PANELFIT (GA 788039, 1 Nov 2018 – 30 April 2022) is a H2020 EU funded project aiming at facilitating the adaptation processes between new technical advances and legal frameworks, by producing a set of editable, openly accessible guidelines, as well as offering operational standards capable of reducing ethical and legal problems posed by information and communication technologies.

Brief tutorial on how to use these Guidelines

The PANELFIT Guidelines (Guidelines on Data Protection ELI in ICT Research and Innovation by the PANELFIT Project) have been conceived as a complex tool aimed at serving as a handbook of information about the regulatory framework on ICT data protection Ethical and Legal issues.

Therefore, The Guidelines are mainly focused on the research and innovation community working on the ICT field. They have been conceived to make it easier for researchers to fulfill their legal and ethical obligations in this regard.

These materials, which have been selected based on internal consensus, have been produced through a long and complex co-creation process. The first drafts were produced by the PanelfitConsortium members and then sent to more than 25 reviewers. Their comments were integrated in the materials and a second version created. On this basis, a second review was performed. Finally, the updated versions were validated by an additional external expert with expertise on data protection issues at the DPA level.  Concrete information about the names of the authors and the concrete reviewers who helped as to create these materials has been included in each section.

The Guidelines produced by PANELFIT are mainly aimed at showing the legal issues regarding data processing. An impressive amount of information about ethical issues can be found in the SHERPA project website (



The information provided in these Guidelines does not constitute legal advice; instead, all information, content, and materials provided are for general informational purposes only.

These Guidelines provide general advice around EU data protection law under the GDPR. Accordingly, the reader should be aware that the situation relevant in their specific processing context, as well as in their specific jurisdiction, may deviate from the guidance provided.

Information in these Guidelines may not constitute the most up-to-date legal or other information. The legal situation in relation to data processing in the EU changes regularly. New laws and new interpretations of existing laws relevant to the topics covered by these Guidelines appear frequently and changes may not be reflected in the Guidelines.

In this regard, we would highlight, without any intention of being comprehensive, at the time of writing, the significance of the following draft EU laws to the topics covered in these Guidelines: the ePrivacy Regulation, the AI Act, the Data Governance Act, the Digital Services Act, the Digital Markets Act and the Data Act.

Where relevant at the time of writing, authors may have attempted to highlight provisions of draft laws in relation to the topics covered in these Guidelines. The reader should be aware that drafts may change and that such references may not remain valid over time. Equally, authors’ choices to consider certain provisions from certain draft laws should not be taken as indicative of effort to be comprehensive in addressing all relevant provisions from all draft laws.

Readers of these Guidelines should contact their DPOs and DPAs to obtain advice with respect to any particular legal matter. No reader, user, or browser of these Guidelines should act or refrain from acting on the basis of information provided without first seeking legal advice from counsel in the relevant jurisdiction. Only DPOs and DPAs can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, these Guidelines do not create any relationship between the reader, user, or browser and the authors, reviewers, validators, or commentors, of the Guidelines.

The views expressed in, or through, these Guidelines are those of the individual authors writing in their individual capacities only – not those of EU Commission, of course. All reference to reviews, validations, or provision of comments or suggestions, refer to the personal opinions of individuals acting in their personal capacities – and do not refer to the opinions of the organisations these individuals represent or to acts of these individuals in their official capacities.

The Guidelines contain links to other third-party websites.  Such links are only for the convenience of the reader, user or browser; the authors and the reviewers/validators do not recommend or endorse the contents of the third-party sites.

All liability with respect to actions taken or not taken based on the contents of these Guidelines are hereby expressly disclaimed.



Main concepts

Main principles

Main actors

Data subject rights

Main tools and action

Skip to content