Cross-border data transfers are a critical yet complex aspect of clinical trials. With global collaborations becoming the norm, personal data often moves across jurisdictions, exposing it to varying levels of protection. The General Data Protection Regulation (GDPR) sets strict requirements to ensure that these transfers do not compromise participants’ privacy.
Why Cross-Border Data Transfers Are Important in Clinical Trials
Clinical trials are necessarily global, involving stakeholders from multiple countries, including sponsors, contract research organizations (CROs), regulators, and data storage providers. These collaborations require the transfer of sensitive personal data, such as health-related information, across borders. For instance, data collected from participants in Europe may be processed or analyzed by a CRO in the United States or stored on servers in a third country.
While these transfers are essential for research efficiency and innovation, they also pose risks to data security and participant privacy. GDPR addresses these risks by imposing stringent requirements on how personal data is transferred to countries outside the European Economic Area (EEA).
GDPR Obligations for Cross-Border Transfers
Under GDPR, personal data transfers to non-EEA countries (third countries) are only permitted if the receiving country ensures an adequate level of data protection. This can be achieved through one of the following mechanisms:
- Adequacy Decisions: Some countries are deemed by the European Commission to provide adequate data protection. Transfers to these countries are considered safe and do not require additional safeguards.
- Standard Contractual Clauses (SCCs): For countries without adequacy decisions, SCCs provide contractual obligations for data processors to implement sufficient safeguards.
- Binding Corporate Rules (BCRs): BCRs are internal data protection policies approved by regulators, allowing multinational companies to transfer data within their group entities.
- Derogations: In limited cases, transfers may be justified under specific derogations, such as explicit consent from data subjects.
Importantly, the Schrems II decision by the CJEU invalidated the EU-U.S. Privacy Shield, heightening scrutiny on transfers to the United States and other third countries. Organizations must now conduct a Transfer Impact Assessment (TIA) to evaluate whether the recipient country’s legal framework undermines the safeguards provided by SCCs or BCRs.
Responsibilities of Sponsors in Clinical Trials
Sponsors bear the primary responsibility for ensuring that cross-border data transfers comply with GDPR. Their obligations include:
- Identifying Data Transfer Needs: Sponsors must map out data flows to identify when and where personal data will be transferred. This includes understanding which entities will process the data, the purpose of the transfer, and the legal basis for processing.
- Conducting a Transfer Impact Assessment (TIA): A TIA evaluates the risks associated with transferring personal data to a third country. Sponsors must assess the legal and practical risks in the recipient country, particularly focusing on the possibility of government surveillance or access. Based on the findings, they must implement supplementary measures, such as encryption or pseudonymization, to mitigate risks.
- Implementing Appropriate Safeguards: Sponsors must ensure that all transfers are covered by SCCs, BCRs, or another valid mechanism. These agreements must be incorporated into contracts with CROs, data storage providers, and other partners.
- Ensuring Transparency and Participant Rights: GDPR emphasizes transparency and the protection of participant rights. Sponsors must inform participants about the details of cross-border transfers in the trial’s privacy notice and ensure they can exercise their rights, such as access to data or withdrawal of consent.
- Due Diligence on CROs and Vendors: CROs and vendors handling participant data must comply with GDPR requirements. Sponsors must conduct due diligence to verify their partners’ compliance, including reviewing certifications such as ISO/IEC 27001 for information security.
Conclusion
Cross-border data transfers are integral to clinical trials but must be carefully managed to comply with GDPR. Sponsors play a critical role in ensuring data protection by conducting TIAs, implementing safeguards, and collaborating with CROs and vendors. By following GDPR’s requirements, sponsors can protect participant privacy, mitigate risks, and maintain the trust of both participants and regulators in an increasingly global research environment.
Diana is the Founder & Managing Director at RD Privacy and a contributing columnist, specializing in privacy for the pharmaceuticals and life science sectors, particularly small biopharma companies, with extensive experience as a European qualified privacy attorney and Data Protection Officer (DPO).