EU: Personal data in clinical trials - The interplay between CTR and GDPR

In the field of clinical trials, researchers and the pharmaceutical industry in the EU face a variety of challenges and requirements to abide by legal frameworks on clinical trials and data protection, among which is Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC ('CTR'). Rafael García del Poyo, Paula Grifols, and Roger Segarra, from Osborne Clarke, closely inspect the CTR, its key provisions, and its interplay with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

Background

Ahead of going in depth on the impact of Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC ('CTR') on the personal data protection field, it is important to note that the entry into force of this regulation in June 2014 occurred during a challenging legal context regarding data protection, which, at the time, was framed by the Data Protection Directive (Directive 95/46/EC). This directive displayed a lack of harmonisation and uniformity in the application of personal data protection laws in each of the different Member States. This is likely one of the main reasons why the issue persists today in the enforcement of certain provisions of the GDPR in the field of clinical trials on medicinal products for human use.

The European Data Protection Board ('EDPB'), the health authorities of the different Member States, and even some pharmaceutical industry associations have published opinions and guidelines on the interplay between the CTR and GDPR in order to minimise the difficulties of interpretation that the pharmaceutical industry faces when making progress in the field of scientific research in full compliance with the applicable legal framework on data protection. Although said bodies have established criteria for the application of the provisions of the CTR, whilst also respecting the legal regime of the GDPR, these still lead to a certain degree of legal uncertainty. Consequently, conducting clinical trials in different Member States has become particularly difficult, given that the GDPR provisions' references to sectoral legislation within the different Member States cause a degree of regulatory heterogeneity in the territory of the EU, which eventually impacts the harmonisation standards sought by the GDPR.

Scope of application of the CTR and GDPR

On the one hand, it is important to note that the CTR is a sector-specific regulation, including certain provisions on data protection (which do not constitute exceptions to the GDPR) that aim to achieve a higher degree of harmonisation of the applicable rules for conducting clinical trials across the EU. For instance, while the CTR pursues data reliability and robustness on the medicinal product under investigation, it also introduces:

  • a clinical trial authorisation procedure based on one application dossier through a single submission EU portal;
  • a clinical trial evaluation procedure that leads to a single decision;
  • rules on the protection of rights, safety, dignity, and well-being of subjects; and
  • minimum requirements of informed consent and transparency.

On the other hand, the legal framework provided by the GDPR regulating the processing of personal data guarantees the protection of natural persons regardless of their nationality or place of residence.

The European legislator has clearly determined the scope of application of the CTR, stating that all clinical trials conducted in the EU fall within the scope of application of this regulation, regardless of whether or not the sponsor of the clinical trial is established in the territory of the EU. Likewise, the legislator has also clarified the concept of clinical trial, classifying it within the broader category of clinical studies and differentiating it from observational studies.

While it is true that the application of the GDPR to the processing of personal data in the context of clinical trials conducted in the EU is not questioned, some of its provisions have given rise to problems of interpretation and practical application in this sector. The following are some examples:

  • the fulfilment, by the sponsor, of obligations applicable to the processing of pseudonymised personal data that does not allow the identification of the participants;
  • the GDPR's extraterritorial effect for sponsors of clinical trials established outside the EU;
  • the legal position of the different agents involved in a clinical trial (in particular, the figure of the sponsor and the trial site to which the team of investigators belongs); and
  • the lawfulness of the processing of personal data of a clinical nature, with special reference to the application of the rules of consent of the data subjects.

Despite the EDPB's efforts to offer interpretative criteria in order to ensure consistent application of certain GDPR provisions in the field of clinical trials and, more broadly, scientific research, the delay in offering guidelines on the processing of personal data for medical and scientific research purposes has led to competent national authorities (in the health and data protection fields) issuing their own opinions, hindering the desired harmonisation of the GDPR.

General rules on the processing of clinical trial data under the GDPR

It should be noted that, despite the CTR's aforementioned commitment towards harmonisation, this regulation allows certain matters of an intrinsically national nature to be evaluated by each of the Member States involved in the clinical trial. Among others, these matters include compliance with:

  • requirements for informed consent;
  • personal data protection regulations; and
  • applicable rules for the collection, storage, and future use of biological samples of the subject.

This aspect highlights the possibility of disparity between interpretative criteria of the different Member States in the application of the provisions of the GDPR in the field of clinical trials.

