Skip Navigation
Search
Office of the Vice President for Research
Office of Research Compliance
HomeHuman Subject ResearchGDPR and Human Subjects

GDPR and Human Subjects

Contact the Office of Research Compliance if your study will be enrolling GDPR subjects as these individuals cannot be enrolled at this time.

What is the GDPR? 

GDPR is a regulation based on the protection of data and privacy of individuals in the 28 EU member states and three additional countries (Liechtenstein, Iceland, and Norway), which together constitute the greater European Economic Area (EEA).  

What countries are part of the EEA? 

Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.

What does GDPR apply to?

  • Organizations anywhere in the world that process the personal data of those in the EEA related to offering of goods and services, regardless of whether payment is exchanged.
  • Organizations anywhere in the world that monitor the behavior of subjects as far as their behavior takes place in the EEA. 
  • GDPR likely applies to a study if the researcher continues to monitor the EEA research subjects or provides study related interventions after they return to the EEA (In this case, the Sponsor is not located in the EEA).

What does GDPR not apply to? 

  • Organizations not present in the EEA which process the personal data of citizens of EEA member countries while they are abroad in non-EEA countries (e.g., if an EU citizen travels to the US, a company in the US processing personal data the EU citizen leaves behind while visiting the US is not subject to GDPR. However, if that same company processed data the same EU citizen generated while in the EEA, that activity would be subject to GDPR.

What is Personal Data? 

Personal Data broadly means any information relating to an identified or identifiable natural person. An identifiable natural person is “one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.” The GDPR frequently requires that data revealing any of the following considered to be “sensitive” data be collected through an informed consent process:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic, biometric, and health data
  • Data concerning a person’s sex life or sexual orientation.

How to ensure that the consent process complies with GDPR? 

Specific language must be inserted into the informed consent form if GDPR applies. The GDPR Consent language may be added to a Common Rule Consent Form. In that way, the EEA Research Subject will need to sign the document to provide both the informed consent required by U.S. federal law and the GDPR Consent.

When does GDPR not apply? 

  • General Data Protection Regulations do not apply when the collection of data does not include information that is linked to a subject’s identity such as an anonymous survey in which the identity of the subject cannot be traced to the individual.
  • Another key point of GDPR is whether the data is anonymized (i.e., impossible to connect back to a single person). Fully anonymized data is not subject to GDPR.

Does the GDPR apply to Pseudonmymized Data? 

Coded research data is considered to be “Pseudonymized Data” and therefore Personal Data under the GDPR because the data can be attributed to a person by the use of additional information such as a key to the code. If the researcher maintains the key (or a third party maintains the key for the researcher), such data will generally not be treated as anonymized Personal Data under the GDPR. Full anonymization of Personal Data requires not only the removal of all identifiers from the data set, but also the destruction of any keys to the code. Pseudoanonymized data is data that may be able to be connected back to identifiable information.  Additionally, the GDPR applies when the university conducts research in the US in which subject data is transmitted to a sponsor, server, or data core facilities in the EU. 

Where can you find additional information about GDPR? 

Complete guide to GDPR compliance