Aurelyn AI Clinical emblem
AURELYN AI CLINICAL Quality & Compliance
SOP PRI-002 Ver 1.0 Status Effective
Download Word (.docx)
Standard Operating Procedure

GDPR Compliance for Clinical Trials

Governs the identification, protection, and lawful processing of personal data — including special category health data — throughout the clinical trial lifecycle, in alignment with FDA and EMA regulatory frameworks and Aurelyn Trial | OS™ platform operations.

SOP Number
PRI-002
Version
1.0
Effective Date
15-Jul-2026
Review Cycle
Annual
Supersedes
New Document
Process Owner
Data Protection Lead
Approved By
CEO / Chief AI & Innovation Officer
Classification
Controlled Document

1. Purpose

Learning & Application Objectives

  • Understand how the General Data Protection Regulation (EU) 2016/679 ("GDPR") applies to clinical trial personal data.
  • Apply the correct GDPR legal basis when designing protocols, consent materials, and data flows.

 

  • Analyze cross-border data transfer and vendor arrangements for GDPR adequacy.
  • Evaluate & Respond to data subject requests, breaches, and audit findings in a compliant, timely manner.

This Standard Operating Procedure ("SOP") establishes the mandatory requirements and step-by-step procedure for ensuring compliance with the GDPR whenever Aurelyn AI Clinical, its sponsor clients, contracted Clinical Research Organizations ("CROs"), investigator sites, or the Aurelyn Trial | OS™ platform and Aurelyn Clinical Engines™ (Cohort Intelligence™, Adaptive Dose™, Safety Sentinel™, Clinical Evidence™, eTMF Intelligence™) process personal data of clinical trial data subjects. It defines how GDPR obligations are harmonized with FDA (US) and EMA (EU) clinical research regulations so that a single, integrated control framework governs trial data regardless of the jurisdiction in which it is collected, processed, transferred, or archived.

Why this matters

GDPR non-compliance carries administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher (Art. 83(5)), in addition to trial delays, CTIS submission rejection, and reputational harm. Privacy failures can also compromise data integrity relied upon by FDA and EMA for marketing authorization decisions.

2. Scope

2.1 Applies To

  • All Aurelyn AI Clinical employees, contractors, and platform administrators.
  • Sponsor clients and their designated Clinical Project Managers using Aurelyn Trial | OS™.
  • Contracted CROs, central/local laboratories, IRT/RTSM providers, eTMF and safety-database vendors acting as data processors or sub-processors.
  • Investigator sites, Principal Investigators, and site personnel entering or accessing trial participant data.
  • All trial phases (I–IV), interventional and observational designs, and Investigator-Initiated Studies conducted in whole or in part in the EU/EEA, or otherwise processing personal data of data subjects located in the EU/EEA — including trials whose lawful basis, consent, or safety data must additionally satisfy FDA requirements.

2.2 Data In Scope

  • Direct and indirect identifiers (name, initials, date of birth, contact details, national ID, randomization-linked codes where re-identification is possible).
  • Special category data under Art. 9 GDPR: health data, genetic data, biometric data, and — where collected — data revealing racial/ethnic origin.
  • Source documents, electronic case report form (eCRF) data, informed consent records, adverse event (AE/SAE/SUSAR) reports, biological-sample-linked data, images, and eTMF artifacts containing personal data of participants, investigators, or monitors.

2.3 Out of Scope

Fully anonymized, irreversibly de-identified aggregate data that can no longer be attributed to an identifiable natural person (Recital 26 GDPR) falls outside the scope of this SOP once anonymization is validated and documented. Non-EU/EEA data subject data that is not otherwise subject to GDPR's extraterritorial scope under Art. 3 is governed by applicable local/federal frameworks and cross-referenced FDA requirements only.

3. Responsibilities

A summary RACI (Responsible / Accountable / Consulted / Informed) overview is provided below; the full matrix by activity is provided in Appendix A.

