilation contains information of a legal nature, it has been developed for informational purposes only and does not constitute legal advice or opinions as to the current operative guidelines of any jurisdiction. In addition, because new guidelines are issued on a continuing basis, this Compilation is not an exhaustive source of all current applicable guidelines relating to the General Data Protection Regulation. While reasonable efforts have been made to assure the accuracy and completeness of the information provided, researchers and other individuals should check with local authorities and/or research ethics committees before starting research activities.

Content created by Office for Human Research Protections (OHRP)
Content last reviewed