GDPR Considerations in European – American University Research Contracts

Negotiating R&D contracts with European partners over the past 20 years has always been my favorite type of transaction work. You have the cultural differences, the time zone issue, language issues, IPR issues, liability and indemnification issues, currency issues, and other issues that add complexity to the negotiation (and ultimately management) of such transatlantic research contracts.

Since May 25, 2018, the date that the GDPR came into force, the exporting of European personal data to America via research contracts has assumed more importance in the international contracts realm. In this brief post I want to point out several of the large buckets that university contract negotiators need to consider in negotiating and managing such contracts (and ultimately the relationship between the parties).

The scenario covered by this article is a European sponsor (government, foundation, private company, etc.) who wants to provide money to an American university for specific research work, such work often involving the private information of European data subjects and requiring its exporting to the U.S. partner. For example, such a scenario could involve funding from the European Commission to Harvard University. Now onto the buckets.

Bucket 1: Ascertaining Important Data Protection / Privacy Information Parameters at the Beginning

This bucket includes the information that should be ascertained at the beginning: the pre – award / proposal development / Scope of Work (SOW) stage of the research partnership. Here are some questions that should arise from the American side: Is there a European address? Where is the corporate headquarters? Why does your partner want to include GDPR terms in the contract?

At this stage, it is also important to determine what type of data is being transferred and if the data meets one of the three standards for GDPR application to U.S. – based organizations: 1) physically present in the EEA; 2) offering goods / services in the EEA; or 3) monitoring behavior in the EEA. These questions – and their follow on ones – really are part of the partnership building process at the beginning. This should happen well before the issuance of a research contract for negotiation and signature.

Bucket 2: Who is the Controller? Who is the Processor?

This is Privacy 101, but these questions are foundational. Who determines the purposes and means of the processing of European personal data of data subjects? (Controller) Who acts on behalf of the Controller pursuant to a data processing agreement? (Processor) These roles need to be determined as the project is conceptualized and developed.

Once again, it is useful to look at the Scope of Work (SOW) to determine what role is best suited for each party given the proposed research activities.

While for most European – American projects it would be the European Sponsor / Funder of research activities as the controller and the American university as the processor, it is still theoretically possible that either contracting party could be either a controller, processor, or joint controller. Once again, it depends on project scope and what each party is doing during the project.


This relatively short post is meant as an introduction to the GDPR dimensions of transatlantic university research contracts. Data protection / GDPR considerations have joined a multitude of programmatic and contractual issues for these international contracts. A future post will focus on contract negotiation. Please feel free to leave comments below.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.