GDPR Compliance for Clinical Trials
Governs the identification, protection, and lawful processing of personal data — including special category health data — throughout the clinical trial lifecycle, in alignment with FDA and EMA regulatory frameworks and Aurelyn Trial | OS™ platform operations.
1. Purpose
Learning & Application Objectives
- Understand how the General Data Protection Regulation (EU) 2016/679 ("GDPR") applies to clinical trial personal data.
- Apply the correct GDPR legal basis when designing protocols, consent materials, and data flows.
- Analyze cross-border data transfer and vendor arrangements for GDPR adequacy.
- Evaluate & Respond to data subject requests, breaches, and audit findings in a compliant, timely manner.
This Standard Operating Procedure ("SOP") establishes the mandatory requirements and step-by-step procedure for ensuring compliance with the GDPR whenever Aurelyn AI Clinical, its sponsor clients, contracted Clinical Research Organizations ("CROs"), investigator sites, or the Aurelyn Trial | OS™ platform and Aurelyn Clinical Engines™ (Cohort Intelligence™, Adaptive Dose™, Safety Sentinel™, Clinical Evidence™, eTMF Intelligence™) process personal data of clinical trial data subjects. It defines how GDPR obligations are harmonized with FDA (US) and EMA (EU) clinical research regulations so that a single, integrated control framework governs trial data regardless of the jurisdiction in which it is collected, processed, transferred, or archived.
GDPR non-compliance carries administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher (Art. 83(5)), in addition to trial delays, CTIS submission rejection, and reputational harm. Privacy failures can also compromise data integrity relied upon by FDA and EMA for marketing authorization decisions.
2. Scope
2.1 Applies To
- All Aurelyn AI Clinical employees, contractors, and platform administrators.
- Sponsor clients and their designated Clinical Project Managers using Aurelyn Trial | OS™.
- Contracted CROs, central/local laboratories, IRT/RTSM providers, eTMF and safety-database vendors acting as data processors or sub-processors.
- Investigator sites, Principal Investigators, and site personnel entering or accessing trial participant data.
- All trial phases (I–IV), interventional and observational designs, and Investigator-Initiated Studies conducted in whole or in part in the EU/EEA, or otherwise processing personal data of data subjects located in the EU/EEA — including trials whose lawful basis, consent, or safety data must additionally satisfy FDA requirements.
2.2 Data In Scope
- Direct and indirect identifiers (name, initials, date of birth, contact details, national ID, randomization-linked codes where re-identification is possible).
- Special category data under Art. 9 GDPR: health data, genetic data, biometric data, and — where collected — data revealing racial/ethnic origin.
- Source documents, electronic case report form (eCRF) data, informed consent records, adverse event (AE/SAE/SUSAR) reports, biological-sample-linked data, images, and eTMF artifacts containing personal data of participants, investigators, or monitors.
2.3 Out of Scope
Fully anonymized, irreversibly de-identified aggregate data that can no longer be attributed to an identifiable natural person (Recital 26 GDPR) falls outside the scope of this SOP once anonymization is validated and documented. Non-EU/EEA data subject data that is not otherwise subject to GDPR's extraterritorial scope under Art. 3 is governed by applicable local/federal frameworks and cross-referenced FDA requirements only.
3. Responsibilities
A summary RACI (Responsible / Accountable / Consulted / Informed) overview is provided below; the full matrix by activity is provided in Appendix A.