RolePrimary Accountability
CEO / Chief AI & Innovation OfficerUltimate accountability for the data protection governance framework and resourcing; approves this SOP.
Data Protection Lead (DPO function)Day-to-day GDPR compliance oversight, DPIA review, breach coordination, supervisory authority liaison, and advice on Art. 6/9 legal basis.
Clinical Project ManagerEmbeds GDPR requirements into protocol, monitoring plan, and vendor selection; maintains study-level Record of Processing Activities (ROPA) entry.
Principal Investigator / Site StaffObtains and documents informed consent, safeguards source data, restricts access to authorized personnel, reports suspected breaches within 24 hours.
CRO / Vendor (Data Processor)Processes data only per written instructions and Data Processing Agreement (Art. 28); implements technical/organizational measures; supports subject rights requests.
Aurelyn Trial | OS™ Engineering & SecurityImplements privacy-by-design controls, encryption, access management, audit logging, and AI governance controls for Clinical Engines™.
QA / ComplianceAudits adherence to this SOP, tracks CAPAs, and maintains inspection readiness.
Regulatory AffairsCoordinates GDPR-consistent content for CTIS submissions, protocol Section per ICH M11, and cross-border safety reporting.

4. Definitions & Abbreviations

4.1 Key Definitions

TermDefinition
Personal DataAny information relating to an identified or identifiable natural person ("data subject"); includes pseudonymized data capable of re-identification (Art. 4(1)).
Special Category DataHealth, genetic, biometric, and related sensitive data subject to heightened protection under Art. 9; nearly all clinical trial data falls into this category.
Data ControllerThe entity determining the purposes and means of processing — typically the trial Sponsor (Art. 4(7)).
Data ProcessorAn entity processing data on the Controller's behalf and instructions — e.g., a CRO, eTMF vendor, or the Aurelyn Trial | OS™ platform (Art. 4(8)).
PseudonymizationProcessing personal data so it can no longer be attributed to a specific subject without additional, separately held information (Art. 4(5)) — e.g., subject ID codes.
DPIAData Protection Impact Assessment — a structured risk assessment required for high-risk processing (Art. 35).
SCCsStandard Contractual Clauses — the European Commission's approved transfer mechanism for international data transfers (2021 modular version).
Supervisory AuthorityThe national Data Protection Authority (DPA) with jurisdiction over the controller/processor (e.g., CNIL, BfDI, Garante, Irish DPC).

4.2 Abbreviations

AbbreviationMeaningAbbreviationMeaning
GDPRGeneral Data Protection Regulation (EU) 2016/679CTISClinical Trials Information System
DPOData Protection OfficerTMF / eTMF(electronic) Trial Master File
DPIAData Protection Impact AssessmentSAE / SUSARSerious Adverse Event / Suspected Unexpected Serious Adverse Reaction
DPAData Processing Agreement (or, contextually, Data Protection Authority)IRB / ECInstitutional Review Board / Ethics Committee
ROPARecord of Processing ActivitiesICHInternational Council for Harmonisation
CeSHarPClinical electronic Structured Harmonised Protocol (ICH M11)EMAEuropean Medicines Agency
EDPBEuropean Data Protection BoardFDAUS Food and Drug Administration
SCCStandard Contractual ClausesCTRClinical Trials Regulation (EU) No 536/2014

5. Regulatory & Guidance Framework

This SOP is designed to satisfy GDPR obligations concurrently with the following FDA (US) and EMA (EU) authorities and guidances. Where requirements diverge, personnel must apply the more stringent standard unless a documented, risk-based justification states otherwise.

