On January 23, 2019, the European Data Protection Board (the “Board”) released its opinion on the interplay between the EU’s General Data Protection Regulation (“GDPR”) and the Clinical Trials Regulation (“CTR”). The opinion comments on a draft of FAQs prepared by the European Commission on the same topic and provides insight into how the GDPR will be applied to data processed as part of clinical trials.

Below are some key takeaways from the opinion.

Processing of Personal Data in Clinical Trials Comes in Many Forms

The Board recognized various types of processing activities that occur with clinical data, delineating between primary uses (processing related to the clinical trial) and secondary uses (processing for scientific purposes outside the clinical trial protocol). In terms of primary use, the Board further distinguished between processing related to reliability and safety (e.g., protection of health) and processing related to research activities (e.g., scientific research). Identifying the use is important for determining the appropriate basis to support the processing activity.

Primary Use

The Board opined that consent is not required for processing related to reliability and safety as it is necessary for “compliance with a legal obligation.” This is because the CTR and relevant national laws specify legal obligations related to safety reporting, archiving and disclosure.

Processing for purely research purposes, on the other hand, requires other lawful grounds, such as consent, a task carried out in the public interest, or the legitimate interests of the controller.

  1. Not All Consents or Withdrawals are Equal

The concept of “informed consent” under the CTR relates to participation in a clinical trial (e.g., informing the data subject of all aspects of the clinical trial relevant to the decision to participate and consent) and is not designed as a mechanism for data protection compliance. Consent in the context of the GDPR is more restrictive and specifically aligned to the processing of personal data, with activities concerning special categories of data (e.g., health data) requiring explicit consent.

The risk with relying on consent for processing is that the “freely given” requirement implies real choice and control for the data subjects. Consent is negated where a clear imbalance of power exists between the participant and the sponsor/investigator, such as where participants are not in good health, belong to an economically or socially disadvantaged group, or are in any situation of institutional or hierarchical dependency. Because of this, the Board advises caution and recommends conducting a thorough assessment of the circumstances surrounding the clinical trial before relying on an individual’s consent for research purposes.

The Board also pointed out that consents are subject to withdrawal, which has a different impact depending on whether it is an informed consent under the CTR or consent obtained under the GDPR. Under the former, withdrawal does not affect the activities already carried out or the use of the data obtained before the withdrawal. But a withdrawal under the GDPR requires the immediate stop of all processing activities and, unless there is a lawful basis to support continued retention, deletion of the data.

  2. Public Interest or Legitimate Interest as Bases for Processing

The Board opined that processing for research purposes requires the support of other legal grounds and looked favorably upon processing in the interest of public health or for purposes of legitimate interests pursued by the controller. But these alternatives require additional effort to substantiate the processing activity.

Processing activities related to clinical trials pursued in the interest of public health, or conducted with special categories of data, require support in Union or Member State laws. Relying on legitimate interest as the basis for processing requires the controller to demonstrate that the activity does not override the interests or fundamental rights and freedoms of the data subject.

Secondary Use

While the CTR specifically provides for the ability of data controllers to process data outside of the protocol for “exclusively” scientific purposes, an informed consent under the CTR does not satisfy the consent requirements to lawfully process data under the GDPR. Secondary processing requires a ground independent of the one used for the primary purpose, unless the activity falls under the compatibility presumption.

Under this presumption, a new justification for secondary use is not required for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes where appropriate safeguards are in place. Still, scientific research making use of the data outside the clinical trial protocol must comply with all other relevant and applicable provisions of data protection as mandated by the CTR.

While the Board raised the compatibility presumption as a potential option to support the secondary use without the need to identify a new lawful basis, it did not go as far as to note its applicability in every circumstance. Instead, the Board reserved the issue of what conditions support the compatibility presumption for future guidance due to their horizontal and complex nature.


There are varying types of personal data processing activities that occur within clinical trials, which require independent legal bases to support the intended use. Accordingly, controllers conducting clinical trials should:

  1. Complete a data audit to identify the personal data collected and intended processing activities.
  2. Ensure that any consent obtained meets the “freely given” standard and is appropriate to the type of data processed.
  3. Conduct a survey of Union and applicable Member State laws to ensure that there is a legal basis to support the current or intended processing activity, as in most cases consent will not suffice.



Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.