Compilation of Guidances on the EU General Data Protection Regulation

July 24, 2018

  1. If you are new to the General Data Protection Regulation, you may want to review the text of the regulation to familiarize yourself with basic GDPR concepts and terminology: https://gdpr-info.eu/  Keep in mind that the scope of the GDPR is broader than U.S. privacy laws such as HIPAA.
  2. The names and website addresses of each country’s data protection authority are seen in Columns B and C.
  3. General GDPR Guidance documents are listed in Column D. If the information is not available in English, an online translation program can be helpful.
  4. The table lists guidances specific to Research (Column E), Legal Basis (Column F), Consent (Column G), and International Data Transfer (Column H). Country-level interpretations and procedures are likely to evolve over time, and data protection authorities may release new guidances.
 
A B C D E F G H
Country Name of Data Protection Authority Website General Guidance Research Legal Basis Consent International Data Transfer
European Union European Data Protection Board  https://edpb.europa.eu http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1360     http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051  
Austria Data Protection Authority http://www.dsb.gv.at/          
Belgium Data Protection Authority https://www.autoriteprotectiondonnees.be/     https://www.autoriteprotectiondonnees.be/fondement-legal-pour-le-traitement-de-donnees-a-caractere-personnel https://www.autoriteprotectiondonnees.be/consentement https://www.autoriteprotectiondonnees.be/international-0
Bulgaria Commission for Personal Data Protection https://www.cpdp.bg/ https://www.cpdp.bg/index.php?p=element&aid=1163 https://www.cpdp.bg/en/index.php?p=element&aid=1162   https://www.cpdp.bg/en/index.php?p=element&aid=1162  
Croatia Personal Data Protection Agency http://www.azop.hr/ http://azop.hr/info-servis/detaljnije/opca-uredba-o-zastiti-podataka-gdpr        
Cyprus Commissioner for Personal Data Protection http://www.dataprotection.gov.cy/          
Czech Republic Office for Personal Data Protection http://www.uoou.cz/ https://www.uoou.cz/gdpr-strucne/ds-4843/p1=4843        
Denmark Data Protection Agency http://www.datatilsynet.dk/ https://www.datatilsynet.dk/        
Estonia Data Protection Inspectorate http://www.aki.ee/   http://www.aki.ee/sites/www.aki.ee/files/elfinder/article_files/When%20do%20I%20need%20permission%20for%20conducting%20scientific%20research.pdf     http://www.aki.ee/en/guidelines/transfer-personal-data-foreign-country
Finland Office of the Data Protection Ombudsman http://www.tietosuoja.fi/en/          
France National Commission of Information Processing and Freedoms http://www.cnil.fr/ https://www.cnil.fr/fr/recherches-dans-le-domaine-de-la-sante-la-cnil-adopte-de-nouvelles-mesures-de-simplification https://www.cnil.fr/fr/declaration/mr-001-recherches-dans-le-domaine-de-la-sante-avec-recueil-du-consentement and https://www.cnil.fr/sites/default/files/atoms/files/guide-cnom-cnil.pdf https://www.cnil.fr/fr/recherches-dans-le-domaine-de-la-sante-ce-qui-change-avec-les-nouvelles-methodologies-de-reference https://www.cnil.fr/fr/declaration/mr-001-recherches-dans-le-domaine-de-la-sante-avec-recueil-du-consentement https://www.cnil.fr/fr/declaration/mr-001-recherches-dans-le-domaine-de-la-sante-avec-recueil-du-consentement
Germany Federal Commissioner for Data Protection and Freedom of Information http://www.bfdi.bund.de/  https://www.bfdi.bund.de/DE/Datenschutz/DatenschutzGVO/Aktuelles/Aktuelles_Artikel/DSGVO_Kurzpapiere.html       https://www.bfdi.bund.de/SharedDocs/Downloads/DE/Datenschutz/Kurzpapier_DatenschutzFolgeabschaetzung.pdf?__blob=publicationFile&v=2
Greece Hellenic Data Protection Authority http://www.dpa.gr/          
Hungary National Authority for Data Protection and Freedom of Information http://www.naih.hu/ http://www.naih.hu/felkeszueles-az-adatvedelmi-rendelet-alkalmazasara.html        
Iceland Data Protection Authority https://www.personuvernd.is/information-in-english/ https://www.personuvernd.is/ny-personuverndarloggjof-2018/        
Ireland Data Protection Commissioner http://www.dataprotection.ie/ http://gdprandyou.ie/   http://gdprandyou.ie/gdpr-12-steps/#what-we-mean-when-we-talk-about-a-legal-basis http://gdprandyou.ie/gdpr-12-steps/#using-customer-consent-as-a-grounds-to-process-data https://www.dataprotection.ie/docs/Transfers-Abroad/y/37.htm
