GDPR and Clinical Trials: Data Transfers within EEA (European Economic Area) and to Third Countries

July 1, 2021

To better understand this article, it is important to get familiar with the following General Data Protection Regulation (EU) definitions:

Personal data

“Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.\(^1\)


“Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”.\(^1\)


“Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.\(^1\)


The European Union (EU) provides important geographical coverage in clinical research. As per Good Clinical Practice (GCP), the data of the patients should be protected along with the data of other involved physical persons. The protection of these data is ensured with the unified regulation for data protection (GDPR).\(^1\)

Considering data protection issues at the initial stage of a project is crucial. This is particularly evident in clinical research, where a large amount of personal data is involved.  

The article describes the various EU regulations which companies working in clinical research and handling personal data need to comply with.

What you need to know about personal data transfers within EEA

“The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the EU and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas”.\(^1\)

The main goal of the GDPR “is to give individuals control over their personal data and simplify the regulatory environment for international business by unifying the regulation within the EU”.\(^1\)

The GDPR sets unified rules for all 27 EU countries, facilitating the uniform application of data protection rules throughout the region. Nevertheless, GDPR foresees the possibility to impose more stringent and specific conditions for data protection in special categories, such as minors.\(^1\)

A non-EU company (Clinical Study Sponsor) considering conducting clinical research in the EU should have its GDPR representative in the EU. A representative can be the company’s local point of contact who can liaise with data protection officials on behalf of the company.\(^1\)

The GDPR representative may be an individual or a company or organization (e.g., a law firm, private company) established in the EEA. The representative must be able to represent the Sponsor and fulfill the Sponsor’s obligations under the EU GDPR. The simplest and most common way to appoint a representative is under a simple service contract.\(^1\)

As defined by the GDPR, the Data Protection Officer (DPO) is a leadership role whose primary responsibility is to ensure that consumer data is protected and processed in a way that is considered lawful under the GDPR and other applicable legislation.\(^1\)

Appointing a DPO is mandatory when:\(^1\)

  • The data processing is being carried out by a public authority, such as a public school or government department;
  • The main business activities of the company involve regular and systematic monitoring of data subjects on a large scale, such as tracking the website activities of thousands of online users to serve them better marketing campaigns;
  • The main business activities of the company involve processing special categories of data (as defined by the GDPR) or the criminal history of data subjects, such as a job board that collects information about race or criminal background from applicants.

GDPR’s Implications in Clinical Research

In clinical research, a massive amount of personal data is processed. The personal data may include employee data as well as clinical trial data from the trial participants.

The controller of the data changes depending on the person involved. So, Sponsors, CRO and Institutions are controllers of their employee data. For patients, the controller is the Principal Investigator. These aspects should be considered when conducting clinical research and the necessary measures taken (consent etc. ). 

Patient confidentiality is always a priority, and patient data are in no circumstances disclosed to the Sponsor. Patient data need to be anonymized before sharing with the Sponsor or any other third party.

As more than one party is involved in personal data processing, the relevant parties need to conclude data protection agreements (DPA) to ensure the privacy of personal data. Special safety measures can be stipulated within the DPA to assure the safe exchange of personal data between the legal entities.

How to export personal data to third countries

In an international industry such as clinical research, personal data transfers between countries and regions are often required. As a general rule, the GDPR prohibits the transfer of personal data outside of the EEA unless additional safeguards are put into place. Thus, companies exporting data to entities outside EEA (the third countries) should be vigilant and always ensure that the export of personal data takes place in accordance with the regulations.

