The German Data Protection Conference (DSK) issued guidance on transfers of personal data to countries outside of the European Economic Area — so-called “third countries” — in the context of medical research. The guidance clarifies that, even when companies do not yet know all specific research use cases when obtaining consent, so-called “broad consent” may nevertheless be permissible.
The guidelines also highlight that cross-border data transfers from the EU to the U.S. for scientific research purposes remain possible. However, cross-border transfers require a careful analysis of the applicable legal basis and transfer tools, a thoughtful selection of additional safeguards, transparent notification of individuals, and documented risk controls that are tailored to the jurisdiction to which the data is transferred.
It Is Possible to Process Data Based on Broad Consent and Safeguards
In medical research, broad consent is a typical legal basis and can be appropriate if the precise processing purpose cannot be fully defined at the time of data collection. The DSK recognizes this approach but requires organizations to implement additional safeguards to preserve trust and minimize risk, such as:
- Avoiding the transfer of data to third countries for which no equivalent data protection standard exists
- Implementing commitments in relation to data minimization, encryption, anonymization or pseudonymization
- Implementing specific rules limiting access to collected data
The DSK emphasizes that this is not an exhaustive list and that one should consider other measures, such as:
- Using a consent management module: This allows individuals to effectively control, withdraw or update their broad consent if research purposes change.
- Addressing transparency gaps: Since individuals typically cannot be sufficiently informed prior to granting broad consent, the DSK suggests implementing measures to proactively inform the individuals about research projects, recipients and third countries, for example via a newsletter or a database that is continuously accessible to the individuals.
- Obtaining approval from a committee: The DSK suggests obtaining approval from an ethics committee or a Use & Access Committee for each research project.
- Performing a data protection impact assessment: A voluntary data protection impact assessment could identify and document risks relating to the international transfer, which may help evaluate the necessity of implementing further safeguards.
- Consulting with data protection authorities: Voluntarily consulting with the relevant data protection authority early on can prevent unlawful data processing and clarify legal questions relating to third country transfers.
Choosing and Documenting the International Transfer Mechanism Is Key
Organizations should carefully review the applicable international data transfer mechanism under Chapter V of the General Data Protection Regulation (GDPR).
- For international data transfers to the U.S.: Data transfers can be conducted under the EU-U.S. Data Privacy Framework (DPF) if the recipient of the data is certified under the DPF. The DSK suggests continuously monitoring the related adequacy decision issued by the European Commission, as well as the recipient’s certification status.
- For international data transfers with an adequacy decision: Where organizations can rely on an adequacy decision but where they fear that such a decision may eventually be lifted by the Court of Justice of the European Union (“CJEU”), the guidance takes a pragmatic view and suggests collecting an explicit consent for the transfer as per Art. 49 GDPR “just in case.” This necessitates informing the individuals about the relationship between the adequacy decision, the consent and the risks specific to the destination country. This approach bears the risk that, if an individual later withdraws consent, any future transfer of personal data is prohibited, even if an adequacy decision exists.
- For international transfers to jurisdictions without an adequacy decision: Organizations may rely on Standard Contractual Clauses (SCCs) as additional safeguards, but the DSK reiterates that organizations must still perform a transfer impact assessment, considering the effectiveness of the implemented safeguards, the potential risk of government access in the destination country, the remedies available for individuals and, for non-certified organizations, the available adequacy decision of the European Commission.
General Guidance for Using Consent for International Data Transfers
Although the GDPR allows limited exceptions when neither an adequacy decision nor additional safeguards are available for international data transfers, organizations should avoid relying on such derogations due to their narrow scope.
However, the DSK clarifies that, for international data transfers involving medical research, organizations may rely on explicit and informed consent under Art. 49 of the GDPR in addition to broad consent. When relying on consent, organizations must inform individuals about the specific legal situation in the relevant third country using up-to-date information. This necessitates updating the consent when the risk regarding the receiving country changes due to new legal and political developments.
Transparency Is Key
Generally, companies should inform individuals about the intended international data transfer, the underlying risks and the legal basis by:
- Clearly stating that personal data will be sent to a recipient in a third country
- Identifying the specific third country and, if onward transfers to other countries may occur, naming those as well
- Specifying if the transfer relies on an adequacy decision, SCCs, or a derogation as per Art. 49 GDPR (e.g., consent)
- If relying on SCCs, state that the destination country does not benefit from an EU adequacy decision. Describe the appropriate safeguards and explain how individuals can obtain copies or access them.
- If relying on a derogation under Art. 49 GDPR, make clear that the data may not enjoy protection essentially equivalent to the EU level.
- If relying on explicit consent, provide transparent information about the concrete risks so the individual can make an informed choice (e.g., limited enforceable rights or remedies, broad government access, etc.).
Conclusion
This guidance offers a practical roadmap to help entities in the medical sector navigate cross-border data transfers with clarity. It highlights the need for clear reasoning and documentation when choosing the applicable legal basis and transfer mechanism, and reiterates the necessity of clear privacy information.