The Health Research Authority website uses essential cookies

This site uses session cookies and persistent cookies to improve the content and structure of the site.

By clicking “Accept All Cookies”, you agree to the storing of cookies on this device to enhance site navigation and content, analyse site usage, and assist in our marketing efforts.

By clicking 'See cookie policy' you can review and change your cookie preferences and enable the ones you agree to.

By dismissing this banner, you are rejecting all cookies and therefore we will not store any cookies on this device.

See cookie policy

Still got questions?

Last updated on 24 May 2018
We have produced a series of questions and answers outlining commonly occurring GDPR queries and how we would advise researchers to proceed. 

Do processors have a responsibility to check whether controllers are GDPR compliant?

No. The responsibility flows the other way. Data controllers must ensure that data processors are compliant with the GDPR. Processors are responsible for ensuring their own legal compliance and that of sub-processors. 

When can data be transferred to a country outside of the EEA or to an international organisation?

Data can be transferred to a country outside of the EEA (known as third country) or to an international organisation without specific authorisation, provided it has been assessed by the European Commission as having an adequate level of protection (referred to as an adequacy decision). 

So far, the Commission has recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as adequate. Adequacy talks are ongoing with Japan and South Korea. 

For more on adequacy decisions see the European Commission website.

Data can still be transferred to a country outside of the EEA or to an international organisation where there is no adequacy decision, if the data controller or processor has appropriate safeguards and enforceable data subject rights, and effective legal remedies are available. 

Data can still be transferred to a country outside of the EEA or to an international organisation where there is no adequacy decision, appropriate safeguards or binding corporate rules, under specific conditions. In the context of health and care research, the relevant condition is explicit consent from the data subject.

Anonymised data does not count as data under the GDPR so can be transferred outside of the UK without being subject to any of the requirements here.

Does ‘scientific research’ in the GDPR include social care research?

It could be argued that ‘scientific research’ does not include research into social care research. However, we believe that the drafting of the GDPR suggests that ‘scientific research’ includes social care research. 

The regulation states that the processing of personal data for scientific research purposes should be interpreted in a broad manner including, for example, technological development and demonstration, fundamental research, applied research and privately funded research. It also states that scientific research purposes include studies conducted in the area of public health. The fact that these are given as examples shows this list is not exhaustive. 

The regulation also discusses research using registries: 

  • within social science, research on the basis of registries enables researchers to obtain essential knowledge about the long-term correlation of a number of social conditions such as unemployment and education with other life conditions.
  • research results obtained through registries provide solid, high-quality knowledge which can provide the basis for the formulation and implementation of knowledge-based policy, improve the quality of life for a number of people and improve the efficiency of social services.

This demonstrates that social research is within the remit of research in the GDPR and social care research is therefore subject to the same requirements as medical research.

Can there be joint controllers?

The GDPR provides for joint controllers where two or more controllers jointly determine the purposes and means of processing. The same responsibilities apply but they have room to make agreements regarding who will be responsible for complying with obligations under the regulation. Joint controllers must do this in a manner which is transparent and respects data subjects’ rights. 

In the health and care research context it is expected that the sponsor will be a controller. In some cases, another organisation will be delegated significant decision-making responsibilities in relation to the data, for example where a clinical trial unit hosted by one organisation is responsible for designing a study and analysing the data for a separate sponsor. In such cases, a joint controller arrangement may be appropriate.

Does the GDPR mean that every contract needs to be varied?

We do not yet have clarity about whether the GDPR means that all contracts in a research setting need to be varied. We are awaiting guidance about standard contract clauses from the Information Commissioner’s Office. 

For their current position on standard contractual clauses, please refer to the ICO website.


Previous page:

Support from your institution 

Back to gdpr guidance
© Copyright HRA 2024
Site by Big Blue Door