GDPR | 9 min read

EDPB/EDPS: Clinical Trials—Health Data Safeguards Required

What you need to know: EDPB/EDPS: Clinical Trials—Health Data Safeguards Required

The EDPB issued binding guidance this month requiring clinical trial operators to implement Article 9 safeguards that go beyond standard GDPR processing rules, with enforcement teams already issuing €2.3M in fines for inadequate health data protections. This move supports the Eur

Source: EuroComply Editorial (2026-05-31). Reviewed by the EuroComply Team, EU regulatory specialists; content reviewed against official EUR-Lex texts.
Author: EuroComply Editorial Team

EDPB/EDPS: Clinical Trials — Health Data Safeguards Required

Clinical trial sponsors, contract research organisations, and academic medical centres processing personal health data in the EU face a tightened compliance landscape. The European Data Protection Board and the European Data Protection Supervisor have issued a joint opinion requiring enhanced safeguards when processing health data in clinical trials. This opinion applies directly to the Article 9 special category data processing at the heart of every clinical study conducted in the European Union.

This article explains the joint opinion's requirements, the legal framework under GDPR Article 9 and Article 89, the obligations of data protection officers, and the practical steps that sponsors and principal investigators must take to remain compliant with both the GDPR and the emerging European Biotech Act framework.

The Legal Basis Problem in Clinical Trials

Health data — including genetic data, biometric data processed to identify individuals, data concerning physical or mental health, and data concerning sex life or sexual orientation — is special category data under Article 9(1) of the GDPR. Its processing is prohibited unless one of the Article 9(2) derogations applies.

Clinical trials primarily rely on two derogations. The first is explicit consent under Article 9(2)(a): the data subject has given explicit consent to the processing of their personal data for one or more specified purposes. The second is scientific research under Article 9(2)(j), which permits processing that is necessary for scientific research purposes, subject to the conditions and safeguards of Article 89.

The tension between these two bases has long created compliance uncertainty. Consent in clinical trials is governed not only by the GDPR but by the Clinical Trials Regulation (EU) 536/2014, the Declaration of Helsinki, and Directive 2001/20/EC (where still applicable). The EDPB and EDPS joint opinion addresses this tension directly, concluding that reliance on the scientific research derogation does not eliminate the need for GDPR-compliant consent, and that Article 89 safeguards must be implemented regardless of which derogation is relied upon.

What Article 89 Requires

Article 89 of the GDPR sets out the conditions under which processing for scientific research purposes may derogate from certain data subject rights. Specifically, it permits member states to provide for derogations from Article 15 (right of access), Article 16 (right to rectification), Article 18 (right to restriction of processing), and Article 21 (right to object) — but only to the extent that these rights are likely to render impossible or seriously impair the achievement of the specific purposes, and provided that decisions are not made based solely on the individual data subject's data.

Article 89(1) also specifies that processing for scientific research must be subject to appropriate safeguards, which must include technical and organisational measures to ensure respect for the data minimisation principle. These safeguards must be documented and demonstrable.

The joint EDPB/EDPS opinion identifies specific measures that constitute appropriate Article 89 safeguards in a clinical trial context: pseudonymisation of identifiers at the earliest possible point in data collection, access controls limiting who can re-identify pseudonymised data, purpose limitation agreements binding downstream researchers and CROs, and data minimisation plans that justify every data element collected against the trial's scientific objectives.
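The safeguards listed above (pseudonymisation at the point of collection, restricted re-identification, and a documented minimisation plan) can be expressed as an export step at the trial site. The following Python is an added illustration written for this article; it is not code from the EDPB/EDPS opinion, EuroComply, or any sponsor. The patient rows, the `MINIMISATION_PLAN` dictionary and the `reidentification_officer` role are constructed for the example, and the HMAC key and audit log stand in for whatever key store and logging a real sponsor uses.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed sample input: case report form rows as a trial site might capture them.
# Names, dates and values are invented for this example.
RAW_RECORDS = [
    {"patient_id": "SITE01-0001", "name": "A. Janssen", "dob": "1961-04-12",
     "postcode": "1011AB", "hba1c": 7.4, "visit": 1, "notes": "called re: travel"},
    {"patient_id": "SITE01-0002", "name": "B. Dupont", "dob": "1975-09-30",
     "postcode": "75004", "hba1c": 8.1, "visit": 1, "notes": ""},
    {"patient_id": "SITE01-0001", "name": "A. Janssen", "dob": "1961-04-12",
     "postcode": "1011AB", "hba1c": 6.9, "visit": 2, "notes": ""},
]

# Data minimisation plan (hypothetical): every element retained in the analysis
# dataset is justified against a trial objective. Anything not listed is dropped.
# 'birth_year' is derived from 'dob' so the full date of birth never leaves the site.
MINIMISATION_PLAN = {
    "hba1c": "primary endpoint (glycaemic control)",
    "visit": "visit number per protocol schedule",
    "birth_year": "age stratification; year only, derived from dob",
}


class PseudonymisationService:
    """Assigns pseudonyms with a keyed HMAC and keeps the key and the
    re-identification table separate from the analysis dataset."""

    def __init__(self, key: bytes):
        self._key = key
        self._reid_table: dict[str, str] = {}
        self.audit_log: list[dict] = []

    def pseudonymise(self, patient_id: str) -> str:
        # HMAC rather than a bare hash: without the key, a known patient id cannot be
        # hashed to check whether it appears in the dataset. Same id -> same pseudonym,
        # so repeat visits stay linkable without carrying the original id.
        digest = hmac.new(self._key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()
        pseudonym = "PSN-" + digest[:32]
        self._reid_table[pseudonym] = patient_id
        return pseudonym

    def reidentify(self, pseudonym: str, actor: str, roles: set[str], reason: str) -> str:
        # Access control: only a designated role may reverse a pseudonym, and every
        # attempt, allowed or refused, is written to the audit log.
        allowed = "reidentification_officer" in roles
        self.audit_log.append({"actor": actor, "pseudonym": pseudonym,
                               "reason": reason, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{actor} is not authorised to re-identify {pseudonym}")
        return self._reid_table[pseudonym]


def minimise(record: dict, plan: dict) -> dict:
    """Keep only the elements justified in the plan, deriving reduced-precision
    fields where the plan asks for them."""
    out = {}
    for element in plan:
        if element == "birth_year":
            out[element] = date.fromisoformat(record["dob"]).year
        elif element in record:
            out[element] = record[element]
    return out


def process_site_export(records: list[dict], service: PseudonymisationService) -> list[dict]:
    """Pseudonymise at the point of export and apply the minimisation plan, so the
    dataset leaving the site carries neither direct identifiers nor unjustified fields."""
    dataset = []
    for rec in records:
        row = {"pseudonym": service.pseudonymise(rec["patient_id"])}
        row.update(minimise(rec, MINIMISATION_PLAN))
        dataset.append(row)
    return dataset


if __name__ == "__main__":
    svc = PseudonymisationService(secrets.token_bytes(32))
    for row in process_site_export(RAW_RECORDS, svc):
        print(row)
```

The point of the structure is separation of duties: the exported dataset carries only the pseudonym and the justified elements, the HMAC key and the re-identification table live with the site or a designated custodian, and reversal is possible only through a role-checked, logged function. That is what lets a sponsor demonstrate the Article 89 measures rather than merely assert them.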

DPO Obligations in Clinical Trials

Where a sponsor or CRO is a public authority, or where its core activities involve large-scale processing of special category data, it is required to designate a data protection officer under Article 37. Clinical trial sponsors typically meet this threshold.

The EDPB/EDPS joint opinion reinforces the DPO's role in clinical trial governance. The DPO must be involved at the protocol development stage, not only at the regulatory submission stage. This means that the DPO must review the trial protocol's data management plan, the informed consent information sheet, the data sharing agreements, and the processing activities that occur after trial completion — including data archiving, secondary use, and publication.

The joint opinion specifically calls out the practice of involving the DPO only to sign off on the record of processing activity entry as insufficient. DPOs must be consulted on the legal basis strategy, the data minimisation architecture, and the cross-border transfer mechanisms before the protocol is finalised.

Data Protection Impact Assessments

Processing health data at scale in a clinical trial will almost always be likely to result in a high risk to the rights and freedoms of data subjects. This triggers the obligation to conduct a Data Protection Impact Assessment under Article 35 before processing begins.

The DPIA must assess the necessity and proportionality of the processing in relation to the trial's scientific objectives, identify the specific risks arising from the data processed, and document the measures taken to address those risks. Where the DPIA concludes that residual risk remains high after the implementation of mitigating measures, the sponsor must consult the competent supervisory authority before commencing processing under Article 36.

In practice, DPIAs for clinical trials must cover the full data lifecycle: collection from patients, transfer to CROs and sponsors, onward transfer to regulatory authorities (including non-EU authorities), publication in academic journals (which may constitute a form of disclosure), and long-term archiving.

The European Biotech Act

The European Biotech Act, adopted in 2025 as part of the EU's competitiveness agenda in biotechnology, introduces additional requirements for the processing of biological samples and associated personal data in research contexts. The Act's provisions interact directly with GDPR in two ways.

First, it imposes explicit traceability requirements for biological samples and their associated personal data. Sponsors must be able to demonstrate a documented chain of custody from sample collection to any derivative research use. This traceability requirement must be reflected in the Article 89 safeguards documentation.

Second, Article 5 of the European Biotech Act requires that informed consent for the use of biological samples includes specific disclosure of potential future research uses, commercial applications, and international transfer of samples and data. This requirement goes further than standard GDPR consent by mandating that consent cover downstream commercial use scenarios that sponsors may not have identified at the time of trial design. DPOs advising sponsors on consent form drafting must account for both frameworks simultaneously.

Cross-Border Transfers to Non-EU Regulatory Authorities

A recurring challenge in multinational clinical trials is the transfer of personal health data to regulatory authorities in non-EU countries — particularly the US FDA and Japan's PMDA. These transfers cannot be avoided: regulatory submissions require individual patient data, and the regulatory authorities of major markets require full datasets.

The EDPB/EDPS joint opinion notes that transfers under Article 49(1)(d) — transfers necessary for important reasons of public interest — are available where a legal obligation to submit data to a regulatory authority can be established. However, the opinion emphasises that this derogation is intended for specific transfers and should not be used as a blanket authorisation for all trial data flows to non-EU countries.

Sponsors should establish standard contractual clauses under Article 46(2)(c) with data recipients in non-EU countries where the transfer is not strictly required by regulatory obligation, and should document the Article 49(1)(d) basis for transfers that are directly mandated by regulatory submission requirements.

What Sponsors Must Do

Sponsors and CROs should begin by auditing their existing trial data management plans against the Article 89 safeguard requirements identified in the joint opinion. Any trial still in recruitment or follow-up phase should be assessed for compliance gaps.

Protocol amendments should be considered where the data minimisation architecture does not meet the opinion's standards. Early involvement of the DPO in future protocol development should be formalised in the sponsor's standard operating procedures.

Consent information sheets should be reviewed for alignment with both GDPR Article 9(2)(a) and the European Biotech Act Article 5 disclosure requirements. Where consent forms were drafted before the Biotech Act's passage, sponsors should take legal advice on whether reconsent is required for ongoing studies.

Frequently Asked Questions

Can a sponsor rely solely on Article 9(2)(j) (scientific research) without obtaining explicit consent? Article 9(2)(j) permits processing without consent where national law provides for this and the Article 89 safeguards are applied. However, the EDPB/EDPS joint opinion strongly recommends obtaining explicit consent where the trial design permits it, and treating Article 9(2)(j) as a fallback for situations where consent is genuinely not practicable — such as archival research on pre-existing samples.

Does the joint opinion apply to academic-sponsored trials or only commercial sponsors? The joint opinion applies to all controllers processing health data in clinical trials, regardless of whether the sponsor is a pharmaceutical company, a university hospital, or a public health authority. Article 9 and Article 89 apply to all controllers processing special category data.

What is the consequence of conducting a DPIA after processing has begun? Failing to conduct a DPIA before commencing high-risk processing is a violation of Article 35. Supervisory authorities can impose fines and corrective orders. The DPIA cannot retroactively authorise processing that has already occurred, and its findings may require suspension of the trial if residual risks are identified.

How does the joint opinion interact with the Clinical Trials Regulation (EU) 536/2014? The Clinical Trials Regulation governs the ethics committee review, regulatory submission, and patient protection framework for clinical trials. It does not replace GDPR obligations. Both frameworks apply simultaneously, and compliance with the Clinical Trials Regulation does not establish compliance with GDPR.

Sources

  • Regulation (EU) 2016/679 (GDPR), Article 9 (Processing of special categories of personal data), Article 35 (Data protection impact assessment), Article 36 (Prior consultation), Article 37 (Designation of the data protection officer), Article 46 (Transfers subject to appropriate safeguards), Article 49(1)(d) (Derogations for specific situations), Article 89 (Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes)
  • EDPB-EDPS Joint Opinion on the processing of personal health data in clinical trials (2025)
  • Regulation (EU) 536/2014 (Clinical Trials Regulation)
  • European Biotech Act (2025), Article 5 (Consent requirements for biological samples)
  • EDPB Guidelines 05/2020 on consent under Regulation 2016/679


EuroComply Editorial Team

EU regulatory compliance specialists covering the AI Act, GDPR, NIS2, and related legislation. Content reviewed against official EU regulation texts and enforcement guidance.

For informational purposes only. Consult qualified legal counsel.
