
GDPR* and Research

*General Data Protection Regulation: IRB-related information, instructions and other resources for the FSU research community

What is the GDPR?

The General Data Protection Regulation (GDPR) is a data privacy law that took effect on May 25, 2018. The GDPR protects the privacy and security of personal data (including research data collected from or about study participants or subjects) of individuals who are located in a European Union (EU)/European Economic Area (EEA) member country. The GDPR places significant restrictions (more than researchers may generally expect in the U.S.) on the use and disclosure of an individual's personal data, and establishes responsibilities for persons or entities that process such personal data.

When organizations, including the Florida State University, offer goods or services to persons in the EEA or monitor the behavior of individuals in the EEA, such as these persons' participation in research, any use, disclosure or processing of their personal data must meet the requirements of the GDPR. Thus, an FSU study that may involve the use and disclosure of an individual's GDPR-protected data will trigger additional IRB-related requirements that must be satisfied as a condition of FSU IRB approval. Both study teams and FSU may face significant fines and penalties for GDPR violations. Knowing when your human research is subject to GDPR requirements, discharging the related responsibilities, and obtaining FSU IRB review and approval may help to ensure compliance with the GDPR. Check out the panels below for more information.

The General Data Protection Regulation (“GDPR”) is a comprehensive law intended to protect the privacy of personal data that is collected from or about individuals who are located in the European Union (EU)/European Economic Area (EEA). Organizations, regardless of where located, such as FSU, which offer goods or services to persons in the EU/EEA or that monitor the behavior of individuals in the EU/EEA, and which process any of these individuals' personal data, are required to comply with the GDPR. The offer of goods or services, or the monitoring of the behavior of individuals, includes FSU research activities that may involve the use, disclosure or sharing of such personal data.

Under the GDPR, “personal data” refers to any information that can identify or be used to identify individuals located in the EU/EEA; such an individual is otherwise known as a "data subject." A "data subject" means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The law affords individuals about whom personal data are collected with certain rights relating to the processing of their data. “Processing” broadly refers to any use or disclosure of personal data, including collecting, accessing, storing, combining and even deleting personal data. These individuals have additional rights with regard to the use and disclosure of their sensitive data, such as racial, ethnic, or health-related data. Among other requirements, GDPR requires that data subjects, including research subjects, be provided with notice and informed about the processing of their personal data. Other uses of personal data in the research context, such as the use of more sensitive data, the transfer of personal data to the United States, and the use of personal data to make decisions that could significantly affect a data subject (e.g., enrolling a data subject in a placebo, control or intervention arm of a study), require data subjects' specific consent to this particular use of personal data.

Additional information and instructions about notice and consent required by the GDPR are provided below.

GDPR may apply to an FSU study when the study is processing the personal data of an individual located in the EU/EEA, and the study is:

  • Established within the EU/EEA;
  • Established outside of the EEA (e.g., established at FSU), but offering goods or services to, or monitoring the behavior of, individuals located in the EU/EEA, such as recruiting EU/EEA subjects, tracking EU/EEA individuals on websites (regardless of where a website is hosted), or conducting research activities with EU/EEA subjects; or,
  • Transferring personal data from the EU/EEA to any location outside of the EU/EEA (e.g., transferring personal data to FSU; sharing personal data with other persons or organizations, including researchers, outside of the EU/EEA) (see the Transferring Personal Data to the U.S. panel below for additional information)

Examples of studies in which the GDPR may apply to an FSU study:

    • Human research conducted on location in any EU/EEA member country;
    • Remote or virtual interviews or focus groups involving EU/EEA residents;
    • Secondary research use of previously collected personal data about EU/EEA residents; and,
    • Web-based recruitment or surveys that target or enroll EU/EEA residents within or outside of the EU/EEA.

If the GDPR applies to your study, refer to the other panels below for additional information. Note that our HRP-503 and HRP-503a (SBER) protocol templates that you will submit for FSU IRB review include GDPR-related instructions.

An FSU study that is not established in the EEA and does not involve any use, disclosure or processing of EU/EEA personal data would generally not be subject to the GDPR.

Definitions for Key GDPR Terms

The following terms that may or may not apply to FSU human research have specific legal meanings under the GDPR. Slight edits to some definitions have been made to render in third person or tailor to FSU. A more comprehensive list of definitions is available. 

