Mon 16 Feb 2026

Navigating data protection challenges: The complex roles of controllers and processors in clinical trials

As clinical trials expand across borders, inconsistent regulatory views on controller and processor roles are creating significant hurdles for medical device manufacturers.

For medical device manufacturers operating in the UK and across Europe, data protection compliance in clinical trials has become a complex legal and operational patchwork. At the heart of this complexity lies the inconsistency between how jurisdictions characterise the roles of sponsors, clinical research organisations (CROs), trial sites and principal investigators (PIs) as data controllers, joint controllers or processors under data protection law. These divergences create practical challenges for manufacturers seeking to run multi-country studies.

The controller-processor conundrum

Under GDPR and UK GDPR:

  • "Controller" is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
  • "Processor" is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

In the context of clinical trials, however, this distinction is often blurred.
 
Sponsors typically act as controllers of personal data used in studies, even if they only access pseudonymised data in practice, because they design the study protocol and determine what data is collected, how it is used and for what purpose. CROs are often processors, implementing the sponsor's instructions, but this can shift if they are involved in designing the trial.
 
Sites and principal investigators present more complexity. Their role can be as a processor, joint controller or even independent controller depending on their involvement in trial design and patient care.

Jurisdictional divergence on the roles of sponsors and trial sites

In the UK, there is a model clinical trial agreement, available via IRAS Help (under "preparing and submitting applications" and "templates for supporting documents"), as a form of agreement to be entered into between a sponsor and a trial site. This agreement takes, as its default position, that a site is the sponsor's processor when personal data is used for the purpose of a trial. The model agreement recognises that sites are controllers in their own right when they use the same personal data for the provision of medical care.
 
Other jurisdictions take the default view that sponsors and sites are joint controllers as they collaborate on protocols and the study.

What about PIs?

As PIs are usually employees of the study site, it would generally follow that they do not have the role of either processor or controller and are simply acting as agents of their employer. However, this is not the approach taken by some European countries, which may characterise them as processors or joint controllers.
 
For medical device manufacturers, these variations mean that the same trial involving the same data and actors may require different legal characterisations in different jurisdictions.

What do the regulators say?

The EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR provide an example on clinical trials (page 23):
 
A health care provider (the investigator) and a university (the sponsor) decide to launch together a clinical trial with the same purpose. They collaborate together to the drafting of the study protocol (i.e. purpose, methodology/design of the study, data to be collected, subject exclusion/inclusion criteria, database reuse (where relevant) etc.). They may be considered as joint controllers, for this clinical trial as they jointly determine and agree on the same purpose and the essential means of the processing. The collection of personal data from the medical record of the patient for the purpose of research is to be distinguished from the storage and use of the same data for the purpose of patient care, for which the health care provider remains the controller. In the event that the investigator does not participate to the drafting of the protocol (he just accepts the protocol already elaborated by the sponsor), and the protocol is only designed by the sponsor, the investigator should be considered as a processor and the sponsor as the controller for this clinical trial.
 
In practice, sponsors need to look at what is actually happening in the study and determine which partners, if any, are controlling and directing the study protocol in terms of data collection and use. This may mean that sites, principal investigators and CROs move away from a processor role in some instances.

Practical difficulties for medical device manufacturers

1. Contractual complexity

Determining the correct role of each party dictates which GDPR provisions apply:

  • Controller-processor relationship: requires data processing agreements under Article 28 GDPR.
  • Joint controller relationship: triggers Article 26 obligations, including the need for transparent arrangements regarding data subjects' rights.

A clinical trial run across the UK and Europe may require bespoke agreements for each country.

2. Informed consent challenges

Informed consent forms are vital but can be misleading. Consent to participate in a trial is distinct from consent as a legal basis for data processing under GDPR. Some jurisdictions rely heavily on explicit consent under Articles 6 and 9 of GDPR, while others favour legitimate interests or public interest grounds. These differences require nuanced drafting of informed consent forms and privacy notices.

3. Operational risks

Mischaracterising these roles can lead to challenges from regulators, ethics committees and clinical trial participants. Enforcement action or trial delays are realistic risks if responsibilities are not clearly defined and documented.

Moving towards best practice

To manage these challenges, medical device manufacturers should:

  • Determine on a case-by-case basis whether sites, principal investigators and CROs are controllers, joint controllers or processors of the sponsor.
  • Draft clinical trial agreements and data contracts to reflect the actual roles.
  • Ensure that privacy notices and informed consent forms align with national guidance.

Conclusion

In an ideal world, a unified interpretation of data protection roles across the UK and Europe would simplify matters for sponsors. Until then, medical device manufacturers must navigate the inconsistencies and plan carefully to avoid regulatory pitfalls. With increasing regulatory scrutiny and the critical importance of data in clinical innovation, getting these relationships right has never been more essential.
 
We regularly advise medical device manufacturers, sponsors and research partners on structuring clinical trial arrangements that are robust, defensible and aligned with evolving regulatory expectations. If you would like to discuss how these issues affect your studies, please get in touch.
