
The interplay between the GDPR and the EU Clinical Trials Regulation

Published on 13/05/19 at 11:14am

Paul Kavanagh, partner at law firm Dechert, explores the relationship between GDPR and CTR, and its potential impact on the legal implications of personal clinical trial data processing and handling.

On 23 January 2019, the European Data Protection Board (EDPB) issued an opinion on the interplay between the EU General Data Protection Regulation (GDPR) and the EU Clinical Trials Regulation (CTR). The CTR is not yet applicable (it is expected to enter into application in 2020), but the guidance given by the EDPB should also prove useful under the current regime. The opinion seeks to address a lack of consensus regarding the appropriate legal basis for processing of personal data in clinical trials. In doing so, the opinion distinguishes between: (i) processing during the course of the clinical trial protocol (primary use), and (ii) processing outside of the relevant clinical trial protocol for scientific purposes (secondary use). 

Legal bases for processing

Under the GDPR, processing of personal data is only lawful to the extent one of six legal bases applies to the processing. These bases are:

a)      Consent

b)      Necessity for performance of contract

c)      Necessity for compliance with a legal obligation

d)      Necessity for protecting vital interests

e)      Necessity for performance of a task in the public interest or in the exercise of official authority

f)       Necessity for the purposes of legitimate interests, except where overridden by the data subject’s rights and freedoms

Data controllers therefore need to identify the purposes for which they are processing personal data in order to establish the most appropriate legal basis.

For special categories of data (which includes health data), controllers must identify a further legal basis for processing, the most relevant of which are:

a)      Explicit consent

b)      Necessity for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law, which provides for suitable and specific measures to safeguard the rights and freedoms of the data subjects, in particular professional secrecy

c)      Necessity for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject

Although there are multiple potential legal bases under the GDPR, the CTR requires the informed consent of participating individuals. As consent is already required pursuant to the clinical trial rules, there has been some argument that consent should therefore also be relied upon for the purposes of the GDPR. Consent is considered in further detail below. 

Primary use

The EDPB says that all processing operations relating to a specific clinical trial protocol are primary uses of clinical trial data, but processing operations may be for different purposes. Consequently, the legal basis for primary use may differ. The EDPB outlined two particular categories of processing activities: (i) processing for ‘reliability and safety’ related purposes, and (ii) processing for ‘research activities’. 

Reliability and safety purposes

Most processing operations for reliability and safety purposes (such as archiving of the clinical trial master file and safety reporting) are dictated by the CTR and other relevant national provisions. As such, they are necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c) GDPR).


Where special categories of data are processed, the EDPB states that the corresponding lawful basis is that “processing is necessary for reasons of public interest in the area of public health, such as […] ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law, which provides for suitable and specific measures to safeguard the rights and freedoms of the data subjects, in particular professional secrecy” (Article 9(2)(i) GDPR). 

Research activities

Depending on the processing, the EDPB indicates that one of three legal grounds under Article 6 GDPR could be applicable.

The first possible ground is consent under Article 6(1)(a) (and, for special categories of data, explicit consent under Article 9(1)(a) GDPR). The EDPB emphasised that consent as a legal ground under the GDPR is distinct from the ‘informed consent’ required under the CTR, meaning two layers of consent would need to be obtained. The GDPR sets a high standard for consent, requiring that it must be freely given, specific, informed and unambiguous; the EDPB focused particularly on the requirement for such consent to be ‘freely given’, which may not be the case where there is an imbalance of power, such as where the data subject is not healthy or suitably fit to give consent.

The CTR also requires informed consent to be free and voluntary. The recitals to the CTR explain that in order to certify that informed consent is given freely, account should be taken of all relevant circumstances which may influence the decision of an individual, in particular whether they belong to an economically or socially disadvantaged group or are in a situation of institutional or hierarchical dependency. However, the EDPB clearly feels that ‘free and voluntary’ under the CTR and ‘freely given’ under the GDPR are not one and the same. The explanation for this is unsatisfactory given that the requirement for consent to be ‘freely given’ was a significant factor in the EDPB’s determination that consent will not, in most instances, be the appropriate legal basis for processing of personal data for research activities.

Difficulties also arise with withdrawal of consent. Under the GDPR, individuals may withdraw their consent to processing at any time, at which point the controller must cease all processing actions which are based on consent (although this does not affect the lawfulness of the processing carried out to that point). This would present problems with the continued use of clinical trial data relating to the particular individual for research activities.

Accordingly, the second and third possible grounds – “task carried out in the public interest”, and “legitimate interests of the controller” under Articles 6(1)(e) and (f) respectively – would appear to be more appropriate legal bases. The former would only be relevant for a narrow range of clinical trials – those carried out by a public or private body in the exercise of official authority vested in them by national law. For all other circumstances, the EDPB considered that the “legitimate interests” of the data controller could be grounds for data processing, as long as the fundamental freedoms and rights of the data subject do not override these legitimate interests.

For special categories of data, the EDPB pointed to Article 9(2)(i) GDPR (“reasons of public interest in the area of public health”) or Article 9(2)(j) (“scientific purposes”). 

Secondary use

The EDPB considered that where personal data is further processed for scientific purposes outside those defined in the clinical trial protocol, there should be a presumption that such purposes are compatible with the initial purpose (of conducting the clinical trial), such that a new legal basis is not required, provided that appropriate safeguards are in place in accordance with the provisions of Article 89 GDPR.

Article 89 GDPR provides that those safeguards shall ensure that technical and organisational measures are in place, in particular in order to ensure respect for the data minimisation principle. The provision also highlights the use of pseudonymisation.

The EDPB indicated that it would need to give further consideration to, and guidance on, the safeguards in the future.

Currently, data controllers looking to conduct multi-site clinical trials need to grapple with conflicting guidance from regulators across Europe. In particular, we understand that some European regulators generally expect sponsors to obtain consent for processing of personal data in clinical trials; in contrast, the UK Health Research Authority points to legitimate interests as being the appropriate legal basis for processing.

Given the difficulties with obtaining GDPR-standard consent (and the consequences of withdrawal of consent), the EDPB’s opinion is welcome, and helpful in clarifying its view as to the appropriate legal bases for processing of personal data in clinical trials. However, it remains to be seen whether supervisory authorities across the EU will follow this approach, especially given that EDPB opinions are not binding.

Data controllers in clinical trials are reminded of the importance of undertaking data mapping and planning for clinical trials and, where appropriate, legitimate interest assessments so that they are clear on exactly what legal basis they are relying on for the relevant processing purpose.