Italy Guarantor for the Protection of Personal Data http://www.garanteprivacy.it/https://www.garanteprivacy.it/regolamentoue     https://www.garanteprivacy.it/home/doveri#2    
Latvia Data State Inspectorate http://www.dvi.gov.lv/ http://www.dvi.gov.lv/lv/        
Liechten-stein Data Protection Office https://www.llv.li/#/1758/datenschutzstelle          
Lithuania State Data Protection Inspectorate http://www.ada.lt/          
Luxem-bourg National Commission for Data Protection http://www.cnpd.lu/ https://cnpd.public.lu/fr/dossiers-thematiques/Reglement-general-sur-la-protection-des-donnees/responsabilite-accrue-des-responsables-du-traitement/guide-preparation-rgpd.html        
Malta Office of the Information and Data Protection Commissioner http://www.idpc.org.mt/ https://idpc.org.mt/en/Pages/gdpr.aspx        
Nether-lands Personal Data Authority https://autoriteitpersoonsgegevens.nl/nl https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/avg-europese-privacywetgeving        
Nether-lands Central Committee on Research Involving Human Subjects http://www.ccmo.nl   http://www.ccmo.nl/en/algemene-verordening-gegevensbescherming?5ad0a79c-a970-44d7-8c78-6de7c35ff8ba   http://www.ccmo.nl/nl/nieuwsarchief/aanpassingen-pif-vanwege-nieuwe-europese-privacywetgeving  
Norway Data Protection Authority https://www.datatilsynet.no/en/          
Poland Personal Data Protection Office https://uodo.gov.pl/          
Portugal National Commission for Data Protection https://www.cnpd.pt/ https://www.cnpd.pt/bin/rgpd/rgpd.htm   https://www.cnpd.pt/bin/faqs/faqs.htm    
Romania National Supervisory Authority for Personal Data Processing http://www.dataprotection.ro/ http://www.dataprotection.ro/?page=Regulamentul_nr_679_2016        
Slovakia Office for Personal Data Protection http://www.dataprotection.gov.sk/ https://dataprotection.gov.sk/uoou/sk/main-content/nariadenie-gdpr        
Slovenia Information Commissioner https://www.ip-rs.si/ https://www.ip-rs.si/varstvo-osebnih-podatkov/projekti/rapidsi/        
Spain Agency for Data Protection https://www.agpd.es/ https://www.servicios.agpd.es/AGPD/view/form/MDAwMDAwMDAwMDAwMDE3NjUwNzcxNTMyNDU2MTM5ODQ2?updated=true        
Spain Department of Medications for Human Use https://www.aemps.gob.es/   https://www.aemps.gob.es/investigacionClinica/medicamentos/docs/anexo8c-Ins-AEMPS-EC.pdf   https://www.aemps.gob.es/investigacionClinica/medicamentos/docs/anexo8c-Ins-AEMPS-EC.pdf https://www.aemps.gob.es/investigacionClinica/medicamentos/docs/anexo8c-Ins-AEMPS-EC.pdf
Sweden Data Inspection Board http://www.datainspektionen.se/ https://www.datainspektionen.se/lagar--regler/dataskyddsforordningen/       https://www.datainspektionen.se/lagar--regler/dataskyddsforordningen/tredjelandsoverforing/
United Kingdom (Data Protection Act of 2018) Information Commissioner’s Office https://ico.org.uk https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/   Legitimate Interests: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/ https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/ https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/
United Kingdom (Data Protection Act of 2018) NHS Health Research Authority https://www.hra.nhs.uk     https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/what-law-says/consent-research/ https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/what-law-says/consent-research/  

 

Disclaimer: Though this Compilation contains information of a legal nature, it has been developed for informational purposes only and does not constitute legal advice or opinions as to the current operative guidelines of any jurisdiction. In addition, because new guidelines are issued on a continuing basis, this Compilation is not an exhaustive source of all current applicable guidelines relating to the General Data Protection Regulation. While reasonable efforts have been made to assure the accuracy and completeness of the information provided, researchers and other individuals should check with local authorities and/or research ethics committees before starting research activities.

Content created by Office for Human Research Protections (OHRP)
Content last reviewed on August 2, 2018