Geography

Also, the geographical delineation of your study has consequences for the measures you have to take. Not only the countries that are involved in the study, but for instance also the countries where servers are located storing the data of your study. The privacy expert in your organisation can tell you the exact measures based on your situation.


Three scenarios

Broadly, three scenarios can be distinguished regarding geography:

1. Within the institution. You are conducting the research in the actual institution. Any data will only be available to employees of this institution. This scenario requires the least drastic measures.

2. Within the EU. You are conducting the study in collaboration with organisations in the EU, which may be both public and private organisations. In this scenario you will have to make arrangements about access to data and coordination will be required regarding the technologies to be used for data storage and analysis among others.

3. Outside the EU. This scenario entails the most drastic measures. You are collaborating with organisations outside the EU, where other agreements regarding the handling of personal data apply. This collaboration is also very well possible within the GDPR, but requires contractual agreements about data handling in every research phase.

Actions

The specification of the measures you have to take in your study based on the scenario that is relevant to you is comparable with the steps in the ‘collaboration scenarios’. By performing a DPIA you will get insight in the measures to be taken.