Clinical Trials Information System: it becomes mandatory for new clinical trial applications in the EU

23 Febbraio 2023

From 31 January 2023, all initial clinical trial applications in the European Union (“EU”) must be submitted via the Clinical Trials Information System. The latter is now the single-entry point for sponsors and regulators of clinical trials for the submission and assessment of clinical trial data.

Clinical Trials Regulation: aims and benefits

On 31 January 2022, the European Regulation No. 536/2014 on clinical trials on medicinal products for human use (the “Clinical Trials Regulation”) came into force, replacing the former Directive 2001/20/EC (“Directive”) and the corresponding national transposing legislation.

The Clinical Trials Regulation provided for a transition period:

  • during the first year of implementation and until 30 January 2023, clinical trial sponsors could choose whether to apply to start a clinical trial via the CTIS or under the Directive;
  • from 31 January 2023 onwards, clinical trial sponsors are required to apply to start a clinical trial via the Clinical trials Information System (“CTIS”);
  • from 31 January 2025, any trials approved under the Directive that continue to running will need to comply with the Clinical Trials Regulation and their sponsors must have recorded the related information in the CTIS.

The Clinical Trials Regulation aims to harmonise the processes of assessing and supervising clinical trials throughout the EU in order to facilitate the conduct of larger clinical trials in multiple EU Member States/European Economic Area (“EEA”) countries and it aims to ensure that the EU provides an attractive and favorable environment for carrying out clinical research on a large scale, with high standards of public transparency and safety for clinical trial participants.

Prior to the implementation of the Clinical Trials Regulation, sponsors had to submit separate clinical trial applications to national competent authorities and ethics committees in each country in order to obtain regulatory approval to conduct a clinical trial. Furthermore, registration and the posting of results of the clinical trials were subject to separate processes.

With the implementation of the Clinical Trials Regulation – in order to obtain the approval to run a clinical trial in several European countries – sponsors can now submit one online application via the CTIS, This makes it more efficient both to carry out multinational trials and for EU Member States to evaluate and authorise such applications together.

However, running a clinical trial involves the processing of personal data and, therefore, beside the Clinical Trials Regulation, also the General Data Protection Regulation (EU) 679/2016 (“GDPR”) shall apply. It should be noted that the Clinical Trials Regulation constitutes the sector-specific legislation with special provisions under a data protection perspective which, however, do not derogate from the provisions of the GDPR.

Moreover, considering that personal data are also processed by the Union institutions, bodies, offices and agencies, also Regulation (EU) 2018/1725 (s.c. European Data Protection Regulation, hereinafter “EUDPR”) shall apply.

CTIS and personal data issues

In the context of a clinical trial (including the authorisation and supervision process), different actors may need to register personal data into CTIS, including sponsors, marketing authorisation applicants or holders, the European Commission, European Medicine Agency (“EMA”), EU Member States and EEA countries (the “Parties”).

In general terms, CTIS is a system that facilitate the exchange of information between the Parties, and specifically, throughout the lifecycle of a clinical trial, the interactions between clinical trial sponsors (researchers or companies that run a clinical trial and collect and analyse the data) and regulatory authorities in EU Member States and EEA countries.

Therefore, CTIS is structured as follows:

  • the sponsor’s workspace, which assists them with preparing and completing the clinical trial application and related documents to be submitted for evaluation;
  • the authority’s workspace, which enables EU Member States, EEA countries and the European Commission to use CTIS to oversee the conduct of clinical trials in the EU/EEA;
  • a search function within the public website, which anybody can use to find detailed information on clinical trials conducted in the EU and EEA based on the information contained in CTIS.

Considering the involvement of the different Parties in clinical trials, the protection of personal data in CTIS is a joint responsibility. Therefore each Party is responsible for ensuring that personal data are processed according to the principles of the GDPR and EUDPR.

In this regard, following consultation by EMA, the European Data Protection Supervisor (“EDPS”) confirmed[1] that, pursuant to Article 26 of the GDPR and Article 28 of the EUDPR, the Parties need to be qualified as “joint controllers” of the CTIS.

In order to comply with the obligations set forth by Article 26 of the GDPR, the EMA and the representatives of the Parties were engaged in drafting a Joint Controller Agreement (“JCA”) which sets out the roles and responsibilities of the joint controllers in relation to the processing of personal data while using and interacting with CTIS. Moreover, the JCA sets out the measures that the Parties shall put in place in order to ensure the secure processing of personal data in CTIS and covers how the Parties must handle any personal data breaches.

Considering that JCA needs to be accepted by all joint controllers, it should be noted that, when accessing the CTIS for the first time, each user is required to confirm acceptance of the terms set out in the JCA.

