On September 17, 2025, the German Supervisory Authorities (Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder, DSK) published new guidelines and recommendations addressing the complex requirements for transferring personal data, particularly health data (including health data contained in biomaterials), to countries outside of the European Economic Area for scientific research purposes under the GDPR. These guidelines may be of particular relevance for pharmaceutical, medical device, and other life sciences companies that conduct clinical research.

Two-Stage Assessment for Third-Country Transfers

The guidelines state that assessing the lawfulness of such transfers involves a two-stage process. The first stage examines whether the data processing itself has a valid legal basis under Articles 6 and 9 GDPR, including any applicable exceptions for special categories of data such as health or genetic data. The second stage determines whether the transfer can rely on an authorized transfer mechanism under Chapter V, such as adequacy decisions, Standard Contractual Clauses (SCCs), or specific derogations under Article 49.

First Stage Assessment: Focus on Broad Consent (Arts. 6(1)(a) and 9(2)(a) GDPR)

The legal basis for processing under Articles 6 and 9 of the GDPR may vary, but the guidelines focus solely on broad consent. The guidelines acknowledge that, for many researchers, “broad consent” plays a vital role in legitimizing the processing of personal data when research purposes may still evolve.

According to the guidelines, broad consent cannot serve as a legal basis if transfers of personal data to third countries with a lower level of data protection are anticipated. In this regard, the guidelines mention the necessity of Transfer Impact Assessments (TIA) to evaluate whether local laws or practices in the third country might undermine data protection. For research involving sensitive health data that may be difficult to pseudonymize (e.g., genetic data), this assessment is particularly critical.

Significantly, the guidelines call for robust supplementary measures to compensate for the broader scope of consent. These include implementing consent management systems enabling ongoing updates and revocations, providing proactive information to data subjects, early involvement of ethics and data protection authorities, and conducting data protection impact assessments. These supplementary measures correspond to those outlined by the DSK in its position paper “Requirements for the secondary use of genetic data for research purposes” from May 15, 2024.

Second Stage Assessment: A Sequence of Options (Chapter V GDPR)

If a legal basis for processing has been established, the next step is to identify a transfer mechanism under Chapter V of the GDPR. This begins by checking whether the European Commission has adopted an adequacy decision confirming that the country of destination offers an adequate level of protection. The guidelines note that controllers concerned about adequacy decisions being revoked may also seek consent, provided that the relationship between the adequacy decision and consent is transparent to the data subject. However, if consent is withdrawn, controllers can no longer rely on the adequacy decision to justify the transfer. Although revoking consent pursuant to Article 49(1)(a) GDPR does not generally preclude transfer on the basis of an adequacy decision, the DSK takes the view that such a revocation also constitutes a revocation of consent in the first stage (i.e., the legal basis for that processing).

If no adequacy decision exists, controllers should consider SCCs or, for intra-group transfers, Binding Corporate Rules (BCRs). Data exporters must assess, through a TIA, whether the safeguards in these clauses can be effectively implemented in the third country concerned, given potential conflicts with local legal frameworks. This assessment is essential to determine if additional measures are required to ensure an equivalent level of protection. For transfers to the United States, the guidelines advise relying on the Commission’s EU-U.S. Privacy Framework assessment when conducting the TIA.

The guidelines also highlight pseudonymization as an important supplementary measure in research and healthcare, but emphasize the need to assess on a case-by-case basis whether data can be pseudonymized under Article 4(5) GDPR. According to the guidelines, this can be difficult for biomaterials, extensive health data, or imaging data, which often cannot be pseudonymized due to their direct link to an individual. The guidelines also clarify that SCCs and BCRs cannot be supplemented with consent as a fallback to compensate for missing supplementary measures, such as when pseudonymization is appropriate but not feasible.

Only if these transfer mechanisms are unavailable should derogations under Article 49 be considered as a last resort. Following the European Data Protection Board (EDPB) guidelines, these derogations—such as explicit consent or reliance on important public interest—must be applied restrictively and only after a thorough risk assessment. Regarding the “important public interest” derogation under Article 49(1)(d) GDPR, the guidelines note that, against the backdrop of the constitutionally protected research interest under Article 5(3) of the German Constitution (Grundgesetz, GG) and the public significance of health research, transfers to third countries may in limited cases be justified under this derogation. However, for the private sector, reliance on these derogations would be highly exceptional, as it typically requires an interest of exceptional importance aimed at protecting a particularly significant legal right or public good.

