INSIGHT // 03 Data Privacy

Data Privacy in Clinical Trials: GDPR Meets DSG

Abstract: Multi-jurisdictional clinical research faces an increasingly complex web of data protection requirements. The intersection of GDPR and the Swiss Federal Act on Data Protection creates compliance challenges that standard informed consent frameworks cannot resolve. What appears to be aligned regulatory philosophy masks divergent legal bases, inconsistent Member State implementations, and fundamentally different relationships between ethical consent and data protection consent.

Plain Language Summary

Clinical trials collect sensitive health data from patients in many countries. The EU applies the GDPR; Switzerland applies its own privacy law (the DSG). Trials run in both regions must satisfy both. Consent to take part in a trial is not the same as consent to process the data. EU data-protection authorities have stated that GDPR consent is often not the right basis for trials at all. This creates real difficulties for sponsors designing multi-site trials.

Table of Contents
  1. GDPR–DSG Intersection
  2. The Consent Distinction
  3. Legal Bases
  4. Swiss Framework
  5. Cross-Border Transfers
  6. Controller Roles
  7. Member State Divergence
  8. Strategic Considerations

On 31 January 2025, the three-year transition period for the EU Clinical Trials Regulation (CTR) closed.[1] Every ongoing trial in the EU must run through the CTIS, a centralized portal with its own transparency obligations that interact with, but do not replace, GDPR requirements.[2] For Swiss sponsors, the transition lands at an awkward moment: Switzerland's own data protection framework was overhauled barely seventeen months earlier, and the relationship between the two regimes is less settled than their shared vocabulary suggests.

1. Where Do GDPR and DSG Actually Intersect?

The DSG, effective since 1 September 2023, aligns more closely with GDPR principles than its predecessor. Switzerland's adequacy status continues under Art. 45(9) GDPR, confirmed by the European Commission's January 2024 review.[3] This facilitates data flows from EU sites to Swiss sponsors without requiring Standard Contractual Clauses or Binding Corporate Rules, but only for transfers to Switzerland, not for the sponsor's onward transfers.

However, alignment does not mean identity. The frameworks share fundamental concepts (lawfulness, purpose limitation, data minimization) but diverge in ways that matter for clinical trial operations. A Swiss sponsor conducting trials across EU Member States must comply with GDPR for EU sites while maintaining DSG compliance for Swiss operations. When data flows between jurisdictions, both frameworks may apply simultaneously.

The fundamental challenge is not that the rules differ; it is that the relationship between ethical consent and data protection consent differs, and most trial protocols do not adequately distinguish between them.

The complexity compounds when sector-specific legislation enters the analysis. Clinical trials in Switzerland operate under the Human Research Act (HFG) framework, not merely the general data protection regime.[4] The EU Clinical Trials Regulation contains its own informed consent requirements that interact with, but are distinct from, GDPR consent. These overlapping frameworks create opportunities for gaps where sponsors believe one consent addresses all requirements when it addresses only some.

2. The Consent Distinction

The most significant compliance risk in clinical trial data protection is the conflation of two distinct consent concepts.

Ethical consent under clinical trials legislation derives from the Declaration of Helsinki and serves to protect human dignity and physical integrity. Art. 28 CTR requires informed consent as a fundamental condition for trial participation; Art. 16 HFG mandates informed consent for research involving human subjects. This consent addresses whether a person may participate in research at all.

Data protection consent serves a distinct function. Consent under Art. 6(1)(a) GDPR provides the legal basis for processing personal data, with Art. 9(2)(a) GDPR supplying the required condition for special category data such as health information. This consent must be freely given, specific, informed, unambiguous, and, for special category data, explicit. It addresses whether personal data may be lawfully processed.

These are not the same consent. A signed informed consent form that satisfies CTR requirements does not automatically satisfy GDPR requirements. The European Data Protection Board addressed this distinction directly in Opinion 3/2019, stating that informed consent under the CTR "responds primarily to core ethical requirements" and "is not conceived as an instrument for data protection compliance."[5]

3. Legal Bases

The practical question becomes: if ethical consent is not data protection consent, what legal basis supports the processing of clinical trial data?

The EDPB Opinion 3/2019 distinguishes between two categories of processing. Processing for safety and reliability (safety reporting under Art. 41-43 CTR, archiving of the clinical trial master file for 25 years under Art. 58 CTR, disclosure to regulators) finds its legal basis in Art. 6(1)(c) GDPR (legal obligation) combined with Art. 9(2)(i) GDPR (public health interest).

