Compilation of Guidances on the EU General Data Protection Direct

July 24, 2018

If you are new to the General Data Protection Regulation, you may want to review the text of the regulation to familiarize yourself with basic GDPR concepts and terminology: https://gdpr-info.eu/ Keep in mind that the scope of the GDPR is broader than U.S. privacy laws such as HIPAA.
The names and website addresses of each country’s data protection authority are seen in Rows 1 an 2.
General GDPR Guidance documents are listed in appropriate row. If the information is not available in English, an online translation program can be helpful.
The table lists guidances specific to Research, Legal Basis, Consent, and International Data Transfer. Country-level interpretations and procedures are likely to evolve over time, and data protection authorities may release new guidances.

Name of Data Protection Authority	European Data Protection Board
Website	https://edpb.europa.eu
General Guidance	http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1360
Consent	http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051

Name of Data Protection Authority	Data Protection Authority
Website	http://www.dsb.gv.at/

Name of Data Protection Authority	Data Protection Authority
Website	https://www.autoriteprotectiondonnees.be/
Legal Basis	https://www.autoriteprotectiondonnees.be/fondement-legal-pour-le-traitement-de-donnees-a-caractere-personnel
Consent	https://www.autoriteprotectiondonnees.be/consentement
International Data Transfer	https://www.autoriteprotectiondonnees.be/international-0

Name of Data Protection Authority	Commission for Personal Data Protection
Website	https://www.cpdp.bg/
General Guidance	https://www.cpdp.bg/index.php?p=element&aid=1163
Research	https://www.cpdp.bg/en/index.php?p=element&aid=1162
Consent	https://www.cpdp.bg/en/index.php?p=element&aid=1162

Name of Data Protection Authority	Personal Data Protection Agency
Website	http://www.azop.hr/
General Guidance	http://azop.hr/info-servis/detaljnije/opca-uredba-o-zastiti-podataka-gdpr

Name of Data Protection Authority	Commissioner for Personal Data Protection
Website	http://www.dataprotection.gov.cy/

Name of Data Protection Authority	Office for Personal Data Protection
Website	http://www.uoou.cz/
General Guidance	https://www.uoou.cz/gdpr-strucne/ds-4843/p1=4843

Name of Data Protection Authority	Data Protection Agency
Website	http://www.datatilsynet.dk/
General Guidance	https://www.datatilsynet.dk/

Name of Data Protection Authority	Data Protection Inspectorate
Website	http://www.aki.ee/
Research	http://www.aki.ee/sites/www.aki.ee/files/elfinder/article_files/When%20do%20I%20need%20permission%20for%20conducting%20scientific%20research.pdf
International Data Transfer	http://www.aki.ee/en/guidelines/transfer-personal-data-foreign-country

Name of Data Protection Authority	Office of the Data Protection Ombudsman
Website	http://www.tietosuoja.fi/en/

Name of Data Protection Authority	National Commission of Information Processing and Freedoms
Website	http://www.cnil.fr/
General Guidance	https://www.cnil.fr/fr/recherches-dans-le-domaine-de-la-sante-la-cnil-adopte-de-nouvelles-mesures-de-simplification
Research	https://www.cnil.fr/fr/declaration/mr-001-recherches-dans-le-domaine-de-la-sante-avec-recueil-du-consentement
Legal Basis	https://www.cnil.fr/fr/recherches-dans-le-domaine-de-la-sante-ce-qui-change-avec-les-nouvelles-methodologies-de-reference
Consent	https://www.cnil.fr/fr/declaration/mr-001-recherches-dans-le-domaine-de-la-sante-avec-recueil-du-consentement
International Data Transfer	https://www.cnil.fr/fr/declaration/mr-001-recherches-dans-le-domaine-de-la-sante-avec-recueil-du-consentement

Name of Data Protection Authority	Federal Commissioner for Data Protection and Freedom of Information
Website	http://www.bfdi.bund.de/
General Guidance	https://www.bfdi.bund.de/DE/Datenschutz/DatenschutzGVO/Aktuelles/Aktuelles_Artikel/DSGVO_Kurzpapiere.html
International Data Transfer	https://www.bfdi.bund.de/SharedDocs/Downloads/DE/Datenschutz/Kurzpapier_DatenschutzFolgeabschaetzung.pdf?__blob=publicationFile&v=2

Name of Data Protection Authority	Hellenic Data Protection Authority
Website	http://www.dpa.gr/

Name of Data Protection Authority	National Authority for Data Protection and Freedom of Information
Website	http://www.naih.hu/
General Guidance	http://www.naih.hu/felkeszueles-az-adatvedelmi-rendelet-alkalmazasara.html

Name of Data Protection Authority	Data Protection Authority
Website	https://www.personuvernd.is/information-in-english/
General Guidance	https://www.personuvernd.is/ny-personuverndarloggjof-2018/

Name of Data Protection Authority	Data Protection Commissioner
Website	http://www.dataprotection.ie/
General Guidance	http://gdprandyou.ie/
Legal Basis	http://gdprandyou.ie/gdpr-12-steps/#what-we-mean-when-we-talk-about-a-legal-basis
Consent	http://gdprandyou.ie/gdpr-12-steps/#using-customer-consent-as-a-grounds-to-process-data
International Data Transfer	https://www.dataprotection.ie/docs/Transfers-Abroad/y/37.htm

