European Commission Directorate-General For Health And Food Safety: Question and Answers on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation

According to the principle of accountability, it is the obligation of the data controller (sponsor/clinic-institution of the investigator) to implement the appropriate technical and organisational measures to ensure and be able to demonstrate that the personal data are processed in accordance with the data protection rules (Article 24 of GDPR). The controller must ensure compliance of the processing operations carried out in the context of a clinical trial with all the data protection rules in GDPR (including ensuring respect of the data protection principles, providing information on the processing to data subjects, appointing a Data Protection Officer where required, maintaining records of processing activities, facilitating the exercise of individuals’ rights, etc.). It stems from above, that the controller (sponsor/clinic-institution of the investigator) is responsible to determine the legal basis for processing of personal data.

In case of questions please consult the data protection authorities (DPA`s) established in the Member States (11). Regarding cross-border processing by one data controller a lead DPA will coordinate the cooperation of all the DPAs concerned in order to ensure consistency (Article 56 of the GDPR)(12). Regarding multiple investigators, DPAs will need to cooperate.

Download all questions and answers in the Florence Beginner’s Guide to GDPR for Clinical Trials.

The information presented in our library is for informational purposes only, they are not for implementation in operations. Please consult official GDPR guidance documents for operational use.

This information was sourced from the European Commission Directorate-General For Health And Food Safety: Question and Answers on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation.