GDPR Compliance Services for Clinical Trials

Leverage VeraSafe’s deep experience advising sponsors of EU clinical trials

VeraSafe provides a complete solution to ensure that your clinical trial is conducted in compliance with the EU General Data Protection Regulation (“GDPR”). Through numerous successful GDPR implementations, ranging from small single-site phase I trials to large multi-site phase III trials involving clinical sites in multiple EU member states, VeraSafe has developed a highly specialized practice at the intersection of clinical trials and the GDPR.

Take the first step now by contacting VeraSafe for a no-obligation quote.


We’re Your Partner for Clinical Trials Under the GDPR

As part of VeraSafe’s expertise in this specialized area of law, our team is highly experienced in steering clinical trials through the requirements of not only the GDPR, but also local EU member-state legislation and regulatory guidance. VeraSafe also has specific expertise in managing the interplay between the GDPR, the EU Clinical Trial Regulation (“CTR”), and Good Clinical Practice guidelines (“GCP”). Rely on our expertise gained serving as the Data Protection Officer for numerous prominent pharmaceutical companies for assurance that your clinical trial will be GDPR compliant.

Our Services Include:

VeraSafe’s Outstanding Legal Project Management Methodology

VeraSafe’s tried and proven project management methodology ensures that we are able to meet tight deadlines and accommodate aggressive study timelines. Your VeraSafe project team will include a qualified project manager who is responsible for managing the overall pace, organization, and efficiency of your compliance project. The project manager can draw on the resources and expertise of the entire VeraSafe team, when needed, to accelerate the completion of deliverables.

  • Scoping and Data Mapping

    A foundational first step towards GDPR compliance is to develop your organization’s records of personal data processing activities. Article 30 of the GDPR requires controllers and processors, which in a clinical trial includes the sponsor, to maintain accurate records of their data processing activities; the small-organization exemption in Article 30(5) does not apply where special categories of data such as health data are processed, so a sponsor cannot rely on it. VeraSafe will assist your organization in developing these records and implementing internal processes to facilitate ongoing updates of such records.

  • Privacy Notice Drafting

    As an alternative to using informed consent forms (“ICFs”) as a means to provide the requisite privacy notice disclosures to patients, VeraSafe will draft a standalone privacy notice to enable your organization’s compliance with the transparency obligations of Articles 13 and 14 of the GDPR. VeraSafe can review and revise your current patient privacy notice or create a new patient privacy notice for your clinical trial, as needed.

  • Vendor Management

    Article 28 of the GDPR requires a written contract between your organization and each vendor that processes personal data on its behalf, in practice every vendor that has the technical or physical ability to access clinical trial patient data or personal data of site staff. Such vendors typically include contract research organizations (“CROs”), labs, and cloud software providers, among others. Compliance with this obligation is most frequently accomplished by signing a data processing addendum (“DPA”) with such vendors.

    These DPAs must include the specific provisions listed in Article 28(3), including the obligation that the vendor’s technical and organizational measures for securing personal data meet the standards of the GDPR. VeraSafe will assist your organization in reviewing these vendor contracts and, if necessary, directly support or lead the effort to negotiate and sign a DPA with each of your organization’s relevant vendors.

  • Clinical Trial Agreements

    Much in the same way that your organization must implement DPAs with its vendors, a sponsor must ensure that clinical sites are also bound by appropriate data protection terms. Data processing addenda can be attached to the clinical trial agreements that are signed by your clinical sites. The data protection terms contained within these DPAs can be made country-specific, e.g., depending on whether a clinical site is treated as a processor or as a controller in that jurisdiction; where a site acts as a joint controller with the sponsor, Article 26 of the GDPR requires an arrangement allocating the parties’ respective responsibilities.

  • Collaboration Partners

    If your clinical trial involves collaboration partners that receive study data outside of the European Economic Area (“EEA”), a specialized data transfer agreement, such as one incorporating the European Commission’s Standard Contractual Clauses, may need to be implemented between your organization and the collaboration partner(s). This applies even to key-coded data, because pseudonymized data remains personal data under the GDPR as long as a key exists that can re-identify the patient. VeraSafe will draft this data transfer agreement and, if necessary, assist your organization in negotiating and signing the agreement with your organization’s collaboration partner(s).