Processing for the trial's actual scientific purpose presents more complex analysis. The EDPB identifies public interest under Art. 6(1)(e) GDPR as one potential basis, though this works more clearly for academic institutions than commercial sponsors. Legitimate interests under Art. 6(1)(f) GDPR offer an alternative but require demonstrating that the controller's interests are not overridden by data subjects' rights. Explicit consent under Art. 6(1)(a) and Art. 9(2)(a) GDPR remains theoretically available but faces significant practical constraints.

The EDPB's position on consent deserves particular attention. The Opinion states that consent "will not be the appropriate legal basis in most cases" for clinical trials. The reasoning focuses on power imbalances: participants may not be in good health, may belong to vulnerable groups, or may face institutional dependency. The Article 29 Working Party's Guidelines on Consent reinforce the point: dependency relationships and health conditions may compromise voluntariness even when formal consent procedures are followed.[6]

This creates an uncomfortable tension. The entire ethical framework of clinical research is built on informed consent. Yet data protection authorities suggest that this consent is often inadequate, perhaps inherently inadequate, for GDPR purposes.

4. How Does the Swiss Framework Differ?

Swiss sites operate under a parallel but distinct regime. The Human Research Act, supplemented by the Clinical Trials Ordinance (KlinV), provides the sector-specific framework for clinical trials. The Federal Council adopted significant amendments to the Human Research Act's implementing ordinances on 7 June 2024, with most provisions, including new notification and reporting requirements, effective 1 November 2024. The transparency provisions entered into force on a staggered basis: the mandatory publication of results summaries within one year of trial completion (Art. 65a KlinV) applies from 1 March 2025, with the one-year clock running only for trials completed after that date. These requirements affect data processing timelines and retention obligations.

The DSG applies alongside this sector-specific framework, but its structure differs fundamentally from GDPR. Unlike Art. 6 GDPR, which requires a legal basis for all processing, the DSG permits private persons to process personal data without a specific legal basis, provided they comply with the general processing principles in Art. 6 DSG (lawfulness, good faith, proportionality, purpose limitation). Art. 31 DSG becomes relevant only when processing infringes personality rights under Art. 30 DSG, providing justification grounds including consent, overriding interest, or statutory authorization.[7] Art. 31(2)(e) DSG mentions research as a scenario where an overriding private interest may be recognized, provided results are published in a form that does not permit identification of data subjects, but this is structurally different from Art. 89 GDPR's comprehensive research regime.

The relationship between HFG consent and DSG consent is arguably the most consequential open question in Swiss clinical trial data protection. Swiss law has traditionally treated informed consent under the HFG as sufficient basis for associated data processing, a lex specialis interpretation whose continued validity under the DSG is uncertain. The DSG introduced heightened requirements for processing sensitive personal data that did not exist under the predecessor statute, and the EDÖB's evolving interpretive approach had not, as of September 2025, produced definitive guidance on whether HFG consent satisfies DSG requirements for health data processing. The same consent-quality concerns raised by the EDPB (power imbalances, dependency relationships, questionable voluntariness) may apply with equal force to the HFG consent framework.

5. What Happens When Trial Data Crosses Borders?

Clinical trial data routinely crosses borders: from investigator sites to sponsors, from sponsors to contract research organizations (CROs), from CROs to regulatory authorities. Each transfer must satisfy the data export requirements of the originating jurisdiction.

Switzerland's EU adequacy status, confirmed in January 2024, facilitates data flows from EEA sites to Swiss sponsors under Art. 45 GDPR. Onward transfers from Switzerland to third countries require independent assessment under the DSG framework, and the Swiss adequacy list (Annex 1 to the Data Protection Ordinance) does not mirror the EU list. For Switzerland-to-US flows, the Federal Council's September 2024 recognition of the US Data Privacy Framework provides an adequacy pathway for transfers to DPF-certified entities;[8] for non-certified entities, SCCs or derogations remain necessary.

For transfers to countries without adequacy status, both frameworks recognize similar mechanisms: Standard Contractual Clauses (the EU SCCs are accepted by Swiss authorities subject to Swiss-specific adaptations that the EDÖB has outlined),[9] Binding Corporate Rules for intra-group transfers, and specific derogations. Transfer impact assessments may be required under both frameworks when relying on SCCs; the Swiss analysis follows similar principles to the Schrems II framework,[10] but is conducted independently.

