Clinical Trials: The Obligations Under EU Privacy Laws

March 19th, 2019 | news

If you are a U.S. company but you contract with laboratories in Europe to carry out clinical trials on your behalf it is important that you understand how you are affected by European law, including without limitation the European General Data Protection Regulation (GDPR), the European Clinical Trials Directive, and any EU Member State laws implementing any European legislation into national law.

  1. Clinical trials through the prism of the GDPR.

The GDPR, the successor to the EU Privacy Directive 95/46 of 1995, has regulated since May 25, 2018 the processing of the personal data of EU residents by companies of all sizes, irrespective of whether or not those companies have a physical presence within the EU. Data of EU residents collected for the purposes of, or in connection with, clinical trials falls within the GDPR's definition of "special categories of data".

The GDPR applies a specific regime to the processing of any such data, which includes "the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health and data concerning a natural person's sex life or sexual orientation".

As a general rule, the collection of special categories of personal data is prohibited by the GDPR. In order to be able to collect sensitive data, you need the explicit consent of the person whose data you are collecting. Consent is not a new concept for companies in the clinical research sector, but the GDPR has strengthened the requirements of the consent exception. Consent must be given in a clear, intelligible and easily accessible form, and the purpose of the data processing must be clearly described in the consent form. This means that the consent has to be specific and clearly distinguishable from consent to any other form or purpose of processing. In addition, if the clinical trial you sponsor involves the collection and processing of data from residents of more than one EU Member State, you must stay abreast of the particular requirements around the terminology used to obtain consent, as well as any local requirements adopted at Member State level in the countries from which the data is collected.

So, when a volunteer, patient or subject signs the informed consent form, it should clearly state what data is being collected and why. As a matter of general practice, the following elements should be included in your data privacy notice:

  • Identity and contact information for the sponsor (data controller)
  • Where / by whom the data may be processed inside and outside the EU
  • Contact information for the data protection officer (if there is one)
  • Special categories of personal data that will be collected for the study (e.g., age, gender, health and medical conditions)
  • Data privacy rights of the data subjects under the GDPR.

You should also keep records showing which individuals have consented to what, on the basis of which information about the trial and the processing, and when they consented.

Note also that, with regard to sensitive data, individuals cannot exercise their right to request erasure of the data. This means that you can retain the personal data for your full archiving period even if the data subject requests its erasure.


The GDPR is intended to cover the processing of EU personal data; as such it applies to anyone whose data is collected while the data subject is in the EU, not just EU residents. This means that the GDPR may affect U.S. clinical trials even if the trial is not conducted in the EU. Here are three scenarios in which the GDPR will apply to clinical research:

  1. If the clinical trial includes data subjects located within the EU, then the GDPR applies in its entirety. This means that even if you are not based in the EU, you have to nominate a representative within the EU in order to fulfill your responsibilities under the GDPR. For more information on the obligation to appoint an EU representative under Article 27 of the GDPR, and on the role and responsibilities of the representative, please see our article on this topic.
  2. If you are based in the EU, then the GDPR applies to your data processing activities, even if the processing itself is not performed within the EU and no data subjects within the EU take part in the trial.
  3. The GDPR also applies if you are a joint controller with an entity that sponsors or is otherwise involved in the conduct of the clinical trial, or if you are primarily U.S.-based but have offices in the EU that are involved in some aspects of the trial.

The above list of scenarios is, however, not exhaustive. Even if you are not physically based in the EU, we recommend that you carry out a legal assessment to determine whether the GDPR applies to the data processing activities associated with your clinical trial.


The sponsor of a clinical trial will need to carry out a data protection impact assessment, likely both for trials that commenced after May 25, 2018 and for trials that started before May 25, 2018 but for which data was already being processed at that date. Such an assessment will need to include:

  • A description of the processing operations and of the purposes of the processing
  • An assessment of the necessity and proportionality of the processing
  • An assessment of the risks to the rights and freedoms of clinical trial subjects
  • The measures used to address those risks.

These operations are complicated and require the help of a specialist. This is why, in certain cases, the GDPR makes it mandatory for companies to appoint a DPO. The GDPR requires you to designate a DPO if your core activity consists of processing operations that require regular and systematic monitoring of data subjects on a large scale. This means that controller and processor organizations involved in the running of clinical trials will likely need to appoint a data protection officer.

Your data protection officer would advise your organization about its obligations under the GDPR and the steps it needs to take in order to comply with it. Your DPO would also monitor compliance with the GDPR, provide advice where requested, and act as the point of contact for the relevant regulator. In addition, it is the DPO's responsibility to keep documentation proving consent, in compliance with all the applicable laws. The DPO's role is also to ensure that the data protection impact assessment noted above is conducted in compliance with the law.

