Learn how GA4GH helps expand responsible genomic data use to benefit human health.
Learn how GA4GH helps expand responsible genomic data use to benefit human health.
Our Strategic Road Map defines strategies, standards, and policy frameworks to support responsible global use of genomic and related health data.
Discover how a meeting of 50 leaders in genomics and medicine led to an alliance uniting more than 5,000 individuals and organisations to benefit human health.
GA4GH Inc. is a not-for-profit organisation that supports the global GA4GH community.
To guide our collaborative, globe-spanning alliance, GA4GH relies on a Standards Steering Committee and an Executive Committee.
The Funders Forum brings together organisations that offer both financial support and strategic guidance.
The EDI Advisory Group responds to issues raised in the GA4GH community, finding equitable, inclusive ways to build products that benefit diverse groups.
Distributed across four Host Institutions, our staff team supports the mission and operations of GA4GH.
Curious who we are? Meet the people and organisations across six continents who make up GA4GH.
More than 500 organisations connected to genomics — in healthcare, research, patient advocacy, industry, and beyond — have signed onto the mission and vision of GA4GH as Organisational Members.
These core Organisational Members are genomic data initiatives that have committed resources to guide GA4GH work and pilot our products.
This subset of Organisational Members whose networks or infrastructure align with GA4GH priorities has made a long-term commitment to engaging with our community.
Local and national organisations assign experts to spend at least 30% of their time building GA4GH products.
Anyone working in genomics and related fields is invited to participate in our inclusive community by creating and using new products.
Wondering what GA4GH does? Learn how we find and overcome challenges to expanding responsible genomic data use for the benefit of human health.
Study Groups define needs. Participants survey the landscape of the genomics and health community and determine whether GA4GH can help.
Work Streams create products. Community members join together to develop technical standards, policy frameworks, and policy tools that overcome hurdles to international genomic data use.
GIF solves problems. Organisations in the forum pilot GA4GH products in real-world situations. Along the way, they troubleshoot products, suggest updates, and flag additional needs.
NIF finds challenges and opportunities in genomics at a global scale. National programmes meet to share best practices, avoid incompatabilities, and help translate genomics into benefits for human health.
Communities of Interest find challenges and opportunities in areas such as rare disease, cancer, and infectious disease. Participants pinpoint real-world problems that would benefit from broad data use.
See all our products — always free and open-source. Do you work on cloud genomics, data discovery, user access, data security or regulatory policy and ethics? Need to represent genomic, phenotypic, or clinical data? We’ve got a solution for you.
All GA4GH standards, frameworks, and tools follow the Product Development and Approval Process before being officially adopted.
Learn how other organisations have implemented GA4GH products to solve real-world problems.
Help us transform the future of genomic data use! See how GA4GH can benefit you — whether you’re using our products, writing our standards, subscribing to a newsletter, or more.
Help create new global standards and frameworks for responsible genomic data use.
Align your organisation with the GA4GH mission and vision.
Solve your real-world data problems with support from this valuable network of global institutions.
Work with like-minded groups committed to better data use in areas like rare disease, cancer, and infectious disease.
Share your thoughts on all GA4GH products currently open for public comment.
Solve real problems by aligning your organisation with the world’s genomics standards. We offer software dvelopers both customisable and out-of-the-box solutions to help you get started.
Learn more about upcoming GA4GH events. See reports and recordings from our past events.
Speak directly to the global genomics and health community while supporting GA4GH strategy.
Be the first to hear about the latest GA4GH products, upcoming meetings, new initiatives, and more.
Questions? We would love to hear from you.
Read news, stories, and insights from the forefront of genomic and clinical data use.
Attend an upcoming GA4GH event, or view meeting reports from past events.
See new projects, updates, and calls for support from the Work Streams.
Read academic papers coauthored by GA4GH contributors.
Listen to our podcast OmicsXchange, featuring discussions from leaders in the world of genomics, health, and data sharing.
