July 24, 2018
- If you are new to the General Data Protection Regulation, you may want to review the text of the regulation to familiarize yourself with basic GDPR concepts and terminology: https://gdpr-info.eu/ Keep in mind that the scope of the GDPR is broader than U.S. privacy laws such as HIPAA.
- The names and website addresses of each country’s data protection authority are seen in Rows 1 an 2.
- General GDPR Guidance documents are listed in appropriate row. If the information is not available in English, an online translation program can be helpful.
- The table lists guidances specific to Research, Legal Basis, Consent, and International Data Transfer. Country-level interpretations and procedures are likely to evolve over time, and data protection authorities may release new guidances.
European Union
| Name of Data Protection Authority | European Data Protection Board |
|---|---|
| Website | https://edpb.europa.eu |
| General Guidance | http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1360 |
| Consent | http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051 |
Austria
| Name of Data Protection Authority | Data Protection Authority |
|---|---|
| Website | http://www.dsb.gv.at/ |
Belgium
| Name of Data Protection Authority | Data Protection Authority |
|---|---|
| Website | https://www.autoriteprotectiondonnees.be/ |
| Legal Basis | https://www.autoriteprotectiondonnees.be/fondement-legal-pour-le-traitement-de-donnees-a-caractere-personnel |
| Consent | https://www.autoriteprotectiondonnees.be/consentement |
| International Data Transfer | https://www.autoriteprotectiondonnees.be/international-0 |
Bulgaria
| Name of Data Protection Authority | Commission for Personal Data Protection |
|---|---|
| Website | https://www.cpdp.bg/ |
| General Guidance | https://www.cpdp.bg/index.php?p=element&aid=1163 |
| Research | https://www.cpdp.bg/en/index.php?p=element&aid=1162 |
| Consent | https://www.cpdp.bg/en/index.php?p=element&aid=1162 |
Croatia
| Name of Data Protection Authority | Personal Data Protection Agency |
|---|---|
| Website | http://www.azop.hr/ |
| General Guidance | http://azop.hr/info-servis/detaljnije/opca-uredba-o-zastiti-podataka-gdpr |
Cyprus
| Name of Data Protection Authority | Commissioner for Personal Data Protection |
|---|---|
| Website | http://www.dataprotection.gov.cy/ |
Czech Republic
| Name of Data Protection Authority | Office for Personal Data Protection |
|---|---|
| Website | http://www.uoou.cz/ |
| General Guidance | https://www.uoou.cz/gdpr-strucne/ds-4843/p1=4843 |
Denmark
| Name of Data Protection Authority | Data Protection Agency |
|---|---|
| Website | http://www.datatilsynet.dk/ |
| General Guidance | https://www.datatilsynet.dk/ |
Estonia
| Name of Data Protection Authority | Data Protection Inspectorate |
|---|---|
| Website | http://www.aki.ee/ |
| Research | http://www.aki.ee/sites/www.aki.ee/files/elfinder/article_files/When%20do%20I%20need%20permission%20for%20conducting%20scientific%20research.pdf |
| International Data Transfer | http://www.aki.ee/en/guidelines/transfer-personal-data-foreign-country |
Finland
| Name of Data Protection Authority | Office of the Data Protection Ombudsman |
|---|---|
| Website | http://www.tietosuoja.fi/en/ |
France
| Name of Data Protection Authority | National Commission of Information Processing and Freedoms |
|---|---|
| Website | http://www.cnil.fr/ |
| General Guidance | https://www.cnil.fr/fr/recherches-dans-le-domaine-de-la-sante-la-cnil-adopte-de-nouvelles-mesures-de-simplification |
| Research | https://www.cnil.fr/fr/declaration/mr-001-recherches-dans-le-domaine-de-la-sante-avec-recueil-du-consentement |
