Norton Rose Fulbright - Data Protection Report blog

On January 23, 2019, the European Data Protection Board (“EDPB”) issued an opinion on the interplay between the Clinical Trials Regulation (“CTR”) and the General Data Protection Regulation (“GDPR”). See our previous blog posts on the GDPR here and here. The opinion also addresses GDPR requirements regarding (1) the legal basis for processing personal data in the course of a clinical trial protocol (primary use) and (2) the further use of clinical trial data for other scientific purposes (secondary use).

Even though the CTR already entered into force on June 16, 2014, the regulation’s application depends on the development of a fully functional EU clinical trials portal and database which is projected to be operational in 2020. In anticipation of the CTR’s applicability, the EDPB’s Opinion 3/2019 provides much needed clarification on the interplay between the GDPR and the CTR[1] and allows companies to update their processes and agreements to conduct clinical trials that comply with both regulations.

Primary use: Legal basis for processing personal data in the course of a clinical trial


The GDPR requires a legal basis for processing personal data. When discussing the legal basis for processing personal data in the lifecycle of a clinical trial, the EDPB distinguishes between two main categories of processing: processing related to reliability and safety purposes, and processing purely related to research activities.

Reliability and safety purposes

  • The appropriate legal basis for data processing operations relating to reliability and safety purposes is Article 6(1)(c) of the GDPR. Article 6(1)(c) states that processing is lawful if it “is necessary for compliance with a legal obligation to which the controller is subject.” The EDPB provides several conditions under which this legal basis is available, yet the crux is that the obligation is imposed and valid under law.
  • The legal basis for processing sensitive personal data is Article 9(2)(i) of the GDPR. Article 9(2)(i) of the GDPR states “processing is necessary for the reasons of public interest in the area of public health.”

Research activities

The legal basis for data processing purely related to research activities is less straight forward, as the EDPB states that research activities do not derive from a legal obligation. The EDPB examines several alternative legal bases for processing operations purely related to research activities:

  • Article 6(1)(a) in conjunction with Article 9(2)(a) – consent;
  • Article 6(1)(e) or Article 6(1)(f) in conjunction with Article (9)(2)(i) or (j) GDPR) – public interest or legitimate interest of the Controller, combined with processing in the interest of the public health or necessary for scientific or historical research purposes.

Controllers may determine the specific basis by examining the whole circumstances of the trial and processing activity.

Consent as a legal basis

The EDPB differentiates between informed consent and consent as a legal basis under the CTR and GDPR respectively, and by extension, the withdrawal of consent.

The CTR requires a signed writing informing the subject as to the nature, objectives, benefits, implications, and risks of the clinical trial. In addition, the EDPB states that informed consent pursuant to Chapter V of the CTR “responds to core ethical requirements of research projects deriving from the Helsinki Declaration and is primarily a measure to ensure the protection of the right to human dignity and the right to integrity of individuals under Article 1 and 3 of the Charter of Fundamental Rights of the EU; it is not conceived as an instrument for data protection compliance.”[1]

Contrast that notion with consent under the GDPR, which must be “freely given, specific, informed, unambiguous, and explicit.” This concept of consent is designed as a measure for protection of an individual’s personal information. The EDPB stresses the importance of a controller paying attention to “freely given” consent, and that the controller examine whether there may be an imbalance of power between the sponsor and participants of a trial – an imbalance of power that may blunt the reliability of consent as a legal basis.

The EDPB considers an imbalance of power to exist under a broad set of circumstances, including when: (1) participants in a clinical trial are not in good health; (2) participants belong to an economically or socially disadvantaged group; or (3) when participants are in any situation of institutional or hierarchical dependency. The EDPB goes on to state that under these circumstances, the imbalance of power will imply that the consent is not “freely given” within the meaning of consent under the GDPR.

As a result, the EDPB states that in most cases, consent will not be an appropriate legal basis for processing clinical data for research purposes. If relying upon consent, a controller should perform a thorough assessment of all circumstances and ensure that all conditions of the Working Party 29 Guidelines on Consent are met.

While the CTR does consider this imbalance, it merely requires sponsors to take into account all circumstances which might influence the decision of a subject to participate in a clinical trial when gaining informed consent – it does not question the legitimacy of consent.

Alternative legal grounds for processing

Although the opinion questions the validity of consent for processing under the GDPR, it provides other alternative legal grounds for processing under Article 6 of the GDPR. First, under Article 6(1)(e), the processing of personal data may be considered “necessary for the performance of a task carried out in the public interest.” Under the GDPR, this legal basis is triggered when the performance of a clinical trial is vested in a public or private body by national law. Second, processing data may be permitted under Article 6(1)(f), when the processing of personal data is “necessary for the purposes of the legitimate interests pursued by the controller… except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.” The EDPB does not elaborate as to what type of scenario falls under the second legal basis.

