Why Clinical Organizations already have strong basis to implement the GDPR?

Life Sciences

As a Sponsor, Institution or Investigator organizing or performing clinical trials you already know that the new Regulation (EU) No. 536/2014 for clinical trials of medicinal products for human in force since 2014 will come into application in January next year.

Clinical trials are subject to ethical standards that promote and ensure respect for all human subjects and protect their health and rights. This fundamental principle is confirmed by Article 3(b) of the Clinical Trial Regulation (CTR). The CTR strengthens certain measures requiring the sponsor/investigator to record, process, store and handle data, while preserving the confidentiality of the records and requiring appropriate technical and organisational measures to protect information and personal data (Article 56 of CTR).

The General Data Protection Regulation (GDPR) supports and complements these existing principles.

Additionally, Article 93 of the CTR provides that “Member States shall apply Directive 95/46/EC [repealed by the GDPR] to the processing of personal data carried out in the

Member States pursuant to this Regulation” and that “Regulation (EC) No 45/2001

[repealed by Regulation 2018/1725] shall apply to the processing of personal data carried out by the

Commission and the Agency pursuant to this Regulation”.

Also, keep in mind that the GDPR applies to Sponsor, CRO, Service Providers established in the EU as well as outside the EU, if the processing activities are related to data subjects in the EU.  Meaning that the GDPR also applies, in addition to the CTR.

The overall objective of the GDPR is to protect fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. For transparency reason, protection of personal data should be at the centre of the Sponsor, known as Data Controllers under GDPR, decision since the beginning of the treatments.

In particular, processing operations purely related to research activities must be distinguished from processing operations related to the purposes of protection of health, while setting standards of quality and safety for medicinal products or devices by generating reliable and robust data (reliability and safety related purposes); these two main categories of processing activities fall under different legal bases.

The clinical trial protocol, authorised under the CTR, defines the purposes and conditions for which the data of clinical trial subjects will be processed. Subjects should be properly informed on the processing of their personal data. Subjects’ data is pseudonymized in clinical trials, nevertheless the GDPR considers key-coded data to be “personal data” therefore subject to GDPR.


Doctor touching GDPR tablet

Requirements of the GDPR regarding information that should be given to subjects participating in a clinical trial

The CTR requires that any person included in a clinical trial receive the relevant information related to the clinical trial, the medical aspect, the GDPR has the same requirement for the processing of personal data

It is important to understand these regulations and their respective application. To know more, we strongly advise you to discover our new e-learning course: The GDPR for Clinical Research Professionals. This course has been specifically designed by experienced Data Protection Officers and Clinical Research Professionals for people managing personal health data who would like to understand their role in this European Regulation and its implementation.


Question and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR)



Would you like personalized support?