What are the requirements for personal data protection (RODO/GDPR) in clinical and observational studies?

The protection of personal data in clinical and observational studies is one of the key areas of responsibility for the sponsor, CRO, and investigational sites. These studies involve the processing of particularly sensitive data, including health data, which requires compliance with enhanced obligations arising from the GDPR (RODO) and other applicable national regulations.

A fundamental requirement is having a clear and valid legal basis for processing personal data. In clinical and observational studies, data processing is not based solely on the patient’s consent within the meaning of the GDPR. Informed Consent to participate in a study has an ethical and regulatory character, whereas the legal basis for data processing is most often the performance of a task carried out in the public interest in the field of public health or the conduct of scientific research, in accordance with Articles 6 and 9 of the GDPR. In practice, this means that a clear distinction must be made between consent to participate in the study and the information provided about the processing of personal data.

Another key requirement is the principle of data minimisation. Only data that are necessary to achieve the objectives of the study as defined in the protocol may be processed. Both the sponsor and the CRO must be able to demonstrate that the scope of collected data is adequate and proportionate, and that each data category has a scientific or regulatory justification. Excessive data collection increases the risk of data breaches and may be challenged during audits or inspections.

In clinical and observational studies, pseudonymisation of data is a standard practice. Identifying data of the participant (e.g. name, surname, national identification number) remain at the investigational site, while the sponsor and CRO process data labelled only with a unique study code. The key linking the study code to the participant's identity must be properly secured and accessible only to authorised personnel. Pseudonymisation significantly reduces the risk to privacy, but it does not exempt any stakeholder from GDPR obligations: the data remain personal data as long as the key exists.
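The split between site-held identifying data and the coded dataset sent to the sponsor/CRO, together with the protocol-driven minimisation described in the previous paragraph, can be expressed as a small data-flow rule. The following Python example is added here for illustration; it is not code from the original article or from any real eCRF system. The field lists, the site identifier, the site secret, the permitted roles and the sample record are all constructed assumptions, and the study code is derived with an HMAC over the national identifier under a secret that only the site holds, so the sponsor cannot recompute codes from identities.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

# Variables the (hypothetical) protocol justifies sending to the sponsor/CRO.
PROTOCOL_FIELDS = frozenset({"visit", "age_years", "sex", "diagnosis_code", "systolic_bp"})
# Directly identifying fields that never leave the investigational site (constructed list).
IDENTIFYING_FIELDS = frozenset({"name", "surname", "national_id"})


@dataclass
class SiteKeyStore:
    """Re-identification key, held only at the investigational site.

    site_secret is a per-site secret used to derive the study code; the sponsor
    and CRO never receive it, so a code reveals nothing about the identity.
    """
    site_id: str
    site_secret: bytes
    _key: dict = field(default_factory=dict)         # study code -> identifying data
    _access_log: list = field(default_factory=list)  # (role, code) for every lookup

    def study_code(self, national_id: str) -> str:
        # Keyed hash: the same participant maps to the same code across visits,
        # but without site_secret the code cannot be linked back to the person.
        digest = hmac.new(self.site_secret, national_id.encode(), hashlib.sha256).hexdigest()
        return f"{self.site_id}-{digest[:8].upper()}"

    def register(self, identity: dict) -> str:
        code = self.study_code(identity["national_id"])
        self._key[code] = {k: identity[k] for k in IDENTIFYING_FIELDS}
        return code

    def reidentify(self, code: str, role: str) -> dict:
        # Only site roles named in the protocol may open the key; every lookup is logged.
        if role not in {"principal_investigator", "study_nurse"}:
            raise PermissionError(f"role {role!r} may not access the re-identification key")
        self._access_log.append((role, code))
        return dict(self._key[code])


def pseudonymise(record: dict, store: SiteKeyStore) -> tuple[dict, list[str]]:
    """Split a source record into the record the sponsor/CRO receives and the
    names of fields dropped because the protocol does not justify them.

    Identifying fields go to the site key store only; the outgoing record carries
    the study code and the protocol-approved variables, nothing else.
    """
    missing = IDENTIFYING_FIELDS - set(record)
    if missing:
        raise ValueError(f"record lacks fields needed for the key: {sorted(missing)}")
    code = store.register(record)
    outgoing = {"study_code": code}
    dropped = []
    for name, value in record.items():
        if name in IDENTIFYING_FIELDS:
            continue                      # stays at the site
        if name in PROTOCOL_FIELDS:
            outgoing[name] = value        # justified by the protocol
        else:
            dropped.append(name)          # data minimisation: not in protocol, not sent
    return outgoing, sorted(dropped)


def sponsor_record_is_clean(outgoing: dict) -> bool:
    """True if a sponsor-bound record has no identifying field and nothing beyond the protocol."""
    keys = set(outgoing)
    return not (IDENTIFYING_FIELDS & keys) and keys <= (PROTOCOL_FIELDS | {"study_code"})


# Constructed sample source record (fictitious person, not real data).
SAMPLE_RECORD = {
    "name": "Jan", "surname": "Kowalski", "national_id": "00000000000",
    "email": "jan@example.invalid",      # collected by the site, not justified by the protocol
    "visit": 1, "age_years": 54, "sex": "M", "diagnosis_code": "I10", "systolic_bp": 142,
}

if __name__ == "__main__":
    store = SiteKeyStore(site_id="PL01", site_secret=b"site-secret-constructed")
    out, dropped = pseudonymise(SAMPLE_RECORD, store)
    print("to sponsor/CRO:", out)
    print("dropped by minimisation:", dropped)
    print("site re-identification:", store.reidentify(out["study_code"], role="study_nurse"))
```

The two checks a reviewer would run against such a flow are visible in the code: `sponsor_record_is_clean` is the audit question "does anything outside the protocol leave the site?", and the `PermissionError` in `reidentify` plus the access log are the organisational measure that keeps the key restricted to authorised site staff, as the paragraph requires.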

Transparency towards study participants is also essential. Each participant must receive clear information about who the data controller is, for what purposes the data are processed, how long they will be stored, to whom they may be disclosed (e.g. sponsor, CRO, regulatory authorities), and what rights the data subject has. The GDPR information notice should be consistent with the study protocol and other study documentation, and its content must reflect the specific nature of the project.

The GDPR also requires the implementation of appropriate technical and organisational measures. These include, among others, access control to systems (eCRF, eTMF), role-based user authorisations, data encryption, incident management procedures, and regular staff training.

Data retention must not be overlooked. In clinical studies, data must be retained for the period required by law and regulatory guidelines, which may involve archiving for many years. At the same time, it is necessary to clearly define which data are subject to mandatory archiving and which may be deleted after study completion, in line with the principle of storage limitation.

In summary, meeting GDPR requirements in clinical and observational studies requires a combination of regulatory, operational, and technological expertise. Properly designed data protection processes not only minimise legal risk but also build trust among study participants, investigational sites, and supervisory authorities. Well-implemented data protection is now an indispensable element of the quality and credibility of any clinical or observational study.

Copyright © 2023 Biostat