🇺🇸 FDA (US)
  • 21 CFR 312Investigational New Drug ApplicationIND submission, sponsor obligations, and safety reporting requirements.
  • 21 CFR 50Protection of Human SubjectsInformed consent elements — distinct from, and layered atop, GDPR transparency notices.
  • 21 CFR 54Financial Disclosure by Clinical InvestigatorsInvestigator financial interest data — treated as personal data of the investigator under GDPR.
  • 21 CFR 11Electronic Records; Electronic SignaturesAudit trail, access control, and integrity controls that reinforce GDPR Art. 32 security obligations.
  • ICH E6(R3)Good Clinical PracticeQuality management, data governance, and risk-based oversight expectations.
  • ICH M11CeSHarPStructured digital protocol template — data privacy section must reflect GDPR notices & data flows.
🇪🇺 EMA (EU)
  • CTR 536/2014EU Clinical Trials RegulationHarmonized EU trial authorization; Art. 93–99 govern personal data processing.
  • CTISClinical Trials Information SystemCentral EU portal; public layer must be scrubbed of participant/investigator personal data.
  • EudraLex Vol.10Clinical Trials GuidelinesImplementing guidance for CTR, including transparency & data protection annexes.
  • ICH E6(R3)Good Clinical PracticeEU-adopted GCP standard, cross-referenced with FDA implementation.
  • GDPR Art. 9Special Category (Health) DataCore legal basis provision governing clinical trial data processing.
  • ICH M11CeSHarPJointly adopted structured protocol template (see 7.14).
Additional Applicable Guidance

This framework is supplemented, as applicable, by: EDPB Guidelines (e.g., 03/2020 on health data for scientific research), national implementing data protection laws of relevant EU/EEA Member States, the EU-U.S. Data Privacy Framework and other Commission adequacy decisions, ISO 14155 (medical device trials), CDISC standards, and Aurelyn AI Clinical's internal Data Privacy & Protection Policy (SOP PRI-001).

6. Policy Statement

Aurelyn AI Clinical requires that all processing of clinical trial personal data — whether performed directly, through the Aurelyn Trial | OS™ platform, or by contracted third parties — adhere at all times to the seven principles of Art. 5 GDPR:

01
Lawfulness, Fairness & Transparency
02
Purpose Limitation
03
Data Minimization
04
Accuracy
05
Storage Limitation
06
Integrity & Confidentiality
07
Accountability
+
Privacy by Design & Default (Art. 25)

No process, protocol, technology (including AI-assisted features of Aurelyn Clinical Engines™), or vendor arrangement may be implemented that conflicts with these principles or with applicable FDA/EMA obligations. Exceptions require documented, DPO-approved risk acceptance.

7. Procedure

The following sub-procedures must be followed sequentially at study start-up and revisited at each protocol amendment, new vendor engagement, or material change to data flows.

7.1 Determine Roles & Applicability

At protocol concept stage, the Clinical Project Manager, with DPO support, must document each party's GDPR role:

  • Sponsor — ordinarily sole or joint Controller, determining trial purpose and design.
  • Investigator Site — typically an independent Controller for source data collection and consent, or joint Controller with the Sponsor depending on Member State interpretation; confirm per-country legal analysis.
  • CRO / eTMF / IRT / Safety Database Vendors, and the Aurelyn Trial | OS™ platformProcessors, acting only on documented Sponsor instructions.

The determination is recorded in the study-level ROPA entry (Section 8) and drives which downstream controls (consent language, DPAs, transfer mechanisms) apply.

7.2 Establish the Legal Basis for Processing

Two layers of legal basis are required for special category clinical trial data — a general processing basis (Art. 6) and a special category basis (Art. 9):

LayerPreferred BasisApplication Note
Art. 6(1) — GeneralArt. 6(1)(e) Public interest task, or Art. 6(1)(f) Legitimate interestPreferred over consent to avoid conflicts if a participant later withdraws consent to participate while previously collected data must be retained for scientific/regulatory integrity.
Art. 9(2) — Special CategoryArt. 9(2)(j) Scientific research (with Art. 89(1) safeguards), or Art. 9(2)(i) Public healthMember State law may additionally require an Art. 9(2)(a) explicit consent layer — confirm local requirement before finalizing consent documents.
Common Pitfall

