At one time or another, any organisation with operations in Europe will have had to navigate the GDPR: the European data protection law which sets some of the highest standards for data privacy worldwide. For clinical trial sponsors, there’s also the European Clinical Trials Regulation (‘CTR’) to contend withalongside international laws governing the life sciences industry.

With all these rules in place, you’d be forgiven for assuming that European clinical trials are a mecca for legislative precision. In fact, while the GDPR and CTR each lay out the law in black and white, they combine to create a substantial grey area. The European Commissioner has published at least three guidance notes on the subject, but no clear consensus exists on how the two laws link together. And this is where the AEPD, Spain’s data protection regulator, comes in.

What’s new?

Earlier this year, Spain’s data protection regulator published a new code of conduct for health research and clinical trials. In partnership with the Spanish pharmaceutical body, Farmaindustria, this code of conduct represents a move to shut down the ambiguity between the CTR and GDPR. The new document asserts a range of decisions that are usually left to the sponsor, such as specifications on lawful bases for processing, activities regarding anonymisation and pseudonymisation, as well as provisions for data subject rights.

Although this code of conduct is only legally binding in Spain, it could provide a blueprint for other European states (or the EU as a whole) to introduce legislation of this kind. And by leading the way, the AEPD is positioning Spain as a desirable location for well-regulated clinical trials.

What does this mean for sponsors?

If you’re a clinical trial sponsor with existing activities in Spain, there’s one more piece of paperwork to complete. For now, the AEPD has not published any translations for the code of conduct, which might be an added consideration if your organisation is in need of language support.

Maybe you don’t conduct any trials in Spain at present, but it’s up for consideration further down the line. If you already have trials in other countries, you might want to ask whether the judgement calls set out in the code of conduct conflict with decisions made at existing sites or if the approach set out by the AEPD is compatible with your existing activities.

How strong are the tides of change?

Unlike some industry regulations, this update from the AEPD does not exist to impose a new standard for data processing in clinical trials—it sets out to clarify existing standards. Whatever way this code of conduct translates to the practical actions for sponsors to take, the two most important questions remain: what does this mean for our research? And what does it mean for our patients? The Spanish code of conduct is the first of its kind, but for clinical sponsors, it is simply a new factor for this familiar equation.

HewardMills has expert knowledge on data protection legislation across sectors, globally. For further details, please contact us at