News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | How does GDPR apply to clinical trial sponsors outside EEA? Views of EEA DPAs Related reading: White Paper – DPAs on the Ground

rss_feed

""

While many organizations across the world have acclimatized to life under the EU General Data Protection Regulation, certain industries are still reconciling how it applies to them.

In the life sciences sector — particularly in the context of clinical trials — there is a stark variance in the way different stakeholders interpret how the GDPR applies to their data-processing activities. Surprisingly, this variance of interpretation also appears to exist among the relevant data protection authorities within the European Economic Area.

Why the confusion? There are three primary reasons for this uncertainty.

First, other than the EDPB Guidelines on the Concepts of Controller and Processor in the GDPR, there is no substantial Union-level guidance on how the GDPR identifies the controllership roles of various parties in a clinical trial. Although the European Data Protection Board previously published an opinion on the interplay between the EU Clinical Trials Regulation and the GDPR, this opinion did not address the questions of whether the GDPR applies to clinical trial sponsors situated outside the EEA or whether the sponsor would be considered a data controller or data processor.

Second, some clinical trial sponsors situated outside of the EEA have adopted the view that the GDPR does not apply to them at all because they do not have access to identifiable patient data.

Finally, many DPAs are unwilling to issue binding opinions on this topic since clinical trials exist within a highly regulated environment, replete with its own laws, regulations, guidelines and industry standards relating to patient safety and privacy.

In light of the widespread confusion about this issue, VeraSafe’s data protection team reached out to DPAs in various EEA member state jurisdictions to pose the following questions (written below as they were sent to the DPAs):

  1. Does the GDPR apply to a clinical trial sponsor based outside of the EEA if it is conducting clinical studies in the EEA?
  2. Is patient data processed under a clinical trial considered "personal data" even if it is pseudonymized?
  3. If a clinical trial is being conducted in your jurisdiction, would the sponsor and the principal investigator be considered joint controllers of the personal data of the trial participants (data subjects)? Alternatively:
    1. Is the sponsor the data controller while the principal investigator acts as a processor on behalf of the sponsor?
    2. Is the principal investigator an independent data controller together with the sponsor?

In turn, we highlight and categorize the responses of various EEA DPAs to the questions listed above. VeraSafe’s outreach to the DPAs spanned over six months, and the responses we obtained are described in more detail in the chart below. 

Clinical trial sponsors and the territorial scope of GDPR

There is a compelling argument that the processing undertaken by the sponsor triggers the application of the GDPR under Article 3(2)(b), even when the sponsor is located outside of the EEA, because the sponsor is effectively monitoring the behavior of data subjects within the EEA. The EDPB Guidelines 3/2018 on the Territorial Scope of the GDPR (page 20) lists "monitoring or regular reporting of an individual's health status" as an example of monitoring data subjects as contemplated in Article 3(2)(b).

To confirm our understanding of the questions we've listed, the authors polled DPAs in 34 EEA member state jurisdictions. Sixteen of the DPAs confirmed the GDPR does apply to the processing of EEA personal data by a clinical trial sponsor situated outside the EEA. Eight DPAs advised that this must be assessed by a factual analysis (i.e., on a case-by-case basis). Refer to the chart at the end of this article for further detail on the responses from the various DPAs.

Clinical trial sponsors and the material scope of GDPR

Some sponsors situated outside of the EEA have adopted the view that the GDPR does not apply to them because they do not have access to identifiable patient data. Sponsors usually have access to “key-coded” data, with the key that unlocks the data held by a third party, such as the CRO. Key-coded data is “pseudonymized,” meaning the data cannot be linked to an individual without some additional information. Recital 26 of the GDPR makes clear that pseudonymized data is considered personal data under the GDPR, which was further supported by the DPAs responding to our questions.

Out of the 34 DPAs we polled, 24 verified that pseudonymized data is personal data, many of them specifically referring to Recital 26 in their response.