Do not rely on GDPR Art. 6(1)(a)/9(2)(a) consent as the sole lawful basis for research data processing. Because withdrawal of GDPR consent must, by default, be as easy as giving it and can trigger erasure obligations, relying on consent alone is operationally incompatible with the data integrity requirements of ICH E6(R3) and 21 CFR Part 312. Informed consent under 21 CFR Part 50 / ICH E6(R3) remains mandatory for study participation but is a separate instrument from the GDPR legal basis for data processing.

7.3 Privacy by Design and by Default (Art. 25)

  • Pseudonymize participant identity at first point of capture using subject ID codes; the re-identification key is held only by the investigator site under restricted access.
  • Apply role-based access control (RBAC) within Aurelyn Trial | OS™ so users see only the minimum data set needed for their function.
  • Design eCRFs and Clinical Engines™ inputs to exclude direct identifiers wherever indirect/coded identifiers suffice.
  • Default all new platform modules to the most privacy-protective configuration; explicit administrator action is required to broaden access or retention.

7.4 Conduct a Data Protection Impact Assessment (Art. 35)

A DPIA is mandatory before processing begins whenever any trigger in Appendix B is met — this includes, by default, essentially all interventional trials processing special category health data at scale, and any use of AI-assisted features (Cohort Intelligence™, Adaptive Dose™, Safety Sentinel™) that produce automated outputs influencing participant management. The DPIA is drafted by the Clinical Project Manager, reviewed and approved by the DPO, and — where residual risk remains high after mitigation — submitted for prior consultation with the competent Supervisory Authority (Art. 36).

7.5 Consent Forms & Transparency Notices

Maintain two distinct documents, cross-referenced but not merged:

Informed Consent Form

21 CFR 50 / ICH E6(R3) — participation, risks, benefits, voluntariness.

+
GDPR Privacy / Transparency Notice

Art. 13/14 — identity of controller, purposes, legal basis, retention, transfers, rights.

Combined Participant Pack

Delivered together at consent visit; each retained as a distinct, IRB/EC and DPO-approved artifact.

Per Recital 33 and Art. 17(3)(d), withdrawal of participation does not require erasure of data already lawfully collected where retention is necessary for scientific research or archiving purposes with Art. 89(1) safeguards; the transparency notice must state this explicitly to avoid participant misunderstanding.

7.6 Managing Data Subject Rights

Right (GDPR Article)Trial-Context ApplicationLimitation
Access (Art. 15)Participant may request confirmation of processing and a copy of their personal data.May be restricted where disclosure would unblind treatment allocation (coordinate with DPO/PI before response).
Rectification (Art. 16)Correction of inaccurate personal data.Corrections to locked eCRF data must go through formal query/audit-trail process, not silent edit.
Erasure (Art. 17)"Right to be forgotten."Does not apply where processing is necessary for compliance with a legal obligation or for archiving/scientific research purposes (Art. 17(3)(b),(d)).
Restriction (Art. 18)Temporary restriction pending accuracy dispute resolution.Must not compromise ongoing safety monitoring obligations.
Objection (Art. 21)Objection to processing based on Art. 6(1)(e)/(f).May be overridden by compelling legitimate grounds or necessity for public interest research (Art. 21(6)).
Portability (Art. 20)Generally inapplicable — trial data is not processed on the basis of consent/contract in a way that triggers this right.N/A in most trial contexts; confirm case-by-case with DPO.
Blinded Study Requirement

All data subject rights requests must be routed to the DPO and Principal Investigator before any response is issued. No site or vendor staff may unblind treatment assignment to fulfil a rights request; where unblinding would be required, apply the emergency unblinding procedure and document DPO sign-off.