  1. Personal data. The term ‘personal data’ means any information concerning or relating to a living person who is either identified or identifiable (such a person is referred to as a ‘data subject’). An individual could be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (such as an IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
  2. Processing. The term “processing” refers to any operation or set of operations performed on personal data. Processing includes storing, collecting, retrieving, using, combining, erasing and destroying personal data, and can involve automated or manual operations.
  3. Data Protection Commission. The “Data Protection Commission” was established by the Data Protection Acts 1988 to 2018 ('the Data Protection Acts'). Under the GDPR and the Data Protection Acts, the Commission is responsible for monitoring the application of the GDPR in order to protect the rights and freedoms of individuals in relation to processing. The tasks of the Commission include promoting public awareness and understanding of the risks, rules, safeguards and rights in relation to processing; handling complaints lodged by data subjects; and cooperating with (which includes sharing information with) other data protection authorities in other EU member states.
  4. Data Controller. A “data controller” refers to a person, company, or other body which decides the purposes and methods of processing personal data. FSU and the study Principal Investigator or a study sponsor may be deemed a data controller.
  5. Data Processor. A “data processor” refers to a person, company, or other body which processes personal data on behalf of a data controller. The study Principal Investigator, study team member, sponsor agent or designated third party may be deemed a data processor.
  6. Consent. Some types of processing are carried out on the basis that a data subject (FSU study subject or participant) has provided consent. Under the GDPR, consent to processing must be freely given, specific, and informed. A data subject cannot be forced to provide consent, must be told what purpose(s) their data will be used for, and must demonstrate their consent through a ‘statement or as a clear affirmative action’ (e.g., ticking a box). Consent is not the only lawful basis on which personal data can be processed. Article 6 of the GDPR sets out the complete list of lawful reasons for processing personal data as:
    • Consent.
    • To carry out a contract.
    • In order for an organization to meet a legal obligation.
    • Where processing the personal data is necessary to protect the vital interests of a person.
    • Where processing the personal data is necessary for the performance of a task carried out in the public interest.
    • In the legitimate interests of a company/organization (except where those interests contradict or harm the interests or rights and freedoms of the individual).*

*It is important to note that Article 6(1)(f) provides that the "legitimate interests" reason is not available to public authorities where the processing is being conducted in the exercise of their functions.

  7. Profiling. Profiling is any kind of automated processing of personal data that involves analyzing or predicting a data subject's behavior, habits or interests.
  8. Special categories of personal data. Certain types of sensitive personal data are subject to additional protection under the GDPR. These are listed under Article 9 of the GDPR as “special categories” of personal data. The special categories are:
    • Personal data revealing racial or ethnic origin.
    • Political opinions.
    • Religious or philosophical beliefs.
    • Trade union membership.
    • Genetic data and biometric data processed for the purpose of uniquely identifying a natural person.
    • Data concerning health.
    • Data concerning a natural person’s sex life or sexual orientation.
    Processing of these special categories is prohibited, except in limited circumstances set out in Article 9 of the GDPR.
  9. Data Protection Officer (DPO). The GDPR requires data controllers and data processors to appoint a Data Protection Officer (DPO) in certain circumstances. A data controller can also voluntarily decide to appoint a DPO.

The GDPR requires that prospective and enrolled study participants be provided with an informational notice before their personal data is collected. The notice must disclose what personal information will be collected, the purposes for which it will be used, whom it will be shared with, and how long it will be retained, as well as information about an individual’s rights under the GDPR and how to exercise them. These requirements may be met by supplementing other consent-related information that will otherwise be provided to individuals.

Additionally, the GDPR requires that researchers obtain consent before certain specific uses of study participants' personal data, and before transferring study participants' personal information out of the EU/EEA to the US or to another non-EU/EEA country. If personal information will be transferred out of the EU/EEA, your study will be required to have a separate justification for that transfer. The US and most non-EEA countries do not meet the GDPR’s privacy requirements to be exempted from this requirement.

Click on the Notice and Consent panels below to learn more.

Notice Requirements

When Personal Data of an individual located in the EU/EEA is used or disclosed for research purposes, GDPR requires that individuals be informed, via a notice, of the following information:

  • The specific types of Personal Data collected and processed;
  • The reasons, or purposes, for using the individual’s Personal Data (i.e., using the Personal Data in order to conduct the research study);
  • The expected duration for retaining Personal Data;
  • The types of entities or individuals who will have access to or receive the Personal Data;
  • A description of the individual’s rights under GDPR (which should also include language that informs the Data Subject that their Personal Data will be protected under GDPR and how withdrawal of their consent to participate in the study will affect FSU (i.e., the study team’s) subsequent use of their Personal Data);
  • Notice that his or her Personal Data will be available in the United States (or other countries outside the EU/EEA), and a description of how FSU will protect the personal data;
  • If Personal Data is being used to make decisions about the person or to create a profile, relevant information (this is discussed in more detail below); and
  • Contact information for the study team and the IRB (as well as the local privacy officer, as applicable).

This information must be provided to Data Subjects located in the EU/EEA in any research study that involves collecting or using their Personal Data.

If the Personal Data of an individual located in the EU/EEA is used in research, where the Personal Data is provided to FSU by a third party, individuals also must be informed of:

  • The source of the data; and
  • A description of the categories of personal data.