It should be noted that the EDPB opinion clarifies that for processing sensitive data, the above Article 6 legal bases can only be applied if Article 9 of the GDPR provides for a specific derogation from the general prohibition to process sensitive data. While not directly addressed by the guidance, this issue is crucial in clinical trials because the vast majority of the valuable information processed is sensitive personal data. Therefore, depending on the circumstances of a clinical trial, the EDPB states the appropriate Article 9 condition for all processing operations for purely research purposes could be either: public interest in the area of public health or for scientific research in accordance with proper safeguarding. Further complicating the matter are Member State laws that provide derogations in specific derogations in this area.[2]

Secondary use: clinical trial data outside the clinical trial protocol for scientific purposes


The CTR specifically addresses secondary use, and if a clinical trial subject gives informed consent, the sponsor may ask the participant for consent to use his or her data outside the protocol of the clinical trial for secondary and related scientific purposes. However, consent under the GDPR is not the same as under the CTR, and the EDPB finds that reliance on consent may not be valid because of the imbalance of power. Therefore, controllers who plan to use personal data for any other scientific purpose other than the ones defined by the clinical trial protocol must articulate a different specific legal ground under the GDPR such as Article 6(1)(c), if the sponsor/investigator is subject to legal obligations related to safety purposes. The EDPB notes that the chosen legal basis may be the same or different as the legal bases for primary use.

The EDPB recognizes that requiring another specific legal ground for secondary use would be contrary to the presumption of compatibility provided by Article 5(1)(b) of the GDPR. Article 5 provides that where data is processed for archiving purposes in the public interest, scientific, historical research, or statistical purposes, that use should be considered compatible with the initial purpose provided that proper safeguards are in place. Indeed, under certain conditions, the EDPB recognizes that the controller should be allowed to further process clinical data for secondary use without a need for a new legal basis. But, the conditions that would allow such further processing requires “specific attention” and additional guidance from the EDPB. Until such guidance is issued, the EDPB states that the presumption of compatibility should still apply for the secondary use of clinical trial data, subject to the safeguard requirements of Article 89.

Our take: Further questions and implications


Opinion 3/2019 clarifies the interplay between the CTR and the GDPR but also raises many questions about how data protection law interacts with established clinical trial norms, such as collecting and relying on participants’ consent. Below are a couple of key takeaways:

  • The EDPB makes a clear distinction between processing of personal data in the context of clinical trials (primary use) and secondary use of clinical trial data for other scientific purposes, but also differentiates between processing of personal data related to reliability and safety purposes and processing of personal data related to research activities as part of the primary use. Organizations involved with clinical trials should evaluate whether and to what extent their internal processes reflect this distinction and whether there is a legal basis for any of these data processing activities available.
  • Consent requirements under the GDPR shall not be confused with informed consent pursuant to the CTR. It is a little incongruous that a data subject can consent to be a human test subject in a clinical trial through informed consent, but may not be able to consent to have their personal data processed in that same clinical trial because of the power imbalance between the subject and the researcher. Nevertheless, organizations should take steps to comply with both regimes
  • The EDPB’s reference to Article 89 of the GDPR is interesting as this research exception is broader than the definition of “research” in several Member States’ pre-GDPR laws and includes “privately funded research.”
  • The EDPB Opinion 3/2019 can create confusion for patients if they are presented with multiple consents, each designed to comply with different laws. Generally, data protection authorities frown on processes that create ambiguities for data subjects.
  • The CTR and the GDPR both raise concerns about an imbalance of power between clinical trial operators and participants. Therefore, controllers must be ready to look at all the circumstances involved, and make reasonable and thorough determinations as to whether there is any imbalance of power issue prior to relying on consent as a legal basis.
  • While the public’s interest and legitimate interest of the controller are permitted legal bases, they are limited and may restrict the processing of data for secondary purposes and future research.

Ultimately, organizations involved with clinical trials will need to reevaluate where consent is used as a legal basis. They may also have to reconsider their procedures around consent, whether there is an imbalance of power between controllers and data subject, and whether other legal bases for processing are available. Further, any secondary processing of data should be carefully considered in light of the CTR, GDPR, and the public interest in scientific research.

[1] Recital 161 of the GDPR merely states “For the purpose of consenting to the participation in scientific research activities in clinical trials, the relevant provisions of Regulation (EU) No 536/2014 of the European Parliament and of the Council should apply.

[2] The protection of personal data is ensured in Article 8 of the Charta of Fundamental Rights of the EU stating that “everyone has the right to the protection of personal data concerning him or her” and that “such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law”.

[3] Section 27(1) German Federal Data Protection Act states that by derogation from Article 9(1) GDPR, the processing of sensitive personal data shall be permitted also without consent for scientific research purposes, if such processing is necessary for these purposes and the interests of the controller in processing substantially outweigh those of the data subject in not processing the data.