Clinical trials in Spain: Takeaways from the new code of conduct (Part 1)

Last week we raised our hands to inform you about the Spanish Data Protection Authority’s approval of the "Code of Conduct on the processing of personal data in the field of clinical trials and other clinical research as well as pharmacovigilance" (CoC). Now we will explore, as promised, the details of the CoC.

In this first post, we will analyse its highlights. We will also examine how it could lay the groundwork for a hopefully more uniform approach on data protection obligations in the context of clinical trials within the EU, which would greatly benefit multinationals carrying out their business in multiple Member States at once. Part two of this series will focus on the pharmacovigilance section of the CoC.

Basic Context of the CoC

The CoC (so far only available in Spanish here) is a national code of conduct promoted by Farmaindustria (i.e. the National Business Association of the Pharmaceutical Industry) that regulates how data protection rules impact the development of clinical trials and compliance with pharmacovigilance obligations.

It applies to the processing activities of adhered Sponsors and Clinical Research Organizations (CROs) in Spain under the jurisdiction of the Spanish Data Protection Authority (AEPD). The provisions of the CoC do not apply to investigations already initiated prior to the CoC taking full effect. However, it will be considered good practice to take the appropriate measures to bring those investigations in line with the CoC.

The Spanish DPA has also published a report approving the CoC.

Highlights on Clinical Trials and Research

Art. 5 GDPR Principles

The CoC starts from the very beginning: analysing the general data protection principles one by one. Among those, purpose limitation and accuracy principles are of special interest to the case at hand.

Under the purpose limitation principle (which has become the AEPD’s star in recent sanctioning decisions), both the inclusion by Site of the trial’s data in the clinical records and undertaking new investigations by the Sponsor and the Principal Investigators are generally deemed compatible (the latter with certain particularities as explained below).

Regarding accuracy, the Principal Investigator is responsible for complying with this principle when collecting the data.

Roles of the Parties to a Clinical Trial

The CoC helps to clarify the different roles that the parties to a clinical trial play from a data protection standpoint. A general scheme of the roles follows:

It must be highlighted that in the CoC the Sponsor and the Site are deemed separate controllers, rather than joint controllers, as suggested in passing by the Catalonian Data Protection Authority or as provided in certain templates issued by public bodies. Thus, for transparency purposes, the CoC provides that essential elements to the data agreed processing terms between the Sponsor and the Site must be put at the trial subjects’ disposal, which is very similar to the joint controllership regime under art. 26 GDPR. The door appears to not be fully closed in this regard.

The Sponsor is the controller with regard to establishing the trial subjects selection criteria and coded data, and the Site is the controller with regard to the clinical records and data necessary to provide its sanitary services throughout the trial. Among other obligations, the Site (directly or through the Principal Investigator) will be responsible for providing trial subjects with the information required under the GDPR.

The other parties to the clinical trial, including Monitors, CROs (with regard to monitorisation of the trial or other services entailing access to coded data), auditors, and trusted third parties, are deemed processors (see annexes to the CoC for template agreements, which may prove useful for negotiation). Note that the fact that these parties are deemed processors does not grant the Sponsor direct access to non-coded data.

Where the Principal investigator’s team is not part of the Site, they will also be deemed processors of the Site.

Legal Bases and Derogations under Art. 9 GDPR

The CoC explicitly establishes that processing of trial subjects’ data in the context of clinical trials is based on the existence of a legal obligation (Art. 6(1)(c) GDPR), in connection with Art. 9(2)(i) and (j) GDPR, due to the involvement of special categories of data (health data). The CoC describes the different laws and articles thereunder which serve as the bases for the referred articles.

The data subjects’ consent is not required to process their personal data once they have agreed to take part in the research/trial (i.e. the non-data protection related informed consent). As a result, the right to withdraw the consent as established under data protection rules (and the consequence of such withdrawal) does not apply. Complying with information duties under arts. 13 and 14 GDPR is still required.

Consent would be required in order to process clinical trial participants’ data for purposes other than those related to the clinical trial, unless such processing could also be based on a specific legal basis other than consent.

Data Protection Impact Assessment (DPIA)

Undertaking a DPIA is a prerequisite to carrying out a clinical trial. One DPIA may cover all clinical research carried out by the Sponsor (unless the different nature and particularities of the research require a specific DPIA or special annex). Both the Site and the Sponsor must have their own DPIA. The Sponsor’s DPIA must pay specific attention to the data codification process (and its risks and reverse-engineering consequences).

Security Measures

The CoC acknowledges that the Sponsor's security measures may be modulated due to the fact that they process already secured codified data and implement many security measures to ensure such codification (including, as established therein, periodic audits, execution of NDAs with employees, requiring monitors not to provide Sponsor with data that may identify the individual, etc.).

Security Breaches

In addition to general GDPR rules applied to this particular context, the Sponsor-Site agreement must establish who notifies the breach and the obligations regarding the coordination and cooperation to defend against the breach.