| Role | Primary Accountability |
|---|---|
| CEO / Chief AI & Innovation Officer | Ultimate accountability for the data protection governance framework and resourcing; approves this SOP. |
| Data Protection Lead (DPO function) | Day-to-day GDPR compliance oversight, DPIA review, breach coordination, supervisory authority liaison, and advice on Art. 6/9 legal basis. |
| Clinical Project Manager | Embeds GDPR requirements into protocol, monitoring plan, and vendor selection; maintains study-level Record of Processing Activities (ROPA) entry. |
| Principal Investigator / Site Staff | Obtains and documents informed consent, safeguards source data, restricts access to authorized personnel, reports suspected breaches within 24 hours. |
| CRO / Vendor (Data Processor) | Processes data only per written instructions and Data Processing Agreement (Art. 28); implements technical/organizational measures; supports subject rights requests. |
| Aurelyn Trial | OS™ Engineering & Security | Implements privacy-by-design controls, encryption, access management, audit logging, and AI governance controls for Clinical Engines™. |
| QA / Compliance | Audits adherence to this SOP, tracks CAPAs, and maintains inspection readiness. |
| Regulatory Affairs | Coordinates GDPR-consistent content for CTIS submissions, protocol Section per ICH M11, and cross-border safety reporting. |
4. Definitions & Abbreviations
4.1 Key Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person ("data subject"); includes pseudonymized data capable of re-identification (Art. 4(1)). |
| Special Category Data | Health, genetic, biometric, and related sensitive data subject to heightened protection under Art. 9; nearly all clinical trial data falls into this category. |
| Data Controller | The entity determining the purposes and means of processing — typically the trial Sponsor (Art. 4(7)). |
| Data Processor | An entity processing data on the Controller's behalf and instructions — e.g., a CRO, eTMF vendor, or the Aurelyn Trial | OS™ platform (Art. 4(8)). |
| Pseudonymization | Processing personal data so it can no longer be attributed to a specific subject without additional, separately held information (Art. 4(5)) — e.g., subject ID codes. |
| DPIA | Data Protection Impact Assessment — a structured risk assessment required for high-risk processing (Art. 35). |
| SCCs | Standard Contractual Clauses — the European Commission's approved transfer mechanism for international data transfers (2021 modular version). |
| Supervisory Authority | The national Data Protection Authority (DPA) with jurisdiction over the controller/processor (e.g., CNIL, BfDI, Garante, Irish DPC). |
4.2 Abbreviations
| Abbreviation | Meaning | Abbreviation | Meaning |
|---|---|---|---|
| GDPR | General Data Protection Regulation (EU) 2016/679 | CTIS | Clinical Trials Information System |
| DPO | Data Protection Officer | TMF / eTMF | (electronic) Trial Master File |
| DPIA | Data Protection Impact Assessment | SAE / SUSAR | Serious Adverse Event / Suspected Unexpected Serious Adverse Reaction |
| DPA | Data Processing Agreement (or, contextually, Data Protection Authority) | IRB / EC | Institutional Review Board / Ethics Committee |
| ROPA | Record of Processing Activities | ICH | International Council for Harmonisation |
| CeSHarP | Clinical electronic Structured Harmonised Protocol (ICH M11) | EMA | European Medicines Agency |
| EDPB | European Data Protection Board | FDA | US Food and Drug Administration |
| SCC | Standard Contractual Clauses | CTR | Clinical Trials Regulation (EU) No 536/2014 |
5. Regulatory & Guidance Framework
This SOP is designed to satisfy GDPR obligations concurrently with the following FDA (US) and EMA (EU) authorities and guidances. Where requirements diverge, personnel must apply the more stringent standard unless a documented, risk-based justification states otherwise.
- 21 CFR 312Investigational New Drug ApplicationIND submission, sponsor obligations, and safety reporting requirements.
- 21 CFR 50Protection of Human SubjectsInformed consent elements — distinct from, and layered atop, GDPR transparency notices.
- 21 CFR 54Financial Disclosure by Clinical InvestigatorsInvestigator financial interest data — treated as personal data of the investigator under GDPR.
- 21 CFR 11Electronic Records; Electronic SignaturesAudit trail, access control, and integrity controls that reinforce GDPR Art. 32 security obligations.
- ICH E6(R3)Good Clinical PracticeQuality management, data governance, and risk-based oversight expectations.
- ICH M11CeSHarPStructured digital protocol template — data privacy section must reflect GDPR notices & data flows.
- CTR 536/2014EU Clinical Trials RegulationHarmonized EU trial authorization; Art. 93–99 govern personal data processing.
- CTISClinical Trials Information SystemCentral EU portal; public layer must be scrubbed of participant/investigator personal data.
- EudraLex Vol.10Clinical Trials GuidelinesImplementing guidance for CTR, including transparency & data protection annexes.
- ICH E6(R3)Good Clinical PracticeEU-adopted GCP standard, cross-referenced with FDA implementation.
- GDPR Art. 9Special Category (Health) DataCore legal basis provision governing clinical trial data processing.
- ICH M11CeSHarPJointly adopted structured protocol template (see 7.14).
This framework is supplemented, as applicable, by: EDPB Guidelines (e.g., 03/2020 on health data for scientific research), national implementing data protection laws of relevant EU/EEA Member States, the EU-U.S. Data Privacy Framework and other Commission adequacy decisions, ISO 14155 (medical device trials), CDISC standards, and Aurelyn AI Clinical's internal Data Privacy & Protection Policy (SOP PRI-001).
