In European law there is a relationship between the General Data Protection Regulation (GDPR) and the Clinical Trial Regulation (CTR).

In European law, a Regulation becomes law in every state on enactment, although most regulations permit adaptation to local norms through derogations, whereas a Directive must be enacted through Member State law. For this reason, implemented Directives tend to vary more between Member States than Regulations do. Nevertheless, there are differences, and for clinical research and medical devices, these can be significant.

The European Data Protection Board, which oversees the GDPR, has issued an opinion that most states (other than the UK) have incorrectly implemented the Clinical Trial Regulation in respect of the consent conditions and their application under GDPR. This has created much uncertainty; however, Kaleidoscope has developed approaches to meet both GDPR requirements and locally implemented Clinical Trial Regulation legislation – not only in the Informed Consent Form, but in the whole approach to satisfying the information requirements of GDPR where connected with CTR.

Other variations exist. For example, in Greek law, clinical trials must use a Government-imposed contract without variation. This contract does not address GDPR requirements for a Joint Controller Arrangement between Controllers. In Hungary, the clinical trials legislation requires publication of the name and contact details of the Data Protection Officer, which is not required by GDPR (the UK research regulatory body has published guidance that suggests the same requirement, but we have clarified with them that this is not the case), whilst Sweden’s Patient Data Laws have a completely different set of conditions.

Kaleidoscope has considerable experience supporting Contract Research Organisations (CROs) and Sponsors in navigating the complex legislative landscape and in meeting the statutory duty to fulfil certain roles.