
Frequently Asked Questions

Life Sciences

Do we need to conduct a Data Protection Impact Assessment (DPIA)?


Yes—if you’re processing sensitive personal data (such as health information), a DPIA is typically mandatory under GDPR and other frameworks. A DPIA helps you identify risks to participants and determine and implement appropriate safeguards before you begin collecting data.

How can we legally transfer clinical trial data internationally?


Data can only be transferred internationally if certain legal or regulatory requirements are met. In some cases, a transfer may be determined to be legal because data is being sent to a country deemed by local authorities to provide an adequate level of protection. When the recipient country has not been found to be “adequate,” organizations must implement Standard Contractual Clauses (SCCs) or Binding Corporate Rules. Ensuring the chosen method aligns with the jurisdictions involved is crucial for lawful cross-border data flows.

Who is considered the ‘Data Controller’ in a clinical trial?


The Data Controller is the entity that determines the purpose and means of data processing. This is often the study sponsor, but roles can vary based on trial structure. Clearly defining and documenting roles (including joint controllers or processors) clarifies the data protection responsibilities each entity bears and is essential for compliance and risk management.

Our organization is processing health data about study participants. Do we need to appoint a Data Protection Officer (DPO) and a Data Protection Representative (DPR)?


A DPO is typically required when a study involves large-scale processing of sensitive health data. If you are based outside the EU but recruiting EU participants, you must also appoint an EU-based DPR to act as your local privacy contact for regulators and data subjects.

What contracts and agreements must be in place?


To comply with most data protection laws and regulations, organizations need properly executed Data Processing Agreements (DPAs), Clinical Trial Agreements (CTAs), and where applicable, joint controller arrangements. These ensure that each party processes personal data lawfully, transparently, and in accordance with defined, agreed-upon responsibilities.