The European General Data Protection Regulation (GDPR) regulates the use, access, collection, and processing of all personal data from the European Economic Area (EEA), regardless of the citizenship or residency status of the individual to whom the data pertains. US investigators conducting research with data from the EEA should become familiar with their responsibilities established by the GDPR.
Countries that belong to the EEA include Austria, Belgium, Bulgaria, Czech Republic, Cyprus, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom.
When the personal data of a European subject is collected, used, or accessed, the researcher must present certain information to the subject. If sensitive data is being collected, used, or accessed, a full informed consent process must be used, with translation as appropriate. The researcher is required to collect only the minimum necessary information for the defined research purpose.
Subjects must be informed of:
The data of individuals in Europe must be stored in a way that enables the following rights:
The GDPR permits the retention of personal data for only as long as necessary to achieve the specific purpose for which it was collected. It must be deleted after that time. If there is a data breach which could pose any risk to participants, participants must be informed of the breach.
A project which uses personal data from Europe must abide by the requirements of the GDPR.
Personal data is “any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, constitute personal data.”
For data to no longer be considered “personal data” it must be rendered anonymous in such a way that the individual is not identifiable. The anonymization must be “irreversible.” If a link or key exists between the data and subject identifiers (pseudonymized data/coded data) the data is not anonymized and must be treated as personal data, regardless of whether the investigator has access to the key.
Examples of personal data:
Sensitive data is data concerning “one’s health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation, biometric data, or data concerning a person’s sex life.” Explicit consent must be used for collection or use of sensitive data. Receipt of sensitive data from Europe must always be accompanied by the explicit consent of the individual, and for a specified purpose (“passive consent,” or a Letter of Information, is not sufficient).
The GDPR defines a child (for the purposes of using or accessing personal data) as an individual under the age of 16. Parental consent is required for any personal data collected regarding a child under the age of 16.
NOTE – individual member states may utilize a different age of consent within their own jurisdiction.