Nonetheless, responding to the need to offer interpretative criteria for GDPR provisions within the field of clinical trials, the EDPB [1] has established the following criteria for the application of the provisions of the GDPR in the processing of clinical trial data in light of the request for consultation [2] made in October 2018 by the European Commission:

1. Applicability of GDPR provisions to sponsors not established in the EU

Sponsors established outside the EU tend to consider that the execution of clinical trials in the EU does not entail the application of the provisions of the GDPR because they either erroneously believe that the codified data of the participating subjects does not fall within the concept of personal data regulated by the GDPR, or because they consider that they do not carry out the processing activities in the territory of the EU.

Codification (or pseudonymisation, in terms of the GDPR) of personal data is the process by which personal data can no longer be attributed to a data subject unless additional information is used, provided that such additional information is:

  • stored separately; and
  • subject to technical and organisational measures to ensure that the personal data cannot be attributed to an identified or identifiable person.

However, the codification of personal data does not entail their anonymisation because the link between the codified data and the identity of the subject is not irreversibly destroyed.

In the framework of clinical trials, industry practice highlights that sponsors process codified personal data, and not anonymised data, because in exceptional situations it may be necessary to disclose the identity of the subject; for instance, in the event of a real and specific danger to health and safety, or if it is necessary to ensure adequate healthcare. The general rule is that the codification process is carried out directly by the principal investigator or by a trusted third party hired by the sponsor. This codification process should be conducted in accordance with the state of the art and be sufficiently robust to preclude the re-identification of participants.

Furthermore, the extraterritorial effect of the GDPR makes its provisions applicable to the processing of personal data of participants in clinical trials in the EU to the extent that their behaviour is monitored in such territory. In this sense, the EDPB has been inclined to consider in the framework of clinical trials that such control takes place in the territory of the EU when monitoring or regular reporting on health status is carried out when the individual is established in the EU [3].

2. Legal grounds for the processing of personal data in the context of clinical trials

The Commission has stated that the responsibility to determine the lawfulness of the processing of personal data in the context of clinical trials lies with both the sponsor and the trial site to which the investigator belongs.

When determining the legal basis which justifies the processing of personal data, a distinction must be made between personal data processing activities related to the execution of a clinical trial ('primary use') and other unrelated processing activities ('secondary use'). In turn, within the framework of the activities strictly related to clinical trials, we must distinguish between those activities that aim to guarantee high standards of quality and safety for medicinal products for healthcare, and those that are purely related to scientific research activities.

The EDPB points out that the data processing operations (including health data) for purposes related to the quality and safety of medicinal products are in compliance with legal obligations imposed by the CTR and the corresponding provisions of national regulations, among which we highlight the following:

  • the obligation to perform safety reporting on medicinal products of clinical trials;
  • the archiving of the clinical trial master file and the medical files of subjects; and
  • the disclosure of clinical trial data in the context of inspections by the national authorities of Member States.

According to the EDPB, data processing activities (including health data) purely related to scientific research activities cannot be derived from a legal obligation; therefore, depending on all the circumstances of each clinical trial, the controller must resort to another appropriate lawful basis for processing. The most prominent may be:

  • a task carried out in the public interest;
  • the legitimate interest of the controller; or
  • the clinical trial data subject's explicit consent.

It is also worth noting that the EDPB prioritises the public interest or the legitimate interest of the controller over the data subject's consent, given that the latter is usually found in a weak position; that is, where the participant is not in good health and no treatments beyond those offered within the framework of the clinical trial are available, belongs to an economically or socially disadvantaged group, or is in a situation of institutional or hierarchical dependency that could inappropriately influence their decision to participate.

Moreover, consent as a legal basis for the processing of personal data may also lead to possible undesirable effects in the field of scientific research, given that the participant may withdraw such consent at any time, without the sponsor being able to consider the scientific research as an exception to this general rule. This situation implies that the sponsor has to stop the participation of the participant in the trial and can continue processing the personal data only where there are alternative legal bases for retaining it and the participants have been informed of those bases.

The EDPB [4] has clarified on several occasions that the informed consent provided in the CTR should not be confused with consent as the legal basis for the processing of personal data. The former is a sine qua non condition for carrying out the clinical trial, based on the ethical grounds of guaranteeing the right to human dignity and integrity of individuals, and is necessary to protect individuals from being included in medical research projects without their consent and/or their knowledge. By contrast, the concept of consent in the GDPR is not to be considered as a safeguard for the subjects participating in the clinical trial, but as one of the alternatives for legitimising the processing of personal data.

