The application of European regulation on data protection (GDPR) is a major challenge for Biotechs wishing to conduct clinical trials in the EU and requires them to master the conduct of their projects to comply with the applicable legal framework.

Record levels for biotechs

The global biotech market is growing rapidly, driven by the interest generated by the pandemic, with a valuation of $793.87 billions in 2021 and projections of $1,415.45 billions by 2028¹. Although the United States accounts for 59% of the global biotech market², many American companies are now aiming to develop their operational activities in Europe, leading to remarkable market growth and interest from European pharmaceutical companies.

Highly regulated activities in Europe

In the EU, clinical trials are governed by legislative, regulatory, and administrative provisions relating to the application of good clinical practices at both European and local levels. They aim at a high level of patient protection, while setting rigorous quality and safety standards to obtain reliable and robust data and results.

Adopted in May 2018, the European Regulation on the Protection of Personal Data (GDPR) ensures the protection and privacy of individuals with regard to the processing of personal data and provides for the rules on the free movement of such data. Any sponsor or subcontractor involved in a clinical trial, whether a company, institute, or association, that handles personal data of EU member states residents must comply with the GDPR, even if the entity is not established in Europe. “Health data” is defined specifically as any personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which reveals identifiable information about that person’s health status.

The interaction between the European Union’s regulation on clinical trials and the General Data ProtectionRegulation (GDPR) requires a thorough impact assessment on the implementation and conduct of health-related research.

From fundamental principles to compliance obligations

The principles of the GDPR are based on transparency of personal information, lawfulness of data processing activities, the right of data subjects, data retention and the principle of accountability for the application of GDPR rules.

The GDPR compliance framework requires specific knowledge and skills. Adoption processes must be adapted to secure such sensitive personal data as health data from the moment it is collected.

The GDPR requires mapping processing activities, setting up processes and registers, informing individual, guaranteeing their rights and freedoms, and raising awareness internally of good practices on personal data protection.

Data controllers must therefore ensure the application of appropriate technical and organizational measures. The challenge is to be able to demonstrate compliance with data protection rules (accountability or demonstrability principle) and the exercise of patient’s rights, particularly in the event of data transfer outside the European Union.

The appointment of a Data Protection Officer (DPO) to ensure compliance is a requirement for a clinical trial sponsor. In addition, if the entity is not established in a member state of the European Community, a Data protection authority must be appointed in the non eu country where the data processing activity takes place.

Legality of data transfers outside the European Union

Since the invalidation of the Privacy Shield by the European Court of Justice (“Schrem II”), each organization must now verify the legality of personal data transfers outside the EU, and particularly transfers to the United States. Thus, each actor is required to determine the criticality for its organization and define an action plan according to a defined method in order to achieve compliance.

Non-compliance with the GDPR: what penalties?

In case of non-compliance, the consequences are numerous. The amount of the penalties can be up to 20 million euros or in case of a company up to 4% of the annual worldwide turnover. These penalties can me made public and put the company’s reputation at stake.

Biotechs outside the EU: getting better organized to establish themselves in Europe

The application of the GDPR to clinical trials conducted in Europe can be tedious for Biotechs located outside the European Union, and particularly for American Biotechs concerned by a highly constrained data transfer. A comparison between European and American rules on health data protection regulations reveals a European legislative apparatus with standards that are very different from those of HIPAA and the Cybersecurity Law. The protection of personal data is at the heart of the European regulatory framework. Information, access, deletion, limitation, and portability of data are linked to the principle of informed explicit consent, responsibility, and risk control. Outsourcing R&D activities in Europe for the early stages of processing development requires new strategies and support in order to avoid some of the risks inherent to these developments.

As Data Protection Officer (DPO), iliomad assists American Biotechs in their efforts to conduct clinical trials in Europe.Our compliance platform ( dedicated to American Biotechs provides concrete answers to transpose the GDPR into daily practice, and better understand the differences between national and regional legislative frameworks (

Seamus Larroque

CDPO / CPIM / ISO 27005 Certified


Discover our latest articles

View All Blog Posts
April 23, 2024
No items found.

iliomad is deligthed to have supported the ICM - Institut du Cancer de Montpellier in their CNIL's authorization process

We are delighted to share that the ICM - Institut du Cancer de Montpellier was authorized by the French Data Protection Authority (CNIL) to conduct APAD-ECO study. The CNIL granted authorization to conduct a medico-economic study on the effects of physical activity in women treated for breast cancer on April, 19th. This groundbreaking study involves combining data from two clinical trials with that of the Caisse nationale de l’Assurance Maladie, covering the period from 2009 to 2022. The study aims to assess the long-term impacts of physical activity in patients who have undergone treatment for breast cancer. We are proud to have contributed to this project by providing the ICM - Institut du Cancer de Montpellier with a compliant Data Protection Impact Assessment (DPIA), a crucial step in obtaining CNIL approval.