Clinical trials part 1: Data protection considerations for Clinical Trial Agreements

In this first part of our clinical trials blog series, we explore some of the key data protection considerations that sponsors need to cover in Clinical Trial Agreements (CTAs). Drawing on expertise from Lawrence Carter, Data Protection Officer and Life Sciences Sector Lead at The DPO Centre, this blog includes insights for ensuring compliance across the EU, EEA, and UK. 

Under the International Council for Harmonisation’s Guideline for Good Clinical Practice (ICH GCP), clinical trial sponsors are required to establish CTAs with each trial site. These agreements cover a broad range of responsibilities beyond data protection, including intellectual property, publication rights, commercial terms, and remuneration. 

From a data protection perspective, it is crucial that CTAs include clear and tailored provisions addressing the requirements of applicable data protection laws, such as the General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (GDPR). The specific provisions will depend on the jurisdictions of both the sponsor and the site and their role in data processing.

Sponsor and site roles in Clinical Trial Agreements

Under the General Data Protection Regulation (GDPR), there are two primary roles in the context of data processing. These roles have distinct responsibilities that shape how data is handled, protected, and shared. 

• Data controllerAn entity (such as an organisation) which determines the purposes and means of the processing of personal data.: An entity (such as an organisation) that determines the purposes and means of the processing of personal dataInformation which relates to an identified or identifiable natural person.
• Data processorA third party processing personal data on behalf of a data controller.: A third-party processing personal data on behalf of a data controller

As the sponsor, you will usually act as a data controller, since you make key decisions about data collection and usage. However, the role of the trial site can vary, and sites may act as:

• Data processorsThird parties processing personal data on behalf of a data controller., handling data solely on your instructions 
• Independent controllers, managing data for their own purposes
• Joint data controllersEntities (such as an organisation) which determine the purposes and means of the processing of personal data., when both parties determine data use together

Determining the site’s role

In some jurisdictions, the site’s role is clarified through national templates or regulatory guidance. For example, in France and the UK, template CTAs designate the site as a data processor, while in Italy and Spain, regulators advise treating the site as an independent data controller. 

In other jurisdictions with fewer guidelines in place, the site’s role is often determined by industry practice or the site’s own preferences.

Contractual roles

Beyond defining the site’s role, sponsors should also consider the broader contractual relationships within a CTA. Important questions include: 

• Is the CTA signed directly by the sponsor or indirectly through a Contract Research Organisation (CRO)? 
• Is the Principal Investigator (PI) or any other legal or natural person a named party to the agreement? 

These considerations may impact the data protection roles of the parties and therefore affect the specific data protection responsibilities to ensure compliance. 

What should Clinical Trial Agreements contain?

Data Sharing Agreements 

If a clinical trial site is acting as a joint or independent data controller, the CTA should include a Data Sharing AgreementA written agreement between data controllers that defines the purpose and lawfulness of data sharing, whilst establishing the roles and standards of the processing of such data (i.e. imposing requirements around security, re-use and further sharing). (DSA). This document should clearly define the data protection responsibilities of each party, including who will provide transparency information to data subjects and how responses to data subjectAn individual who can be identified or is identifiable from data. requests will be handled. 

Data Processing Agreements

When a clinical trial site acts as a data processor, a Data Processing Agreement (DPA) must be included in the CTA. This agreement defines how personal data is processed, outlines the responsibilities of each party, and ensures compliance with data protection laws. A well-structured DPA should cover the following key areas:

1. Information on data processing

The DPA should clearly outline the scope and details of data processing activities to ensure transparency. This includes: 

• Subject matter, nature, and purpose of the processing 
• Duration of the processing 
• Types of personal data being processed
• Categories of data subjects involved

2. Data controller rights and obligations

The data controller is responsible for ensuring that processing activities comply with legal requirements. This includes selecting a valid lawful basis, implementing appropriate security measures, ensuring data subjects’ rights are upheld, and conducting Data Protection Impact Assessments (DPIAs) when necessary.