  • Data Protection Impact Assessments

    Clinical trials in the EU inevitably involve processing personal health data, which must be archived in the clinical trial master file for an especially long period (at least 25 years after the end of the trial under Article 58 of the CTR). For these reasons, a Data Protection Impact Assessment (“DPIA”) under Article 35 of the GDPR is typically required as part of a sponsor’s preparation for a clinical trial. In conducting your Data Protection Impact Assessment, VeraSafe will leverage its well-developed methodology and specialized templates specific to DPIAs for clinical trials.

  • Internal Policy and Procedure Review

    A clinical trial sponsor’s internal policies and procedures typically require some level of revision to help ensure that business operations are aligned to the GDPR. To meet this challenge, VeraSafe has painstakingly developed a library of data protection-related standard operating procedure templates that can be easily customized to fit your particular circumstances. VeraSafe can also refine your existing policies and procedures to embed the requisite GDPR operational requirements into your existing business process documentation.

  • Data Subject Rights Management

    In practice, a number of patient privacy rights established under the GDPR are effectively limited by countervailing obligations under the EU Clinical Trial Regulation; for example, a request to erase a patient’s data cannot override the sponsor’s obligation to retain the trial master file. However, the sponsor must nevertheless ensure that patients have a means to request the exercise of their privacy rights and receive a response. To comply with this requirement without violating the confidentiality requirements of Good Clinical Practice guidelines, VeraSafe can serve as your organization’s point of contact for patients who wish to exercise privacy rights available to them under the GDPR.

  • IT Security Review and Remediation

    Article 32 of the GDPR establishes a broad requirement for strong data security in pursuit of overall privacy protection. If requested, VeraSafe can review your organization’s IT security policies and procedures against the VeraSafe Privacy Program Certification Criteria, which is a highly actionable set of requirements that merges the GDPR’s risk-based approach with the U.S. National Institute of Standards and Technology’s Cybersecurity Framework for Critical Infrastructure (“NIST CSF”). This data protection standard provides the basis of a high-assurance assessment of compliance with Article 32.

  • Data Protection Officer Services

    Clinical trial sponsors are typically subject to the GDPR’s requirement to appoint a Data Protection Officer (“DPO”) under Article 37, because their core activities involve large-scale processing of special categories of data such as health data. Appointing VeraSafe as your organization’s DPO is an exceptionally easy and cost-effective approach that ensures your compliance with this important obligation.

    As your DPO, the entire VeraSafe team of privacy experts, in-house attorneys, IT security experts, and project managers will be available as your data protection subject matter experts. Going beyond the compliance activities described above, our team will help monitor your organization’s compliance with the Regulation and proactively identify compliance strategies, opportunities, and risks.

  • Article 27 EU Data Protection Representative

    Article 27 of the GDPR requires many organizations that are subject to the GDPR under Article 3(2) but that are not established in the EU to appoint an official representative located in the EU for the purpose of responding to the inquiries of European supervisory authorities and data subjects.

    By appointing VeraSafe’s European subsidiary as your organization’s official EU representative for data protection, you can rest assured that your organization complies with this often-overlooked requirement.

Getting Started

Whether your organization is sponsoring a single phase I study, multiple phase III studies, or something in between, VeraSafe is your ideal partner in navigating the complexities of designing and operating clinical trials in compliance with the GDPR.

Why VeraSafe?

Track record of successful GDPR implementations across industries.

Work directly with our in-house team of US and European attorneys, IT experts, and project managers.

Strategic, risk-based approach to compliance.

Fully customizable DPO program, tailored to fit your needs.

Holistic approach: We help you identify business opportunity hidden inside the GDPR.

Going beyond just EU privacy law, VeraSafe is your end-to-end partner for the entire privacy and cybersecurity domain.