[Figure: Clinical Trial Data Transfer Flows. Diagram showing data flows from EU investigator sites to a Swiss sponsor and onward to a US CRO, with the applicable legal framework governing each transfer: EU adequacy decision (Art. 45 GDPR) for EU-to-Switzerland, DPF or SCCs under the DSG framework for Switzerland-to-US, and EU-US DPF, SCCs or Art. 49 GDPR derogations on the direct EU-to-US path. Nodes: EU sites (GDPR applies; CTR obligations), Swiss sponsor (DSG applies; HFG framework), US CRO (DPF certification, if applicable).]
Clinical trial data transfer chain: applicable legal frameworks at each node

6. Who Determines Purposes and Means?

The controller-processor distinction under Art. 4(7)-(8) GDPR and Art. 5(j)-(k) DSG turns on who determines the purposes and means of processing, a determination that is rarely straightforward in clinical trials.[11] The sponsor typically determines the research purposes. But investigators at clinical sites make enrollment decisions, CROs may exercise discretion over data management processes, central laboratories determine testing methodologies, and CTIS imposes its own processing requirements. The EDPB Guidelines provide an analytical framework, but applying that framework to the multi-party structure of a clinical trial requires assessment that standard service agreements often elide.

The CRO relationship warrants particular scrutiny. Where a CRO exercises significant discretion over processing operations (determining data management methodologies, selecting sub-processors, making independent decisions about data handling), it may qualify as a joint controller rather than a processor under Art. 26 GDPR. The distinction matters: a joint controller arrangement requires a transparent allocation of GDPR responsibilities (Art. 26(1) GDPR), which differs materially from the data processing agreement required under Art. 28 GDPR. Standard service agreements that assume a processor role without examining the CRO's actual operational discretion may mischaracterize the relationship.

Clinical trial data processing will also, in most cases, require a Data Protection Impact Assessment. Under Art. 35 GDPR, a DPIA is mandatory where processing is likely to result in a high risk to individuals' rights, and large-scale processing of special category health data appears on the Art. 35(3) GDPR indicative list. The Swiss equivalent under Art. 22 DSG applies a different trigger, without GDPR's enumerated criteria. Whether one DPIA can cover all jurisdictions or whether site-specific assessments are needed depends on the degree of variation in processing operations across sites.

7. How Much Do Member State Requirements Vary?

The GDPR is a regulation, directly applicable in all Member States. Yet Art. 9(2)(j) GDPR, the scientific research condition for processing special category data, is an opening clause that permits Member States to establish the specific legal basis in national law.

The result is documented divergence. A practitioner survey published in May 2019 examined 31 European countries and reported that 25 required either explicit consent or explicit acceptance by patients for clinical trial data processing.[12] That 2019 survey predates the maturation of several national Art. 9(2)(j) GDPR implementations and the issuance of sector-specific DPA guidance on clinical trial data processing; specific national positions may have shifted since its publication. The broad pattern, however, persists: some Member States require GDPR-style explicit consent regardless of the EDPB's position; others have implemented public interest or research exemptions that do not require consent; several have imposed additional safeguards including mandatory ethics committee approval, data protection impact assessments, or specific security measures.

For a multi-site trial operating across ten Member States, the sponsor may face ten different legal basis requirements. The EDPB acknowledged in its response to the European Commission questionnaire on research that "the potential negative impact of such a heterogeneous legal basis for processing health data in one research project in multiple Member States can be acknowledged" but noted that this heterogeneity "cannot be solved in the EDPB guidelines or by means of Codes of conduct."[13]

The practical consequences compound across trial design. A lowest-common-denominator approach that satisfies all applicable Member State requirements may impose consent obligations where they are not legally necessary, creating withdrawal complexities that would not otherwise exist. Site-specific compliance approaches that vary by jurisdiction create administrative fragmentation. And certain trial configurations may simply not be feasible without legislative harmonization that shows no sign of arriving.

The European Health Data Space Regulation, adopted in 2025, will add a further layer.[14] The EHDS establishes a framework for secondary use of electronic health data, including clinical trial data, through authorized health data access bodies in each Member State. Its secondary use provisions create new statutory grounds for certain categories of health data processing that may complement or modify the existing Art. 9(2)(j) framework, and the EHDS's phased implementation timeline means that compliance strategies relying exclusively on the GDPR framework risk becoming incomplete.

8. Strategic Considerations

The complexities outlined above (consent distinctions, Member State divergence, transfer chains, controller determinations) compound in ways that surface unpredictably across a trial's lifecycle. The sponsor that discovers these tensions during a regulatory inspection rather than during protocol design faces remediation options that range from difficult to impossible.

Participant withdrawal illustrates the compounding effect. Under Art. 28(3) CTR, withdrawal of informed consent ends trial participation, but it does not resolve the data protection question. Safety reporting and the 25-year archiving obligation under Art. 58 CTR may continue under Art. 6(1)(c) GDPR; whether the research data itself must be erased depends on whether the legal basis was consent, public interest, or legitimate interest, a determination that varies by Member State. Key-coded pseudonymization, the dominant approach for managing clinical trial data, adds further uncertainty: pseudonymized data remains personal data under both frameworks (Recital 26 GDPR), and neither provides explicit guidance on how the key-coding architecture affects the withdrawal-and-retention analysis. Where a participant's data has already been incorporated into endpoint calculations, the tension between data subject rights and the regulatory requirement for complete, auditable datasets resists generic resolution.

