General Data Protection Regulation (GDPR) in Human Subjects Research

What is GDPR?

The General Data Protection Regulation (GDPR) is a European data privacy law that took effect on May 25, 2018. GDPR protects the personal data of people located in the European Economic Area (EEA).

EEA locations:

  • The European Union (EU) consists of 27 countries:
    • Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.
  • EEA - the EU countries plus Iceland, Liechtenstein and Norway.
  • Similar protections apply to the United Kingdom.
  • For a full list of territories within the European Economic Area, please see here.

GDPR Terms:

  • “Process” is any use of data (collection, storage, transmission, analysis, etc.).
  • “Personal data” is any information that can identify a person.
  • “Special categories of data”
    • Health data, biometric data, genetic data, data about sex life or sexual orientation, race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership.
  • “Data Controller” - Decides how and why the data is collected. The owner(s) of the data.
    • In clinical research, the sponsor is a controller if they design the study protocol, which determines how and why the data is collected.
  • “Data Processor” - Collects or does anything with the data on behalf of the controller.

When Does GDPR Apply to a UCSF Study?

GDPR may apply to a UCSF study when the study is processing personal data and the study is:

  • Established within the EEA; or
  • Outside of the EEA, but offering goods or services to, or monitoring the behavior of, people in the EEA; or
    • e.g., targeting or recruiting EEA subjects, tracking EEA people on websites, research on EEA subjects, etc.
  • Transferring personal data from the EEA to outside of the EEA.
    • e.g., the study is receiving data from a site collecting data from individuals in the EEA.

Examples – When GDPR Does Not Apply to the Study:

  • In a multi-site clinical study where UCSF is only enrolling subjects in the United States or other non-EEA countries, and is not receiving or processing data from the EEA sites.
  • The study is not established in the EEA and does not involve any EEA subject data.

When GDPR May Apply to the Study:

  • Telemedicine studies with EEA residents
  • Clinical research conducted on-site in the EEA
  • Research on data from EEA sites in a multi-site clinical study
  • Web-based surveys, e.g., survey studies that target subjects globally or in the EEA

How do UCSF Studies Comply with GDPR?

Data Controller and Processor Obligations

It is important to understand the UCSF PI/study’s role in designing and controlling the collection and use of the EEA data because responsibilities differ between the data processor and controller. The data controller has more GDPR obligations than the processor.

The data processor is responsible for:

  • Only processing the data at the controller’s direction/instruction.
  • Implementing technical and organizational safeguards to protect the security of the data, such as limiting the processing to the data needed, retaining it for the shortest time needed, limiting access, coding (pseudonymizing) it, encrypting it, etc.
  • Notifying the controller of a breach without undue delay, as defined by the contract.

The data controller is responsible for:

  • Implementing technical and organizational safeguards to protect the security of the data, described above.
  • Meeting GDPR’s Data Processing and Consent Requirements (see sections below).
    • Please use the GDPR Consent Form Addendum template and Website Privacy Policy Notice if applicable.
  • Ensuring that its processors can comply with GDPR.
  • Ensuring that data subjects can exercise GDPR rights (see section below).
  • Meeting breach notice requirements.

Data Processing Requirements

To process personal data of people in the EEA, the data must be:

1) Collected for specific, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes;

  • This refers to the specific research purpose of the study.

2) Lawful, fair, and transparent to the subject;

  • There must be a lawful basis for each purpose identified in #1.

3) Adequate, relevant, and limited to what’s needed for the purpose of the processing;

4) Accurate and where needed, kept up to date;

5) Kept in a form allowing identification no longer than needed for the processing purposes; and

6) Secure.

Consent Requirements

Please use the GDPR Consent Form Addendum template to ensure that the following consent requirements are met.

GDPR requires that any processing of personal data be done pursuant to a “lawful basis.” The subject’s consent is one of the bases. Under GDPR, consent must be a freely given, specific, informed, unambiguous indication by a statement/clear affirmative action that the subject consented to the processing of their personal data for a specific purpose.

Explicit consent may be required in certain circumstances:

GDPR Consent Form Checklist:

In accordance with UC policy, study teams must ensure that the Informed Consent Document addresses all of the following:

  1. The specific types of Personal Data collected and processed;
  2. The reasons, or purposes, for using the individual’s Personal Data (i.e., using the Personal Data in order to conduct the research study);
  3. The expected duration for retaining Personal Data;
  4. The types of entities or individuals who will have access to or receive the Personal Data;
  5. A description of the individual’s rights under GDPR (which should also include language that informs the Data Subject that their Personal Data will be protected under GDPR and how withdrawal of their consent to participate in the study will affect UC’s subsequent use of their Personal Data);
  6. Notice that Personal Data will be available in the United States (or other countries outside the EEA), and a description of how UC will protect the personal data;
  7. If Personal Data is being used to make decisions about the person or to create a profile, relevant information; and
  8. Contact information for UC and the local privacy officer.

Please use the GDPR Consent Form Addendum template to ensure that these consent requirements are met.

Secondary Research Requirements:

The data controller of the initial dataset is responsible for meeting secondary research requirements.

If the UCSF Study is the Data Controller for the Initial Dataset:

The GDPR Consent Form Addendum template includes language for secondary research.

Data Transfer Requirements (From the EEA to UCSF):

A lawful basis is needed to transfer personal data from the EEA to the U.S., including but not limited to:

  • Standard contract clauses approved by the European Commission; or
  • Explicit consent from the subject for the transfer after being informed that the European Commission has not deemed the U.S. able to ensure adequate protection for personal data.

Subject's Rights

GDPR gives fundamental rights to the subject that the controller must generally provide.

If the UCSF PI/Study is the Controller:

  • The PI/study is responsible for handling GDPR subjects’ requests and answering questions about the use of the data. There are exceptions to granting these rights that are not listed here.

  • Notice – Right of subjects to be given information about the controller’s identity, purposes and lawful bases of processing, recipients of the data, etc.  
  • Access – Right of subjects to obtain confirmation of whether their personal data is being processed, and if so, obtain copies of their personal data.
  • Rectification – Right of subjects to correct inaccurate or incomplete personal data about them.
  • Erasure – Right to request that their personal data be erased.
  • Data Portability – If processing is based on consent or a contract with the subject, and is automated, subjects have a right to receive the personal data that they shared with the controller in a commonly-used and machine-readable format, and to transfer it to another controller.
  • Objection/Withdrawal of Consent – Right to object when personal data is processed for research. The processing/research of that data must generally cease.
  • Restriction – Right to restrict certain processing activities of the controller for their data.

For GDPR Templates and IRB-Related Questions

  • For questions about informed consent requirements, please contact the IRB.
  • For questions about GDPR, please contact the Privacy office at [email protected]

Last updated: September 27, 2023