Whichever member state you are undertaking research in, you need to determine what the national guidelines are within that country. Examples include:
Data protection is legislated under the Data Protection Act, 1998. The principles of data processing broadly follow the principles as set out within the 1995 Directive. Exemptions exist for use of certain data types for certain reasons, for example the use of health data (which is considered to be sensitive personal data) for public health reasons.
The Bundesdatenschutzgesetz (Federal Data Protection Act) is the legislation that implements the directive under German law. There are, however, further laws, with each German state having its own data protection law.
In both countries there are additional safeguards for different data types. For example, in the UK's National Health Service (NHS), Caldicott Guardians ensure the protection of data relating to NHS users in a single hospital. This involves the monitoring of data use beyond the reason for which it was initially collected, including research purposes.