Starting clinical trials in Europe?
This is what you need to know about privacy laws in the EU and the UK.
Clear and practical data protection guidance for Sponsors and CROs running clinical trials across Europe.
Clinical trials in Europe are not only governed by clinical trial regulations.
Whenever personal data is processed in the EU, the General Data Protection Regulation (GDPR) also applies. This includes:
- Patient data in clinical trials,
- Study recruitment data, and
- Personal data belonging to HCPs.
This applies even if participant data is pseudonymized using subject IDs or coded data and even if your organization is based outside the EU.
You do not need to be a GDPR expert yourself, but you do need to understand what GDPR means for your study in practice.
That is where we support you.
GDPR guidance for EU clinical trial roles
This page is for professionals who carry responsibility in clinical trials taking place in Europe, even if GDPR is not part of their daily role.
Typical roles include:
- Clinical Operations
- Study / Project Management
- Quality Assurance
- Legal & Regulatory Affairs
What these roles have in common is accountability for compliant, uninterrupted clinical trials.
For Sponsors
As a sponsor, you remain responsible and accountable for how participant data is processed in your study, including data collected by CROs, trial sites, and other vendors.
Typical questions we are asked:
Does GDPR really apply to our clinical trial? We’re not collecting names.
Yes. GDPR applies whenever personal data is processed. Clinical trial data is considered personal data as long as participants can be re-identified, directly or indirectly (e.g. via subject IDs).
We are a US-based sponsor. Does GDPR still apply?
Yes. GDPR applies when clinical trial sites and participants are in the EU, and also when HCPs in the EU are engaged.
Does our ICF also double as consent to processing personal data?
This can be the case, but only to a certain extent and only if the consent contains specific data protection provisions.
What happens if a participant withdraws consent to process their data?
This depends on the study phase, the regulatory context, and the information they were provided in the ICF. There are a lot of nuances to using consent as a legal basis to process data – and that’s where we come in!
What responsibility do we retain when working with CROs and sites?
CROs can support implementation, but the sponsor remains accountable and must ensure appropriate contracts, governance and oversight.
We help sponsors understand what GDPR means for their studies and translate legal requirements into clear responsibilities, robust documentation and defensible decision-making. All guided by our principle: experience meets practicality.
For Clinical Research Organizations (CRO)
As a CRO, you operate at the center of trial execution and play a key role in the practical implementation of GDPR requirements.
Common questions include:
Are we responsible under GDPR, or only acting on behalf of the sponsor?
CROs typically act on behalf of the sponsor but remain responsible for compliant execution of their own processing activities.
Why do different sponsors interpret GDPR differently?
Because GDPR allows interpretation and must be applied based on specific study setups and national requirements.
What do we need to demonstrate during sponsor audits or authority inspections?
Clear role definitions, compliant processes and consistent, study-specific documentation.
We support CROs by explaining GDPR in practical terms, defining clear roles and responsibilities, and helping to establish processes that scale across multiple sponsors and studies.
A shared challenge - compliance without complexity
You do not need to become a GDPR specialist to run compliant clinical trials. What you do need is:
- Clarity on responsibilities
- Proper documentation that regulators acknowledge
- Guidance that reflects how clinical trials actually work in Europe.
This is our main focus.
You want clarity on GDPR and privacy? Then talk to us
If you are planning or running a clinical trial in Europe and want clarity on GDPR and data protection requirements, we are happy to support you.
Whether you are at an early planning stage, preparing submissions, or responding to audit findings: we help you reduce uncertainty and regulatory risk.
Get in touch to discuss your study and your specific questions.
About fox-on
How can fox-on support you with data protection?
We have over 20 years of experience with data protection consulting, and over 15 years of practical experience working with questions from clinical trials.
We focus on advice that can actually be implemented in real organizational settings. After all, data protection is most important in the places where the data is processed, and not on paper.
EU & UK Representative
Companies not established in the European Union or the UK need an official representative within the EU or UK (see Article 27 GDPR and UK-GDPR).
Appointing a data protection representative ensures you comply with an important requirement of these privacy laws, and you also demonstrate that data protection is a priority in your company. This provides you with a sense of security, and provides reassurance for your customers.
At the same time, it helps you minimize the risk of fines and legal exposure. With fox-on at your side, you have a strong partner providing reliable and practical support.
Does this sound good? Get in touch – together we make data protection clear, manageable, and suited to your needs.
New to GDPR in clinical trials?
The GDPR is applicable when personal data is processed in a clinical trial taking place in the EU, with EU data subjects. Whether your background is in clinical, data management, or regulatory, you yourself do not need to be a GDPR expert. However, understanding all the areas the GDPR affects gives you a good basis to work from.
Practically speaking, the GDPR affects:
- Overall and operational responsibility for personal data
- How study recruitment and pre-screening may be conducted
- How consent must be collected and documented as a legal basis
- How data may be used during and after a trial
- Retention periods and deletion requirements
- Safeguards for transferring data outside the EU
- And how sponsors, CROs and sites must work together
GDPR does not replace other regulations governing clinical trials. It adds an additional legal layer that must be aligned with the Clinical Trial Regulation and national laws.
Our role is to translate these data protection requirements into clear, practical guidance that fits actual clinical trial workflows — without creating unnecessary complexity or delays.
Need support with regulatory affairs?
If your focus is more on regulatory strategy and submissions than on GDPR and data protection, you’re in the right place and we know exactly who can help you next.
For expert support in regulatory affairs, especially for studies involving the U.S. FDA and global development strategy, we highly recommend Mederi Partners.
Mederi specializes in simplifying complex regulatory challenges across the entire drug development lifecycle, from early strategy to successful interactions with regulators like the FDA. Their services include regulatory strategy advising, IND/NDA submissions, FDA meeting preparation, regulatory publishing and medical writing. All this is tailored to your program’s needs.
We partner with Mederi on many cross-functional projects and value their structured and highly collaborative approach. Kristin and her team bring deep regulatory experience and practical insight, helping sponsors and development teams navigate regulatory requirements with confidence and clarity. And she is also lovely to work with!