Therefore, the argument that the GDPR does not apply to a sponsor situated outside the EEA on the basis that the sponsor does not have access to identifiable EEA patient data is considered incorrect by applicable DPAs.

Who is the controller in a clinical trial in the EU?

The next question that automatically flows from the conclusion above is whether the sponsor would be considered an independent data controller with regard to the personal data processed in the context of the trial or whether the sponsor is considered a joint controller with any other party (most likely the principal investigator).

Example 25 of the EDPB Guidelines 3/2018 on the Territorial Scope of the GDPR illustrates that a non-EU sponsor would be a data controller. The EDPB Guidelines on the Concepts of Controller and Processor in the GDPR provide that if a principal investigator and a sponsor decide to launch a clinical trial together with the same purpose and collaborate on drafting the study protocol, they may be considered joint controllers for the clinical trial because they jointly determine and agree on the purpose and essential means of the processing.

The EDPB clarified that if the principal investigator does not participate in drafting the protocol and the protocol is solely designed by the sponsor, then the principal investigator should be considered a processor and the sponsor the controller for that clinical trial.

It is, therefore, clear that the controllership of each party should be determined by assessing the facts of each particular situation. A sponsor will always act as a controller, though whether it is an independent controller or a joint controller will vary according to circumstance. If the principal investigator does not jointly determine the purposes and means of processing for the trial with the sponsor, then the principal investigator will be considered a data processor in the context of the data processing done on behalf of the sponsor pursuant to the clinical trial protocol.

However, it is important to understand personal data is processed for different reasons within the scope of a clinical trial. So far, we have been discussing the processing of personal data for the purpose of clinical research or furthering the study. The principal investigator also processes personal data to provide medical care to the data subjects, which may not necessarily form part of the clinical trial protocol. The principal investigator could, therefore, “wear different hats” depending on the particular activities they are conducting within the ambit of the clinical trial.

To this end, the EDPB has stated “the collection of personal data from the medical record of the patient for the purpose of research is to be distinguished from the storage and use of the same data for the purpose of patient care, for which the health care provider remains the controller.” In the latter case, the principal investigator is the health care provider and, therefore, a controller.

It is possible in the context of a clinical trial for a principal investigator to be either a joint controller together with the sponsor or a processor for clinical research purposes and an independent data controller solely for the purpose of providing health care to patients.

These nuances should be kept in mind when determining the respective roles of the parties involved in a clinical trial. Interestingly, of the 34 DPAs we polled, 16 DPAs advised that the determination of whether the sponsor is a joint controller or an independent controller must be done through a factual analysis or on a case by case basis. Four DPAs responded the parties may be joint controllers and one of those DPAs also believed that the parties could be independent controllers (however, this outcome would depend on the facts of the situation). These results are indicated in the chart below.

Final thoughts on controllership in EU clinical trials

We suggest that sponsors perform an evaluation of the particular circumstances of their situation when determining how the GDPR applies to their data processing and confirming the controllership roles of various parties conducting a clinical trial, taking into account the varying opinions of the DPAs, health authorities and EDPB to tailor their GDPR compliance programs on a member-state by member-state basis. This evaluation should be documented and maintained internally.

Another possible approach to resolving these questions on an industry-wide scale would be developing a code of conduct for the life sciences sector. This code of conduct could set forth the proper application of the GDPR to various parties involved in a clinical trial. A certification scheme to demonstrate compliance with the GDPR pursuant to Article 42, which leverages existing health regulations applicable to patient privacy, is an additional possibility.

It is important to note that most DPAs responded to our queries prior to the publication of the updated EDPB Guidelines on the Concepts of Controller and Processor in the GDPR. It is possible the DPAs may form different opinions after reviewing the example in the EDPB guidelines, which specifically applies to the relationship between the sponsor and investigator.

