On January 23, 2019, the European Data Protection Board (EDPB) released an opinion on the relationship between the European Clinical Trials Regulation (CTR) and the EU General Data Protection Regulation (GDPR) (the “Opinion”). The CTR, scheduled to take effect in 2020, is designed to harmonize how clinical trials are assessed and supervised across the EU. It introduces a Clinical Trials Information System and establishes rules that protect trial subjects and strengthen transparency requirements.

In its Opinion, the EDPB provides guidance on (1) the legal bases for primary uses of clinical data, i.e., processing personal data in the course of a clinical trial protocol, and (2) secondary uses of clinical trial data outside the clinical trial protocol for scientific purposes.

We highlight the following aspects of the guidance found in the Opinion:

With respect to processing data in the course of a clinical trial protocol, the Opinion emphasizes that all processing operations related to a clinical trial protocol, across every phase of the protocol, are considered primary uses of clinical trial data. These processing operations run from the first activity at the start of the trial through the final disposal or destruction of the data.

According to the EDPB, for these primary uses, processing activities fall into one of two main categories — (1) processing operations related to the protection of health and setting standards of quality and safety for medicinal products by generating reliable and robust data (“Safety and Reliability Purposes”); and (2) processing operations related to research activities only (“Pure Research Activity Purposes”).

The EDPB notes that a legal basis for processing data for Pure Research Activity Purposes may be established by the data subject’s explicit consent or by the performance of a task carried out in the public interest. It may also rest on the legitimate interests of the controller, combined with the GDPR’s condition permitting the processing of health data for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.

The Opinion also highlights the distinct consent requirements of each regulation. The CTR requires informed consent, and its requirements respond primarily to the core ethical requirements of research projects involving humans. The GDPR, by contrast, requires that consent be freely given, specific, informed and unambiguous, and, because clinical trial data are health data, explicit, if it is to serve as a legal basis for processing.

With respect to secondary uses of clinical trial data for scientific purposes, Article 28(2) of the CTR states that the trial sponsor may ask a clinical trial subject, at the time the subject gives informed consent to participate in the study, to also consent to the use of his or her data outside the clinical trial, for scientific purposes only. However, this consent is not consent to the processing of personal data within the meaning of the GDPR. Should a sponsor or investigator wish to use personal data for any scientific purpose other than those defined in the clinical trial protocol, it must establish a separate legal basis for processing for that secondary purpose. That legal basis may be the same as the one established for the primary use, or it may differ.

The EDPB further comments that where a secondary use of the clinical trial data for scientific purposes is compatible with the original purpose for which the data were collected, the controller may be able to further process the data without recourse to a new legal basis, provided the GDPR’s other requirements, including appropriate safeguards for the data subject, are met.

These are only examples of the EDPB’s analysis of the relationship between the GDPR and the CTR. What is clear, however, is that companies using clinical trial data for scientific purposes need to be aware of their obligations under both regulations. Moreover, compliance with one regulation does not necessarily satisfy the requirements of the other. Being knowledgeable about your company’s obligations – and having the necessary expertise and advice available – will be critical to compliance success.
Through its software-guided review and remediation process, education tools and representation services, Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators’ expectations.

For more information on how we can help your organization become GDPR compliant, please contact info@achievedcompliance.com.