Compilation of Guidances on the EU General Data Protection Regulation

July 24, 2018

1. If you are new to the General Data Protection Regulation, you may want to review the text of the regulation to familiarize yourself with basic GDPR concepts and terminology: https://gdpr-info.eu/  Keep in mind that the scope of the GDPR is broader than U.S. privacy laws such as HIPAA.
2. The names and website addresses of each country’s data protection authority are seen in Columns B and C.
3. General GDPR Guidance documents are listed in Column D. If the information is not available in English, an online translation program can be helpful.
4. The table lists guidances specific to Research (Column E), Legal Basis (Column F), Consent (Column G), and International Data Transfer (Column H). Country-level interpretations and procedures are likely to evolve over time, and data protection authorities may release new guidances.

A	B	C	D	E	F	G	H
Country	Name of Data Protection Authority	Website	General Guidance	Research	Legal Basis	Consent	International Data Transfer
European Union	European Data Protection Board	https://edpb.europa.eu	http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1360			http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051
Austria	Data Protection Authority	http://www.dsb.gv.at/
Belgium	Data Protection Authority	https://www.autoriteprotectiondonnees.be/			https://www.autoriteprotectiondonnees.be/fondement-legal-pour-le-traitement-de-donnees-a-caractere-personnel	https://www.autoriteprotectiondonnees.be/consentement	https://www.autoriteprotectiondonnees.be/international-0
Bulgaria	Commission for Personal Data Protection	https://www.cpdp.bg/	https://www.cpdp.bg/index.php?p=element&aid=1163	https://www.cpdp.bg/en/index.php?p=element&aid=1162		https://www.cpdp.bg/en/index.php?p=element&aid=1162
Croatia	Personal Data Protection Agency	http://www.azop.hr/	http://azop.hr/info-servis/detaljnije/opca-uredba-o-zastiti-podataka-gdpr
Cyprus	Commissioner for Personal Data Protection	http://www.dataprotection.gov.cy/
Czech Republic	Office for Personal Data Protection	http://www.uoou.cz/	https://www.uoou.cz/gdpr-strucne/ds-4843/p1=4843
Denmark	Data Protection Agency	http://www.datatilsynet.dk/	https://www.datatilsynet.dk/
Estonia	Data Protection Inspectorate	http://www.aki.ee/		http://www.aki.ee/sites/www.aki.ee/files/elfinder/article_files/When%20do%20I%20need%20permission%20for%20conducting%20scientific%20research.pdf - PDF			http://www.aki.ee/en/guidelines/transfer-personal-data-foreign-country
Finland	Office of the Data Protection Ombudsman	http://www.tietosuoja.fi/en/
France	National Commission of Information Processing and Freedoms	http://www.cnil.fr/	https://www.cnil.fr/fr/recherches-dans-le-domaine-de-la-sante-la-cnil-adopte-de-nouvelles-mesures-de-simplification	https://www.cnil.fr/fr/declaration/mr-001-recherches-dans-le-domaine-de-la-sante-avec-recueil-du-consentement and https://www.cnil.fr/sites/default/files/atoms/files/guide-cnom-cnil.pdf - PDF	https://www.cnil.fr/fr/recherches-dans-le-domaine-de-la-sante-ce-qui-change-avec-les-nouvelles-methodologies-de-reference	https://www.cnil.fr/fr/declaration/mr-001-recherches-dans-le-domaine-de-la-sante-avec-recueil-du-consentement	https://www.cnil.fr/fr/declaration/mr-001-recherches-dans-le-domaine-de-la-sante-avec-recueil-du-consentement
Germany	Federal Commissioner for Data Protection and Freedom of Information	http://www.bfdi.bund.de/	https://www.bfdi.bund.de/DE/Datenschutz/DatenschutzGVO/Aktuelles/Aktuelles_Artikel/DSGVO_Kurzpapiere.html				https://www.bfdi.bund.de/SharedDocs/Downloads/DE/Datenschutz/Kurzpapier_DatenschutzFolgeabschaetzung.pdf?__blob=publicationFile&v=2 - PDF
Greece	Hellenic Data Protection Authority	http://www.dpa.gr/
Hungary	National Authority for Data Protection and Freedom of Information	http://www.naih.hu/	http://www.naih.hu/felkeszueles-az-adatvedelmi-rendelet-alkalmazasara.html
Iceland	Data Protection Authority	https://www.personuvernd.is/information-in-english/	https://www.personuvernd.is/ny-personuverndarloggjof-2018/