Jurisdiction Does the GDPR apply to a clinical trial sponsor situated outside the EU? What are the controllership roles of the investigator and sponsor? Is Pseudonymized Personal Data Regulated by the GDPR?
Belgium Factual analysis. The authority’s view has not been confirmed as of the date of publication.* Yes.
Bulgaria The authority’s view has not been confirmed as of the date of publication. The authority issued a formal opinion indicating that the Investigator and Sponsor are joint controllers. The authority’s view has not been confirmed as of the date of publication.
Croatia Factual analysis. Factual analysis. Yes.
Cyprus Yes, by virtue of either Article 3(1) or Article 3(2). Factual analysis. Yes.
Czech Republic Yes, by virtue of Article 3(2)(b). Joint controllers. Yes.
Denmark Factual analysis. The authority’s view has not been confirmed as of the date of publication. Yes.
Estonia Yes, by virtue of Article 3(2). Factual analysis. Yes.
France Yes, by virtue of Article 3(2). Investigator is a processor on behalf of the sponsor. Yes.
Germany (Bremen) Factual analysis. Factual analysis. Yes.
Germany (Federal) The authority’s view has not been confirmed as of the date of publication. Factual analysis. The authority’s view has not been confirmed as of the date of publication.
Hungary Yes. Factual analysis. Yes.
Iceland Yes. Factual analysis. Yes.
Ireland Factual analysis. The authority’s view has not been confirmed as of the date of publication. Yes.
Italy Yes. Independent controllers or joint controllers, contingent on factual analysis. Yes.
Latvia Yes, by virtue of Article 3(2)(b). Factual analysis. Yes.
Liechtenstein Yes, by virtue of Article 3(2). Factual analysis. Yes.
Lithuania Yes. Factual analysis. Yes.
Luxembourg Factual analysis. Factual analysis. Yes.
Malta Yes, by virtue of Article 3(2). Joint controllers. Yes.
Netherlands Factual analysis. The authority’s view has not been confirmed as of the date of publication. Yes.
Norway Factual analysis. The authority’s view has not been confirmed as of the date of publication. Yes.
Portugal Yes. Investigator is a processor on behalf of the sponsor. Yes.
Romania Yes, by virtue of Article 3(2). Factual analysis. Yes.
Slovakia Yes, by virtue of Article 3(2). Factual analysis. Yes.
Slovenia Yes, by virtue of Article 3(2)(b). Factual analysis. Yes.
Sweden The authority’s view has not been confirmed as of the date of publication. Factual analysis. The authority’s view has not been confirmed as of the date of publication.
United Kingdom Yes. The authority’s view has not been confirmed as of the date of publication. Yes.

As of the date of publication, the following DPAs’ responses to our questions have either not been received or we are in ongoing communication with the DPA to clarify their view:

  • Austria.
  • Finland.
  • Germany (Bavaria).
  • Germany (North Rhine-Westphalia).
  • Greece.
  • Poland.
  • Spain.

*This outcome in the table indicates that, at the date of writing, we have not yet received a response on this point or are in ongoing communication with the DPA to clarify their view on this matter. We will post an update in 2021 on the VeraSafe Data Protection Blog.

Photo by Satheesh Sankaran on Unsplash

To clarify some of the terms used in the article:
  • An “independent data controller” means an entity that alone determines the purposes and the means of the data processing it undertakes. Multiple independent data controllers could share a pool of personal data, but each independent data controller assumes all of the responsibilities of a data controller.
  • A “sponsor” is typically a natural or legal person (e.g., a pharmaceutical company or a research and development company) that initiates, manages or finances the clinical trial but does not actually conduct the investigation or research.
  • A “principal investigator” is an individual who is responsible for conducting the clinical trial at the study site.
  • A “study site” is a clinical research site or location where the trial is conducted.
  • A “CRO” (contract research organization) is a person or an organization contracted by the sponsor to perform one or more of a sponsor’s trial-related duties and functions.

Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Authors
Headshot Zia Ilyichsha Maharaj, CIPP/E, CIPP/US, CIPM IAPP Member Contributor
Headshot Karl Laureau, CIPP/E IAPP Member Contributor
Headshot Jean Van Wyk, CIPP/E, CIPM IAPP Member Contributor
Headshot Calli Schroeder, CIPP/C, CIPP/E, CIPP/US, CIPM, FIP IAPP Member Contributor
Tags
Health Care
Europe
Biometrics
Privacy Law
Privacy Research
Westin Research Center
7 Comments

If you want to comment on this post, you need to login.

  • comment Kristin Williams • Jan 26, 2021 
    Working in clinical research, this is a great article and highlights the misunderstanding of so many of pseudonymized v. anonymized data.  Is there any way you could discuss the legal basis for clinical trials as I see so many conflicting opinions in the research (especially for privately-funded research)?  Some say it's consent since subjects have to sign informed consent, but there's a solid argument that it is not completely freely given as it's required to participate in the trial.
  • comment Lee Parker • Feb 5, 2021 
    This is a great summary showing the disharmony around Europe which has a real impact on pharmaceutical companies' ability to conduct uniform clinical trials across the EU.  Patients suffer because of this disharmony, because: (a) trial speed/efficiency/costs are hindered when pharma companies have to take a piecemeal approach across dozens of countries, even though they theoretically have the same law (GDPR); and (b) patients end up having different rights in different countries due to differing Member State interpretations of the same law.  This was not the intention of a General Data Protection Regulation for all EU citizens!
  • comment Matthew Clayton • Feb 5, 2021 
    <p>Very interesting article, thank you - useful to see the different approaches which DPAs are taking to these questions.  It's also worth remembering that clinical trial sponsors who aren't established in the EEA or the UK (as the case may be) may well need to appoint an organisation as EEA and/or UK Representative under Article 27, for the purposes of the trial.  EDPB guidance is clear that the CRO, if acting as data processor, should not also be the Representative.</p>
  • comment Zia Maharaj • Feb 9, 2021 
    Hi Kristin, 

That’s a great question!

The regulatory requirement for clinical trial participants to provide informed consent to participate in the trial must be distinguished from the requirement to have a legal basis for processing personal data under privacy laws like the GDPR. If a data controller (like a clinical trial sponsor) relies on consent as the legal basis for processing under the GDPR, the consent must be freely given, specific, informed and unambiguous. As you’ve rightly pointed out, consent by a clinical trial participant might not meet this criteria if it is a prerequisite to participate in the trial (from a healthcare regulatory perspective).  

There is some guidance on this issue in the recent EDPB Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research (https://edpb.europa.eu/our-work-tools/our-documents/other/edpb-document-response-request-european-commission-clarifications_en), which clarifies that consent can be relied on as a legal basis for processing personal data in medical research projects where it can be established that no imbalance of power between data subjects and researchers exists and the requirements for explicit consent in GDPR can be met. This will require a careful assessment on a case-by-case basis. 

It can be argued that there is an imbalance of power between clinical trial participants and the researchers when consent is essentially a condition to participate in the trial based on health regulations. It also seems likely that an imbalance of power would in fact exist in the case where a data subject with a terminal illness is participating in a clinical trial researching a potential treatment for that illness. While the EDPB has yet to explicitly rule out reliance on consent in such a situation, it is clear that other bases of processing and derogations under Article 6 and Article 9 respectively, would likely be more appropriate. In our view, data controllers will have to carefully assess the facts of each case/research study to determine whether consent is the most appropriate basis for processing personal data under the GDPR, or if a different basis for processing should be relied on. The administrative burden created by conducting an appropriate analysis in each case, given the diversity of factors impacting such analyses, suggests that clinical trials sponsors should explore alternative bases of processing where possible.

It is important to remember that not only is a legal basis for processing required pursuant to GDPR Article 6, but a derogation to process health data (as a special category of personal data) is also required pursuant to GDPR Article 9. If consent is relied on as a legal basis for processing personal data, the informed consent form signed by the clinical trial participant must make this clear, and distinguish the consent for processing personal data from the consent to participate in the clinical trial. Of note, also, is the distinction between “consent” under Article 6 and “explicit consent” as an exemption/derogation under Article 9.

