
Clinical trials are essential to the development of new treatments and medical devices. Each clinical trial is a key step toward innovation in healthcare. They make it possible to verify the efficacy, tolerance, and safety of healthcare innovations before they are made available to patients. However, this research also relies on the collection of health data, which is considered the most sensitive type of data under the GDPR. Understanding the role of the various stakeholders and data protection obligations is therefore a major challenge for patients, investigators, and sponsors involved in clinical trials.

Laboratory equipment used in a clinical study

1. Understanding the framework and history of clinical studies

1.1 A brief history: who was behind the first clinical studies?

One of the earliest known accounts is that of James Lind, who in the 18th century conducted a study on citrus fruits to demonstrate their effectiveness against scurvy. This example illustrates the historical importance of clinical studies in modern medicine.

1.2 What is a clinical study in medical research (and who processes what data)?

A clinical trial is scientific research conducted on a population of healthy volunteers or patients to evaluate a treatment, drug, therapy, or medical device before it is marketed. This research follows a strict protocol validated by health authorities.

Several parties are involved in a clinical study:

  • The sponsor (laboratory, public body, healthcare institution) defines the objectives and finances the study.
  • The investigators (doctors, researchers) conduct the study with the participants.
  • CROs (Contract Research Organizations) assist the sponsor with operational management.
  • Participants provide their personal and medical data.

These various stakeholders have specific responsibilities when it comes to data processing, making clinical studies an area where GDPR governance is essential.

1.3 What is the difference between a clinical study and a clinical trial?

The term clinical studies covers all research conducted on humans in a scientific or medical setting.
A clinical trial is a specific type of clinical study that tests a healthcare product in an interventional manner.
In practice, the term "clinical trial" is often used to refer to clinical studies involving new drugs.

1.4 What is the purpose of clinical studies and how do they benefit patients?

Clinical studies have several objectives:

  • Evaluate the effectiveness of a treatment.
  • Assess its safety and side effects.
  • Obtain marketing authorization from the health authorities.
  • Contribute to scientific and medical progress.

Without clinical trials, no new treatments could be offered to patients in a safe environment. Each trial aims to demonstrate a clear medical benefit.

1.5 What personal data is collected during a trial?

Clinical studies require the collection of large amounts of sensitive data:

  • Identity data, often pseudonymized to limit risks.
  • Medical and biological data (examinations, diagnoses, treatments).
  • Follow-up information (compliance, adverse effects, frequency of medical visits, dose administered).
  • Data from digital tools (eCRF software, tracking applications, sensors).
  • Information related to the location where the test was conducted.

All of this data is considered health data within the meaning of GDPR. Its processing requires special precautions in terms of security and confidentiality.

1.6 Who is responsible for what (sponsor, CRO, center, investigator) under the GDPR

In a clinical study, the division of responsibilities is as follows:

  • The sponsor is generally the data controller, as it defines the purposes and means of data processing.
  • CROs and service providers act as processors, following the sponsor's instructions.
  • Investigators and centers may be considered joint controllers for certain data (medical follow-up) and processors for other data.

These roles must be governed by specific contracts, in accordance with GDPR requirements.

2. Procedure and expected results

2.1 How long does a clinical trial last?

The duration of a clinical study depends on its complexity, its research phase, and various factors such as the number of participants or the type of condition being studied. In general:

  • Phase I: a few months, conducted on a small group of volunteers to check tolerance and determine the correct dose for treatment. This is known as the first trial.
  • Phase II: between 1 and 2 years, to evaluate the effectiveness of the treatment and adjust its administration schedule.
  • Phase III: 2 to 5 years, on a much larger population, to confirm the results in comparison with a standard treatment.
  • Phase IV: after market release, with follow-up over several years to monitor long-term effects.

2.2 What are the steps and results of a clinical trial protocol?

A clinical study protocol follows well-defined steps:

  1. First step: protocol design (objectives, methods, inclusion criteria).
  2. Approval by an ethics committee, a human protection committee, and health authorities.
  3. Recruitment of participants and obtaining consent.
  4. Collection and monitoring of data specified in the protocol.
  5. Statistical analysis, comparison with a reference treatment, and interpretation of results.
  6. Scientific publication and communication of findings.

Each protocol is designed to generate reliable and reproducible scientific results. Before involving humans, certain protocols (depending on the molecule) undergo animal testing.