Name of Data Protection Authority	Guarantor for the Protection of Personal Data
Website	http://www.garanteprivacy.it/
Legal Basis	https://www.garanteprivacy.it/home/doveri#2

Name of Data Protection Authority	Data State Inspectorate
Website	http://www.dvi.gov.lv/
General Guidance	http://www.dvi.gov.lv/lv/

Name of Data Protection Authority	Data Protection Office
Website	https://www.llv.li/#/1758/datenschutzstelle

Name of Data Protection Authority	State Data Protection Inspectorate
Website	http://www.ada.lt/

Name of Data Protection Authority	National Commission for Data Protection
Website	http://www.cnpd.lu/
General Guidance	https://cnpd.public.lu/fr/dossiers-thematiques/Reglement-general-sur-la-protection-des-donnees/responsabilite-accrue-des-responsables-du-traitement/guide-preparation-rgpd.html

Name of Data Protection Authority	Office of the Information and Data Protection Commissioner
Website	http://www.idpc.org.mt/
General Guidance	https://idpc.org.mt/en/Pages/gdpr.aspx

Name of Data Protection Authority	Personal Data Authority
Website	https://autoriteitpersoonsgegevens.nl/nl
General Guidance	https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/avg-europese-privacywetgeving

Name of Data Protection Authority	Central Committee on Research Involving Human Subjects
Website	http://www.ccmo.nl
Research	http://www.ccmo.nl/en/algemene-verordening-gegevensbescherming?5ad0a79c-a970-44d7-8c78-6de7c35ff8ba
Consent	http://www.ccmo.nl/nl/nieuwsarchief/aanpassingen-pif-vanwege-nieuwe-europese-privacywetgeving

Name of Data Protection Authority	Data Protection Authority
Website	https://www.datatilsynet.no/en/

Name of Data Protection Authority	Personal Data Protection Office
Website	https://uodo.gov.pl/

Name of Data Protection Authority	National Commission for Data Protection
Website	https://www.cnpd.pt/
General Guidance	https://www.cnpd.pt/bin/rgpd/rgpd.htm
Legal Basis	https://www.cnpd.pt/bin/faqs/faqs.htm

Name of Data Protection Authority	National Supervisory Authority for Personal Data Processing
Website	http://www.dataprotection.ro/
General Guidance	http://www.dataprotection.ro/?page=Regulamentul_nr_679_2016

Name of Data Protection Authority	Office for Personal Data Protection
Website	http://www.dataprotection.gov.sk/
General Guidance	https://dataprotection.gov.sk/uoou/sk/main-content/nariadenie-gdpr

Name of Data Protection Authority	Information Commissioner
Website	https://www.ip-rs.si/
General Guidance	https://www.ip-rs.si/varstvo-osebnih-podatkov/projekti/rapidsi/

Name of Data Protection Authority	Agency for Data Protection
Website	https://www.agpd.es/
General Guidance	https://www.servicios.agpd.es/AGPD/view/form/MDAwMDAwMDAwMDAwMDE3NjUwNzcxNTMyNDU2MTM5ODQ2?updated=true

Name of Data Protection Authority	Department of Medications for Human Use
Website	https://www.aemps.gob.es/
Research	https://www.aemps.gob.es/investigacionClinica/medicamentos/docs/anexo8c-Ins-AEMPS-EC.pdf
Consent	https://www.aemps.gob.es/investigacionClinica/medicamentos/docs/anexo8c-Ins-AEMPS-EC.pdf
International Data Transfer	https://www.aemps.gob.es/investigacionClinica/medicamentos/docs/anexo8c-Ins-AEMPS-EC.pdf

Name of Data Protection Authority	Data Inspection Board
Website	http://www.datainspektionen.se/
General Guidance	https://www.datainspektionen.se/lagar--regler/dataskyddsforordningen/
International Data Transfer	https://www.datainspektionen.se/lagar--regler/dataskyddsforordningen/tredjelandsoverforing/

Name of Data Protection Authority	Information Commissioner’s Office
Website	https://ico.org.uk
General Guidance	https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Legal Basis	Legitimate Interests: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/
Consent	https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/
International Data Transfer	https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/

Name of Data Protection Authority	NHS Health Research Authority
Website	https://www.hra.nhs.uk
Legal Basis	https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/what-law-says/consent-research/
Consent	https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/what-law-says/consent-research/

Disclaimer: Though this Compilation contains information of a legal nature, it has been developed for informational purposes only and does not constitute legal advice or opinions as to the current operative guidelines of any jurisdiction. In addition, because new guidelines are issued on a continuing basis, this Compilation is not an exhaustive source of all current applicable guidelines relating to the General Data Protection Regulation. While reasonable efforts have been made to assure the accuracy and completeness of the information provided, researchers and other individuals should check with local authorities and/or research ethics committees before starting research activities.

Compilation of Guidances on the EU General Data Protection Regulation

European Union

Austria

Belgium

Bulgaria

Croatia

Cyprus

Czech Republic

Denmark

Estonia

Finland

France

Germany

Greece

Hungary

Iceland

Ireland

Italy

Latvia

Liechtenshein

Lithuania

Luxembourg

Matla

Netherlands

Norway

Poland

Portugal

Romania

Slovakia

Slovenia

Spain

Sweden

United Kingdom (Data Protectioon Act of 2018)