6. Policy Statement
Aurelyn AI Clinical requires that all processing of clinical trial personal data — whether performed directly, through the Aurelyn Trial | OS™ platform, or by contracted third parties — adhere at all times to the seven principles of Art. 5 GDPR:
No process, protocol, technology (including AI-assisted features of Aurelyn Clinical Engines™), or vendor arrangement may be implemented that conflicts with these principles or with applicable FDA/EMA obligations. Exceptions require documented, DPO-approved risk acceptance.
7. Procedure
The following sub-procedures must be followed sequentially at study start-up and revisited at each protocol amendment, new vendor engagement, or material change to data flows.
7.1 Determine Roles & Applicability
At protocol concept stage, the Clinical Project Manager, with DPO support, must document each party's GDPR role:
- Sponsor — ordinarily sole or joint Controller, determining trial purpose and design.
- Investigator Site — typically an independent Controller for source data collection and consent, or joint Controller with the Sponsor depending on Member State interpretation; confirm per-country legal analysis.
- CRO / eTMF / IRT / Safety Database Vendors, and the Aurelyn Trial | OS™ platform — Processors, acting only on documented Sponsor instructions.
The determination is recorded in the study-level ROPA entry (Section 8) and drives which downstream controls (consent language, DPAs, transfer mechanisms) apply.
7.2 Establish the Legal Basis for Processing
Two layers of legal basis are required for special category clinical trial data — a general processing basis (Art. 6) and a special category basis (Art. 9):
| Layer | Preferred Basis | Application Note |
|---|---|---|
| Art. 6(1) — General | Art. 6(1)(e) Public interest task, or Art. 6(1)(f) Legitimate interest | Preferred over consent to avoid conflicts if a participant later withdraws consent to participate while previously collected data must be retained for scientific/regulatory integrity. |
| Art. 9(2) — Special Category | Art. 9(2)(j) Scientific research (with Art. 89(1) safeguards), or Art. 9(2)(i) Public health | Member State law may additionally require an Art. 9(2)(a) explicit consent layer — confirm local requirement before finalizing consent documents. |
Do not rely on GDPR Art. 6(1)(a)/9(2)(a) consent as the sole lawful basis for research data processing. Because withdrawal of GDPR consent must, by default, be as easy as giving it and can trigger erasure obligations, relying on consent alone is operationally incompatible with the data integrity requirements of ICH E6(R3) and 21 CFR Part 312. Informed consent under 21 CFR Part 50 / ICH E6(R3) remains mandatory for study participation but is a separate instrument from the GDPR legal basis for data processing.
7.3 Privacy by Design and by Default (Art. 25)
- Pseudonymize participant identity at first point of capture using subject ID codes; the re-identification key is held only by the investigator site under restricted access.
- Apply role-based access control (RBAC) within Aurelyn Trial | OS™ so users see only the minimum data set needed for their function.
- Design eCRFs and Clinical Engines™ inputs to exclude direct identifiers wherever indirect/coded identifiers suffice.
- Default all new platform modules to the most privacy-protective configuration; explicit administrator action is required to broaden access or retention.
7.4 Conduct a Data Protection Impact Assessment (Art. 35)
A DPIA is mandatory before processing begins whenever any trigger in Appendix B is met — this includes, by default, essentially all interventional trials processing special category health data at scale, and any use of AI-assisted features (Cohort Intelligence™, Adaptive Dose™, Safety Sentinel™) that produce automated outputs influencing participant management. The DPIA is drafted by the Clinical Project Manager, reviewed and approved by the DPO, and — where residual risk remains high after mitigation — submitted for prior consultation with the competent Supervisory Authority (Art. 36).
7.5 Consent Forms & Transparency Notices
Maintain two distinct documents, cross-referenced but not merged:
Informed Consent Form
21 CFR 50 / ICH E6(R3) — participation, risks, benefits, voluntariness.
GDPR Privacy / Transparency Notice
Art. 13/14 — identity of controller, purposes, legal basis, retention, transfers, rights.
Combined Participant Pack
Delivered together at consent visit; each retained as a distinct, IRB/EC and DPO-approved artifact.
Per Recital 33 and Art. 17(3)(d), withdrawal of participation does not require erasure of data already lawfully collected where retention is necessary for scientific research or archiving purposes with Art. 89(1) safeguards; the transparency notice must state this explicitly to avoid participant misunderstanding.