Ireland	Data Protection Commissioner	http://www.dataprotection.ie/	http://gdprandyou.ie/		http://gdprandyou.ie/gdpr-12-steps/#what-we-mean-when-we-talk-about-a-legal-basis	http://gdprandyou.ie/gdpr-12-steps/#using-customer-consent-as-a-grounds-to-process-data	https://www.dataprotection.ie/docs/Transfers-Abroad/y/37.htm
Italy	Guarantor for the Protection of Personal Data	http://www.garanteprivacy.it/ https://www.garanteprivacy.it/regolamentoue			https://www.garanteprivacy.it/home/doveri#2
Latvia	Data State Inspectorate	http://www.dvi.gov.lv/	http://www.dvi.gov.lv/lv/
Liechten-stein	Data Protection Office	https://www.llv.li/#/1758/datenschutzstelle
Lithuania	State Data Protection Inspectorate	http://www.ada.lt/
Luxem-bourg	National Commission for Data Protection	http://www.cnpd.lu/	https://cnpd.public.lu/fr/dossiers-thematiques/Reglement-general-sur-la-protection-des-donnees/responsabilite-accrue-des-responsables-du-traitement/guide-preparation-rgpd.html
Malta	Office of the Information and Data Protection Commissioner	http://www.idpc.org.mt/	https://idpc.org.mt/en/Pages/gdpr.aspx
Nether-lands	Personal Data Authority	https://autoriteitpersoonsgegevens.nl/nl	https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/avg-europese-privacywetgeving
Nether-lands	Central Committee on Research Involving Human Subjects	http://www.ccmo.nl		http://www.ccmo.nl/en/algemene-verordening-gegevensbescherming?5ad0a79c-a970-44d7-8c78-6de7c35ff8ba		http://www.ccmo.nl/nl/nieuwsarchief/aanpassingen-pif-vanwege-nieuwe-europese-privacywetgeving
Norway	Data Protection Authority	https://www.datatilsynet.no/en/
Poland	Personal Data Protection Office	https://uodo.gov.pl/
Portugal	National Commission for Data Protection	https://www.cnpd.pt/	https://www.cnpd.pt/bin/rgpd/rgpd.htm		https://www.cnpd.pt/bin/faqs/faqs.htm
Romania	National Supervisory Authority for Personal Data Processing	http://www.dataprotection.ro/	http://www.dataprotection.ro/?page=Regulamentul_nr_679_2016
Slovakia	Office for Personal Data Protection	http://www.dataprotection.gov.sk/	https://dataprotection.gov.sk/uoou/sk/main-content/nariadenie-gdpr
Slovenia	Information Commissioner	https://www.ip-rs.si/	https://www.ip-rs.si/varstvo-osebnih-podatkov/projekti/rapidsi/
Spain	Agency for Data Protection	https://www.agpd.es/	https://www.servicios.agpd.es/AGPD/view/form/MDAwMDAwMDAwMDAwMDE3NjUwNzcxNTMyNDU2MTM5ODQ2?updated=true
Spain	Department of Medications for Human Use	https://www.aemps.gob.es/		https://www.aemps.gob.es/investigacionClinica/medicamentos/docs/anexo8c-Ins-AEMPS-EC.pdf - PDF		https://www.aemps.gob.es/investigacionClinica/medicamentos/docs/anexo8c-Ins-AEMPS-EC.pdf - PDF	https://www.aemps.gob.es/investigacionClinica/medicamentos/docs/anexo8c-Ins-AEMPS-EC.pdf - PDF
Sweden	Data Inspection Board	http://www.datainspektionen.se/	https://www.datainspektionen.se/lagar--regler/dataskyddsforordningen/				https://www.datainspektionen.se/lagar--regler/dataskyddsforordningen/tredjelandsoverforing/
United Kingdom (Data Protection Act of 2018)	Information Commissioner’s Office	https://ico.org.uk	https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/		Legitimate Interests: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/	https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/	https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/
United Kingdom (Data Protection Act of 2018)	NHS Health Research Authority	https://www.hra.nhs.uk			https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/what-law-says/consent-research/	https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/what-law-says/consent-research/

Disclaimer: Though this Compilation contains information of a legal nature, it has been developed for informational purposes only and does not constitute legal advice or opinions as to the current operative guidelines of any jurisdiction. In addition, because new guidelines are issued on a continuing basis, this Compilation is not an exhaustive source of all current applicable guidelines relating to the General Data Protection Regulation. While reasonable efforts have been made to assure the accuracy and completeness of the information provided, researchers and other individuals should check with local authorities and/or research ethics committees before starting research activities.