The JCA also includes two annexes:

  • “Annex I” provides a list of contact points for cooperation between the different Parties subject to the CTIS JCA and having access to the CTIS secure domain as applicable, and for data subjects in respect of queries, complaints and provision of information within the scope of the JCA;
  • “Annex II” thereof provides a privacy notice regarding personal data processing in the CTIS.

Finally, it is important to note that each of the joint controller can act as an independent controller for the processing activities that can be performed without the cooperation of the other Parties (e.g. sponsors are independent data controllers in relation to data processing activities performed outside of CTIS and carried out within their organisation, whether related to clinical trials or not).

Privacy roles of the sponsor and the clinical trial centre

As clarified above, in any clinical trial there are multiple actors involved, each with their own scope of activities and specific responsibilities. However, while the role of the Parties within the CTIS is well defined, in the context of conducting clinical trials, neither the GDPR nor the Clinical Trials Regulation have brought clarity to the privacy roles of the subjects involved therein.

In this paper, the privacy roles of the sponsor and the trial centre will be examined in more detail.

The EDPB’s Guidelines 07/2020 on the concepts of controller and processor in the GDPR (“EDPB’s Guidelines”), throughout a specific example[2], consider that the trial centre and the sponsor, which have to draft together the study protocol, should be qualified, pursuant to Article 26 of the GDPR, as joint-controller, as they jointly determine and agree on the same purpose and the essential means of the processing.

On the contrary, in the event that the trial centre does not participate to the drafting of the protocol (it only accepts the protocol already elaborated by the sponsor), and the protocol is only designed by the sponsor, the trial centre should be considered as a processor and the sponsor as the controller for such trial.

Instead, at the national level, the “Guidelines for the Processing of Personal Data in the Context of Clinical Trials of Medicines - July 24, 2008” (“Guidelines”) published by the Italian Data Protection Authority (“Italian DPA”) provide that, trial centres and sponsor have separate responsibilities in the context of clinical trials and are, therefore, to be qualified as autonomous data controllers.

In fact:

  • on the one hand, the sponsor (i) does not collect data directly, (ii) does not interact with “enrolled” subjects, and (iii) carries out processing operations through its monitors;
  • on the other hand, the trial centre (i) is not subjected to any subordination, (ii) accepts the sponsor’s protocol by agreeing with the latter on certain aspects, (iii) performs the trial in organizational autonomy although in compliance with the protocol, (iv) provides the privacy notice, (v) independently decides to employ collaborators that it deems qualified and is accountable for their performance, (vi) allows the sponsor’s collaborators access to the original medical records of the subjects involved in the trial in order to carry out the monitoring activities, and (vii) manages and keeps such records under its own responsibility.

In view of the above, it follows that the trial centre and the sponsors should, for the reasons outlined by the Italian DPA, be considered as two autonomous data controllers regardless of whether or not they have jointly drafted the trial protocol.


The joint-controllership’s approach (which is common especially in other European countries) should not be deemed as the suitable solution applicable aprioristically to all clinical trials without any distinction. This is due to the circumstance that data controllers shall comply, pursuant to Articles 5(2) and 24 of the GDPR. In this specific case, the Accountability principle should require the parties to carry out a specific assessment, supported by documentation, of their privacy roles, taking into account the flow of personal data in the context of clinical trials.

In particular, it should be noted that "joint-controllers" jointly determine the purposes and means of processing. In the context of clinical trials, however, the purposes pursued by the clinical trial centre (i.e., patient care purposes) and the sponsor (i.e., scientific research purposes) are substantially different, even if they share a protocol.

Finally, it is worth noting that while the Guidelines are still applicable, they are dated, and new EDPB guidelines, updated in light of the provisions of the Clinical Trials Regulation, are expected.

[1] See EDPS Case Number C 2018-0642.

[2] The example mentions the case in which a health care provider (the investigator) and a university (the sponsor) decide to launch together a clinical trial with the same purpose. They collaborate together to the drafting of the study protocol (i.e. purpose, methodology/design of the study, data to be collected, subject exclusion/inclusion criteria, database reuse (where relevant) etc.

2024 - Morri Rossetti

I contenuti pubblicati nel presente sito sono protetti da diritto di autore, in base alle disposizioni nazionali e delle convenzioni internazionali, e sono di titolarità esclusiva di Morri Rossetti e Associati.
È vietato utilizzare qualsiasi tipo di tecnica di web scraping, estrazione di dati o qualsiasi altro mezzo automatizzato per raccogliere informazioni da questo sito senza il nostro esplicito consenso scritto.
Ogni comunicazione e diffusione al pubblico e ogni riproduzione parziale o integrale, se non effettuata a scopo meramente personale, dei contenuti presenti nel sito richiede la preventiva autorizzazione di Morri Rossetti e Associati.