Our HRP-502EEA - TEMPLATE - EEA NOTICE AND CONSENT form provides the key language that must be used under the above circumstances. This template is accessible in RAMP IRB, under the IRB, Library and Templates tabs.

Below is a curated list of rights to which study participants (data subjects) are entitled under the GDPR. The FSU Principal Investigator and other members of the FSU study team are responsible for handling study participants' requests and answering their questions about the use of their data. There are exceptions to granting these rights that are not listed here; a more comprehensive list of these rights is available.

Rights:

  1. Notice – Right of subjects to be given information about FSU (including the study team) identity, the purposes and lawful bases of using, disclosing and processing subjects' data, recipients of study data, etc.
  2. Access – Right of subjects to obtain confirmation about whether their personal data are being used, disclosed or processed, and if so, obtain copies of their personal data.
  3. Rectification – Right of subjects to correct inaccurate or incomplete personal data about them.
  4. Erasure – Right to request that their personal data be erased.
  5. Data Portability – If use, disclosure or processing of a subject's study data is based upon consent, agreement or a contract with the subject, and is automated, subjects have a right to receive the personal data that they shared with FSU in a commonly-used and machine-readable format, and to transfer it to another.
  6. Objection/Withdrawal of Consent – Right to object when personal data is used, disclosed or processed for research. The processing/research of that data must generally cease.
  7. Restriction - Right to restrict certain FSU use, disclosure or processing activities involving their study data.

The GDPR requires that FSU researchers have a lawful basis and need to transfer a study subject's personal data from the EU/EEA to the U.S. Lawful bases may include, but are not limited to the following:

  • Standard contract clauses approved by the European Commission
    • May apply when FSU or the study team is not itself collecting study subjects' personal data (e.g., secondary use of previously collected personal data); please confer with the Office of Research legal counsel to ensure that these clauses are GDPR-compliant
  • Explicit, specific consent from the study subject for the transfer of their personal data to the U.S.
    • Applies when FSU or the study team is using, collecting or processing study subjects' personal data (e.g., collecting personal data directly from a study subject)

As earlier mentioned, FSU researchers must obtain the explicit consent of the study subject when they may collect study subjects' personal data and intend to transfer the data to the United States, such as to an FSU site or a study team colleague at another site outside the EU/EEA. Also under these circumstances, study subjects must be informed that the United States does not protect their personal data in the same manner as the data may be protected in the EU/EEA. 

Our HRP-502EEA - TEMPLATE - EEA NOTICE AND CONSENT form provides the key language that must be used under the above circumstances. This template is accessible in RAMP IRB, under the IRB, Library and Templates tabs.

FSU Resources

  • To report a breach or unauthorized disclosure or use of GDPR data, contact the FSU Information Technology Services office immediately by phone at 850-644-4357 or the FSU ITS Service Center. Also report the incident to the FSU IRB; refer to our reporting instructions under our Specific FAQ #7.
  • Questions about the GDPR, other than in connection with research, may be submitted to m.sechrist@fsu.edu or research-compliance@fsu.edu.
  • Contact the FSU Research Computing Center for assistance, resources and information about data management planning, data storage, funding agency requirements, data curation tools, and options for sharing, licensing or publishing data sets.
  • The FSU Libraries provide a wide range of Research Data Management guidance, including guidance for planning and creating data management plans as well as suggested best practices, a list of data repositories, agencies'/sponsors' data sharing requirements, and sample data management plans. Researchers planning NIH funding applications are strongly advised to access these resources and to contact the FSU Libraries Research Data Management Librarian for further information and additional resources or support.

General Resources:

  • New to the GDPR? Familiarize yourself with basic GDPR concepts and terminology: check out the full text of the GDPR: https://gdpr-info.eu/
  • The European Data Protection Board website: https://edpb.europa.eu/
  • The U.S. Department of Health and Human Services (DHHS) Office for Human Research Protections (OHRP) provides a compilation of GDPR Guidances; go to the OHRP GDPR web page for information
  • A “Compilation of Guidances on the EU GDPR” posted by the United States Office for Human Research Protections (OHRP) listing, by country, the data protection authorities of all EU/EEA countries that fall under the GDPR.

Need to contact OHSP or IRB? Click on the panel below.

Office for Human Subjects Protection (OHSP)
2010 Levy Avenue, Bldg. B Suite 276 (FSU Innovation Park Campus)
Tallahassee FL, 32306-2742 (mailing) or 32310 (physical or courier)
Telephone: (850) 644-7900 (automated call answering with voice menu system allowing callers to be routed quickly and efficiently to needed points of contact)
Facsimile: (850) 644-4392
Email: humansubjects@fsu.edu