knowledge 20 May 2026 |

Clinical Trials and the EU Biotech Act: Key Takeaways from the EDPB - EDPS Joint Opinion

The European Commission unveiled its proposal for a health-focused Biotech Act in December 2025, aimed at positioning Europe as a global biotech powerhouse by making it a more competitive and pro-innovation environment, as well as simplifying certain EU legislation such as the EU Clinical Trials Regulation (CTR).

For further information on the proposed Biotech Act, please see our previous briefing: Turning Europe into a Biotech Powerhouse: Commission Unveils Biotech Ac and Regulatory Simplification for Devices.

Overall, while the Joint Opinion supports the proposed Biotech Act and acknowledges that a competitive biotechnology sector requires a predictable and harmonised legal environment, it underscores the importance of maintaining high standards of protection for health and genetic data when conducting clinical trials.

Key Reccommendations

Harmonised legal basis for clinical trial data

The proposed Biotech Act would amend the CTR to establish a harmonised legal basis under the GDPR for processing clinical trial data for the purposes set out in Article 93 CTR (e.g. safety monitoring and submission of trial results). Such processing would be based on ‘compliance with a legal obligation’ under Article 6(1)(c) GDPR. This has been welcomed in the Joint Opinion as it would allow sponsors and investigators rely on a single legal basis under the GDPR, thereby enhancing harmonisation and improving legal certainty. It would also help resolve the fragmented approach across EU Member States. However, the Joint Opinion recommends that improvements are made to the text of the CTR to enhance the clarity and foreseeability of the legal obligation.

The processing of health data requires not only a legal basis under Article 6 GDPR, but it must also fall within one of the Article 9 GDPR conditions that apply to the processing of special categories of personal data. The Joint Opinion welcomes the fact that a recital to the proposed Biotech Act refers to reliance on Article 9(2)(i) (i.e. ‘public interest reasons for public health’) and Article 9(2)(j) (i.e. ‘archiving purposes’).

Clarification of controller roles

The proposed Biotech Act expressly characterises sponsors and investigators as ‘controllers’ (within the meaning of Article 4(7) GDPR) for the “processing assessment leading to the authorisation of clinical trial applications and operations referred to in [Article 93 CTR]”. The Joint Opinion recommends that the controller roles are further specified so that it is clear whether they are acting as joint controllers or independent controllers as this impacts on GDPR compliance responsibilities and obligations. It is likely to also impact on clinical trial agreements as these typically record the respective data protection roles of the parties and reflect any joint controllership arrangements for the purposes of Article 26 GDPR.

The Joint Opinion also recommends that the proposed Biotech Act clarify that co-sponsors under Article 72 CTR should be regarded as joint controllers – it considers that this would provide greater legal certainty to co-sponsors and investigators, as well as to data subjects in exercising their rights.

Importantly, the Joint Opinion cautions against characterising ‘investigators’ as controllers as this would make them directly liable for compliance with the GDPR. This would be inappropriate given ‘investigators’ tend to be individuals such as physicians or other medical staff who are responsible for the conduct of the trial, but who are ultimately acting under the authority of the clinical trial site. 

Retention period

Under the proposed Biotech Act, personal data, including health and genetic data, would be subject to the 25-year retention period that applies to the clinical trial master file under the CTR. The Joint Opinion recommends that the proposed Biotech Act clarify that the 25-year retention period applies only to personal data contained in the clinical trial master file, and not all personal data processed in the context of a clinical trial.

Reuse of clinical trial data

Under the proposed Biotech Act, Article 93(6) CTR would provide that personal data collected in accordance with the CTR may be reused by the same controller for other clinical trials conducted under the CTR or for other scientific research aimed at protecting public health, improving standard of care and fostering the innovation of EU medical research. The Joint Opinion recommends that the recitals to the proposed Biotech Act state that this provision aims to provide a legal basis for the further processing of trial data by the same controller, pursuant to Article 6(1)(e) GDPR (i.e. ‘public interest’ legal basis) or Article 6(1)(c) GDPR (i.e. ‘compliance with a legal obligation’) where applicable.

As further processing involves special categories of personal data for which suitable and specific measures are required to safeguard data subjects, the Joint Opinion recommends that the safeguards for such further processing be defined more specifically, to include pseudonymisation, enhanced transparency for data subjects, governance structures and researcher confidentiality obligations.

Technical and organisational measures

The proposed Biotech Act provides that appropriate technical and organisational measures be applied to the processing of clinical trial data. In this regard, controllers (i.e. sponsors and investigators) are specifically required to obtain the informed consent of the subject in accordance with Article 29 CTR. The Joint Opinion acknowledges that informed consent is not primarily a data protection compliance measure, but rather a measure for protecting the human dignity and integrity of individuals. However, it nonetheless welcomes the inclusion of informed consent and notes that it could be viewed as a data protection safeguard.

In addition to the technical and organisational measures referenced in the proposed Article 93(8) CTR, the Joint Opinion recommends specifically requiring that pseudonymisation be used whenever it is not necessary to process directly identifiable personal data.

Electronic informed consent

The Joint Opinion welcomes the possibility of providing informed consent using electronic systems, methods and processes, including using the European Digital Identity Wallet (see our recent briefing: Ireland moves forward with Digital Wallets). However, it recommends clarifying that use of the European Digital Identity Wallet remains voluntary and other identification means should remain available. It also makes the point that the provision of informed consent must remain accessible to everyone, including those who do not use or cannot use electronic identification methods. 

Regulatory sandboxes for clinical trials

Under the proposed Biotech Act, the European Commission would establish and operate regulatory sandboxes for testing innovative approaches to clinical trials where CTR compliance is not possible or appropriate, thereby necessitating regulatory adaptations. Importantly, the Joint Opinion makes it clear that there are no ‘regulatory adaptations’ for GDPR compliance and notes that the GDPR remains fully applicable to any processing of personal data carried out in the context of a regulatory sandbox and recommends that this is clarified. A number of other specific recommendations are made in relation to regulatory sandboxes.

Use of AI in clinical trials

Under the proposed Biotech Act, Article 27e CTR would introduce obligations on sponsors intending to use AI models or AI systems in clinical trials, including for evaluating the benefits and risks to patient safety and data robustness. The Joint Opinion comments that it is unclear whether these obligations will apply in addition to those that apply under the EU AI Act, and recommends that Article 27e is clarified so that it is clear that they do. 

Comment

While the Joint Opinion is supportive of the proposed Biotech Act’s aim of fostering a more competitive and innovative EU environment for biotech and biomanufacturing, it seeks to balance regulatory simplification with ensuring that the protection of health data is not diminished and continues to be subject to the GDPR.