
GDPR PRIVACY COMPLIANCE FOR CLINICAL RESEARCH ORGANIZATIONS AND TRIAL SPONSORS

HEREIN REFERRED TO AS THE (ENTITY)

Privacy Policy for Clinical Research Organizations and Trial Sponsors

Effective: 1 May 2025

1. Introduction

We, the (“Entity”), are committed to protecting the personal data of trial participants, investigators, and stakeholders in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Clinical Trials Regulation (EU) No. 536/2014, and Good Clinical Practice (GCP) guidelines. This policy explains how we handle personal data in the context of clinical trials and biomedical research.

2. Data Controller

Depending on the trial structure, the Entity may act either as Data Controller or as Joint Controller with the sponsor or site (Art. 26 GDPR). The allocation of roles and responsibilities is documented in the trial agreements.

3. What Personal Data We Collect

We may collect and process:

  • Participant Data (pseudonymized): Age, sex, health history, lab results, treatment response, trial ID

  • Special Category Data: Genetic data, biometric data, mental and physical health conditions

  • Informed Consent Records: Signed forms, timestamps, version control

  • Investigator Data: Name, qualifications, contact details, site credentials

  • Device and Sensor Data: For decentralized trials or wearables (where applicable)

  • Children’s or Vulnerable Subjects’ Data: Collected under strict ethical review and guardian consent

Pseudonymization (Art. 4(5) GDPR) is applied so that data can no longer be attributed to an identified participant without a separately held key. That key remains with the clinical site and is not shared with the sponsor or other recipients.

4. Lawful Basis for Processing

Personal data is processed under:

  • Consent (Art. 6(1)(a), Art. 9(2)(a)) – informed, specific, freely given

  • Public Interest in Scientific Research (Art. 6(1)(e), Art. 9(2)(j)) – with safeguards

  • Contractual Necessity (Art. 6(1)(b)) – for trial investigator agreements

  • Legal Obligation (Art. 6(1)(c)) – pharmacovigilance and regulatory reporting

  • Legitimate Interests (Art. 6(1)(f)) – where applicable and with balancing tests

All processing aligns with GCP and the Declaration of Helsinki principles.

5. Purposes of Data Processing

We process data to:

  • Conduct, monitor, and evaluate clinical trials

  • Report adverse events and ensure subject safety

  • Maintain data integrity and traceability

  • Analyze trial results and submit to regulators

  • Manage investigator and sponsor communications

  • Fulfill legal and ethical audit trails

6. Data Sharing and Recipients

Data may be shared with:

  • Clinical trial sites and investigators

  • Ethics Committees and Institutional Review Boards (IRBs)

  • Contract Research Organizations (CROs), labs, and statisticians

  • Regulatory bodies (e.g., EMA, FDA)

  • Sponsors, in a pseudonymized format

All parties are bound by GCP and by GDPR-compliant Data Processing Agreements (Art. 28). Access is granted on a need-to-know basis, and data is transmitted only over secure channels.

7. Data Retention

  • Trial Data: Retained for at least 25 years after the end of the trial (Art. 58 Clinical Trials Regulation), or longer where GCP or national regulations require

  • Consent Forms and Audit Trails: Minimum 15 years post-trial completion

  • Adverse Event Data: Retained for the lifecycle of the investigational product

8. Data Subject Rights

Subject rights are supported in line with GDPR, while balancing scientific integrity:

  • Access (Art. 15) – via trial site

  • Rectification (Art. 16)

  • Restriction (Art. 18)

  • Objection (Art. 21)

  • Erasure (Art. 17) and portability (Art. 20) may be restricted once data has been anonymized or integrated into research findings, where granting them would render the research impossible or seriously impair it (Art. 17(3)(d), Art. 89(2))

Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal (Art. 7(3) GDPR; Art. 28(3) Clinical Trials Regulation), and data already obtained under ethics approval may continue to be used for the trial.

Contact us below for further assistance via the COMMUNICATION OPTIONS.

9. International Transfers

If data is transferred outside the EEA:

  • Adequacy decisions (Art. 45), Standard Contractual Clauses (SCCs, Art. 46(2)(c)), or Binding Corporate Rules (BCRs, Art. 47) are used

  • Additional safeguards (e.g., encryption, access limits) are applied

Transparency around transfers is included in participant information sheets.

10. Data Security

We apply:

  • Encrypted data capture and transfer (eCRFs, EDC systems)

  • Controlled access logs

  • Physical and IT security for source documents

  • Regular GCP-compliant audits and risk assessments

11. Data Breach Notification

Breach reporting follows Art. 33 GDPR (notification to the competent Supervisory Authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach) and Art. 34 GDPR (communication to affected data subjects where the breach is likely to result in a high risk to their rights and freedoms), together with the Sponsor's reporting obligations under the Clinical Trials Regulation.

