New German Authority Guidelines Set Gold Standard for Data Transfers in Medical Research Collaborations
In today’s interconnected world, international research collaborations are becoming increasingly vital to scientific advancement. A key component of such collaborations is the cross-border transfer of study data, including health data, which accelerates discovery and innovation. In many jurisdictions, these data transfers are subject to strict health privacy requirements. Notably, in the European Union (EU), they are mainly regulated by the EU General Data Protection Regulation (GDPR) and national implementation laws, such as the German Federal Data Protection Act (Bundesdatenschutzgesetz).
In September 2025, the German Data Protection Conference (Datenschutzkonferenz) — a joint body of the independent German Federal and State data protection authorities — released guidelines on the GDPR-based transfer of data to non-EU countries for medical research purposes. While primarily addressed to the German market, these guidelines offer best practices for research collaborations with a footprint in the EU.
Data Processing Based on Broad Consent
- Determine whether there is a suitable legal basis for processing personal data under Articles 6 and 9 of the GDPR. In medical research, “broad consent” is a common basis, allowing for some flexibility when the research purpose is not fully defined at the time of data collection.
- If data processing is based on broad consent, assess whether it complies with the principle of data minimisation and implement additional protective measures, such as effective pseudonymisation, robust consent management, strict data deletion and storage policies, and early involvement of data protection officers and ethics committees. Even when a Data Protection Impact Assessment is not mandatory, it can help to assess the need for data processing, associated risks, and protective measures.
Data Transfers to Non-EU Countries
- Check whether the data transfer can rely on one of the conditions in Chapter V of the GDPR, including adequacy decisions by the European Commission, standard contractual clauses, or binding corporate rules. In limited cases, individual consent or important reasons of public interest may apply.
- If an adequacy decision in accordance with Article 45 GDPR exists for the destination country, continuously monitor the decision’s validity. Without a valid adequacy decision, appropriate safeguards are required, and may need to be bolstered by supplementary measures to ensure equivalent data protection. A transfer impact assessment should evaluate government access in the destination country and available legal remedies for individuals.
- Even with an adequacy decision, the guidelines suggest at least considering obtaining consent, provided that the relationship between the decision and consent is clearly explained to individuals. Consent must meet Article 49 GDPR requirements, including informing individuals about potential risks in the destination country. If consent is withdrawn, future transfers are prohibited, even if an adequacy decision exists.
- Exceptions under Article 49 GDPR are only permissible on a case-by-case basis. Obtaining broad consent without specifying the recipient country is insufficient for that purpose.
Transparency and Information Obligations
When informing individuals about the intended data transfer, the underlying legal basis, and associated risks:
- clearly state that data will be transferred to a non-EU country;
- name the specific country and any further transfers to other non-EU countries;
- indicate the legal basis for the transfer (e.g., adequacy decision, standard clauses);
- if relying on Article 46 GDPR (appropriate safeguards), explain the absence of an adequacy decision and how to access copies of the safeguards;
- for exceptions under Article 49 GDPR, note the lack of equivalent data protection and specify the exception used;
- for explicit consent, provide clear information about the lack of essential safeguards and potential risks, such as unlimited government access and absence of enforceable rights.
Conclusion
The guidelines set the gold standard for handling data transfers in international research collaborations with an EU nexus. Following the guidelines is essential for sponsors and research institutions to enhance legal certainty in data-heavy cross-border studies.