GDPR Brief: the interplay between the Clinical Trials Regulation and the GDPR

1 Jun 2020

The EU’s Clinical Trials Regulation (CTR) and the GDPR both apply to clinical trials and (further) scientific research. In this GDPR Brief, I detail the interplay of the two regulations. The GDPR has been in force since May 2018. The CTR does not yet apply and is due to come into force in 2021.

Not all data processing activities pursuant to the CTR pursue the same purpose. Accordingly, more than one legal basis may apply to the various types of processing. During the life cycle of a clinical trial, two main types of processing for primary use can be distinguished: 1) processing for reliability and safety purposes; 2) processing for research activities. In its Opinion 3/2019, the European Data Protection Board (EDPB) considers that processing for reliability and safety purposes falls within the scope of GDPR article 6(1)(c), i.e. based on a legal obligation, together with article 9(2)(i), i.e. public interest in the area of public health. Examples of this type of processing are the performance of safety reporting and the archiving of the clinical trial master files and the medical records of test subjects. Consent to data processing is not required for these processing activities.

As regards processing for research activities, the EDPB proposes three alternative legal bases: 

  1. A task carried out in the public interest pursuant to article 6(1)(e) together with article 9(2)(i), i.e. public interest in the area of public health or (j), i.e. for archiving purposes in the public interest, scientific or historical research purposes; 
  2. Legitimate interests of the controller pursuant to article 6(1)(f) together with article 9(2)(j); 
  3. Under specific circumstances, when all conditions are met, the data subject’s explicit consent. 

However, GDPR consent does not have the same meaning as informed consent in the CTR. Informed consent in a clinical trial expresses the data subject’s willingness to participate in a particular clinical trial, after having been informed of all aspects that are relevant to the subject’s decision to participate (article 2(21) CTR). Informed consent in the CTR acts as a safeguard rather than a legal basis for processing. The EDPB considers that the element of “freely given” consent under the GDPR cannot be met at all times for clinical trials. The EDPB highlights that this is the case where participants may not be in a good state of health, belong to a socioeconomically disadvantaged group, or are in a “situation of institutional or hierarchical dependency”. Thus, the other legal bases may be more appropriate and can provide for the default option wherever possible. If the legal basis of informed consent is chosen, a particular assessment must be carried out.

As regards the secondary use of clinical trial personal data, i.e. the use of data beyond the scope of the clinical trial protocol, the CTR requires informed consent from the participant. This informed consent should be sought from the participant at the time of the request for informed consent for participation in the clinical trial. Again, this type of consent should not be confused with the elements of consent in the GDPR. And though the EDPB recognizes that a new legal basis may not be needed provided that the conditions of article 5(1)(b) (presumption of compatibility) and article 89 GDPR (scientific research) are met, an ethical consent may still be assumed as part of the principle of fairness as laid down in article 28 CTR. There may be trials where an advance CTR informed consent is not required, i.e. in case of emergencies. The CTR also provides for alternative informed consent by proxy when the participant is unable to give consent.

Participants in a clinical trial must receive the relevant information about the clinical trial, and they should also receive the information pursuant to the GDPR, such as the legal basis for processing their data and information about their data processing rights. Participants in a clinical trial can always withdraw their informed consent under the CTR, which means they withdraw from the clinical trial itself. The withdrawal under the CTR will end the research processing, but the processing for safety and archiving obligations will be pursued. Thus, data which the controller (sponsor/investigator) must process pursuant to legal obligations and for safety purposes may continue to be processed. This information should be included in the consent form given to participants.

Further Reading

Relevant CTR Provisions

Relevant GDPR Provisions

  • Recital 159 – processing for scientific research purposes
  • Recital 161 – consenting to participation in clinical trials
  • Article 4(11) – consent must be freely given, specific, informed, and unambiguous
  • Article 5 – principles relating to processing
  • Article 6 – lawful bases for processing
  • Article 9 – special category data
  • Article 89 – safeguards relating to processing for scientific research purposes

Irith Kist is legal counsel and Data Protection Officer of the Netherlands Cancer Institute (NKI).

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.