

How to manage Data Privacy in Clinical Trials

April 2nd, 2024

The clinical trials sector is one with complex and robust procedures, which organisations must account for from the outset. Moreover, such procedures remain applicable throughout the project’s lifecycle and extend to post-market authorisation of the drug. Since the adoption of the European General Data Protection Regulation (the “GDPR”), these procedures have effectively doubled, and data protection obligations are now under the scrutiny of the supervisory authorities.

Furthermore, such obligations are not limited solely to organisations established in the EU. For example, conducting clinical trials within the EU/EEA is considered ‘monitoring of data subjects’ behaviour’. This means that even if a Sponsor is located outside the EU/EEA, it may still fall within the GDPR’s scope by virtue of Article 3(2). Therefore, said Sponsor would still be subject to the rigorous obligations set forth within the GDPR. The same can be said for Sponsors with sites in the U.K., where the level of data protection within national legislation is essentially equivalent to that within the GDPR. Let’s now delve into the myriad of data protection considerations when conducting clinical trials in the EU/EEA or the U.K.

Role Qualification

The initial alignment Sponsors must implement is the role qualification of all Parties involved in the study. This includes, inter alia, the Sponsors themselves, the hospitals/sites, Clinical Research Organisations (CROs) and other vendors. This is a key initial step as, depending on the outcome, different contracts need to be entered into with the respective vendor, each with its own differing rights and obligations.

Sponsors will always be considered the Data Controller, as they are the entity which defines the purpose (‘why’) and means (‘how’) of the Processing through drafting the study protocol, funding the clinical trial and supporting activities. In tandem, the sites are typically considered Data Processors, unless national specificities dictate otherwise. Therefore, there should be a Controller-Processor agreement between these Parties, either as part of the Clinical Trial Agreement or separately executed. Following the GDPR’s principle of ‘accountability’, it is the Sponsor’s responsibility to enter into and maintain the aforementioned agreement.

Legal Basis

Another core principle imposed on Data Controllers is that of ‘lawfulness of processing’. The GDPR provides six (6) legal bases upon which Processing of Personal Data will be considered ‘lawful’. Conversely, Data Controllers who fail to rely on one of these shall be in breach of the GDPR.

As previously mentioned, there is also a lack of national harmonisation regarding the appropriate legal basis to rely on. For example, the Italian Supervisory Authority requires ‘consent’ as the legal basis to Process clinical data concerning study participants. Conversely, other jurisdictions require ‘legitimate interest’ as the legal basis for the same Processing, or even ‘legal obligation’ in Spain’s case.

We must reiterate that, ultimately, it is the Sponsor’s duty to ensure the above-mentioned principles are implemented in practice. One example of this is collecting participants’ consent through the use of an Informed Consent Form (ICF).


Given the globalised nature of clinical trials, it is commonplace for Sponsors, CROs, sites, etc. to be established across multiple jurisdictions. While this may be optimal from an operational standpoint, it entails certain data protection risks (both material and residual). These risks stem from different jurisdictions implementing the GDPR with slight nuances, which in turn unsettles the uniformity sought by the GDPR as a ‘Regulation’. For example, when transferring Personal Data outside of the EU/EEA, the transfer must be framed in alignment with the ‘appropriate safeguards’ provided within the GDPR.

For example, certain countries are deemed by the European Commission to offer an adequate level of data protection, and Sponsors may avail themselves of the adequacy decision. Where this is not the case, the Standard Contractual Clauses (“SCCs”) should be implemented, as these impose certain obligations on the receiving party (within a third-country jurisdiction) which raise the proverbial ‘data protection bar’.

Considering the above, Sponsors should analyse the various options from a business continuity and risk perspective, while accounting for the various obligations imposed by the GDPR.


The GDPR mandates conducting a Data Protection Impact Assessment (“DPIA”) when Processing health, genetic or biometric data on a ‘large scale’. That said, the GDPR does not define what constitutes ‘large scale’; however, guidelines issued by the relevant supervisory authorities provide a certain degree of clarity. Some parameters include the number of data sets collected, the geographical reach, temporal elements such as the permanence of Personal Data, and also the number of patients enrolled in a given study.

As with other obligations, the Sponsor is obliged to conclude the DPIA prior to the first patient-in. Moreover, the GDPR outlines the minimum requirements that a DPIA should include, but does not concretely guide its implementation.


