GDPR – what applies to health care, sponsor (academy / company) and patient?

The purpose of the initiative is to be able to answer questions about who is responsible for personal data for the processing of personal data when conducting clinical studies. The goal is to develop a common assessment model for assessing personal data liability.


How a clinical study is to be conducted is governed by laws, statutes and guidelines. The EU General Data Protection Regulation (GDPR) applies throughout the EU and regulates all personal data processing, including personal data in clinical studies. After the Data Protection Ordinance came into force in May 2018, special attention has been on to how personal data is processed within the framework of clinical studies and how the research data that is to form the basis for analysis and conclusions are handled. The purpose of the initiative is to be able to answer questions about personal data liability and processing of personal data based on different scenario descriptions.

Implementation and goal

The initiative is based on a number of different clinical study scenarios involving different organizations, such as e.g. healthcare principals, and academic or corporate partners. The nodes have jointly developed these scenarios where it is felt that there are ambiguities regarding personal data liability and contractual issues linked to this. Thereafter, the legal issues will be examined and investigated by a lawyer. The data is compiled into an assessment model for personal data responsibility in clinical research and the initiative will result in a method that provides support in the work of deciding which party or parties are responsible for personal data.


The initiative is expected to be completed during Q3 2021.