| Legal Basis | https://www.cnil.fr/fr/recherches-dans-le-domaine-de-la-sante-ce-qui-change-avec-les-nouvelles-methodologies-de-reference |
| Consent | https://www.cnil.fr/fr/declaration/mr-001-recherches-dans-le-domaine-de-la-sante-avec-recueil-du-consentement |
| International Data Transfer | https://www.cnil.fr/fr/declaration/mr-001-recherches-dans-le-domaine-de-la-sante-avec-recueil-du-consentement |
Germany
| Name of Data Protection Authority | Federal Commissioner for Data Protection and Freedom of Information |
|---|---|
| Website | http://www.bfdi.bund.de/ |
| General Guidance | https://www.bfdi.bund.de/DE/Datenschutz/DatenschutzGVO/Aktuelles/Aktuelles_Artikel/DSGVO_Kurzpapiere.html |
| International Data Transfer | https://www.bfdi.bund.de/SharedDocs/Downloads/DE/Datenschutz/Kurzpapier_DatenschutzFolgeabschaetzung.pdf?__blob=publicationFile&v=2 |
Greece
| Name of Data Protection Authority | Hellenic Data Protection Authority |
|---|---|
| Website | http://www.dpa.gr/ |
Hungary
| Name of Data Protection Authority | National Authority for Data Protection and Freedom of Information |
|---|---|
| Website | http://www.naih.hu/ |
| General Guidance | http://www.naih.hu/felkeszueles-az-adatvedelmi-rendelet-alkalmazasara.html |
Iceland
| Name of Data Protection Authority | Data Protection Authority |
|---|---|
| Website | https://www.personuvernd.is/information-in-english/ |
| General Guidance | https://www.personuvernd.is/ny-personuverndarloggjof-2018/ |
Ireland
| Name of Data Protection Authority | Data Protection Commissioner |
|---|---|
| Website | http://www.dataprotection.ie/ |
| General Guidance | http://gdprandyou.ie/ |
| Legal Basis | http://gdprandyou.ie/gdpr-12-steps/#what-we-mean-when-we-talk-about-a-legal-basis |
| Consent | http://gdprandyou.ie/gdpr-12-steps/#using-customer-consent-as-a-grounds-to-process-data |
| International Data Transfer | https://www.dataprotection.ie/docs/Transfers-Abroad/y/37.htm |
Italy
| Name of Data Protection Authority | Guarantor for the Protection of Personal Data |
|---|---|
| Website | http://www.garanteprivacy.it/ |
| Legal Basis | https://www.garanteprivacy.it/home/doveri#2 |
Latvia
| Name of Data Protection Authority | Data State Inspectorate |
|---|---|
| Website | http://www.dvi.gov.lv/ |
| General Guidance | http://www.dvi.gov.lv/lv/ |
Liechtenshein
| Name of Data Protection Authority | Data Protection Office |
|---|---|
| Website | https://www.llv.li/#/1758/datenschutzstelle |
Lithuania
| Name of Data Protection Authority | State Data Protection Inspectorate |
|---|---|
| Website | http://www.ada.lt/ |
Luxembourg
| Name of Data Protection Authority | National Commission for Data Protection |
|---|---|
| Website | http://www.cnpd.lu/ |
| General Guidance | https://cnpd.public.lu/fr/dossiers-thematiques/Reglement-general-sur-la-protection-des-donnees/responsabilite-accrue-des-responsables-du-traitement/guide-preparation-rgpd.html |
Matla
| Name of Data Protection Authority | Office of the Information and Data Protection Commissioner |
|---|---|
| Website | http://www.idpc.org.mt/ |
| General Guidance | https://idpc.org.mt/en/Pages/gdpr.aspx |
Netherlands
| Name of Data Protection Authority | Personal Data Authority |
|---|---|
| Website | https://autoriteitpersoonsgegevens.nl/nl |
| General Guidance | https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/avg-europese-privacywetgeving |
| Name of Data Protection Authority | Central Committee on Research Involving Human Subjects |
|---|---|
| Website | http://www.ccmo.nl |
| Research | http://www.ccmo.nl/en/algemene-verordening-gegevensbescherming?5ad0a79c-a970-44d7-8c78-6de7c35ff8ba |
| Consent | http://www.ccmo.nl/nl/nieuwsarchief/aanpassingen-pif-vanwege-nieuwe-europese-privacywetgeving |
Norway