When personal data is transferred to a third country, it should be assured that the level of protection is at par with the EU regulations. The data controllers and processors (exporters), together with the importer, are responsible for ensuring that the regulations of the importer country provide safeguards similar to that contained in the Article 46 GDPR transfer tools. As per Article 46 GDPR, data transfer is allowed “only if the controller or processor has provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.” The European Data Protection Board (EDPB) has laid down recommendations to support data exporters in this matter. These recommendations also help identify appropriate supplementary measures which the exporters can follow.\(^{1, 2, 3}\)

How GDPR defines safe personal data transfers to other countries: Adequacy decision

The EU determines if a non-EU country has an adequate level of data protection as required by GDPR. For this aspect, the European Commission issues adequacy decision to the countries which correspond to the same level of protection as required by GDPR.\(^3\)

The effect of the decision is that personal data exported to the entities registered in one of these countries (and where the actual data is processed) is valid based on the adequacy decision.\(^3\)

The European Commission has recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay as providing adequate protection. The exporter of the data is responsible for monitoring that the adequacy decision issued by the European Commission remains in force and the data export is still lawful.\(^3\)

Data exporters should always verify the transfer tool it employs to transfer data outside the EEA. In the absence of an adequacy decision, companies need to rely on one of the transfer tools listed under Articles 46 GDPR for transfers that are regular and repetitive. Corporate binding rules and Standard Contractual Clauses (SSC) are the most common transfer tools used by data exporters and importers.\(^2\)

Recent additions to GDPR requirements: Court of Justice of European Union (CJEU) Schrems II judgment and the European Essential Guarantees

Apart from the above, there are additional measures that data exporters and importers need to follow as per the last important ruling of the Court of Justice of European Union (CJEU) - the Schrems II case.2 The CJEUstates that, “the protection granted to personal data in the European Economic Area (EEA) must travel with the data wherever it goes”.\(^2\) 

The exporter should assess if there is any aspect in the law or practice of the third country that may infringe the effectiveness of the appropriate safeguards of the transfer tools the exporter is relying on. The assessment should mainly focus on third country legislation and, in particular, check if the legislation governs the access to data by public authorities. Though assessment is crucial, it is easier said than done, especially for private companies. A helpful instrument in such cases is the EDPB recommendations on the European Essential Guarantees (EEG) for surveillance measures.\(^2\)

The EEG was drafted to help controllers and processors in the EU exporting data to third countries comply with the CJEU’s Schrems II judgment.\(^2\)

In case the data exporters understand that the level of protection in the importing country is not at the same level or standard as the EU levels and not enough for safe data procession (in particular safeguards as required by Art.46), they must identify and adopt supplementary measures.\(^4\)

The supplementary measures could be contractual, technical, or organizational in nature. Nevertheless, contractual and organizational measures are not enough. Therefore, in some cases, only technical measures could be helpful. One of the most efficient technical measures is applying the right format of the data to be transferred - plain text / pseudonymized/encrypted.\(^4\)

In cases where the third country prohibits the measures the exporter has identified (for example, use of encryption), the data exporter is not allowed to transfer the data. If the exporter proceeds with data transfer, they will be held liable for breaching GDPR and, in particular, the commitments outlined in Art. 46.\(^4\)

How can Dokumeds help?

With the advent of stringent regulations, the transfer of personal data outside the EEA has become increasingly challenging, but not impossible.

With the proper safeguards and supplementary measures, companies can continue the data processing activities and transfer personal data. Partnering with an experienced clinical CRO that has a strong legal team can help.

Dokumeds,with 25 years of experience working within Europe,  is a reliable partner for sponsors, helping them navigate through the changing EU legal environment swiftly. Dokumeds has detailed knowledge of GDPR principles and requirements as well as extensive experience with relevant procedures. Dokumeds is fully compliant with the fast-evolving regulations by consistently keeping up with any changes in legislation.

Dokumeds offers assistance in GDPR and legal representation services in the EU.


  1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN. Accessed: 28 May 2021.
  2. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. European Data Protection Board. 2020. https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf. Accessed: 28 May 2021.
  3. Adequacy decisions. How the EU determines if a non-EU country has an adequate level of data protection. European Commission. European Data Protection Board. 2021.  https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. Accessed: 28 May 2021.
  4. Recommendations 02/2020 on the European Essential Guarantees for surveillance measures. 2020. https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-022020-european-essential-guarantees_en. Accessed: 28 May 2021.

No items found.


No items found.