Data flows in multi-site trials create transfer chains that often extend beyond the sponsor's direct visibility. The onward flow to a CRO's analytics team, a central laboratory's quality systems, or a cloud provider's processing infrastructure introduces dependencies that standard contractual clauses do not automatically resolve. Transfer impact assessments under the Schrems II framework require evaluation of destination country surveillance laws, an analysis that changes when sub-processors operate in jurisdictions the sponsor did not initially contemplate.

For trials involving Swiss sites, the overlay of HFG requirements alongside DSG obligations creates a parallel compliance track that mirrors but does not replicate the CTR/GDPR intersection. The November 2024 ordinance amendments added transparency and reporting requirements that existing trial documentation may not address. Whether Swiss and EU compliance frameworks can be satisfied through unified documentation, or whether parallel structures are required, depends on specifics that generic templates cannot resolve.

REFERENCES

[1] Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC [2014] OJ L158/1 (CTR). See particularly Art. 81 CTR (public access to clinical trial data through CTIS); EMA, Guidance for the Notification of Serious Breaches of Regulation (EU) No 536/2014 or the Clinical Trial Protocol (EMA/698382/2021, 31 January 2022).

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1 (GDPR).

[3] Commission Decision 2000/518/EC of 26 July 2000 pursuant to Directive 95/46/EC on the adequate protection of personal data provided in Switzerland [2000] OJ L215/1, maintained under Art. 45(9) GDPR; European Commission, Report from the Commission to the European Parliament and the Council on the first review of the functioning of the adequacy decisions adopted pursuant to Art. 25(6) of Directive 95/46/EC COM(2024) 7 final (15 January 2024), confirming continued adequacy following DSG entry into force.

[4] Bundesgesetz über die Forschung am Menschen (Humanforschungsgesetz, HFG) vom 30. September 2011 (SR 810.30); Verordnung über klinische Versuche mit Ausnahme klinischer Versuche mit Medizinprodukten (Verordnung über klinische Versuche, KlinV) vom 20. September 2013 (SR 810.305), as amended 7 June 2024 (notification and reporting provisions effective 1 November 2024; transparency provisions including Art. 65a KlinV (mandatory results publication) effective 1 March 2025).

[5] European Data Protection Board, Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (EDPB, 23 January 2019) paras 16, 20.

[6] Article 29 Working Party, Guidelines on Consent under Regulation 2016/679 (28 November 2017, revised 10 April 2018), endorsed by EDPB, elaborating requirements for valid consent including the 'freely given' element and its application to situations involving power imbalances.

[7] Bundesgesetz über den Datenschutz (Datenschutzgesetz, DSG) vom 25. September 2020 (SR 235.1), effective 1 September 2023, Art. 6 (processing principles), 30 (personality rights violations), 31 (justification grounds including Art. 31(2)(e) on research); Verordnung über den Datenschutz (Datenschutzverordnung, DSV) vom 31. August 2022 (SR 235.11).

[8] Schweizerischer Bundesrat, amendment to the Datenschutzverordnung (DSV) of 14 August 2024, adding the United States to the list of states with adequate data protection (Annex 1 DSV, SR 235.11, effective 15 September 2024) for transfers to entities certified under the DPF.

[9] EDÖB, The transfer of personal data to a country without an adequate level of data protection based on standard data protection clauses in accordance with Art. 16(2)(d) DSG (27 August 2021, revised 12 February 2025), specifying Swiss-specific adaptations required when using EU Commission Standard Contractual Clauses for transfers from Switzerland.

[10] Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Schrems II) ECLI:EU:C:2020:559, invalidating the EU-US Privacy Shield and establishing the requirement for transfer impact assessments when relying on Standard Contractual Clauses.

[11] European Data Protection Board, Guidelines 07/2020 on the concepts of controller and processor in the GDPR (EDPB, 7 July 2021), providing an analytical framework for determining controller/processor status in complex processing arrangements.

[12] Patrice Navarro and others, 'EDPB's position on clinical trials creates friction with other EU legislation' (Hogan Lovells, May 2019), practitioner survey of 31 European countries on clinical trial data processing requirements; figures cited should be read as reflecting the position at the time of publication.

[13] European Data Protection Board, Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research (EDPB, 2 February 2021) 6.

[14] Regulation (EU) 2025/327 of the European Parliament and of the Council of 11 February 2025 on the European Health Data Space [2025] OJ L 2025/327, 5 March 2025, establishing a framework for primary and secondary use of electronic health data, including provisions for secondary use of clinical trial data through authorized health data access bodies.

The compliance gaps that surface during a regulatory inspection are rarely the ones that protocol design anticipated.