Research data and GDPR

What is GDPR?

The General Data Protection Regulation (GDPR) is an EU regulation that governs all processing of personal data within the EU/EEA. Its purpose is to protect individuals’ fundamental rights and freedoms – particularly their right to privacy – and to ensure a consistent level of data protection across all EU/EEA countries. The regulation came into force in 2018. 

Although GDPR applies uniformly across the EU/EEA, it also allows individual countries to introduce additional rules through national legislation. As a result, data protection rules and practices can vary between European countries, which is important to consider in international research collaborations.

One example is the processing of sensitive personal data for research purposes. GDPR requires that “appropriate safeguards” are in place under national law for processing such data, but does not specify what those safeguards should be. In Sweden, a key safeguard is the requirement for approval from the Swedish Ethical Review Authority (Etikprövningsmyndigheten) before processing sensitive personal data for research. This is mandated by Swedish law, but other countries may require different safeguards.


When does GDPR apply?

GDPR applies whenever personal data are processed within the EU/EEA, regardless of where the data originate.  

In research, data processing is considered to occur within the organization carrying out the processing. It does not matter where the data were collected – for example, they may have been collected in another country. Similarly, your physical location while you work with the data does not affect whether GDPR applies; the relevant factor is that the processing is carried out by an organization established in the EU/EEA.