Check out our videos, then subscribe to our YouTube channel for more content.
View the latest GA4GH updates, Genomics and Health News, Implementation Notes, GDPR Briefs, and more.
Discover all things GA4GH: explore our news, events, videos, podcasts, announcements, publications, and newsletters.
6 May 2019
Data controllers that plan to transfer personal data to a non-EU/EEA country or international organization (including for onward transfers of personal data from the third country or an international organization to another third country or to another international organization) must be mindful of the GDPR’s strict provisions on international data transfers.
Data controllers that plan to transfer personal data to a non-EU/EEA country or international organization (including for onward transfers of personal data from the third country or an international organization to another third country or to another international organization) must be mindful of the GDPR’s strict provisions on international data transfers. There are four avenues for lawful international data transfers under the GDPR:
We only focus on avenues that may be most suitable in the genomic research context. A controller must satisfy a two-stage permissibility test before an international transfer may proceed: first, a controller must have a lawful basis for processing personal data; second, the international transfer must adhere to at least one of the lawful avenues listed above. No matter the avenue, a controller must inform data subjects, when a privacy notice is provided, that the controller intends to transfer these personal data internationally, and must specify the legal basis upon which the transfer will be made.
The best scenario is where data can be transferred internationally to a recipient country whose relevant legal framework has been assessed by the European Commission as having an “adequate level of protection.” However, to date, the Commission has recognized as adequate only a small handful of countries.
In the absence of an adequacy decision, data can still be transferred internationally if the data controller or processor has appropriate safeguards, and that enforceable data subject rights and effective legal remedies are available. Adequate safeguards may be provided for by, inter alia, contractual clauses between the sender and recipient that are authorized by the competent data protection authority. However, these clauses may be difficult to negotiate or receive authorization.
Adequate safeguards also may be provided for by European Commission-approved standard contractual clauses; this may be a suitable option for investigators transferring data to their sponsors, though a less suitable option for transfers to public authorities out of concerns regarding compliance with, among other things, indemnification and jurisdiction clauses. These clauses do not require additional European Commission authorization and cannot be negotiated. The constraints are that they can only be used where there is an EU/EEA-based controller-exporter, so cannot be used by EU/EEA-based data processors (e.g. contract research organizations).
Codes of conduct constitute another possible safeguard. However, to date, the European Data Protection Board (EDPB) has not approved any code following the process laid down in Article 40.
Another avenue is derogations for specific situations, although the EDPB has made clear that these derogations are exemptions to the general rule and must be interpreted restrictively. One possible derogation is obtaining explicit consent from the data subject to the proposed international transfer. However, explicit consent is not always feasible in large-scale genomic research projects. Among other issues, consent will only be valid after data controllers have informed the data subject of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards. Also, consent must be revocable; therefore, data controllers must be able not to transfer the data if consent is revoked.
Finally, where a transfer cannot be based on an adequacy decision or appropriate safeguards, and none of the specific derogations referred to in Article 49 are applicable, a non-repetitive transfer, concerning only a limited number of data subjects, may take place, subject to a number of conditions. The GDPR specifically mentions that: “For scientific […] research purposes […], the legitimate expectations of society for an increase of knowledge should be taken into consideration” in permitting transfers in this scenario. This avenue requires data controllers to inform the relevant data protection authority of the transfer and provide additional information to individuals on the international data transfer; it also requires them to make a thorough assessment of all the circumstances surrounding the data transfer and provide suitable safeguards with regard to the protection of personal data.
European Union or Member State law may set express limits to the transfer of specific categories of personal data to a third country or an international organization unless an adequacy decision applies to it. Data controllers should check this point before finalizing transfer arrangements.
Edward Dove is a Lecturer in Law at the University of Edinburgh. Robert Eiss is a senior adviser at the Fogarty International Center of the US National Institutes of Health. Jennifer Stoddart was Privacy Commissioner of Canada from 2003 to 2013.
See all previous briefs.
Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.