Does the GDPR Apply to Clinical Trial Sponsors Outside the EU?

Though the General Data Protection Regulation (GDPR) has now been in effect for several years, certain industries are still grappling with how GDPR requirements intersect with industry requirements. In particular, a significant divergence exists in the clinical trial context between the various data protection authorities (DPAs) within the European Union (EU) and the European Economic Area (EEA) [1] as well as among clinical trial stakeholders themselves over several key interpretations of the GDPR.

Does the GDPR Apply to Non-EU Clinical Trial Sponsors? The Perspectives of Supervisory Authorities

In an attempt to catalog these varying interpretations and to provide clarity to VeraSafe’s biotech and pharmaceutical clients and other organizations engaged in clinical trials (such as CROs and study sites), VeraSafe’s research division reached out to the EU and EEA DPAs to ask their opinions on the following questions:

  1. Does the GDPR apply to clinical trial sponsors outside of the EEA that are conducting clinical studies in the EEA?
  2. Is patient data processed under a clinical trial considered “personal data” even if it is pseudonymized?
  3. If a clinical trial is being conducted in your jurisdiction, would the clinical trial sponsor and the principal investigator be considered joint controllers of the personal data of the trial participants (data subjects)? Alternatively:
    1. Is the clinical trial sponsor the data controller while the principal investigator acts as a processor on behalf of the sponsor?
    2. Is the principal investigator an independent data controller together with the sponsor?

For ease of comparison, VeraSafe’s research division compiled all responses received to these questions from the EU and EEA DPAs into a convenient table. This table, and a deeper analysis of the legal questions behind the issues posed here, are available in an article authored by VeraSafe and published by the International Association of Privacy Professionals (IAPP).

Help With GDPR Compliance for Clinical Trials

If you have any questions related to our findings or would like assistance with GDPR compliance in your clinical trials, VeraSafe can help. Our data protection team is highly experienced in GDPR implementation for pharmaceutical and biotech companies sponsoring clinical trials in the EU. Read more about our GDPR Compliance Services for Clinical Trials.

  1. The EEA includes EU countries and also Iceland, Liechtenstein, and Norway.