Transferring privacy data abroad - Ansatt

Transferring research data abroad

When transferring research data abroad, you as the project manager must ensure compliance with the relevant rules and regulations.

An example of transfer abroad is when a researcher who is collaborating with universities in other countries wishes to transfer collected personal data to one of the partner countries for further processing.

The Personal Data Act’s provisions apply. You are therefore obliged to submit an application to REC / the Data Inspectorate, or to send a notification to NSD, when this is required.

Terms marked in bold are defined in the list of definitions and abbreviations.

In addition, the following points apply:

Transferring research data to countries within the EU and the EEA

Personal data may also be transferred to

See The Data Inspectorate's website about transferring research data outside the EEA (in Norwegian).

In all cases, the Personal Data Act's requirements for processing personal data must be met:

  • Consider whether the transfer is in compliance with the requirements of the Personal Data Act section 11, first subsection. There must be a legal basis, see PDA sections 8 and 9 (lovdata.no) (including for example the consent of the research participants / legal authorities). The transfer must be in accordance with defined purposes and constitute the smallest possible intervention in privacy.
  • The transfer of research data to other countries does not require sending an application / notification, but the transfer must be described in any future applications to REC / the Data Inspectorate or in a notification to NSD concerning the main purpose of the processing.
  • Draw up a data processing agreement if the personal data is transferred to a data processor, or consider whether you meet the processing requirements if the data is transferred to a data controller, see the Data Inspectorate's template for the data processing agreement.
  • Conduct a risk assessment in accordance with the requirements of the Personal Data Act, sections 2-4. In this regard it may be of crucial importance whether the personal data you plan to transfer contain sensitive information or not, see the guidelines about data security: What should be protected? Value and risk assessment and the requirements of the Personal Data Act.

Transferring research data to countries outside the EU and EEA

Transferring research data to countries outside the EU and EEA is generally not allowed.

The transfer of research data to third countries (countries outside the EU and EEA, countries that have not been approved by the European Commission, US organisations that have not joined the Privacy Shield) may nevertheless be permitted, see the Personal Data Act section 30:

One of the alternative legal bases must be present (section 30, first subsection):

  • An alternative legal basis must be present, such as the consent of the research participants (however, this is not very suitable as a basis for transfer abroad, since the consent can be withdrawn at any time and the Data Inspectorate discourages this practice in most cases) or a legal authority, see PDA sections 8 and 9 (lovdata.no).
  • As a general rule, the transfer of research data to third countries on this basis requires no prior approval, but the transfer must be described in any future applications to REC / the Data Inspectorate or in any notifications to NSD concerning the main purpose of the processing.

    Or

Sufficient guarantees for the protection of the research participants' rights must be provided (section 30, second subsection)

Contact the Data Inspectorate for permission.

  • EU standard contracts: A distinction is made between transfer to another organisation that will use the data for its own purposes and transfer to a data processor. The Data Inspectorate has different templates for these two cases. Upon transfer to a data processor, you are only obliged to notify the Data Inspectorate, under the assumption that no changes have been made to the contractual provisions. To notify, send a copy of the completed and signed standard contract to the Data Inspectorate. The transfer can take place when the notification has been sent.

  • Binding corporate rules for transfer (ec.europa.eu). Several guides have been developed for establishing such binding corporate rules.

  • Discretionary assessment

In all cases, the following must be done: 

When transferring personal data to countries outside the EEA, the information must be de-identified or made pseudonymous. The personal data should then appear as anonymous to the recipient. He/she should not be able to re-identify the information.

Upon transfer of personally identifiable health information to countries outside the EEA, certain requirements set by the Health Research Act section 37 must be met.

If research data is transferred abroad in connection with the research project, you, as the project manager, must know how the data is handled after the project is completed. The final notification to the REC / NSD must include an account of what data is located abroad at the time of completion as well as a statement of who the data processor is.

The transfer of a biobank or parts of a biobank must be approved by the Ministry. The transfer must also be in accordance with the consent of the material donor, see the Act relating to biobanks section 10.