These steps guarantee the scientific validity of the results, while ensuring that clinical studies comply with ethical rules and the GDPR.

3. GDPR challenges in clinical trials: a demanding framework for protecting health data

Clinical studies involve the processing of health data, which is considered the most sensitive type of data under GDPR. Its collection and use therefore require special precautions: clear definition of the legal basis, implementation of pseudonymization or anonymization, technical and organizational security of systems, transparent information for participants, and strict supervision of processors (CROs, hosting providers, laboratories). Beyond regulatory compliance, these measures aim to protect patients' fundamental rights and guarantee the scientific reliability of results.

Researchers in a laboratory during a clinical study

3.1 Some of the most sensitive health data

Clinical studies rely on the collection and analysis of medical data: test results, medical history, responses to treatment, and data from digital tools (sensors, eCRFs, monitoring platforms). This information is considered the most sensitive under the GDPR, as its disclosure or misuse could have serious consequences for participants.
The first GDPR challenge in clinical studies is to precisely identify the data collected and implement mechanisms for minimization and pseudonymization.

3.2 Ethical consent vs. GDPR legal basis

Many people confuse the consent given by the patient to participate in a trial with the GDPR legal basis for processing their data. These are two different concepts.
In some cases, the legal basis may be public interest, legal obligation, or explicit consent.
A major challenge is choosing and documenting the appropriate legal basis to avoid any risk of non-compliance.

3.3 Transparency and information for participants

Participants must be informed in a clear and understandable manner: what data is collected, who uses it, for what purposes, and for how long, in order to build genuine trust with patients.
Another GDPR challenge in clinical trials: drafting accessible information notices that include the DPO's contact details and the rights provided for by the regulations.

3.4 Data security and confidentiality

Because they are sensitive, health data require enhanced protection. This includes:

  • encryption,
  • strict access management,
  • logging,
  • hosting that complies with applicable standards,
  • and a data breach management plan.

The challenge here is to guarantee the confidentiality and integrity of information at every stage of the clinical trial.

3.5 Supervision of processors and partners

Clinical studies involve many different parties: CROs, laboratories, hosting providers, digital platforms. Each one plays a role in data processing.
The sponsor must therefore supervise these parties through data processing agreements (DPAs) and verify their security and compliance guarantees. But that is not enough: it is also essential to regularly monitor these service providers through GDPR audits to ensure that contractual commitments are being met and that practices remain compliant over time.
A key challenge is to ensure clear, documented governance that is adapted to the various outsourced services.

3.6 Impact analysis and documentation

Since clinical studies deal with sensitive data on a large scale, a data protection impact assessment (DPIA) is generally mandatory. It identifies risks to participants and demonstrates the protective measures in place.
This GDPR requirement reinforces the credibility of the protocol, and each documented element increases the sponsor's ability to prove compliance.

3.7 Data retention and archiving

Data from clinical trials must be retained for periods that can sometimes be lengthy, as required by scientific regulations.
The challenge is to reconcile these obligations with the GDPR principle of storage (data retention) limitation by defining appropriate archiving and destruction policies.

3.8 Quality control and GDPR compliance

Beyond contractual agreements and GDPR audits, clinical trials require continuous monitoring of data quality and practices. Quality control can now be carried out remotely using digital tools, which raises new data protection issues. The CNIL (National Commission for Information Technology and Civil Liberties) has published recommendations on this subject, reiterating that the implementation of quality control must guarantee the security of health information, limit access to strictly necessary data, and ensure the traceability of operations carried out (see the CNIL article on this subject).

Rigorous quality control management, combined with regular audits and appropriate technical measures, is therefore essential for demonstrating GDPR compliance and maintaining participant confidence.

Conclusion

Clinical studies are essential to medical advances, but they involve the processing of particularly sensitive data. The GDPR therefore imposes a strict framework: choice of legal basis, transparent information, pseudonymization, security, supervision of processors, management of international transfers, participants' rights, and archiving.

Compliance with these requirements is not only a regulatory obligation, but also a prerequisite for ensuring patient confidence and the scientific credibility of results. Finally, it should be noted that all trials must adhere to these principles of compliance in order to protect both science and individuals.

At Dipeeo, we support sponsors, CROs, investigators, and healthcare institutions at every stage: impact analysis, auditing and contractual supervision of service providers, data security, and compliance documentation.

Anaïs Guilloton

Marketing Manager - GDPR Expert