Enhanced Transparency and Information Obligations

Building on Articles 13 and 14 GDPR, the guidelines and recommendations discuss the specific information that must be provided to data subjects concerning third-country transfers. This includes stating the precise recipient country or countries, the transfer’s legal basis, and any known risks to data protection posed by each recipient jurisdiction’s legal environment.

Where transfers rely on explicit consent under Article 49(1)(a), controllers must give data subjects clear, accessible, and comprehensive information on the following: (i) the absence of equivalent data protection laws and enforceable rights; (ii) the lack of restrictions on access to personal data by public authorities; (iii) the lack of safeguards for onward data transfers; and (iv) the lack of an independent data protection authority. As indicated above, the guidelines suggest that controllers must now also perform a TIA to meet their transparency obligations for transfers under Article 49 GDPR – TIAs are generally required only for transfers under Article 46 GDPR (i.e., under SCCs or BCRs).

It is worth noting that the guidelines were adopted after the European Court of Justice’s (CJEU) decision of 4 September 2025 in the SRB case (Case C-413/23 P), and the German authorities appear to assume that the transferred data, even if pseudonymized, is always personal data for the recipient. In the SRB case, however, the CJEU confirmed that pseudonymized data can qualify as anonymous data depending on the ability of the recipient to re-identify the subject behind the data.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.

Dr. Dr. Adem Koyuncu

Adem Koyuncu is double qualified as a lawyer and medical doctor and a partner in our Brussels and Frankfurt office. He is a chair of the firm’s “Food, Drug & Device” practice group and also a member of our Compliance practice. Adem is recognized as a “leading lawyer for pharma and medical devices law” (JUVE).

Adem is a life sciences industry advisor with more than 25 years of professional experience. He has a broad practice that cuts across regulatory, compliance, IP, privacy and liability matters. Adem also provides strategic advice. He also knows the life sciences sector from his earlier work in the pharmaceutical industry and as a medical doctor. He represents clients before courts and authorities and assists them in contract negotiations, investigations and transactions. Adem has been listed in various lawyer rankings for years.

See some Accolades from Clients and Surveys:

“Adem Koyuncu is one of the most intelligent lawyers I know.” (Legal 500 2023)
“He is one of the most detail-oriented and client-focused partners I have ever encountered.” (Client, Chambers 2021)
“Great professional and human competence, good team player.” (Client/Adverse Party, JUVE 2022)
“I find him to be one of the most pragmatic regulatory lawyers. He was a doctor before a lawyer, has been in-house, worked on lots of stuff that I have to handle in-house, which helps when getting advice. He is really good at saying it’s a complex situation and your best option is to do this.” (Chambers 2022)
“He always comes through with extremely helpful advice. He brings a unique understanding and experience to his practice as both a lawyer and medical doctor.” (Chambers 2021)
“He is an excellent dispute resolution lawyer and advises at the highest level, including, in particular, strategic advice.” (Legal 500 2023)
“He is very sharp and quick, while at the same time having a good sense of humor and nerves of steel. Very pleasant to work with.” (Legal 500 2022)
He is described as “versatile competent, reliable and high quality” (JUVE 2021) and “incredibly fast.” (JUVE 2018)
Provides advice at “an outstanding level.” (Legal 500 2015)
“Very strong negotiation skills.” (JUVE 2011)
Clients appreciate his “very broad knowledge and long-standing expertise” (JUVE 2021/22) and that “he is approachable, knowledgeable and really easy to talk to over the various issues. He is calm and has seen most problems before.” (Chambers 2020)
Peer lawyers described him as “highly competent” and a “very good and pleasant lawyer” (JUVE 2014) and as “the off-label-guru, substantively very good, creative.” (JUVE 2022)

Adem is the author of numerous publications (e.g., in leading books on pharma law, product liability and clinical trials) and a frequent speaker at different events. As such, he will soon speak at the following events:

Speaker at webinar “Germany Life Sciences Update – Spotlight: Clinical Trials,” (9/12/2025)
“The new EU Product Liability Directive and its implications for pharmaceutical companies and their compliance officers,” 33rd AKG Compliance Officer-Meeting (in German), Berlin (11/26/2025)
“The Information Officer – Responsible Person under § 74a AMG,” Seminar, Munich (February 3, 2026)

Lars Lensdorf

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, cloud-services, digitalization/ industry 4.0, IT related bank regulatory matters, IT-compliance, incl. cybersecurity and data protection.

Furthermore, Lars also focuses on interfaces to other practice areas to the extent that IT-related matters are affected, e.g., regulatory requirements for banking and financial services as well as public procurement law.

Anna Sophia Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is special counsel in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate for “corporate data protection officer” from the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also a Certified Information Privacy Professional Europe (CIPP/E) by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.