7.6 Managing Data Subject Rights
| Right (GDPR Article) | Trial-Context Application | Limitation |
|---|---|---|
| Access (Art. 15) | Participant may request confirmation of processing and a copy of their personal data. | May be restricted where disclosure would unblind treatment allocation (coordinate with DPO/PI before response). |
| Rectification (Art. 16) | Correction of inaccurate personal data. | Corrections to locked eCRF data must go through formal query/audit-trail process, not silent edit. |
| Erasure (Art. 17) | "Right to be forgotten." | Does not apply where processing is necessary for compliance with a legal obligation or for archiving/scientific research purposes (Art. 17(3)(b),(d)). |
| Restriction (Art. 18) | Temporary restriction pending accuracy dispute resolution. | Must not compromise ongoing safety monitoring obligations. |
| Objection (Art. 21) | Objection to processing based on Art. 6(1)(e)/(f). | May be overridden by compelling legitimate grounds or necessity for public interest research (Art. 21(6)). |
| Portability (Art. 20) | Generally inapplicable — trial data is not processed on the basis of consent/contract in a way that triggers this right. | N/A in most trial contexts; confirm case-by-case with DPO. |
All data subject rights requests must be routed to the DPO and Principal Investigator before any response is issued. No site or vendor staff may unblind treatment assignment to fulfil a rights request; where unblinding would be required, apply the emergency unblinding procedure and document DPO sign-off.
Response timeline: Requests must be acknowledged within 5 business days and substantively resolved within 1 calendar month of receipt (extendable by two further months for complex requests, with the data subject informed of the extension within the first month) (Art. 12(3)).
7.7 International Data Transfers (Chapter V)
Any transfer of personal data outside the EU/EEA — including to Aurelyn AI Clinical's US infrastructure, a US-based Sponsor, or FDA submission packages — requires a documented lawful transfer mechanism before data leaves the EU/EEA.
Adequacy Decision?
Check the European Commission's current adequacy list (including the EU–U.S. Data Privacy Framework for certified US recipients).
Standard Contractual Clauses
If no adequacy decision applies, execute the 2021 modular SCCs matching the Controller/Processor configuration.
Transfer Impact Assessment
Conduct a Transfer Risk Assessment (post-Schrems II) evaluating destination-country law and supplementary measures (encryption, pseudonymization).
Art. 49 Derogation
Reserved for exceptional, non-repetitive transfers (e.g., explicit consent, important public-interest reasons for a specific clinical research need).
See Appendix D for the full decision tree used at protocol start-up and vendor onboarding.
7.8 Data Processing Agreements (Art. 28)
A written Data Processing Agreement ("DPA") is mandatory with every processor and sub-processor before any personal data is shared, including CROs, central/local laboratories, IRT/RTSM vendors, safety database providers, translation vendors, and the Aurelyn Trial | OS™ hosting infrastructure. At minimum, each DPA must specify:
- Subject matter, duration, nature and purpose of processing, and categories of data/data subjects.
- Obligation to process only on documented Controller instructions (Art. 28(3)(a)).
- Confidentiality commitments for authorized personnel.
- Technical and organizational security measures (Art. 32).
- Sub-processor authorization mechanism (general or specific written authorization).
- Assistance obligations for data subject rights, DPIAs, and breach notification.
- Return/deletion of data at end of engagement, subject to regulatory retention overrides.
- Audit rights for the Controller/DPO.
7.9 Security of Processing (Art. 32)
Technical and organizational measures implemented across the Aurelyn Trial | OS™ platform and required of all processors include:
Security measures are periodically tested (penetration testing, access reviews, business continuity/disaster recovery exercises) and documented for both GDPR Art. 32 and 21 CFR Part 11 audit trail requirements simultaneously.
7.10 Personal Data Breach Management (Art. 33–34)
Any suspected or confirmed personal data breach must be reported immediately to the DPO via the incident channel; the timeline below governs the response.
Detection
Site/vendor/platform detects and reports suspected breach to DPO.
Triage
DPO & Security triage scope, cause, and affected data categories/subjects.
Authority Notice
Notify competent Supervisory Authority unless risk to rights/freedoms is unlikely (Art. 33).