Similarly to the DPIA, the GDPR obliges the Controller to also appoint a Data Protection Officer (DPO) when Processing special categories of Personal Data on a ‘large scale’. Article 39 GDPR imposes certain obligations on the DPO. Such functions include, inter alia, monitoring GDPR compliance, raising privacy awareness, advising on data breach evaluations, assisting with DPIAs, cooperating and communicating with Data Protection Authorities (DPAs) and acting as a point of contact for data subjects. In this regard, the Sponsor must ensure that the DPO’s designation is appropriately notified to the competent supervisory authorities, including those where the site is based.

Clinical trials also entail monitoring of data subjects’ behaviour. In such a case, entities are obliged to appoint a Data Protection Representative (DPR), even if they are not established in the EU/UK themselves but have EU/UK sites and data subjects participating in their trial. This is a further demonstration that the GDPR is not only a checkpoint for EU/UK companies, but affects most companies participating in clinical trials worldwide.


A vital, yet often overlooked, requirement is the establishment of Records of Processing Activities (ROPAs). Data Controllers are obliged to compile, maintain and ensure the accuracy of their ROPAs. The ROPA is a register of the activities involving the processing of personal data and will typically be a top priority for supervisory authorities should they conduct an inspection.

Populating ROPAs sufficiently to include all mandatory information can prove tedious. The complexity is only exacerbated when one considers the multi-jurisdictional nature of the Parties and the continuous flow of Personal Data, particularly where transfers outside the EU/EEA are involved.

Personal Data Breaches

‘Personal Data Breaches’ (as defined within the GDPR) typically constitute one of the highest risks to organisations, as they have no control over an assailant’s determination to attack their systems. That said, one of the more commonplace forms of data breach occurs when individual employees mistakenly send confidential e-mail correspondence to the wrong recipients (typically containing multiple fields of Personal Data). In this regard, organisations do have a certain degree of control, such as internal training and validation processes.

Where organisations notice they have suffered a Personal Data Breach, the initial action should be to conduct a risk assessment to objectively quantify the level of risk which may be imparted onto Data Subjects’ rights and freedoms. Should this result in a ‘high’ risk scenario, organisations are obliged to notify the relevant supervisory authority within seventy-two (72) hours from when they became aware of the Personal Data Breach. This notification should include the important information relevant to the breach and be accompanied by any mitigation measures implemented. Hence, companies should establish appropriate procedures and roles before initiating their Processing activities. The aim of these measures is to mitigate the adverse effects and risks which organisations face when encountering Personal Data Breaches, which extend to complaints, fines and reputational damage.

Vendor Assessments

A clinical trial cannot be performed without vendors assisting with the multitude of tasks, regulatory requirements, procedures and submissions. As Data Controller, the Sponsor is obliged to engage only Data Processors who offer a sufficient level of data protection and adequate guarantees (be they technical, organisational or contractual). One way a Sponsor can achieve this goal is by conducting a ‘vendor assessment’ prior to engagement. The aim here is to verify said vendor’s data protection compliance and highlight any security measures/guarantees in place.

Should the result of this assessment prove positive, the Sponsor must ensure that the necessary agreements are put in place with its vendor. The scope of such agreements is to cover all the obligatory data protection elements. This includes measures to ensure, inter alia, confidentiality, adherence to documented instructions, the handling of data breaches, data subjects’ requests, transfers and more, as well as periodic audits to ensure the effectiveness of such clauses in practice.


While the above-mentioned may prima facie seem overwhelming, overall compliance may be seen as a marathon, not a sprint. Therefore, it is imperative to dissect the requirements and compartmentalise them into smaller, more ‘easily digestible’ segments. This not only allows for a more comprehensive and holistic compliance programme, but also allows for candid and frank discussion as to organisations’ needs. In this regard, the GDPR allows for a risk-based and tailored approach, which may vary depending on organisations’ size, resources and scope of Processing.

MyData-TRUST specialises in data protection exclusively within the life-sciences sector, offering bespoke and pragmatic solutions to its clientele. We cordially invite organisations of any size to get in touch for a tailored programme which suits their individual needs, paving the way for holistic compliance throughout a project’s lifecycle.


Winnie Dongbou

Data Protection Lawyer

Tryfon Memos

Data Protection Lawyer


Jake Camilleri

Data Protection Lawyer

We support our clients in all topics related to Data Protection & Privacy. Our team of experts can assist you with many local regulations. If you are interested, feel free to reach out to our team for support.