Participants to the Trial (Trial Subjects)

The Principal Investigator, in accordance with the protocol, is in charge of selecting the participants. The CoC provides for the minimum content under arts. 13 and 14 GDPR that must be provided to participants. Following a layered approach is not advised). The CoC includes an Annex with the minimum information to be provided.


The codification process may be carried out directly by the Principal Investigator or through a trusted third party contracted by the Sponsor (see annexes to the CoC to find contractual wording to be used in these cases). The latter will be external to the clinical trial, and its participation must be limited to coding the identifiable data included in the information to be submitted by the Site, prior to its receipt by the Sponsor.

The codification procedure shall entail robust and solid techniques to ensure (i) that the Sponsor cannot identify the trial subjects, except in exceptional situations, (ii) the elimination of the patient identification chain, and (iii) that all the information referring to the same participant is stored under the same code, in order to obtain a real vision of the evolution of the clinical trial in each patient.

International Data Transfers

The CoC does not provide significant findings in this respect. General GDPR rules apply. However, it does indicate that a non-EU Sponsor must appoint a representative in the EU under art. 27 GDPR. Indirectly, and although it is no surprise, the CoC confirms that Sponsors outside the EU can be subject to GDPR under art. 3.2 GDPR.

Record of Processing Activities (ROPA)

Both the Site (and, where applicable, the Principal Investigator) and the Sponsor shall keep a ROPA in accordance with art. 30 GDPR. To the extent that the processing operations in the context of clinical investigations are similar (i.e. where the data processed and the purposes are similar), a single ROPA may be kept for the common purpose of managing clinical investigations. The Sponsor must clearly establish therein that it receives coded data. A ROPA template is included in the CoC.

Data Retention

As a general rule, the data relating to clinical investigations (i.e. the content of the master file) must be kept by both the Sponsor and the Site (and, if applicable, the Principal Investigator) for a minimum period of 25 years from the end of the clinical investigation. This period may be extended in particular cases (e.g. depending on the applicable law). In addition, in the event that certain data are to be reused for purposes other than clinical research, the applicable retention periods for each purpose must be differentiated. Basic rules on how to keep the data are briefly described in the CoC.

Data Subjects' Rights

Since the Sponsor does not have direct access to the identifying data of trial subjects, it cannot respond to rights requests from participants. However, Sponsors must reply indicating that they hold no data in their records and that data subjects should contact the Principal Investigator. As pointed out below, a response template is provided in the CoC.

Adverse Events

The CoC draws a distinction between (a) adverse events occurring in clinical trials and (b) those occurring in observational studies. In both cases, the Principal Investigator should inform the Sponsor as provided by law and, therefore, the legal basis for these communications is compliance with a legal obligation under art. 6.1(c) GDPR. Specific rules apply where an insurer covers the damage produced.

Compatible Purposes and Secondary Uses

In cases where the re-use of coded data is envisaged for future trials or investigations, parties can do so without the consent of clinical trial subjects, provided that the following requirements are met:

The Principal Investigator and its team members will not have access to the trial subjects’ identification data. For this purpose, coding must be carried out by a third party who is not part of the research team, and the third party must retain the information necessary to re-identify the participants.

All members of the research team must sign a confidentiality agreement (see annexes to the CoC) and agree not to carry out any activity aimed at re-identifying the participants.

The Site shall implement all necessary security measures aimed at preventing the re-identification of trial subjects or access by unauthorized third parties.

Where consent is required, general GDPR rules would apply (although consent could be a bit broader than what it usual under GDPR rules).

Special rules apply in case of great danger to individuals.

Use of Other Data Sources – Real World Evidence

The Sponsor should ensure that the sources of information chosen in the study have mechanisms to guarantee the quality of the information, so that it is reliable, valid and adequate to answer the specific questions to be resolved within the scope of the research.

Finally, the CoC provides for the following annexes including templates with the minimum content to comply with information duties, data processing agreements, and clauses between the different parties to a clinical trial:

Minimum content of the data protection clause within informed consents.

Sponsor-Trusted third party agreement data protection clause.

Sponsor-Site / Principal Investigator agreement data protection clause.

Sponsor-Monitor/auditor agreement data protection clause.

Sponsor-CRO agreement data protection clause for CRO’s services other than monitorisation.

Other services agreement data protection clause.

Records of processing activities template.

Template for Sponsors to reply to data subjects rights exercised to them.

Confidentiality clause for research team.

Next steps

Regarding CROs, it must not be forgotten that being adhered to an approved code of conduct is a way to demonstrate sufficient guarantees as referred in paragraphs 1 and 4 of Arts. 28. GDPR. This could establish a difference between adhered and non-adhered entities.

In addition, the CoC could become a benchmark at the European level. This may even be the first step toward a potential uniform approach to data protection for clinical trials at the EU level. Can you imagine?


Authored by Santiago de Ampuero and Graciela Martín.


This website is operated by Hogan Lovells Solutions Limited, whose registered office is at 21 Holborn Viaduct, London, United Kingdom, EC1A 2DY. Hogan Lovells Solutions Limited is a wholly-owned subsidiary of Hogan Lovells International LLP but is not itself a law firm. For further details of Hogan Lovells Solutions Limited and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2022 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.