GDPR Compliance

Trialinx and GDPR in clinical trials

Legal basis, data subject rights, DPA, international transfers, and retention. How GDPR applies to clinical data in European studies.

General Data Protection Regulation (EU 2016/679) · European Union / EEA

What is GDPR

The General Data Protection Regulation (GDPR, EU Regulation 2016/679) is the European regulation on personal data processing. It applies when the controller or processor is in the EU/EEA, when data of EU residents is processed, or when goods/services are offered to EU residents.

In clinical research, clinical data is special category data (Art. 9) that requires a specific legal basis: typically explicit consent, or a public-interest basis in public health or scientific research (Art. 9.2.i/j).

Key obligations for EDCs

Appropriate legal basis

Explicit subject consent or alternative legal basis (scientific research with appropriate safeguards). The chosen basis must be documented.

Data Processing Agreement (DPA)

Art. 28 requires a written contract between controller (sponsor/institution) and processor (Trialinx) with specific obligations.

Data subject rights

Access, rectification, erasure, restriction, portability, and objection. Art. 89 allows research carve-outs from some of these rights where exercising them would seriously impair or prevent the scientific objectives, provided appropriate safeguards are in place.

Security of processing (Art. 32)

Appropriate technical and organizational measures: encryption, pseudonymization, system resilience, restoration processes, and periodic evaluation.

Breach notification

The controller has 72 hours from becoming aware of a breach to notify the AEPD (or the equivalent supervisory authority), and must also notify affected data subjects when the breach is likely to result in a high risk to them (Art. 33-34).

International transfers

Data outside the EEA only with a valid transfer mechanism: adequacy decision, SCCs, binding corporate rules.

Data Protection Impact Assessment (DPIA)

Mandatory for high-risk processing, including large-scale health data (Art. 35).

How Trialinx meets it

  • Signable DPA available across all paid plans
  • EU data residency on the Institutional plan (Art. 44)
  • AES-256 at rest and TLS 1.2+ in transit (Art. 32)
  • Audit trail supporting access and rectification rights
  • Export and deletion tools for portability and erasure
  • Documented ≤72h breach notification (Art. 33)
  • DPIA-ready documentation under NDA for Institutional customers
  • Internal RoPA (Record of Processing Activities) kept up-to-date

Shared responsibility

Under GDPR, Trialinx acts as processor. The sponsor / institution acts as controller. This means:

  • The controller determines legal basis and purpose
  • The controller obtains consent or justifies alternative basis
  • The controller conducts a DPIA where required
  • The controller appoints (or justifies not needing) a DPO
  • Trialinx processes data only under documented instructions (DPA)
  • Trialinx notifies the controller without undue delay in case of breach
  • Trialinx assists the controller with data subject rights and DPIAs on request

Frequently asked questions

Do I need explicit subject consent to use Trialinx?

You need a legal basis to process their data. In clinical research it's typically explicit consent, or a public-interest / scientific research basis with appropriate safeguards (Art. 9.2.i/j). Trialinx doesn't determine the legal basis; you do, as the controller.

Does data stay in the EU?

By default data may be served from global infrastructure. Institutional customers get EU-only residency. International transfers are covered by SCCs.

How do I exercise right to erasure?

The controller requests erasure via the dashboard or by writing to privacy@trialinx.com. Trialinx marks the data as deleted within 24 hours and purges it from live systems within 30 days. Backups rotate per the retention policy.

What about pseudonymized research data?

Pseudonymization (replacing identifiers with codes) reduces risk but doesn't take the data out of GDPR's scope: it remains personal data as long as the controller can still re-identify the subjects. Trialinx supports storing minimal-identifier data and keeping the re-identification keys separately from it.

Need the package for your ethics committee or DPO?

Contact us and we'll send all the documentation your ethics committee or data protection officer needs.