For more information about the importance of having a DPO or, where not mandatory, a data protection manager, and on the role and responsibilities of that person, please see our article on this topic.

  2. Consent through the prism of the Clinical Trials Directive.

In addition, and separate from the consent requirements of the GDPR, the Clinical Trials Directive 2001/20/EC of 4 April 2001 also has its own definition of what constitutes “informed consent” in connection with the conduct of clinical trials. Under the Clinical Trials Directive, “informed consent” is defined as “the decision, which must be written, dated and signed, to take part in a clinical trial, taken freely after being duly informed of its nature, significance, implications and risks and appropriately documented, by any person capable of giving consent or, where the person is not capable of giving consent, by his or her legal representative; if the person concerned is unable to write, oral consent in the presence of at least one witness may be given in exceptional cases, as provided for in national legislation.”

The informed consent form must contain adequate information to meet the necessary requirements. In most cases, an information sheet should be attached, and drafts of the consent form must be available when applying for approval from the national regulator in each EU Member State in which the trial is to take place, prior to the start of the proposed research.

The information to be provided to the data subject when obtaining informed consent for participation in a clinical trial should include the following:

  • A statement that the study involves research subjects and an explanation of the purposes of the research;
  • The expected duration of the subject's participation;
  • A description of the procedures to be followed, of the medicine that is going to be tested, and an identification of any procedures that are experimental;
  • A statement that participation is voluntary;
  • Information about who is organizing and funding the research;
  • A description of any reasonably foreseeable risks, discomfort or disadvantages;
  • A description of any benefits to the subjects or to others which may reasonably be expected from the research, avoiding inappropriate expectations;
  • A disclosure of appropriate alternative procedures for treatment/diagnosis, if any, that might be advantageous to the subject;
  • A statement describing the procedures adopted for ensuring data protection/confidentiality/privacy, including the duration of storage of the personal data;
  • A description of how incidental findings are handled;
  • A description of any planned genetic tests;
  • For research involving more than minimal risk, an explanation as to whether there are any treatments or compensation if injury occurs and, if so, what they consist of, or where further information may be obtained. Insurance coverage should be mentioned;
  • A reference to whom to contact for answers to pertinent questions about the research and research subjects' rights, and whom to contact in the event of a research-related injury to the subject;
  • A statement offering the subject the opportunity to ask questions and to withdraw from the research at any time without consequences;
  • An explanation of what will happen to the data or samples at the end of the research period, and whether the data/samples are retained or sent/sold to a third party for further research;
  • Information about what will happen to the results of the research.

In its Guidelines on consent under the GDPR of November 28, 2017, as last revised and adopted on April 10, 2018, the Article 29 Working Party, an informal gathering of the EU's national data protection regulators, specifies that when consent is the legal basis for conducting research under the GDPR, this consent to the use of personal data should be distinguished from other consent requirements that serve as an ethical standard or procedural obligation. An example of such a procedural obligation is precisely the one found in the Clinical Trials Regulation. In the context of data protection law, the latter form of consent can therefore be considered an additional safeguard.

  3. What about national laws?

Unlike the GDPR, the Clinical Trials Directive is a directive, and will remain one until it is itself replaced by a regulation (the type of legislative instrument used to replace the 1995 Privacy Directive with the GDPR). Unlike a regulation, a directive only provides a baseline for EU Member States to adopt their own national laws implementing it. One of the reasons the EU decided to replace the Privacy Directive with the GDPR was precisely that the directive format, coupled with 28 sets of national legislation, had over time become very difficult for companies doing business in the EU to understand and navigate. Until its replacement by a Clinical Trials Regulation, any company conducting clinical trials using EU personal data will need to abide not only by the requirements of the Clinical Trials Directive, but also by the applicable legislation of every EU country from which the data is collected.

In our recent article on the importance and role of a DPO, we stressed the importance for companies of having an internal or external resource to advise on compliance with the GDPR and other data protection laws in connection with their business activity. Under Article 37 of the GDPR, an organization must designate a DPO in any case where (inter alia) its core activities consist of processing special categories of data on a large scale. But even where an organization takes the view that it does not fit that description, it is strongly recommended that it consider appointing a data protection manager, particularly where it has no expertise in EU data protection law. Please read our article on the importance of hiring an EU legal expert to advise on EU law.

This article was written in collaboration with Marie-Victoire Wickers