Despite the EDPB's recommendation to adopt lawful bases other than consent for the processing of personal data in the context of clinical trials, the reality is that the practice of the clinical trials sector reveals that, in some cases, pharmaceutical laboratories do not make a distinction between the informed consent required by the CTR and the consent as a legal ground for the processing of personal data regulated in the GDPR, implying that the participants' consent justifies the processing of their personal data.

Changes to the use of clinical trials data

The CTR enables the sponsor to use clinical trial data outside the trial protocol for scientific purposes only, provided that consent for this specific purpose is obtained at the moment of the consent request to participate in the clinical trial.

Without prejudice to the consent required by the CTR for the secondary use for scientific purposes of clinical trial data, the EDPB insists, once again, that this consent is not the same as the one regulated in the GDPR as one of the lawful bases for the processing of personal data. For this reason, the sponsor must analyse which legal basis is applicable for the processing of data for secondary uses of scientific research outside the clinical trial, which may turn out to be the same as for the primary use of the data in the clinical trial. Nonetheless, the presumption of compatibility of purposes between the primary use and secondary uses cannot be excluded.

Separately, among other situations, the compatibility of purposes regulated in the GDPR takes place when data collected in the context of a clinical trial is used for scientific research purposes, provided that adequate safeguards are adopted to respect the rights of data subjects. Therefore, the controller may further process the data for scientific research purposes without the need for a new legal basis under specific conditions. The conditions for the application of compatibility of purposes in the context of scientific research are a complex issue on which the EDPB is currently working.

Notably, Spanish Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights ('LOPDGDD') focuses on the consent of the data subject as the appropriate legal ground for the reuse of personal data for scientific purposes compatible with the purpose of a clinical trial, thus extending the purposes for which such consent was obtained. In our opinion, the fact that the lawful ground for the processing of personal data in the framework of a clinical trial is the participant’s consent – as provided in Spanish legislation – should be reconsidered in accordance with the EDPB recommendations and alternative legal bases (other than consent) in the field of clinical trials should be evaluated. Regarding the extension of purposes and its compatibility with the original specific purpose, the Spanish data protection authority ('AEPD') considers that, according to the provisions of Recital 33 of the GDPR, the requirements of specificity and unambiguity for giving consent in the field of scientific research should not be interpreted in a restrictive manner. In this regard, the indication of a broad field of research would be enough (e.g. cancer research), whilst considering the benefits for society that may derive from such unplanned research.

The role of data subject rights in relation to the CTR

Bearing in mind that the standard practice is for sponsors not to have access to any data allowing the identification of participants in clinical trials, it is practically impossible for them to comply with the obligation of information and transparency or to respond to the exercise of data protection rights regulated in the GDPR (i.e. access, rectification, erasure, restriction, portability, and objection) and in the applicable national regulations (among others, this is the case of French and Portuguese legislation regulating the right of data subjects to make decisions regarding the management of their personal data after their death).

When the informed consent from the clinical trial participants is obtained, the investigator must make available the data protection information required by Articles 13 and 14 of the GDPR. Among this information, it is important to highlight that the sponsor has access to codified data, leading to a risk of re-identifying the participants. Therefore, any data subject request to exercise rights should be addressed to the investigator of the clinical trial. Nonetheless, in case trial participants still contact the sponsor, the sponsor should inform them that it cannot respond to such requests because it does not have registers that identify the data subject, and that the correct person to contact for exercising such rights is the investigator.

The withdrawal of the informed consent in the context of the CTR will not affect the activities that have already been carried out and the use of the data that has already been obtained before the individual expresses their wish not to participate any further in said trial. As a result, the sponsor is responsible for having appropriate legal bases in place to justify the lawfulness of the processing of the personal data obtained within the framework of the clinical trial once the participants' consent has been withdrawn.

Likewise, the GDPR establishes certain restrictions on the exercise of data protection rights in the field of clinical trials and enables Member States to also regulate their own restrictions in the event that their exercise precludes or seriously impedes the achievement of scientific purposes. Thus, it is worth noting the exceptions to the right to erase data when the processing is necessary for certain purposes directly related to health research or for scientific research purposes, as well as the exception to the exercise of the rights of access, rectification, restriction, and objection concerning the results of the research or when such research is aimed at public interest which is regulated by the LOPDGDD.

Risks resulting from the CTR

As mentioned above, the risks derived from the application of the CTR in the field of data protection stem from the lack of uniformity in the application of the rules on the processing of personal data in clinical trials in the national regulations of the different Member States.

