DPO clinical trials

Published on October 23, 2025 by Admin-RDPrivacy

Why is a DPO Important in Clinical Trials?

Clinical trials inherently involve the processing of sensitive personal data, such as health information, genetic data, and sometimes even biometric data. This processing, coupled with the systematic monitoring of participants, creates a high-risk environment for data protection.
Under Article 37 of the GDPR, organizations are required to appoint a DPO if their core activities involve:
Large-scale processing of special category data, such as health data.
Regular and systematic monitoring of data subjects on a large scale, such as when processing health data through wearable devices.
For pharmaceutical companies and Sponsors, clinical trials frequently meet these criteria due to the nature and scale of the data being processed. Even a small Phase I trial involving a limited number of participants is often part of a larger research portfolio that will scale significantly in subsequent phases, involving more participants and more complex data processing.
The DPO’s role is not limited to a single trial. Instead, the appointment applies to the entire organization. This organizational-level perspective ensures consistent oversight and compliance across all trials and related activities, such as pharmacovigilance, which involves continuous monitoring of adverse events and safety reporting.

Legal and Regulatory Requirements

The GDPR provides the foundation for the mandatory appointment of a DPO, but some EU countries have additional requirements that make it even more relevant for Sponsors conducting clinical trials:

01 France:

Under MR-001, CNIL’s methodology for clinical trials, the appointment of a DPO is mandatory. Sponsors must demonstrate DPO oversight to comply with MR-001 and benefit from the simplified declaration process for trial approval.
02 Spain:

The Code of Conduct for Clinical Trials and Pharmacovigilance, approved by the Spanish Data Protection Authority (AEPD), explicitly requires Sponsors to appoint a DPO. This reinforces the importance of centralized data protection management for all trials conducted in Spain.
03 Germany:

German law, specifically §38 of the Federal Data Protection Act (BDSG), mandates the appointment of a DPO for organizations processing sensitive data on a large scale or performing activities that require a Data Protection Impact Assessment (DPIA). Clinical trials, given their nature, almost always fall under these categories.