Division of Research

Europe’s GDPR and Human Subjects

The General Data Protection Regulation (GDPR) is a European law that went into effect on May 25, 2018. It establishes protections for the privacy and security of "personal data" about individuals, and applies to organizations based in the European Economic Area (EEA) as well as certain non-EEA organizations that process the personal data of individuals located there.

Definitions

EEA Countries

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Republic of Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Iceland
  • Ireland
  • Italy
  • Latvia
  • Liechtenstein
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Norway
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden

Personal Data

Under the GDPR, “personal data” refers to any information that relates to an identified or identifiable natural person (i.e., an individual, not a company or other legal entity), otherwise known as a “data subject.”

Examples of personal data include a person’s name, email address, government-issued identification or other unique identifier such as an IP address or cookie number, and personal characteristics, including photographs.

Special Categories of Personal Data

The GDPR highlights some special categories of personal data that merit a higher level of protection due to their sensitive nature and risk for greater privacy harm. This includes the following information about a data subject:

  • Health
  • Genetics
  • Race or ethnic origin
  • Biometrics for identification purposes
  • Sex life or sexual orientation
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership

GDPR and Coded Data

Importantly, the GDPR considers pseudonymized data (e.g., coded data) to be personal data, even where one lacks access to the key code or crosswalk required to link data to an individual data subject. This is inconsistent with U.S. regulations protecting human subjects and, therefore, important for researchers to understand.

GDPR and Anonymized Data

The GDPR does not apply to data that have been anonymized. Under the GDPR, in order for data to be anonymized, there can be no key code in existence to re-identify the data. For example, if Brown serves as the sponsor of a research study with a site located in the EEA and receives only coded data from the EEA site, such data from the EEA site remain personal data. This holds true even when Brown researchers have no access to the key code or crosswalk required to link data to an individual data subject.

When Does GDPR Apply?

The following research-related activities are subject to the GDPR:

  • Activities involving identifiable information, where personal data are collected from one or more research participants who are physically located in the EEA at the time of data collection (the participant does not need to be an EEA resident)
  • Activities involving the transfer of personal data collected under the GDPR from an EEA country to a non-EEA country (such as the U.S.)

Activities involving collection of identifiable personal data from individuals who are physically located within the U.S. at the time of data collection — even if the participant is an EEA citizen — are not subject to the GDPR.

How to Comply with GDPR

Collect Minimal or De-Identified Information

To ensure your research complies with the GDPR, collect only the absolute minimum personal/demographic data needed to complete the study. If your study can be completed using only de-identified data, you are strongly advised to take that approach.

Many online survey sites collect personal information, including IP addresses, by default. Ensure that you set up your study to receive only the information you are seeking. To the extent possible, verify that any third-party website or app being used for data collection is GDPR-compliant.

Plan for Data Removal

For activities in which identifiable data is collected, you must have an executable plan to remove data in the event a participant requests to have their data removed.

Follow GDPR Consent Rules

Under the GDPR, consent must be freely given, specific, informed, unambiguous and explicit. A description of the data processing and transfer activities to be performed, if applicable, must be included in the informed consent document. Make sure to follow all GDPR requirements regarding consent, many of which are consistent with standard consent processes and documentation.

Maintain Consent Records

Consent records, including time and date of consent, must be maintained for each subject. In the case of verbal, online or any other type of undocumented consent, the principal investigator (PI) is responsible for maintaining a consent log indicating each subject (either by name or study ID number) and the date and time that consent was provided.

Be Clear and Explicit

Consent information must be provided in clear and plain language in an intelligible and easily accessible format.

Consent also must be explicit. If the consent form or consent script serves multiple purposes (e.g., a consent form that is also the recruitment email), then the request for consent must be clearly distinguishable.

Allow for Withdrawal

Each subject has a right to withdraw consent at any time. Each subject must be informed of this right prior to giving consent. Withdrawal of consent must be as easy as giving consent.

Use Active Consent

Use an active (“opt-in”) informed consent. Following an informed consent description, a “Click next to proceed to the survey” button or equivalent is sufficient for “active” consent for online data collection.

Ensure Consent is Freely Given

Consent must be freely given. Consent cannot be obtained by individuals in a position of authority over the participant, nor can it be coerced. This means, for example, that faculty members or teachers cannot obtain consent from their own students.

What to Include in the Consent Form

Consent forms must contain the following information:

  • Identity of the PI
  • Purpose of data collection
  • Types of data collected, including listing of special categories noted above
  • The right to withdraw from the research and the mechanism for withdrawal
  • Who will have access to the data
  • Details about automated processing of data for decision-making about the individual, including profiling
  • Details about data security, including storage and transfer of data
  • How long data will be stored (this can be indefinite)
  • Whether and under what conditions data may be used for future research, either related or unrelated to the purpose of the current study

In the event of a data breach, notify Human Research Protection Program (HRPP) staff immediately (irb@brown.edu), so that appropriate steps can be taken by the University.