Data Subject Rights in Clinical Trials

The General Data Protection Regulation (GDPR) grants individuals a range of rights over their personal data, and sponsors of clinical trials must carefully navigate these obligations to ensure compliance. Unlike other industries, clinical trials involve unique complexities due to the need to protect scientific integrity, ensure participant safety, and comply with regulatory requirements. This guide focuses on the sponsor’s role in managing data subject rights while balancing these competing priorities.

Understanding Data Subject Rights in Clinical Trials

Data subject rights under GDPR include access, rectification, erasure, restriction, objection, and data portability. Each of these rights poses specific challenges within the context of clinical trials. For instance, the right to access allows participants to request information about their personal data, which sponsors must provide without compromising the trial’s confidentiality or validity. Similarly, the right to rectification requires sponsors to correct inaccuracies in personal data, yet such corrections must not undermine the integrity of trial results.

One of the most complex rights is the right to erasure, often referred to as the "right to be forgotten." While participants may request the deletion of their data, sponsors must balance this right against regulatory obligations that require the retention of certain data for compliance purposes. The right to restrict processing and the right to object also demand careful consideration, as they may impact ongoing research activities. Even the right to data portability, though less common in clinical trials, requires sponsors to provide data in a machine-readable format when applicable.

The Importance of Properly Classifying Data: Pseudonymized vs. Anonymized

One of the most misunderstood aspects of GDPR compliance in clinical trials is the distinction between pseudonymized and anonymized data. This distinction is crucial, as it directly affects data subject rights and the sponsor’s obligations under GDPR.

Why Pseudonymized Data is Still Personal Data

Pseudonymization is a commonly used technique in clinical trials to protect participant privacy. Under GDPR Article 4(5), pseudonymized data is data that has been processed in a way that cannot be attributed to a specific individual without additional information. However, this additional information still exists somewhere within the clinical trial ecosystem—typically with the clinical site.

This means that pseudonymized data remains personal data under GDPR because re-identification is still possible. As a result, all data subject rights still apply, including access, rectification, and erasure (subject to regulatory constraints).

Misclassifying Pseudonymized Data as Anonymized Data Can Lead to GDPR Violations

Some vendors in clinical trials mistakenly assume that because they do not have access to re-identification keys, the data they handle is anonymized and therefore outside the scope of GDPR. However, the European Data Protection Board (EDPB) Guidelines 01/2025 on Pseudonymisation clearly state that data remains pseudonymized and subject to GDPR as long as any party within the processing chain can reasonably re-identify individuals.

Misclassifying pseudonymized data as anonymized can have serious implications:

  • It may lead to inadequate security measures, as the organization may believe GDPR does not apply.

  • It can result in the denial of valid data subject requests, such as erasure requests from participants who withdraw from a trial.

  • It shifts accountability onto the sponsor, as GDPR holds the data controller responsible for ensuring that processors comply with data protection requirements.

To mitigate these risks, sponsors must ensure that all vendors and stakeholders involved in the clinical trial correctly classify and handle data in compliance with GDPR. Contracts and Data Processing Agreements (DPAs) should clearly define pseudonymized data as personal data, ensuring that all GDPR obligations are respected.

Balancing Compliance with Practical Challenges

Sponsors face significant challenges in implementing data subject rights while maintaining compliance with regulatory obligations. For example, clinical trial regulations often require data retention for extended periods, making it difficult to honor erasure requests fully. Furthermore, allowing data rectification or deletion during an ongoing study could compromise the scientific integrity of trial results.

To address these issues, sponsors should proactively design informed consent processes that clearly outline:

  • What data subject rights can and cannot be exercised in the context of the trial

  • The limitations on subject rights due to regulatory requirements

  • The measures in place to ensure that subject rights can be exercised

Additionally, sponsors conducting cross-border trials must ensure that their data protection practices align with both GDPR and local clinical trial laws, which may have their own provisions on the exercise of subject rights and on regulatory obligations.

Practical Steps for Sponsors to Ensure Compliance

In clinical trials, participants typically exercise their data protection rights through the principal investigator, who communicates requests to the sponsor or to the sponsor’s Data Protection Officer (DPO). The sponsor or DPO must then ensure an appropriate response while maintaining regulatory compliance and the confidentiality of trial records.

However, GDPR requires controllers (sponsors) to provide clear contact details for their DPO, ensuring that participants have the option to reach out directly. Sponsors must be prepared to handle such communications transparently and efficiently.

To effectively manage data subject rights, sponsors should implement the following best practices:

  1. Ensure Transparency in Consent Forms: Participant information sheets should explicitly explain how personal data will be used, which rights apply, any limitations on those rights, and how to exercise such rights. If informed consent forms (ICFs) cannot include information about the sponsor’s DPO, the sponsor must ensure alternative ways to provide this information to trial participants.

  2. Implement Standard Operating Procedures (SOPs): Sponsors should establish clear internal procedures for handling data subject requests, ensuring consistency across studies.

  3. Validate Vendor Compliance: Sponsors should ensure that all vendors correctly classify data and implement GDPR-compliant measures. Any vendor misclassifying pseudonymized data as anonymized should be addressed through compliance reviews, contractual updates, or, if necessary, escalation to terminate the contract.

  4. Monitor Compliance Through Audits: Sponsors should conduct periodic audits of both internal data handling practices and third-party vendors to verify GDPR compliance and address any discrepancies in data classification.

Conclusion

Respecting data subject rights is essential for maintaining trust with trial participants and ensuring compliance with GDPR. Sponsors must take an active role in ensuring that all stakeholders correctly classify and protect data, avoiding misinterpretations that could lead to regulatory risks. By implementing transparency measures, robust processes, and strict vendor oversight, sponsors can strike a balance between data protection compliance and the advancement of clinical research.

If you need support navigating GDPR compliance in clinical trials, feel free to reach out; we’re here to help.

Best,

Diana
