Germany Issues Guidance on the Use of Consent for Medical Research

5 minute read | November.18.2025

The German Data Protection Conference (DSK) issued guidance on transfers of personal data to countries outside of the European Economic Area — so-called “third countries” — in the context of medical research. The guidance clarifies that, even when companies do not yet know all specific research use cases when obtaining consent, so called “broad consent” may nevertheless be permissible.

The guidelines also highlight that cross-border data transfers from the EU to the U.S. for scientific research purposes remain possible. However, cross-border transfers require a careful analysis of the applicable legal basis and transfer tools, a thoughtful selection of additional safeguards, transparent notification of individuals, and documented risk controls that are tailored to the jurisdiction to which the data is transferred.

It Is Possible to Process Data Based on Broad Consent and Safeguards

In medical research, broad consent is a typical legal basis and can be appropriate if the precise processing purpose cannot be fully defined at the time of data collection. The DSK recognizes this approach but requires organizations to implement additional safeguards to preserve trust and minimize risk, such as:

Avoiding the transfer of data to third countries for which no equivalent data protection standard exists
Implementing commitments in relation to data minimization, encryption, anonymization or pseudonymization
Implementing specific rules limiting access to collected data

The DSK emphasizes that this is not an exhaustive list and that one should consider other measures, such as:

Using a consent management module: This allows individuals to effectively control, withdraw or update their broad consent if research purposes change.
Addressing transparency gaps: Since individuals typically cannot be sufficiently informed prior to granting broad consent, the DSK suggests implementing measures to proactively inform the individuals about research projects, recipients and third countries, via newsletter or a database that is continuously accessible for the individuals.
Obtaining approval from a committee: The DSK suggests obtaining approval from an ethics committee or a Use & Access Committee for each research project.
Performing a data protection impact assessment: A voluntary data protection impact assessment could identify and document risks relating to the international transfer, which may help evaluate the necessity of implementing further safeguards.
Consulting with data protection authorities: Voluntarily consulting with the relevant data protection authority early on can prevent unlawful data processing and clarify legal questions relating to third country transfers.

Choosing and Documenting the International Transfer Mechanism Is Key

Organizations should carefully review the applicable international data transfer mechanism under Chapter V of the General Data Protection Regulation (GDPR).

For international data transfers to the U.S.: Data transfers can be conducted under the EU-U.S. Data Privacy Framework (DPF) if the recipient of the data is certified under the DPF. The DSK suggests continuously monitoring the related adequacy decision issued by the European Commission, as well as the recipient’s certification status.
For international data transfers with an adequacy decision: Where organizations can rely on an adequacy decision but where they fear that such a decision may eventually be lifted by the Court of Justice of the European Union (“CJEU”), the guidance takes a pragmatic view and suggests collecting an explicit consent for the transfer as per Art. 49 GDPR “just in case.” This necessitates informing the individuals about the relationship between the adequacy decision, the consent and the risks specific to the destination country. This approach bears the risk that, if an individual later withdraws consent, any future transfer of personal data is prohibited, even if an adequacy decision exists.
For international transfers to jurisdictions without an adequacy decision: Organizations may rely on Standard Contractual Clauses (SCCs) as additional safeguards. but the DSK reiterates that organizations must still perform a transfer impact assessment, considering the efficiency of the implemented safeguards, the potential risk of government access in the destination country, the remedies available for individuals and, for non-certified organizations, the available adequacy decision of the European Commission.

General Guidance for Using Consent for International Data Transfers

Although the GDPR allows limited exceptions when neither an adequacy decision nor additional safeguards are available for international data transfers, organizations should avoid relying on such derogations due to their narrow scope.

However, the DSK clarifies that, for international data transfers involving medical research, organizations may rely on explicit and informed consent under Art. 49 of the GDPR in addition to broad consent. When relying on consent, organizations must inform individuals about the specific legal situation in the relevant third country using up-to-date information. This necessitates updating the consent when the risk regarding the receiving country changes due to new legal and political developments.

Transparency is Key

Generally, companies should inform individuals about the intended international data transfer, the underlying risks and legal basis by:

Clearly stating that personal data will be sent to a recipient in a third country
Identifying the specific third country and, if onward transfers to other countries may occur, naming those as well
Specifying if the transfer relies on an adequacy decision, SCCs, or a derogation as per Art. 49 GDPR (e.g., consent)
- If relying on SCCs, state that the destination country does not benefit from an EU adequacy decision. Describe the appropriate safeguards and explain how individuals can obtain copies or access them.
- If relying on a derogation under Art. 49 GDPR, make clear that the data may not enjoy protection essentially equivalent to the EU level.
- If relying on explicit consent, provide transparent information about the concrete risks so the individual can make an informed choice (e.g., limited enforceable rights or remedies, broad government access, etc.).

Conclusion

This guidance offers a practical roadmap to help entities in the medical sector navigate cross-border data transfer with clarity. It highlights the need for clear reasoning and documentation when choosing the applicable legal basis and transfer mechanism and reiterates the necessity for clear privacy information.

Authors

Dr. Christian Schröder 合伙人, Cyber, Privacy & Data Innovation, Technology Transactions

杜塞尔多夫

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
White Collar
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder 合伙人

杜塞尔多夫

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars.

Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over AI, privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by European and German regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counselling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Since 2024 he has regularly been ranked as a leading German Data Privacy Practitioner by Chambers Germany. In 2026 his whole practice group was ranked by Chambers as well. Christian is also recognized as a recommended lawyer in the field of AI by Legal 500 . Legal 500 Germany names Christian one of the top 15 practitioners since 2023 and notes that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org and wrote his PhD thesis on the liability for violations of privacy policies and binding corporate rules under both U.S. and German law.

Dr. Odey Hardan 律师, Strategic Advisory & Government Enforcement (SAGE), Cyber, Privacy & Data Innovation

杜塞尔多夫

See my bio

D:+49 211 36 78 7 602
E: [email protected]

Practice:

Strategic Advisory & Government Enforcement (SAGE)
Cyber, Privacy & Data Innovation
Technology & Innovation

vCard

See full bio

Dr. Odey Hardan 律师

杜塞尔多夫

Prior to joining Orrick, Odey served as a research assistant to a distinguished chair focusing on European law, where he authored several academic papers. Throughout his doctoral studies, he delved deeply into the intricate realms of European, international, and data protection law.

Additionally, Odey contributed to significant legal opinions and gained practical experience by supporting the representation of the German Federal Government in pivotal cases before the Federal Constitutional Court, including the proceedings on the European Patent Convention, CETA and the EU-Singapore Free Trade Agreement.

Before starting his legal practice, he also worked as a research assistant for an international UK-headquartered law firm.

Related Areas

Markets

Germany