Further Processing of Personal Data in Clinical Research

Madeleine Kennedy, Syneos Health

Clinical Researcher—September 2018 (Volume 32, Issue 8)

While informed consent is a prerequisite for the enrollment of subjects in a clinical trial (according to the tenets of the International Council for Harmonization [ICH] Guideline for Good Clinical Practice E6(R2) 4.8), the General Data Protection Regulation (GDPR)* imposes a number of additional obligations on organizations that process personal data where “personal data” are defined as “any information relating to an identified or identifiable natural person (‘data subject’)” (Article 4(1)); and “processing” is defined as “any operation or set of operations that is performed on personal data or on sets of personal data” (Article 4(2)). However, the Regulation also allows for exemptions when personal data are processed for scientific research purposes. These exemptions pertain to the further processing of personal data for purposes other than the originally specified purpose (Article 5(1b)), the retention of personal data (Article 5(1e)), and the rights of data subjects (Articles 14(5b), 17(3d), 21(6), and 89(2)).

This column will focus on the topic of further processing of personal data, and will demonstrate that the exemption on such processing applies only under certain conditions and only if appropriate safeguards are in place. This article will also address the risks associated with personal data processing that is performed outside the boundaries of the controller’s instructions.

Exemption on Further Processing

GDPR defines the “controller” as the party that “determines the purposes and means of the processing of personal data” (Article 4(7)). In clinical research, the sponsor is typically acting as the controller. The GDPR principle on “purpose limitation” states that personal data must be processed “for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with these purposes” (Article 5(1b)). However, this principle contains an exemption, namely that further processing for scientific research purposes is not considered to be incompatible with the initial purposes (Article 5(1b)).

Article 89(1) clarifies that this exemption applies only if appropriate organizational and technical measures, based on a risk assessment, are in place to protect the rights and freedoms of data subjects. Article 32(1) lists the following safeguards to consider:

  1. The pseudonymization and encryption of personal data.
  2. The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  3. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  4. A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Does this mean that sponsors can further process personal data (e.g., carry out additional secondary research) as long as they have appropriate organizational and technical measures in place? Not necessarily. GDPR provides context on what a controller needs to consider before processing the personal data for an additional purpose where the processing is not based on the data subject’s consent, namely:

  1. Any link between the purposes for which the personal data have been collected and the purposes of the intended further processing.
  2. The context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller.
  3. The nature of the personal data, in particular whether special categories of personal data are processed.
  4. The possible consequences of the intended further processing for data subjects.
  5. The existence of appropriate safeguards, which may include encryption or pseudonymization (Article 6(4)).

So if the further processing is not compatible with the first purpose, if particularly sensitive data are being processed, and/or if data subjects do not have a reasonable expectation that their personal data may be processed for that additional purpose (particularly given the unequal relationship between research subjects and the investigator/sponsor), the interests and rights of the data subject could very well override the interest of the data controller (Article 47).

Further Processing Outside the Controller’s Instructions

Now let’s turn to the topic of further processing by a vendor. GDPR defines “processor” as the party that “processes personal data on behalf of the controller” (Article 4(8)). One might then assume that in clinical research, where a sponsor delegates trial-related responsibilities to a vendor, the vendor is the processor. However, it is not as simple as that.

GDPR emphasizes and reemphasizes that the processor may process the personal data “only on the controller’s documented instructions” (Article 28(3a)), and may not process them outside of those instructions, “unless required to do so by Union or Member State law” (Article 29). What this means is that if a vendor processes the personal data outside the controller’s instructions, the vendor becomes the controller for that processing.

This is a material change for a vendor that has been contracted to take on the role of processor, because the controller’s responsibilities are significantly more extensive than those of the processor. Furthermore, infringements of GDPR provisions carry hefty administrative fines of “up to 20,000,000 EUR or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher” (Article 83(5)).

The processor’s responsibilities are limited to putting in place appropriate organizational and technical measures to support the controller in meeting its obligations. These include notification and communication of personal data breaches and enabling subject rights. In addition, processors must only subcontract with additional processors with prior specific or general authorization that imposes the same data protection obligations on those subcontractors as those between the controller and initial processor, with the liability for any non-performance of those processors falling on the initial processor (Article 28).

The controller, on the other hand, is responsible for, and must be able to demonstrate, compliance with:

  • Adherence with the personal data processing principles of lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality (Articles 5 through 11).
  • Facilitating the exercise of data subject rights (Articles 12 to 23).
  • Implementing data protection by design and default (Article 25).
  • Implementing “appropriate technical and organizational measures to ensure a level of security appropriate to the risk” (Article 32).
  • Using “only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject” (Article 28(1)).
  • Notification to supervisory authorities and communication to the data subjects of personal data breaches if these meet the required thresholds (Articles 33 and 34).
  • Conducting data protection impact assessments per the conditions outlined in Article 35 and consulting “the supervisory authority prior to processing where a data protection impact assessment…indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk” (Article 36).

It is important to note that while a vendor delegated by a sponsor to “perform one or more of a sponsor’s trial-related duties and functions” (ICH 1.20) is contracted to act as the processor, the vendor is the controller where the vendor determines the purposes and means of the processing (e.g., in the vendor’s processing of employees’ personal data in the specific employment context). In other words, the vendor wears two hats, depending on the type of processing performed.

If a vendor did process personal data outside the sponsor’s instructions, how would a supervisory authority determine whether the vendor is acting as the controller for that processing? The supervisory authority would likely first review the contract between the sponsor and the vendor, including the transfer of regulatory obligations to assess the sponsor’s instructions. The supervisory authority would also likely consider other factual elements, such as the expertise of the controller versus the processor and the degree of control and oversight by the controller to determine the degree of independent judgment that the processor was able to exercise. It is therefore incumbent on vendors contracting with biopharmaceutical companies to be diligent about ensuring that the sponsor’s instructions are clear, so as not to risk overstepping.


While GDPR has created an exemption to the purpose limitation principle for scientific research, this only applies if appropriate organizational and technical measures are in place and the interests and rights of the data subject are not compromised. The regulation has also emphasized that further processing of personal data outside the boundaries of the controller’s instructions carries significant liability risks for the party engaged in the further processing.

References

  1. International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use. ICH Harmonized Guideline. Integrated Addendum to ICH E6(R1): Guideline for Good Clinical Practice E6(R2), Current Step 4 version.
  2. Regulation (EU) 2016/679 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of such Data, and repealing Directive 95/46/EC (General Data Protection Regulation). European Parliament and Council of the European Union.

Madeleine Kennedy, PhD, DBioethics, (madeleine.kennedy@syneoshealth.com) is Senior Vice President Corporate Quality, Syneos Health.

*The GDPR applies to the processing of personal data by a controller or processor in the European Union (EU), regardless of whether the processing occurs in the Union. It also applies to the processing of personal data of data subjects located in the EU by controllers and processors not established in the Union if the processing relates to either the offering of goods or services to those subjects or the monitoring of their behavior where it takes place in the Union (Article 3).