Clinical trials part 2: Data protection considerations for vendor Data Processing Agreements

Data Processing Agreements (DPAs) are legally required under the EU and UK General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (GDPR) whenever clinical trial sponsors use third-party vendors to processA series of actions or steps taken in order to achieve a particular end. personal dataInformation which relates to an identified or identifiable natural person.. These agreements define how personal data must be handled, helping sponsors ensure compliance, reduce liability, and demonstrate accountabilityPerhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance. to regulators and trial participants. 

In part 2 of our clinical trials blog series, we explore the key data protection considerations for vendor Data Processing Agreements, with expert insights from DPO and Life Sciences Sector Lead, Lawrence Carter. We’ll cover the critical considerations for drafting a DPA along with some of the common pitfalls to avoid. 

Important areas covered: 

• Which third parties need a Data Processing Agreement?
• What should a DPA include?
• International data transfers 
• Who should review DPAs?

Missed part 1? We covered data protection in Clinical Trial Agreements (CTAs) between sponsors and sites.
Read about CTAs here.

Which third parties need a Data Processing Agreement?

Under the GDPR, a DPA is a mandatory requirement if a vendor processes personal data while delivering their services. In clinical trials, vendors can encompass a range of organisations, including Clinical Research Organisations (CROs), providers of Electronic Data Capture (EDC) systems, Electronic Trial Master File (eTMF) platforms, Clinical Trial Management Systems (CTMS), and central labs analysing samples or performing pharmacokinetic (PK) testing. 

But just because a third party is labelled a ‘vendor’ by clinical operations teams doesn’t automatically mean a DPA is needed. The nature of the relationship and how personal data is handled ultimately determine the appropriate agreement.

For example: 

• No DPA required:
  Some vendors don’t process any personal data at all, such as certain shipping providers or suppliers of comparator substances.
• DPA required:
  Others, such as consultants, contractors or auditors, might not be seen as traditional ‘vendors’, but may still process personal data on the sponsor’s behalf. In this case, a DPA is still legally required.
• When a Data Sharing AgreementA written agreement between data controllers that defines the purpose and lawfulness of data sharing, whilst establishing the roles and standards of the processing of such data (i.e. imposing requirements around security, re-use and further sharing). (DSA) is more appropriate:
  Some vendors may also be independent or joint controllers rather than processors. This might apply to collaborators, external counsel, group companies, or medical monitors. In these cases, a Data Sharing Agreement (DSA), not a DPA, may be more appropriate. 

To stay GDPR compliant, sponsors should carry out data flow mapping and compliance reviews to identify all relevant third parties, understand their role, and ensure the right agreement is in place. 

What should a DPA include?

The GDPR sets out certain required terms for DPAs. We covered these in part 1 of this blog series, but there are also a few specific areas sponsors should pay close attention to: 

1. Due diligence

Before signing any agreement, sponsors should provide the vendor with a data protection questionnaire or audit and ensure it is fully completed. This helps confirm that the vendor has appropriate technical and organisational measures in place. Sponsors should then review whether the contract terms align with the vendor’s responses and flag any inconsistencies or contradictions. 

2. Audits and inspections 

Vendors might agree to contract terms without fully understanding them, such as commitments to specific security measures. Sponsors should check that audit rights are clearly stated and ensure clauses don’t unreasonably restrict access to audit or inspection processes. 

3. Clear timeframes

Some obligations, such as data breach notifications or data subjectAn individual who can be identified or is identifiable from data. request responses, must be completed ‘without undue delay’. But in practice, vague timelines can cause issues. Sponsors should consider adding firm deadlines, especially for multi-jurisdictional trials. For example, ‘within 14 UK business days’, making sure the term is defined in the contract. 

4. Supply chain visibility

A 2024 opinion from the EDPB clarified that data controllersEntities (such as an organisation) which determine the purposes and means of the processing of personal data. must maintain comprehensive Records of Processing Activities (RoPAs) relating to all data processorsThird parties processing personal data on behalf of a data controller. and sub-processors in their supply chain. 

To meet this requirement, DPAs should explain: 

• How information about sub-processors is shared back up to the sponsor 
• Whether a full list of sub-processors will be included in the DPA, or otherwise updated regularly via a change control process
  

5. Re-use of data by processors

With the rise of AI, some larger processors may want to re-use personal data to train Large Language Models (LLMs). Even if the data were to be anonymisedAnonymised refers to data that has undergone a process of transformation to remove or alter personal data in such a way that individuals can no longer be identified from it, and it is impossible for that process to be reversed and the data to be re-identified. Anonymised data is considered non-personal and falls outside the scope of the GDPR., the act of anonymisation itself is considered processing. 