3. Data processor obligations

When a trial site acts as a data processor on behalf of the sponsor, the DPA must include specific contractual obligations, as required under Article 28 of the GDPR. Here is a breakdown of the key responsibilities a data processor must uphold: 

• Act only on the written instructions of the data controller 
• Inform the data controller if an instruction violates applicable law 
• Ensure confidentiality of personnel involved in data processing 
• Implement technical and organisational measures to protect data 
• Assist the data controller with Data Subject Requests, such as access, rectification, and deletion 
• Support GDPR compliance, including breach notifications and DPIAs 
• Submit to audits and inspections and provide compliance information
• Delete or return all personal data at the end of the contract

4. Responsibilities when engaging sub-processors

Under the GDPR, if a data processor engages another processor (commonly referred to as a sub-processor), they must meet specific requirements to ensure continued data protection and accountabilityPerhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance.: 

• Obtain prior written authorisation (specific or general) from the data controller 
• Ensure the sub-processor signs a contract that includes obligations equivalent to those in the original DPA 
• Remain fully liable for the actions and compliance of the sub-processor
  

These safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of personal data. Organisations should ensure that data subjects' rights will be respected and that the data subject has access to redress if they don't, and that the GDPR principles will be adhered to whilst the personal data is in the... ensure that all parties in the processing chain adhere to the same legal and security standards, protecting personal data at every stage.

CTAs and Standard Contractual ClausesStandard Contractual Clauses are legal tools to provide adequate safeguards for data transfers from the EU or the European Economic Area to third countries.

When personal data is transferred internationally as part of a clinical trial, Standard Contractual Clauses (SCCs) or other relevant transferThe movement of data from one place to another. This could be, for example, from one data controller to another, or from one jurisdiction to another. mechanisms may be required in a CTA to comply with GDPR or other relevant data protection laws. 

Whether SCCs are needed depends on the jurisdictions of both the sponsor and the site. 

• For transfers from the EU and EEA, the European Commission’s International Transfer SCCs must be used 
• From the UK, transfers may require the UK AddendumAn additional document that modifies, clarifies, or supplements the terms of an existing legal document without nullifying the original content. to the EU SCCs or the UK International Data Transfer Agreement (IDTAThe International Data Transfer Agreement (IDTA) is a UK framework used as a mechanism to enable a data sharing agreement for the legal transfer of personal data to a country outside the UK. It came into force on 21 March 2022 and replaced the EU’s Standard Contractual Clauses (SCCs)) 

It is essential to properly complete SCCs to ensure they provide adequate safeguards for international data transfers. Given the complexity of cross-border transfer rules, sponsors unfamiliar with EU SCCs or UK IDTA requirements should seek expert legal advice to ensure compliance and avoid regulatory risks.  

Learn more about EU Standard Contractual Clauses (SCCs) and UK International Data Transfer Agreement (IDTA).  

Key takeaways

For clinical trial sponsors operating in the EU, EEA, and UK, incorporating clear and compliant data protection provisions into Clinical Trial Agreements is essential for demonstrating GDPR compliance. Neglecting this step can lead to enforcement actions or scrutiny from ethics boards, potentially delaying trial operations. Further down the line, inadequate data protection measures may also raise concerns during due diligence reviews by investors, acquiring parties, or collaborators, potentially affecting the sponsor’s commercial viability. 

By clearly defining responsibilities and embedding robust data protection terms into CTAs, sponsors can ensure their clinical trials are both legally sound and GDPR-compliant, reducing risks and maintaining smooth trial operations. 

The DPO Centre has extensive experience in supporting clinical trial sponsors with data protection requirements. Get in touch with our team for more information. 

______________________________________________________________________________________________________________________________

In case you missed it… 

• How to choose the right lawful basis for clinical trial data processing
• Data Protection for Life Sciences and Clinical Trial Sponsors
• European Clinical Trials and the GDPR

______________________________________________________________________________________________________________________________

Don’t miss out on the latest data protection updates – stay informed with our fortnightly newsletter, The DPIA