About this guide

Clinical trials often take place on a cross-border basis, involving sites in a number of different jurisdictions. However, experience shows that it can be difficult to understand and manage the privacy requirements for cross-border trials. In a large part, this is due to differences in local law and interpretation relating to the interplay between privacy laws and clinical trials. This is the case even within the EU: although the GDPR is directly applicable in all member states, there are often differences in the way these countries, and their national privacy and medicines regulators, interpret and apply the Regulation to the context of clinical trials.   

This Guide – created by privacy professionals from our global Life Sciences sector team – covers privacy requirements in 25 jurisdictions and provides useful guidance for industry. 

It offers an overview of the main privacy-related issues arising within clinical trials and answers questions pertaining to: 

  • Extraterritorial applicability of legislation.
  • Legal ground for processing personal data in conducting clinical trials and performing pharmacovigilance activities.
  • Privacy role of the stakeholders involved.
  • Key-coded clinical trial data.
  • Secondary use.
  • International transfer of personal data. 

Our Life Sciences practice

The challenges facing today's biotechnology and medical device companies are greater than ever. For companies to take promising therapies from the laboratory to the market, they must protect those therapies from IP, regulatory and reputational risks. Furthermore, the last few years have seen increasing pressure from many sides: demand for greater shareholder return, loss of key revenue streams due to patent expiration or generic challenges, fierce competition in key therapeutic areas, pricing pressures from health care payors, increased government regulation beyond core safety issues, rising costs of R&D, challenges in maximizing return in emerging markets and aggressive government enforcement action.

Our life sciences sector team is one of the largest and most active of any law firm. DLA Piper’s team includes award-winning lawyers practicing litigation, compliance and investigations, IP strategy and enforcement, M&A, licensing and distribution and clinical trial advice. They also support clients across all other areas needed to address risk, including government affairs, environmental law, import/export, tax, real estate and employment law. Many of our lawyers are former sector professionals, many have PhDs or other advanced degrees in the life sciences field and others are former government officials or prosecutors.

About DLA Piper 

DLA Piper is a global law firm with lawyers located in more than 40 countries throughout the Americas, Europe, the Middle East, Africa and Asia Pacific, positioning us to help clients with their legal needs around the world.




Office locations


Lawyers ranked as leaders in their field

Some of the terms used in the country insights are explained below:


Anonymization means the processing of personal data in such a manner that the personal data cannot irreversibly be attributed to a specific individual. Anonymized data is no longer considered personal data under the GDPR and other data privacy laws covered by this Guide

Encrypted participant data

Encrypted participant data means that in order to protect data participant’s data confidentiality, his/her is translated into another form or code, so that this data can be red only by people with access to a secret decryption key. 

Key-coded clinical trial data

Key-coded clinical trial data is data where the identity of the individual clinical trial participant is replaced with a unique subject identification code, and the ‘key’ which can be used to re-identify the participant is held by the Principal Investigator.


Pharmacovigilance means the activities relating to the detection, assessment, understanding and prevention of adverse effects or any other medicine-related problem.  


Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual. Pseudonymized data is still considered personal data under the GDPR and other data privacy laws covered by this Guide.