Response timeline: Requests must be acknowledged within 5 business days and substantively resolved within 1 calendar month of receipt (extendable by two further months for complex requests, with the data subject informed of the extension within the first month) (Art. 12(3)).

7.7 International Data Transfers (Chapter V)

Any transfer of personal data outside the EU/EEA — including to Aurelyn AI Clinical's US infrastructure, a US-based Sponsor, or FDA submission packages — requires a documented lawful transfer mechanism before data leaves the EU/EEA.

Step 1
Adequacy Decision?

Check the European Commission's current adequacy list (including the EU–U.S. Data Privacy Framework for certified US recipients).

Step 2
Standard Contractual Clauses

If no adequacy decision applies, execute the 2021 modular SCCs matching the Controller/Processor configuration.

Step 3
Transfer Impact Assessment

Conduct a Transfer Risk Assessment (post-Schrems II) evaluating destination-country law and supplementary measures (encryption, pseudonymization).

Step 4
Art. 49 Derogation

Reserved for exceptional, non-repetitive transfers (e.g., explicit consent, important public-interest reasons for a specific clinical research need).

See Appendix D for the full decision tree used at protocol start-up and vendor onboarding.

7.8 Data Processing Agreements (Art. 28)

A written Data Processing Agreement ("DPA") is mandatory with every processor and sub-processor before any personal data is shared, including CROs, central/local laboratories, IRT/RTSM vendors, safety database providers, translation vendors, and the Aurelyn Trial | OS™ hosting infrastructure. At minimum, each DPA must specify:

  • Subject matter, duration, nature and purpose of processing, and categories of data/data subjects.
  • Obligation to process only on documented Controller instructions (Art. 28(3)(a)).
  • Confidentiality commitments for authorized personnel.
  • Technical and organizational security measures (Art. 32).
  • Sub-processor authorization mechanism (general or specific written authorization).
  • Assistance obligations for data subject rights, DPIAs, and breach notification.
  • Return/deletion of data at end of engagement, subject to regulatory retention overrides.
  • Audit rights for the Controller/DPO.

7.9 Security of Processing (Art. 32)

Technical and organizational measures implemented across the Aurelyn Trial | OS™ platform and required of all processors include:

AES-256
Encryption at rest for all personal & special category data
TLS 1.2+
Encryption in transit
RBAC
Role-based, least-privilege access control
21 CFR 11
Aligned audit trail & e-signature integrity

Security measures are periodically tested (penetration testing, access reviews, business continuity/disaster recovery exercises) and documented for both GDPR Art. 32 and 21 CFR Part 11 audit trail requirements simultaneously.

7.10 Personal Data Breach Management (Art. 33–34)

Any suspected or confirmed personal data breach must be reported immediately to the DPO via the incident channel; the timeline below governs the response.

0h
Detection

Site/vendor/platform detects and reports suspected breach to DPO.

24h
Triage

DPO & Security triage scope, cause, and affected data categories/subjects.

72h
Authority Notice

Notify competent Supervisory Authority unless risk to rights/freedoms is unlikely (Art. 33).

HR
Subject Notice

Notify affected data subjects "without undue delay" if the breach is likely to result in a high risk (Art. 34).

SeverityCriteriaAction
LowEncrypted/pseudonymized data, low re-identification risk, no rights impact.Log internally; DPO review; no external notification required.
ModerateUnencrypted personal data exposed, limited scope, contained quickly.Supervisory Authority notification within 72 hours; internal CAPA opened.
HighSpecial category health data exposed at scale, or re-identification risk is significant.Supervisory Authority + data subject notification; Sponsor/IRB notified; CAPA + root-cause analysis mandatory.

7.11 Records of Processing Activities (Art. 30)

The DPO maintains a central ROPA covering every study and platform processing activity, including: purposes of processing, categories of data subjects and data, recipients (including third-country recipients), transfer safeguards, retention periods, and a general description of security measures. The ROPA is updated at study start-up, protocol amendment, and vendor change, and is reviewed at minimum annually.