Notably, the determination of the lawfulness of the data processing in relation to clinical trials requires recourse to national regulations of the Member States in order to distinguish, among others, the legal obligations or the reasons of public interest in the field of health that allow such processing of personal data. This situation is particularly complex in multi-centre clinical trials carried out by the same sponsor in different Member States, since, in some cases, the need for different legal bases for the processing of personal data in the same clinical trial may arise, having a detrimental effect on the participants if they do not have the same rights. Consequently, the rights applicable to participants in the same trial could be different if in one Member State the lawful basis for the processing activities purely related to research activities is the consent of the data subject, and in another Member State the legal ground is legitimate interest.

Another risk associated with the Member States participating in clinical trials deciding the standards of compliance with the provisions of the GDPR is the diversity of opinions in the different Member States with respect to the legal position, in the processing of personal data, of the sponsor and the clinical trial site to which the investigator belongs. Depending on the Member State, they are considered as joint controllers, independent controllers, or a controller (the sponsor) and a processor (the clinical trial site). This lack of uniformity within the EU makes it difficult to carry out clinical trials, especially when they take place in public hospitals.

Other information of note within the CTR on data processing

The CTR regulates the obligation for sponsors of clinical trials not established in the EU to appoint a legal representative (natural or legal person) in said territory for the purpose of ensuring material compliance with the obligations applicable to the sponsor under the CTR and to act as a mailbox for any notification that can be addressed to the sponsor. However, Member States may exceptionally not require the appointment of such a figure in clinical trials taking place in their territory and in that of third countries, provided that a contact person is appointed as the recipient of the notifications addressed to the sponsor under the CTR.

It is true that the functions of the legal representative of the sponsor in the EU do not match those of the data protection representative of the controller (generally, a designation that is necessary when the provisions of the GDPR apply to a controller not established in the EU). Nonetheless, in our opinion, the operational regime of both figures has certain similarities since, in both cases, the representative is entrusted with the material fulfilment of the corresponding regulatory obligations, the position may be filled by a natural or legal person, and it acts as a point of contact for the competent authorities.

On a side note, an individual can hold the position of legal representative of the sponsor under the CTR and that of a data protection representative of said sponsor simultaneously when the latter is established outside the EU. In fact, Spanish personal data protection law allows both positions to be held by the same person. However, in order to avoid conflicts of interest, the data protection representative should not be the data protection officer ('DPO') or a data processor of the sponsor, and must be established in one of the Member States where the clinical trial is being carried out. Note that it is good practice to designate them in the Member State with the largest number of participants.

The widespread practice of sponsors having access exclusively to codified data has some impact on compliance with certain obligations of the GDPR. For example, it affects the execution of data protection impact assessments ('PIAs'), which specifically require an analysis of the risks of re-identification of participants, and the handling of personal data security breaches, which the sponsor must only notify to the competent data protection authority, expressly stating that the data processed is codified.

Notwithstanding the fact that the processing of personal data in the field of clinical trials is mainly focused on patients, it should not be disregarded that the execution of clinical trials requires that the sponsor, in compliance with the legal obligations regulated in the CTR, should process personal data of the team of investigators including their name, position, and curriculum vitae in order to assess their qualifications, as well as any circumstance that may influence the impartiality of the investigators, such as economic interests and institutional affiliations.

Conclusion: The necessity of change

The need to advance scientific research and the fact that the provisions of the GDPR are becoming very relevant in the framework of good clinical practice inspections underline the urgency of the matter. Given the considerable differences in Member States' legislation in the field of scientific research, the EDPB should establish, to the fullest extent permitted by applicable law, clear guidelines regarding the application of the provisions of the GDPR, focusing in particular on areas such as the determination of the legal position of the main actors (the sponsor and the trial site to which the investigator belongs) and the legal bases applicable for the lawful processing of the data throughout the lifecycle of the trial (i.e. from the start to the destruction at the end of the archiving period of the data).

Rafael García del Poyo, Partner
Paula Grifols, Lawyer
Roger Segarra, Lawyer
Osborne Clarke, Madrid


1. Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (art. 70.1.b); available at: https://edpb.europa.eu/sites/default/files/files/file1/edpb_opinionctrq_a_final_en.pdf
2. See at: https://health.ec.europa.eu/system/files/2019-04/qa_clinicaltrials_gdpr_en_0.pdf
3. Guidelines 3/2018 on the territorial scope of the GDPR (Article 3); available at: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf
4. Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (art. 70.1.b); available at: https://edpb.europa.eu/sites/default/files/files/file1/edpb_opinionctrq_a_final_en.pdf and EDPB Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research; available at: https://edpb.europa.eu/sites/default/files/files/file1/edpb_replyec_questionnaireresearch_final.pdf