| Name of Data Protection Authority | Data Protection Authority |
|---|---|
| Website | https://www.datatilsynet.no/en/ |
Poland
| Name of Data Protection Authority | Personal Data Protection Office |
|---|---|
| Website | https://uodo.gov.pl/ |
Portugal
| Name of Data Protection Authority | National Commission for Data Protection |
|---|---|
| Website | https://www.cnpd.pt/ |
| General Guidance | https://www.cnpd.pt/bin/rgpd/rgpd.htm |
| Legal Basis | https://www.cnpd.pt/bin/faqs/faqs.htm |
Romania
| Name of Data Protection Authority | National Supervisory Authority for Personal Data Processing |
|---|---|
| Website | http://www.dataprotection.ro/ |
| General Guidance | http://www.dataprotection.ro/?page=Regulamentul_nr_679_2016 |
Slovakia
| Name of Data Protection Authority | Office for Personal Data Protection |
|---|---|
| Website | http://www.dataprotection.gov.sk/ |
| General Guidance | https://dataprotection.gov.sk/uoou/sk/main-content/nariadenie-gdpr |
Slovenia
| Name of Data Protection Authority | Information Commissioner |
|---|---|
| Website | https://www.ip-rs.si/ |
| General Guidance | https://www.ip-rs.si/varstvo-osebnih-podatkov/projekti/rapidsi/ |
Spain
| Name of Data Protection Authority | Agency for Data Protection |
|---|---|
| Website | https://www.agpd.es/ |
| General Guidance | https://www.servicios.agpd.es/AGPD/view/form/MDAwMDAwMDAwMDAwMDE3NjUwNzcxNTMyNDU2MTM5ODQ2?updated=true |
| Name of Data Protection Authority | Department of Medications for Human Use |
|---|---|
| Website | https://www.aemps.gob.es/ |
| Research | https://www.aemps.gob.es/investigacionClinica/medicamentos/docs/anexo8c-Ins-AEMPS-EC.pdf |
| Consent | https://www.aemps.gob.es/investigacionClinica/medicamentos/docs/anexo8c-Ins-AEMPS-EC.pdf |
| International Data Transfer | https://www.aemps.gob.es/investigacionClinica/medicamentos/docs/anexo8c-Ins-AEMPS-EC.pdf |
Sweden
| Name of Data Protection Authority | Data Inspection Board |
|---|---|
| Website | http://www.datainspektionen.se/ |
| General Guidance | https://www.datainspektionen.se/lagar--regler/dataskyddsforordningen/ |
| International Data Transfer | https://www.datainspektionen.se/lagar--regler/dataskyddsforordningen/tredjelandsoverforing/ |
United Kingdom (Data Protectioon Act of 2018)
| Name of Data Protection Authority | Information Commissioner’s Office |
|---|---|
| Website | https://ico.org.uk |
| General Guidance | https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ |
| Legal Basis | Legitimate Interests: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/ |
| Consent | https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/ |
| International Data Transfer | https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/ |
| Name of Data Protection Authority | NHS Health Research Authority |
|---|---|
| Website | https://www.hra.nhs.uk |
| Legal Basis | https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/what-law-says/consent-research/ |
| Consent | https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/what-law-says/consent-research/ |
Disclaimer: Though this Compilation contains information of a legal nature, it has been developed for informational purposes only and does not constitute legal advice or opinions as to the current operative guidelines of any jurisdiction. In addition, because new guidelines are issued on a continuing basis, this Compilation is not an exhaustive source of all current applicable guidelines relating to the General Data Protection Regulation. While reasonable efforts have been made to assure the accuracy and completeness of the information provided, researchers and other individuals should check with local authorities and/or research ethics committees before starting research activities.
