The introduction of the Clinical Trial Information System (CTIS) has ushered in a new era of transparency and efficiency in the realm of clinical trials. However, with this advancement comes the paramount responsibility of ensuring data privacy. This article delves into the impact of CTIS on data privacy for clinical trial sponsors and outlines the necessary steps to ensure compliance with the new clinical trial regulation that birthed the CTIS platform.


Prelude: The CTIS has been introduced under the Clinical Trial Regulation (EU) 536/2014, referred to as the "CTR". This regulation changes how clinical sponsors submit their trial results. Additionally, the CTR, as noted in Annex 1D.17(ak) and subsequent sections, mandates that sponsors include in their study protocols measures for data protection compliance, ensuring personal data confidentiality, and addressing data breaches. Therefore, adherence to the CTIS also demands that sponsors evaluate their responsibilities as dictated by the CTR.

Understanding the CTIS Framework

The CTIS, established in accordance with Articles 80 and 81 of the Regulation (EU) No 536/2014, serves as a centralized platform for the submission of clinical trial-related information. From the initiation of clinical trial applications to ongoing supervision throughout the trial lifecycle, the CTIS plays a pivotal role. It's a collaborative effort involving the European Medicines Agency (EMA), Union Member States, and the European Commission.

Data Privacy in the CTIS Landscape

The CTIS is designed with stringent data protection measures. Personal data, such as the names and contact details of principal investigators, are captured within the CTIS's secure domain. While certain details, like the list of principal investigators' names and contact details, are made public, other personal data remains confined to the secure domain.

Moreover, the CTIS ensures that documents meant for public viewing do not contain personal data. For instance, the names (but not signatures) of the sponsor and coordinating investigator signatories of the clinical study report remain visible in the report loaded into the database, but other personal data is kept confidential.

Compliance with Data Protection Regulations

The processing of personal data within the CTIS is grounded in the public interest. The EMA, Member States, European Commission, and clinical trial sponsors are joint controllers in the CTIS, bound by legal obligations to collect and upload relevant documents. The data centers used for CTIS are located within the EU, specifically in the Netherlands, Ireland, and Germany.

Ensuring Data Privacy: Steps for Clinical Trial Sponsors

  1. Understand the CTIS Framework: Familiarize yourself with the CTIS's structure and its data protection measures. Recognize the distinction between data in the CTIS's secure domain and data made public.
  2. Ensure you draft a GDPR compliance statement in line with local European regulations. This is specified in the "Compliance with Regulations" section and within the Documents section of Part II of the sponsor's dossier.
  3. Stay updated with regulatory changes: Regularly review the guidelines and recommendations provided by the EMA and other relevant bodies. For example, the EMA has recently revised its transparency rules.[1]
  4. Engage in transparent communication: Inform all stakeholders, including trial participants, about the data being collected, its purpose, and the measures in place to protect their privacy.
  5. Implement robust data protection measures: Employ state-of-the-art encryption and other security measures to safeguard data. Regularly audit and update these measures to counter evolving threats.
  6. Train your team: Ensure that everyone involved in the clinical trial is well-versed with the CTIS's data protection protocols and understands the importance of data privacy.
  7. Before making any data updates on the platform, consider the distinction between public and non-public publications. Ensure you review the anonymization process, especially if it has been entrusted to your CRO.


The CTIS represents a significant stride forward in the clinical trial landscape, offering transparency and efficiency. However, with its advent, the onus of ensuring data privacy has become even more pronounced. By understanding the CTIS framework and implementing robust data protection measures, clinical trial sponsors can navigate this new landscape confidently and compliantly.



To delve deeper, here are some valuable resources to better understand the data protection requirements as outlined in the CTR and CTIS:





Seamus Larroque

CDPO / CPIM / ISO 27005 Certified