7.12 Data Retention & Destruction

GDPR's storage limitation principle (Art. 5(1)(e)) permits extended retention where data is processed for archiving in the public interest or scientific research purposes, subject to Art. 89(1) safeguards (pseudonymization, access restriction). This allows trial data to be retained per the longer of applicable regulatory retention periods (see Appendix C) without conflicting with GDPR, provided the retention schedule is documented and enforced. Destruction/anonymization at end of retention must be logged and, where technically irreversible anonymization is used, validated before the record is considered fully out of GDPR scope.

7.13 EU Clinical Trials Regulation 536/2014 & CTIS Submission

  • Lay summaries and protocol content submitted to CTIS must be reviewed by the DPO to confirm no direct participant identifiers appear in the public layer.
  • Investigator and Sponsor contact personal data published via CTIS transparency rules is processed under a distinct legal basis (public task/legitimate interest for regulatory transparency) documented separately in the ROPA.
  • EudraLex Volume 10 guidance on data protection and CTIS user manuals must be consulted for country-specific deferral/redaction requests (e.g., delayed publication) where applicable.

7.14 ICH M11 CeSHarP Protocol Template Alignment

Where a protocol is authored using the ICH M11 Clinical electronic Structured Harmonised Protocol template, the data protection / privacy section must reference: the applicable Art. 6/9 legal basis, categories of data collected, the GDPR transparency notice, and a summary data flow diagram (see Appendix D pattern) consistent with the sections above, ensuring a single source of truth between the protocol and the participant-facing consent pack.

7.15 AI & Aurelyn Clinical Engines™ Governance

Where Cohort Intelligence™, Adaptive Dose™, Safety Sentinel™, Clinical Evidence™, or eTMF Intelligence™ process personal data — including for model-assisted analysis, cohort selection, or dose recommendations — the following additional controls apply:

  • A DPIA is mandatory before go-live for any AI feature that produces an output materially influencing decisions about a participant (Art. 22 automated decision-making considerations).
  • Personal data is pseudonymized by default before being processed by any AI/ML component; direct identifiers are excluded from model inputs unless a documented, DPO-approved exception exists.
  • Human oversight is maintained — no fully automated decision producing legal or similarly significant effects on a participant is permitted without meaningful human review.
  • Personal data is not used to train or fine-tune AI models beyond the specific study for which lawful basis was established, absent a separate, documented legal basis.

7.16 Cross-Border Safety Reporting

SUSAR and expedited safety reports transmitted to EMA/national authorities and to FDA (IND Safety Reports) under ICH E2A and CIOMS/E2B(R3) formats must minimize personal data — using case identifiers rather than direct identifiers — while retaining sufficient traceability for causality assessment. Cross-border transmission of safety data follows the transfer mechanisms in Section 7.7.

7.17 Training & Awareness

All personnel with access to trial personal data must complete GDPR and this SOP's training module prior to data access, with refresher training at each annual review cycle or upon material regulatory change. Completion is logged in the training record referenced in Section 8.

7.18 Deviations & CAPA

Any deviation from this SOP is documented, risk-assessed by the DPO/QA, and — where warranted — escalated into the Corrective and Preventive Action (CAPA) process. Recurring or systemic deviations trigger a root-cause review and, where required, DPIA re-assessment.