Unless there’s a lawful basis for secondary use, supported by a compatibility assessment or separate privacy noticeA clear, open and honest explanation of how an organisation processes personal data., sponsors should consider removing or rejecting these clauses. 

International data transfers and DPAs

If a clinical trial vendor is based outside the UK, EU, or EEA, transferring personal data to them is considered an international data transferThe movement of data from one place to another. This could be, for example, from one data controller to another, or from one jurisdiction to another. under the GDPR. In these cases, sponsors must include an appropriate transfer mechanism. 

The most common transfer mechanism options are: 

Adequacy decisions

These are granted by the European CommissionOne of the core institutions of the European Union, responsible for lawmaking, policymaking and monitoring compliance with EU law. or UK government when a country’s legal framework provides an adequate level of protection. A legal entity can also be deemed adequate through a limited adequacy decisionA decision adopted by the European Commission on the basis of Article 45 of the GDPR, which establishes that a third country (i.e. a country not bound by the GDPR) or international organisation ensures an adequate level of protection of personal data. Such a decision takes into account the country's domestic law, its supervisory authorities, and international commitments it has..., such as the EU-US Data Privacy FrameworkThe EU-US Data Privacy Framework (EU-US DPF) is a set of principles and safeguards for transferring personal data from the EU to certified US organisations. The programme took effect on 10 July 2023, replacing the invalidated Privacy Shield, and the EU Commission has since deemed transfers made from the EU to certified US organisations Adequate.  (DPF).

Standard Contractual ClausesStandard Contractual Clauses are legal tools to provide adequate safeguards for data transfers from the EU or the European Economic Area to third countries. (SCCs)

If adequacy doesn’t apply, Standard Contractual Clauses (SCCs) must be used.

For transfers outside the EU or EEA, organisations must use the 2021 EU SCCs. Remember to:  

• Make sure the correct SCC module is selected (based on controller/processor roles) 
• Complete the 3 annexes as appropriate  
• Update clauses 7, 9, 11, 17, and 18 to reflect agreed details

For transfers outside the UK, either the UK AddendumAn additional document that modifies, clarifies, or supplements the terms of an existing legal document without nullifying the original content. or International Data Transfer Agreement (IDTAThe International Data Transfer Agreement (IDTA) is a UK framework used as a mechanism to enable a data sharing agreement for the legal transfer of personal data to a country outside the UK. It came into force on 21 March 2022 and replaced the EU’s Standard Contractual Clauses (SCCs)) can be used. Similarly to EU SCCs, you must complete the detailed tables for the transfer mechanism to be valid.  

If the vendor uses sub-processors outside the EU/UK, onward SCCs may also be needed.  

Assessments

Whenever SCCs are used, a Transfer Impact Assessment (TIA) (or Transfer Risk Assessment (TRA) for UK-only transfers) must be completed to assess local laws in the destination country. This step is often overlooked but is essential for GDPR compliance. For more information on each assessment, read Navigating international data transfers: TIAs vs TRAs. 

Who should review DPAs?

DPAs are often embedded within broader contracts, like Master Services Agreements (MSAs), and may include commercial terms, liabilities, or global privacy clauses. 

To ensure a thorough DPA review, sponsors should assign reviewers based on expertise: 

• Legal teams or external counsel for commercial and liability terms 
• Data protection specialists for GDPR and international transfer clauses 
• Operational leads for process feasibility and timelines 

And to avoid unnecessary delays, clearly define the scope and timeframe for each reviewer. 

Key takeaways

A well-crafted Data Processing Agreement (DPA) is more than just a legal requirement – it’s a vital tool for protecting personal data and managing risk in clinical trials. Sponsors need a clear understanding of how data flows through their vendor network and must ensure the right contractual safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of personal data. Organisations should ensure that data subjects' rights will be respected and that the data subject has access to redress if they don't, and that the GDPR principles will be adhered to whilst the personal data is in the... are in place. By proactively defining roles, managing international transfers, and overseeing sub-processors, sponsors can stay ahead of compliance issues and avoid due-diligence headaches. Those who take the time to tailor DPAs to their operational and regulatory requirements are better positioned to minimise delays, demonstrate accountability, and build trust with participants, partners, and regulators.    

The DPO Centre has extensive experience in supporting clinical trial sponsors with data protection requirements.
Get in touch with our team for more information. 

______________________________________________________________________________________________________________________________

In case you missed it… 

• Clinical trials part 1: Data protection considerations for Clinical Trial Agreements 
• How to choose the right lawful basis for clinical trial data processing 
• Data Protection for Life Sciences and Clinical Trial Sponsors 

______________________________________________________________________________________________________________________________

Alternatively click one of the options below to speak to us

Email Call