If a pharmaceutical company complies with the EU Clinical Trials Regulation, do they automatically comply with the GDPR?

The short answer is no.

Are you a non-EU pharmaceutical company in the early stages of seeking clinical trial authorisation in Europe?
Perhaps you’re a small to medium-sized enterprise (SME) already in talks with research organisations in the EU but are unsure about the interplay between the European Union Clinical Trials Regulation (EU-CTR) and the EU General Data Protection Regulation (GDPR).

Then this article on GDPR compliance under the Clinical Trials Regulation is for you.

Below is a brief overview of the European Union (EU) Clinical Trials Regulation, some examples of how the GDPR and CTR interrelate and how working with a pharma GDPR consultancy can help you comply with both regulations.

What laws apply to clinical trials in the EU?

To conduct clinical trials in the European Union, life science companies and other research organisations must comply with stringent and sometimes contradictory regulations, most notably the GDPR and the CTR. The CTR imposes obligations related to the establishment and conduct of a clinical trial, and the GDPR imposes obligations on the processing of personal data, from names and email addresses of employees or customers to sensitive information such as health data from a clinical trial. Applying the two regulations in parallel can prove challenging, especially if this is the first time you have conducted clinical trials in the EU.

For more detail on how to comply with GDPR in the context of conducting clinical trials, please see our article The importance of GDPR compliance for European clinical trials.

EU Clinical Trials Regulation

Since 2004, the EU Clinical Trial Directive 2001/20/EC (EU-CTD) has governed the conduct of clinical trials in the EU. However, as a directive, EU-CTD only provided a baseline for EU member states to adopt and implement their own national legislation, which has been challenging for sponsors and others who faced a fragmented application and assessment process for multinational clinical trials, as well as a complex data submission framework. 

Effective 31 January 2022, a new regulation began replacing the EU-CTD. The EU Clinical Trial Regulation 536/2014 (EU-CTR) is a binding legislative act. It applies automatically in all EU member states, thus addressing many of the EU-CTD’s shortcomings by simplifying and harmonising the submission, assessment and supervision processes of clinical trials in the EU.

Under the CTR, sponsors can simultaneously apply for authorisations in up to 30 EU/EEA countries using the same documentation. At the core of this centralised registration process is the Clinical Trials Information System (CTIS), which provides a single-entry portal for applications, the submission and assessment of clinical trial data, and a searchable database for healthcare professionals, patients and the general public.

Clinical trial sponsors have been allowed to use the CTIS since 31 January 2022 but have yet to be obliged to do so. However, this is about to change:

  • From 31 January 2023, sponsors must use the CTIS for new EU clinical trial applications.
  • From 31 January 2025, any trials previously approved under the Clinical Trials Directive that are still running must also comply with the Clinical Trials Regulation, and sponsors must record them in the CTIS.

Please note that the EU-CTR does not apply to clinical trials conducted in the United Kingdom. To learn more about recent changes to clinical trial regulations in the UK and how these interplay with the UK-GDPR, please schedule a call with our expert Pharma Data Protection team.

How are EU-CTR and EU-GDPR interrelated?

The European Data Protection Board (EDPB) clearly states that companies cannot use the CTR as an exemption from compliance with the GDPR. Both regulations will require organisations involved with clinical trials to carefully evaluate the nature of data processing regarding its legal basis under the GDPR. However, specific interrelated challenges are associated with this evaluation process.

From a privacy and data protection perspective, the CTR requires all clinical trial information to be recorded, processed, handled, and stored following the applicable personal data protection law, including the EU General Data Protection Regulation (GDPR). Thus, sponsors submitting a clinical trial application must include proof that data will be collected and processed in compliance with the GDPR through a statement to this effect by the sponsor (or its representative in the EU/EEA). The statement must include a description of the following:

  • The arrangements to comply with the applicable rules on the protection of personal data; technical and organisational measures (TOMs) that the organisation will implement to avoid unauthorised access, disclosure, dissemination, alteration or loss of personal data processed
  • Measures to ensure the confidentiality of records and personal data
  • Measures to mitigate possible adverse effects in the case of a data security breach

It is important to note that if you state you are GDPR compliant, your company must be inspection- and audit-ready. GDPR is not something that you should apply retrospectively. Non-compliance increases the risk of data breaches and attracts heavy penalties of up to 4 per cent of an organisation’s global annual revenue or €20 million, whichever is higher. Non-compliance can also incur enforcement action, where a penalised organisation will be under strict supervision as it addresses areas of non-compliance, reducing productivity and increasing costs.