12. Automated Decision Making

Clinical trials conducted by the Entity do not involve decisions based solely on automated processing that produce legal or similarly significant effects on participants (Art. 22 GDPR); any automated support is subject to human oversight.

13. Data Protection Impact Assessments (DPIA)

DPIAs (Art. 35 GDPR) are carried out before processing begins for trials involving:

  • Genetic data

  • Remote or AI-based monitoring

  • Biobank integrations

14. Cookies and Tracking

If trial platforms or portals are used, cookie tracking is consent-based and explained in separate notices.

15. Complaints

If you believe your rights have been infringed, you may lodge a complaint with your Supervisory Authority (Art. 77 GDPR); see CONTACT SUPERVISORY AUTHORITY below.

16. Use of Artificial Intelligence (AI) and Automated Tools

We may use Artificial Intelligence (AI) or automated technologies to support the delivery, analysis, or improvement of our services. Any deployment of AI is conducted in accordance with applicable laws, including the GDPR and the EU AI Act (Regulation (EU) 2024/1689) as its obligations phase in, and is subject to the following safeguards:

  • Transparency: Where AI tools are used to process personal data (e.g., chatbots, service optimization, fraud detection), individuals are clearly informed at the point of interaction.

  • Human Oversight: All AI-supported functions are subject to human review and final decision-making. No fully automated decisions with legal or similarly significant effects are taken without human intervention.

  • Fairness and Accuracy: AI systems used by the Entity are regularly monitored to ensure outputs are non-discriminatory, accurate, and aligned with intended purposes.

  • Data Minimization: Personal data used in AI models is limited to what is strictly necessary, and anonymization or pseudonymization is applied wherever feasible.

  • Third-Party AI Providers: If AI services are sourced from external vendors, they are required to comply with our data protection standards and are bound by GDPR-compliant agreements (Art. 28).

  • Rights of Individuals: Data subjects retain all applicable GDPR rights, including the right to object to processing, including profiling (Art. 21); the right not to be subject to a decision based solely on automated processing (Art. 22); and the right to receive meaningful information about the logic involved and the envisaged consequences of such processing (Art. 13(2)(f), Art. 14(2)(g), Art. 15(1)(h)).

This clause will be updated as legal frameworks governing AI continue to evolve.

17. Updates

This policy is reviewed annually and updated to reflect changes in law or in the Entity's operations.

We the ENTITY take your privacy seriously and treat your personal information with the same care and respect we would expect for our own. This policy has been developed to comply with relevant data protection laws in our jurisdiction and, where necessary, with those of other applicable regions. If you have any concerns or identify areas where you feel we may not be meeting our responsibilities, please don’t hesitate to get in touch using the contact methods listed at the end of this policy. We are committed to addressing any issues promptly and transparently.

A specialized compliance team has created this policy, with the following roles:

1. Data Protection Officer (DPO) – Regulatory Oversight

  • Ensures all policies strictly adhere to GDPR principles (lawfulness, transparency, data minimization, etc.)

  • Coordinates legal review of lawful basis, data subject rights, international transfers

  • Leads DPIA structure and breach protocols

2. Healthcare Compliance Specialist – Clinical & Sector-Specific Accuracy

  • Aligns policies for clinics, hospitals, diagnostic labs, and CROs with EU healthcare-specific laws (e.g., MDR, IVDR)

  • Validates handling of health data, pseudonymization, and patient consent

3. Cybersecurity Expert – Data Security & Technical Controls

  • Reviews and enhances sections on encryption, access controls, breach response

  • Assesses vulnerabilities in telemedicine, HealthTech, and device ecosystems

4. Clinical Trials Legal Advisor – Research & Ethics Governance

  • Provides expert review of consent models, data minimization, and pseudonymization in CRO/trial sponsor contexts

  • Validates retention and secondary use of trial data

5. Insurance & Claims Data Analyst – Financial & Claims Compliance

  • Reviews insurance provider policy to ensure lawful processing of medical + financial data

  • Checks fraud detection profiling, cross-border reinsurance handling

6. Social Care & Safeguarding Expert – Care Facilities Privacy

  • Ensures care home, mental health, and disability service policies reflect safeguarding, social care, and public interest standards

7. Occupational Health Specialist – Employment Health Interface

  • Validates lawful employer data access, fitness for work processing boundaries, and health/safety recordkeeping

8. Medical Device Regulatory Consultant – MDR/IVDR Alignment

  • Ensures policies for device providers include obligations under EU Medical Device Regulation and post-market surveillance practices

9. Digital Health & AI Legal Advisor – Emerging Tech Compliance

  • Checks AI/algorithmic decision-making disclaimers in telemedicine & HealthTech

  • Ensures policies reflect EU AI Act intersections where applicable

10. Cross-Border Transfers Specialist – International Data Governance

  • Verifies compliance mechanisms for SCCs, BCRs, and adequacy decisions across all entities transferring data internationally

DATA SUBJECT RIGHTS

COMMUNICATION OPTIONS