8. Documentation & Records

RecordOwnerRetention
Record of Processing Activities (ROPA)Data Protection LeadLife of study + regulatory retention period
DPIA reportsData Protection Lead / CPMLife of study + regulatory retention period
Data Processing Agreements & SCCsLegal / Vendor ManagementDuration of engagement + 6 years
Breach log & notificationsData Protection LeadMinimum 5 years from closure
Consent forms & transparency notices (executed)Site / eTMFPer Appendix C retention schedule
Training completion recordsQA / ComplianceDuration of employment/engagement + 3 years

10. Appendices

Appendix A — RACI Matrix

ActivitySponsor / CEODPOCPMPI / SiteCRO / VendorEngineering
Legal basis determinationARCIII
DPIA authoring & approvalIARCCC
Consent / notice draftingICRAII
DPA / SCC executionARCIRI
Breach detection & escalationIACRRR
Authority / subject notificationCARIIII
Platform security controls (Art. 32)ICIICAR
Data subject rights responseIARCCC
Legend

R = Responsible · A = Accountable · C = Consulted · I = Informed

Appendix B — DPIA Screening Checklist

TriggerApplies?
Large-scale processing of special category (health/genetic) dataScreen
Systematic monitoring of data subjects (e.g., wearables, continuous safety monitoring)Screen
Use of AI/automated processing producing outputs affecting participant management (Cohort Intelligence™, Adaptive Dose™)Mandatory DPIA
Cross-border transfer to a country without an adequacy decisionScreen
Novel technology or processing method not previously assessedScreen
Combination/matching of datasets from different sourcesScreen

Two or more "Screen" triggers, or any "Mandatory DPIA" trigger, requires full DPIA completion before processing begins.

Appendix C — Data Retention Schedule

Record TypeMinimum RetentionBasis
Trial Master File / eTMF (source data, consent forms, CRFs)25 years post-trial completion (or per national law/Sponsor requirement, whichever longer)ICH E6(R3); EU CTR 536/2014 Art. 58; national implementing law
IND-related records (US trials)2 years after marketing application approval, or if not approved, 2 years after investigation discontinued21 CFR 312.62
Safety data (AE/SAE/SUSAR)Per TMF retention above; case-level minimization applied for cross-border transmissionICH E2A/E2B(R3)
DPIAs, ROPA, DPAs/SCCs, breach logsLife of study + applicable regulatory retention periodGDPR Art. 5(2) accountability; Art. 30

Appendix D — International Transfer Decision Tree

Adequacy Decision?

e.g., EU–U.S. Data Privacy Framework-certified recipient

SCCs Executed?

2021 modular Standard Contractual Clauses

Transfer Impact Assessment

Supplementary measures documented (encryption, pseudonymization)

Transfer Authorized

Logged in ROPA with mechanism reference

If Adequacy = No and SCCs cannot be executed, escalate to DPO to evaluate Art. 49 derogation on an exceptional, documented basis.

Appendix E — Breach Notification Timeline

See the 0h → 24h → 72h → high-risk notification timeline illustrated in Section 7.10.

Appendix F — Regulatory Crosswalk

TopicGDPRFDA (US)EMA (EU)
Consent / participationArt. 6/9 (legal basis) + Art. 13/14 (notice)21 CFR Part 50EU CTR 536/2014; ICH E6(R3)
Electronic records integrityArt. 5(1)(f), Art. 3221 CFR Part 11EudraLex Vol. 4 Annex 11 (GMP context); ICH E6(R3)
Investigator dataArt. 6(1)(f) — legitimate interest21 CFR Part 54CTIS transparency publication rules
Structured protocol authoringData protection section requiredICH M11 CeSHarPICH M11 CeSHarP
Central submission portalPublic-layer personal data minimizationN/A (IND via FDA ESG)CTIS
Safety reportingCase-level data minimization for transfer21 CFR 312.32; IND Safety ReportsEudraVigilance / national DPAs

Appendix G — Revision History

VersionDateDescription of ChangeAuthor
1.015-Jul-2026Initial issue.Data Protection Lead, Aurelyn AI Clinical

Appendix H — Approval

Prepared By — Data Protection Lead
 
Signature & Date
Approved By — CEO / Chief AI & Innovation Officer
Sheilah Johnson-Rocha
Signature & Date
Reviewed By — QA / Compliance
 
Signature & Date
Reviewed By — Regulatory Affairs
 
Signature & Date
↑ Top