New DSK Guidelines Aim to Set the Standard for International Research Collaborations

The German data protection supervisory authorities have released their take on international data transfers in medical research. With its guidelines published in September 2025, the Data Protection Conference (DSK) specifies the requirements of the GDPR for cross-border data transfers for research purposes. The guidelines are primarily intended for research institutions, university hospitals, contract research organizations (CROs), and sponsors of clinical trials, but their relevance may extend across Europe to stakeholders engaged in research activities.

The publication represents a noteworthy reference point in a landscape where international collaboration and the use of medical data are increasingly central to scientific advancement. The DSK attempts to strike a balance between freedom of research and data protection law – with a clearly structured, practice-oriented regulatory framework.

Legal Basis and Broad Consent

The guidelines focus on the question of the legal basis on which personal health data may be processed in the context of research projects. The DSK emphasizes that processing must comply with both Article 6 GDPR and one of the conditions set out in Article 9(2) GDPR. The consent of the data subject – referred to as broad consent – is relevant in this context.

In contrast to their previous positions, the supervisory authorities now explicitly recognize the admissibility of broad consent for scientific research, provided that appropriate safeguards are in place. Broad consent allows data to be used for future research purposes that are not yet fully defined at the time of data collection. However, the DSK clarifies that this leeway is conditional upon adherence to the principle of data minimization and the implementation of suitable organizational and technical measures.

Effective pseudonymization or double coding, robust management of consent and revocation, narrowly defined retention periods, and early involvement of data protection officers and ethics committees are required. Even where a data protection impact assessment is not strictly required, the DSK recommends conducting one regularly as a means of risk assessment and documentation. This approach aims to integrate legal compliance with a broader commitment to responsible research governance.

Transfers to Third Countries

The second focus concerns the transfer of personal research data to recipients outside the European Economic Area (EEA). Here, the DSK strictly follows the well-known cascade from Chapter V of the GDPR, but at the same time formulates specifications for research scenarios.

As a first step, it must be determined whether a valid adequacy decision by the European Commission exists for the destination country. The DSK requires that its continued validity be regularly reviewed and documented, especially in cases where political or legal developments might affect the stability of the level of data protection. In the absence of such a decision, appropriate safeguards within the meaning of Article 46 GDPR are required, typically standard contractual clauses or binding corporate rules. These safeguards must be backed up by additional technical or organizational measures to ensure a level of protection that is essentially equivalent.

The authorities emphasize the obligation to analyze the actual access possibilities of government agencies in the recipient country and to evaluate the existing legal remedies for data subjects as part of a transfer impact assessment (TIA). A data transfer may only proceed if the outcome of this assessment demonstrates that an equivalent level of protection can be maintained.

Notably, alongside the established transfer mechanisms, the DSK also acknowledges the possible parallel use of consent. Even where an adequacy decision exists, it may be advisable to obtain the express consent of the data subject – provided that the individual is informed transparently about the purpose and legal framework of the transfer. The DSK interprets this opening as an additional transparency measure, not as a substitute for, but as a supplement to the guarantees under Chapter V. Nevertheless, the DSK clarifies that if consent is revoked, future transfers are not permitted, even if another basis for transfer theoretically continues to exist.

Finally, the DSK reaffirms that exceptions under Article 49 GDPR – such as transfers based on individual consent or for important reasons of public interest – are only permissible on a restrictive basis and in individual cases. Generally, blanket consents obtained in advance are not sufficient for this purpose. In doing so, the authorities emphasize the case-by-case nature of the exception and take a clear stance against blanket or general transfer clauses.

Focus on Transparency Obligations

The DSK devotes a significant part of its guidelines to the information obligations under Articles 13 and 14 GDPR, which are sometimes underestimated in practice. Research institutions are required to provide data subjects with comprehensive information about the nature and scope of data transfers. This includes information about the recipient country, any onward transfers to other third countries, the applicable legal basis (adequacy decision, safeguards, or exception), and the risks that may arise from a lack of an equivalent level of protection.

If appropriate safeguards are used in accordance with Article 46 GDPR, it must also be explained how data subjects can obtain copies of the relevant safeguards. In the case of exceptions under Article 49 GDPR, it must be expressly stated that the country in question does not have a level of data protection that meets EU standards. In cases where explicit consent is obtained, the DSK requires clear and specific information about the possible risks – such as unlimited government access or the lack of enforceable rights for data subjects.

These provisions seek not only to enhance transparency but also to increase the requirements for documentation and communication quality. Data protection information in the research sector thus becomes a central governance tool that must meet both regulatory and ethical standards.

Significance for Research Institutions and Life Sciences Companies

For sponsors, CROs, and university research institutions, the new guidelines may provide greater legal certainty: for the first time, the DSK appears to have established an interpretation scheme that applies GDPR requirements to the research sector without losing sight of the special features of clinical and academic research.

The guidelines signal an expectation that existing consent procedures, data protection frameworks, and data transfer mechanisms will be reviewed and harmonized. Multicenter studies, international data pools, and research networks may wish to adapt their mechanisms for pseudonymization, consent management, and data storage to the new standard. Stakeholders may also consider systematically reviewing existing standard contractual clauses and TIAs in light of the DSK criteria.

From a compliance perspective, the interlinking of data protection, ethics, and governance is becoming increasingly noteworthy. The involvement of the data protection officer at an early stage of study planning, coordination with ethics committees, and ongoing documentation of data flows may in the future be understood not only as best practice but also as a regulatory expectation.

Outlook

The DSK guidelines set a high but practical standard for international research involving personal data. They aim to provide greater legal certainty for collaborations that extend beyond EU borders and provide a basis for institutional data protection concepts in the life sciences.

Companies and research institutions may want to review their existing processes in a timely manner. Those that proactively align their consent and transfer mechanisms, clearly document pseudonymized data flows, and rigorously fulfill information obligations may strengthen not only their own compliance but also the trust of test subjects, partners, and supervisory authorities.