Subject Notice
Notify affected data subjects "without undue delay" if the breach is likely to result in a high risk (Art. 34).
| Severity | Criteria | Action |
|---|---|---|
| Low | Encrypted/pseudonymized data, low re-identification risk, no rights impact. | Log internally; DPO review; no external notification required. |
| Moderate | Unencrypted personal data exposed, limited scope, contained quickly. | Supervisory Authority notification within 72 hours; internal CAPA opened. |
| High | Special category health data exposed at scale, or re-identification risk is significant. | Supervisory Authority + data subject notification; Sponsor/IRB notified; CAPA + root-cause analysis mandatory. |
7.11 Records of Processing Activities (Art. 30)
The DPO maintains a central ROPA covering every study and platform processing activity, including: purposes of processing, categories of data subjects and data, recipients (including third-country recipients), transfer safeguards, retention periods, and a general description of security measures. The ROPA is updated at study start-up, protocol amendment, and vendor change, and is reviewed at minimum annually.
7.12 Data Retention & Destruction
GDPR's storage limitation principle (Art. 5(1)(e)) permits extended retention where data is processed for archiving in the public interest or scientific research purposes, subject to Art. 89(1) safeguards (pseudonymization, access restriction). This allows trial data to be retained per the longer of applicable regulatory retention periods (see Appendix C) without conflicting with GDPR, provided the retention schedule is documented and enforced. Destruction/anonymization at end of retention must be logged and, where technically irreversible anonymization is used, validated before the record is considered fully out of GDPR scope.
7.13 EU Clinical Trials Regulation 536/2014 & CTIS Submission
- Lay summaries and protocol content submitted to CTIS must be reviewed by the DPO to confirm no direct participant identifiers appear in the public layer.
- Investigator and Sponsor contact personal data published via CTIS transparency rules is processed under a distinct legal basis (public task/legitimate interest for regulatory transparency) documented separately in the ROPA.
- EudraLex Volume 10 guidance on data protection and CTIS user manuals must be consulted for country-specific deferral/redaction requests (e.g., delayed publication) where applicable.
7.14 ICH M11 CeSHarP Protocol Template Alignment
Where a protocol is authored using the ICH M11 Clinical electronic Structured Harmonised Protocol template, the data protection / privacy section must reference: the applicable Art. 6/9 legal basis, categories of data collected, the GDPR transparency notice, and a summary data flow diagram (see Appendix D pattern) consistent with the sections above, ensuring a single source of truth between the protocol and the participant-facing consent pack.
7.15 AI & Aurelyn Clinical Engines™ Governance
Where Cohort Intelligence™, Adaptive Dose™, Safety Sentinel™, Clinical Evidence™, or eTMF Intelligence™ process personal data — including for model-assisted analysis, cohort selection, or dose recommendations — the following additional controls apply:
- A DPIA is mandatory before go-live for any AI feature that produces an output materially influencing decisions about a participant (Art. 22 automated decision-making considerations).
- Personal data is pseudonymized by default before being processed by any AI/ML component; direct identifiers are excluded from model inputs unless a documented, DPO-approved exception exists.
- Human oversight is maintained — no fully automated decision producing legal or similarly significant effects on a participant is permitted without meaningful human review.
- Personal data is not used to train or fine-tune AI models beyond the specific study for which lawful basis was established, absent a separate, documented legal basis.
7.16 Cross-Border Safety Reporting
SUSAR and expedited safety reports transmitted to EMA/national authorities and to FDA (IND Safety Reports) under ICH E2A and CIOMS/E2B(R3) formats must minimize personal data — using case identifiers rather than direct identifiers — while retaining sufficient traceability for causality assessment. Cross-border transmission of safety data follows the transfer mechanisms in Section 7.7.
7.17 Training & Awareness
All personnel with access to trial personal data must complete GDPR and this SOP's training module prior to data access, with refresher training at each annual review cycle or upon material regulatory change. Completion is logged in the training record referenced in Section 8.
7.18 Deviations & CAPA
Any deviation from this SOP is documented, risk-assessed by the DPO/QA, and — where warranted — escalated into the Corrective and Preventive Action (CAPA) process. Recurring or systemic deviations trigger a root-cause review and, where required, DPIA re-assessment.
