Guidance: General Data Protection Regulation (GDPR)

You are here

The GDPR is a set of regulations designed to protect the privacy rights of individuals who are located in the European Economic Area (EEA). The EEA is comprised of the following EU countries: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK. The EEA also includes Iceland, Liechtenstein and Norway.


Under the GDPR, “personal data” is defined as any information that relates to an identified or identifiable living individual who is physically located in the EEA at the time of data collection (even if the individual is NOT a resident of the EEA). Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

The GDPR also establishes “special cases” of personal data, designated as such due to the heightened risk of harm from a privacy standpoint. Special cases include information about a data subject’s health, genetics, race or ethnic origin, biometrics for identification purposes, sex life or sexual orientation, political opinions, religious or philosophical beliefs, or trade union membership. 

An individual is considered to be “identified” or “identifiable” if the individual can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Exemptions from the GDPR

If the research data being collected is fully anonymous (i.e. there does not exist any method that could be used to identify any individual participant) then this data is not considered personal data under the GDPR and is exempt from the regulations.

However, data that has been de-identified, encrypted or pseudonymized (ex. coded data) but any code or key exists that would allow an individual to be reidentified (even if the researcher does not have access to this code or key) is considered personal data under the GDPR and is subject to these regulations.

Research that does not involve the collection of personal data from individuals located outside of the EEA is also exempt from the GDPR.

Examples of Personal Data under the GDPR

Examples of personal data under the GDPR include, but are not limited to:

  • Individuals’ full legal name
  • Home address
  • Phone number
  • Individually identifying email address (ex:
  • IP address
  • ID / identification card number
  • Photograph

Privacy Rights of Individuals within the GDPR

The GDPR establishes a set of rights covering the use of personal data. These rights include:

  • Right of Access: individuals have a right to obtain a copy of all personal data collected
  • Right to Withdrawal of Consent: individuals have the right to withdraw consent for the use of personal data at any point and to have their data deleted or fully anonymized
  • Right to Prior Notification: individuals have the right to be fully informed about the current and future uses of their personal data and to provide advance consent for this use

Research Derogation

The GDPR recognizes that scientific research is a legitimate justification for the processing of personal information under the GDPR. Participants in human subjects research that is subject to the GDPR must be informed about the specific types of personal data being collected, the specific research purposes and justifcation for the collection and processing of this information, and provided a simple method to clearly indicate their consent for the research use of this personal data, as well as a simple procedure to opt out of certain parts of this research use of personal data, or any use of this personal data at all.

Researchers utilizing this exception to GDPR for the purposes of scientific research are permitted to utilize pseudonimization (e.g. keys, codes) to manipulate and store personal data of research participants, provided that this process is disclosed to research participants, and that this information is only collected and stored in a secure fashion, and only for as long as is necessary to acheive the scientific goals of the study. Such information can not be stored indefinitely; the approximate duration of time the participants personal data will be stored must be disclosed to prospective participants as part of the consent process.

Lehigh IRB and GDPR Compliance

Under the GDPR, the clear, unambiguous, and active consent on the part of research participants to the use of their personal data for the purposes of scientific research constitutes the legal basis for research institutions to collect and process personal data from research participants. Furthermore, individuals must be provided with sufficient information regarding the specific purpose(s) of the data collection and the means by which this data will be used and protected by researchers. Finally, there must be a means for individuals to exercise their rights to obtain a copy of any personal data collected by researchers or to withdraw consent for the use and maintenance of their personal data.

The Lehigh IRB has provided updated consent template language to ensure that the privacy rights of individuals protected by the GDPR are maintained. For studies involving the collection of personal data from individuals protected by the GDPR, researchers are required to implement this consent language as part of their informed consent procedures.

Please contact the Research Integrity office with any specific questions concerning the GDPR and how these regulations may affect your research design and implementation.


For more information on the GDPR, please visit the European Commission GDPR Portal.

"The EU’s General Data Protection Regulation (GDPR) in a Research Context":

GDPR Research Derogation (Chapter 9, Article 89):

GDPR Processing for Scientific Research Purposes (Recital 159):