The EDPB also makes a point of noting that because certain bases of processing and derogations rely on the existence of an applicable Member State law requiring the processing in question, appropriate bases of processing and derogations will necessarily vary among Member States, and certainly, this view is quite clearly evidenced in the different opinions of various Data Protection Authorities and Ethics Committees across the various Member States. The EDPB is developing guidelines (which are due to be published this year) on the processing of personal data for scientific research purposes. These guidelines will provide further detail on the bases for processing personal data in the context of scientific research.

In the meantime, please feel free to reach out to us directly (https://verasafe.com/about-us/contact-us/) if you have any other questions about how the GDPR applies to privately-funded clinical research.
  • comment Richard Pais • Feb 19, 2021 
    I thoroughly enjoyed this article and am glad the authors addressed the challenges posed by GDPR in the life sciences sector.  I do want to mention here the ambiguity about anonymized data and the challenges faced by CROs. Anonymization under GDPR is completely different to the methods suggested by the HIPAA privacy rule - Safe Harbor and Statistical/Expert Determination.  I am not too sure whether these are considered equivalent under the GDPR.  Another area of ambiguity is whether "pseudonymized" data held by the sponsor can be considered "anonymized" by the CRO as the latter has no access or knowledge of key codes or statistical model used by the sponsor.  To further exacerbate the matter, the terms "anonymized" and "de-identified" are often used interchangeably under HIPAA.
  • comment Carl Hoyer • Mar 22, 2021 
    I am not sure I fully understand your reasoning regarding 'key-coded data is pseudonymized'. Pseudonymised data is, in principal, personal data, but only if you did pseudonymise these data and/ or have the ability to reverse the pseudonymisation. Otherwise, it is just data.
In this case the key-coded data is provided to a third party (i.c. the sponsor), which can't access the original (non-pseudonymised) data. Since the sponsor is a different legal entity without any controlling mechanism to manage the third party holding the key (i.c. trusted third party (TTP)), it is unable to either access the ‘raw’ data or reverse the pseudonymisation in a legal/ manageable way. It is well understandable that a sponsor therefore considers these data to be ‘just’ data and not personal data.
  • comment Uwe Fiedler • Mar 26, 2021 
    Hi Carl, I agree and the article "Anonymised Data and the Rule of Law" from Daniel Groos and Evert-Ben van Veen (https://edpl.lexxion.eu/article/EDPL/2020/4/6) outline the problem quite well.
Related Stories
White Paper – DPAs on the Ground
This piece focuses on the resources available to each DPA and its progress so far in addressing complaints, both individually and in coordination with other member states. Additionally, it highlights the GDPR's impact on budget and staffing levels in relation to a country's GDP. Results from the que...
Read More queue Save This
GDPR Genius
This interactive tool provides IAPP members ready access to critical GDPR resources — enforcement precedent, interpretive guidance, expert analysis and more — all in one location....
Read More queue Save This
To clarify some of the terms used in the article:
  • An “independent data controller” means an entity that alone determines the purposes and the means of the data processing it undertakes. Multiple independent data controllers could share a pool of personal data, but each independent data controller assumes all of the responsibilities of a data controller.
  • A “sponsor” is typically a natural or legal person (e.g., a pharmaceutical company or a research and development company) that initiates, manages or finances the clinical trial but does not actually conduct the investigation or research.
  • A “principal investigator” is an individual who is responsible for conducting the clinical trial at the study site.
  • A “study site” is a clinical research site or location where the trial is conducted.
  • A “CRO” (contract research organization) is a person or an organization contracted by the sponsor to perform one or more of a sponsor’s trial-related duties and functions.
Related Stories
Tags
Health Care
Europe
Biometrics
Privacy Law
Privacy Research
Westin Research Center
Recent Comments