GDPR and challenges to CTR transparency

Data transparency and patient-level data sharing are increasingly important in modern pharmaceutical innovation. To this end, the European Union’s Clinical Trials Regulation aims to increase public access to clinical trial data (CTD). Until now, transparency was not required before the product approval stage. But the new CTD transparency rules mean that other researchers, clinicians and the public have access to information throughout the lifecycle of the clinical trial, from as early as the initial application.

There are some exemptions to the CTR transparency rule to protect personal data, commercially confidential information, and confidential communication among member states regarding their assessment or supervision of clinical trials.

However, sponsors are responsible for ensuring that all documents subject to the CTR transparency rule that they upload to CTIS, or that are uploaded on their behalf, comply with the GDPR. They can do so by adopting any number of the following:

  • removing personal data
  • anonymising data
  • implementing a robust redacting system
  • identifying a derogation, e.g., for investigator details.

Consent

Consent requirements under the CTR and GDPR are often believed to mean the same thing, but this is incorrect.

Consent to participation in a clinical trial in the context of the CTR is an ethical standard and legal obligation, and the Regulation defines informed consent as:
 ‘a subject’s free and voluntary expression of his or her willingness to participate in a particular clinical trial, after having been informed of all aspects of the clinical trial that are relevant to the subject’s decision to participate or, in case of minors and of incapacitated subjects, an authorization or agreement from their legally designated representative to include them in the clinical trial.’

However, consent to participate in a clinical trial is not the same as consent to process one’s personal data under the GDPR. In addition, the European Data Protection Board (EDPB) advises organisations against using consent as the sole legal basis for processing trial participants’ personal data as there can be an imbalance of power between the sponsor and the data subject. Special category data, e.g., health data, can only be processed under the GDPR if specific conditions are met. Consent is not always required under the GDPR when processing clinical trial data, but care must be taken to identify a lawful basis to process any category of personal data within your company.

Balancing the clinical utility of data with the protection of data subjects’ privacy 

Clinical Trial Data (CTD) includes different types of data, e.g., clinical reports, patient-level data, and staff data (investigators, CRO, vendors). As a rule, under the CTR transparency rule, all clinical reports submitted as part of a regulatory application will be subject to publication and may even be subject to third-party access. To protect an individual’s privacy, the personal data must be anonymised or redacted so that the data subjects cannot be identified. However, redaction decreases the value of the clinical data for research purposes. A balance must therefore be achieved between anonymisation, pseudonymisation (which is still considered personal data under GDPR), and redaction.

Cross-border (international) data transfers

Sharing clinical trial data is a key component of the CTR transparency rule and is vital for innovation in pharmaceutical products and medical devices. However, the GDPR requires that companies protect all EU citizens’ data transferred to non-EU destinations in a manner consistent with the protection of personal data in the EU.

Depending on the countries involved, this may be allowed through international agreements with the EU, standard contractual clauses, approved codes of conduct or (in exceptional circumstances) clearly worded informed consent. However, in all cases, the controller must ensure that the personal data is protected.

Do the CTR representative (the ‘Sponsor Legal Representative’) and the GDPR Data Protection Representative have the same role?

No. These are two different roles with different responsibilities. Clinical sponsors with no presence in the EEA can and must appoint separate representatives in order to conduct a clinical trial.

  • CTR representative: The CTR requires trial sponsors not established within the EU/EEA to appoint a Sponsor Legal Representative who represents the trial sponsor in interactions with the competent authorities and, if necessary, the courts in the EEA countries. The role has different levels of liability according to the country. 
  • GDPR Data Protection Representative: The EU Data Protection Representative acts as the point of contact in the EU for data subjects and data protection authorities. The representative also maintains records of processing activities (RoPAs) and makes them available to the data protection authorities upon request.

How can a pharma data protection consultancy help you comply with CTR and GDPR?

Navigating European or UK clinical trial regulations can be daunting and time-consuming, especially if this is your first international clinical trial application. The first step is to find an EU or UK data protection specialist team with pharmaceutical or biotech industry experience who can do the heavy regulatory lifting. Having a trusted pharmaceutical data protection consultant by your side can relieve stress, giving you peace of mind as they guide you through the regulations. At the same time, you can continue to focus on your product development, research and trial execution.

Pharma Data Protection has the industry expertise and experience in managing the interplay between the EU GDPR and the EU Clinical Trials Regulation. We handle the technicalities while partnering with you, providing the support and GDPR compliance tools you need to produce detailed, accurate documentation and efficient processes that comply with both regulations.

Schedule a call with our specialist Data Protection Team to learn more about the EU CTR and EU GDPR.
