Skip to Content

Research

Research

Transferring research data abroad

When transferring research data abroad, you as the project manager must ensure the compliance with the relevant rules and regulations.

An example of transfer abroad is when a researcher who is collaborating with universities in other countries wishes to transfer collected personal data to one of the partner countries for further processing.

The Personal Data Act’s provisions apply. You are therefore obliged to submit an application to REC/ the Data Inspectorate, or to send a notification to NSD when this is required.

Terms marked in bold are defined in the list of definitions and abbreviations.

In addition, the following points apply:

Research data may be transferred to countries within the EU and the EEA

Personal data may also be transferred to

See The Data Inspectorate's website.

In all cases, the Personal Data Act's requirements for processing personal data must be met:

  • Consider whether the transfer is in compliance with the requirements of the Personal Data Act section 11, first subsection. There must be a legal basis, see PDA sections 8 and 9 (including for example the consent of the research participants / legal authorities). The transfer must be in accordance with defined purposes and constitute the smallest possible intervention in privacy.
  • The transfer of research data to other countries does not require sending an application/ notification, but the transfer must, however, be described in any future applications to REC/ The Data Inspectorate or in a notification to NSD concerning  the main purpose of the processing.
  • Stipulate a data processing agreement if the personal data is transferred to a data processor, or consider whether you meet the processing requirements if the data is transferred to a data controller, see The Data Inspectorate's template for the data processing agreement.
  • Conduct a risik assessment in accordance with the requirements of the Personal Data Act, sections 2-4. In this regard it may be of crucial importance whether the personal data you plan to transfer contain sensitive information or not, see guidelines about data security: What should be protected? Value and risk assessment  and The requirements of the personal data act.

Transferring research data to countries outside the EU and EEA is generally not allowed

The transfer of research data to third countries (countries outside the EU and EEA, countries that have not been approved by the European Commission, US organisations that have not joined the Privacy Shield) may nevertheless be permitted, ref. The Personal Data Act section 30:

One of the alternative legal bases must be present (section 30, first subsection)

  • An alternative legal basis must be present, such as the consent of the research participants (however this is not very suitable as a basis for transfer abroad, since the consent can be withdrawn at any time and the Data Inspectorate discourages this practice in most cases) or a legal authority, see PDA sections 8 and 9 . 
  • As a general rule, the transfer of research data to third countries on this basis requires no prior approval, but the transfer must be described in any future applications to REC / The Data Inspectorate or in any notifications to NSD concerning the main purpose of the processing.

    Or

Sufficient guarantees for the protection of the research participants' rights must be provided (section 30, second subsection)

Contact the Data Inspectorate for permission, see The Data Inspectorate's website:

  • EU standard contracts: A distinction is made for "transfer to other organisation" that will use the data for their own purposes and transfer to a data processor. The Data Inspectorate has different templates for these two cases. Upon transfer to the data processor, you are only obliged to notify the Data Inspectorate, under the assumption that no changes have been made to the contractual provisions. To notify, send a copy of the completed and signed standard contract to the Data Inspectorate. The transfer can take place when the notification has been sent.

    Binding corporate rules for transfer. Several guides have been developed for establishing such binding corporate rules. 
  • Discretionary assessment.

In all cases, the following must be done: 

When transferring personal data to countries outside the EEA, the information must be de-identified or made pseudonymous. The personal data should then appear as anonymous to the recipient. He/she should not be able to re-identify the information.

Upon transfer of personally identifiable health information to countries outside the EEA, certain requirements set by the health research act section 37 must be met.

If research data is transferred abroad in connection with the research project, you, as the project manager, must know how the data is handled after the project is completed. The final notification to the REC / NSD must include an account of what data is located abroad at the time of completion as well as a statement of who the data processor is.

The transfer of a biobank or parts of a biobank must be approved by the Ministry. The transfer must also be in accordance with the consent of the material donor, see the Act relating to biobanks section 10.

Contact