8. Documentation & Records
| Record | Owner | Retention |
|---|---|---|
| Record of Processing Activities (ROPA) | Data Protection Lead | Life of study + regulatory retention period |
| DPIA reports | Data Protection Lead / CPM | Life of study + regulatory retention period |
| Data Processing Agreements & SCCs | Legal / Vendor Management | Duration of engagement + 6 years |
| Breach log & notifications | Data Protection Lead | Minimum 5 years from closure |
| Consent forms & transparency notices (executed) | Site / eTMF | Per Appendix C retention schedule |
| Training completion records | QA / Compliance | Duration of employment/engagement + 3 years |
10. Appendices
Appendix A — RACI Matrix
| Activity | Sponsor / CEO | DPO | CPM | PI / Site | CRO / Vendor | Engineering |
|---|---|---|---|---|---|---|
| Legal basis determination | A | R | C | I | I | I |
| DPIA authoring & approval | I | A | R | C | C | C |
| Consent / notice drafting | I | C | R | A | I | I |
| DPA / SCC execution | A | R | C | I | R | I |
| Breach detection & escalation | I | A | C | R | R | R |
| Authority / subject notification | C | AR | I | I | I | I |
| Platform security controls (Art. 32) | I | C | I | I | C | AR |
| Data subject rights response | I | A | R | C | C | C |
Legend
R = Responsible · A = Accountable · C = Consulted · I = Informed
Appendix B — DPIA Screening Checklist
| Trigger | Applies? |
|---|---|
| Large-scale processing of special category (health/genetic) data | Screen |
| Systematic monitoring of data subjects (e.g., wearables, continuous safety monitoring) | Screen |
| Use of AI/automated processing producing outputs affecting participant management (Cohort Intelligence™, Adaptive Dose™) | Mandatory DPIA |
| Cross-border transfer to a country without an adequacy decision | Screen |
| Novel technology or processing method not previously assessed | Screen |
| Combination/matching of datasets from different sources | Screen |
Two or more "Screen" triggers, or any "Mandatory DPIA" trigger, requires full DPIA completion before processing begins.
Appendix C — Data Retention Schedule
| Record Type | Minimum Retention | Basis |
|---|---|---|
| Trial Master File / eTMF (source data, consent forms, CRFs) | 25 years post-trial completion (or per national law/Sponsor requirement, whichever longer) | ICH E6(R3); EU CTR 536/2014 Art. 58; national implementing law |
| IND-related records (US trials) | 2 years after marketing application approval, or if not approved, 2 years after investigation discontinued | 21 CFR 312.62 |
| Safety data (AE/SAE/SUSAR) | Per TMF retention above; case-level minimization applied for cross-border transmission | ICH E2A/E2B(R3) |
| DPIAs, ROPA, DPAs/SCCs, breach logs | Life of study + applicable regulatory retention period | GDPR Art. 5(2) accountability; Art. 30 |
Appendix D — International Transfer Decision Tree
Adequacy Decision?
e.g., EU–U.S. Data Privacy Framework-certified recipient
SCCs Executed?
2021 modular Standard Contractual Clauses
Transfer Impact Assessment
Supplementary measures documented (encryption, pseudonymization)
Transfer Authorized
Logged in ROPA with mechanism reference
If Adequacy = No and SCCs cannot be executed, escalate to DPO to evaluate Art. 49 derogation on an exceptional, documented basis.
Appendix E — Breach Notification Timeline
See the 0h → 24h → 72h → high-risk notification timeline illustrated in Section 7.10.
Appendix F — Regulatory Crosswalk
| Topic | GDPR | FDA (US) | EMA (EU) |
|---|---|---|---|
| Consent / participation | Art. 6/9 (legal basis) + Art. 13/14 (notice) | 21 CFR Part 50 | EU CTR 536/2014; ICH E6(R3) |
| Electronic records integrity | Art. 5(1)(f), Art. 32 | 21 CFR Part 11 | EudraLex Vol. 4 Annex 11 (GMP context); ICH E6(R3) |
| Investigator data | Art. 6(1)(f) — legitimate interest | 21 CFR Part 54 | CTIS transparency publication rules |
| Structured protocol authoring | Data protection section required | ICH M11 CeSHarP | ICH M11 CeSHarP |
| Central submission portal | Public-layer personal data minimization | N/A (IND via FDA ESG) | CTIS |
| Safety reporting | Case-level data minimization for transfer | 21 CFR 312.32; IND Safety Reports | EudraVigilance / national DPAs |
Appendix G — Revision History
| Version | Date | Description of Change | Author |
|---|---|---|---|
| 1.0 | 15-Jul-2026 | Initial issue. | Data Protection Lead, Aurelyn AI Clinical |