GDPR Representation

The European Data Protection Regulation (GDPR) has been applicable worldwide since May 25th, 2018. Its purpose is to harmonize data privacy laws across Europe and offer EU citizens the best data protection.

GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
Taking into consideration the domain of activity and the type of data processed, a Data Protection Officer (DPO) and an EU Representative are required, and GDPR is applicable to clinical trials performed on EU citizens.
For the pharmaceutical industry, personal data means data held on consumers, patient databases, employee data and other HR-related files within the business, medical records, screening forms, medical consent forms, and questionnaires filled in by patients in clinical trials.
In clinical trials, the sponsors, as Controllers, usually have access to “key-coded” data, while the key that unlocks the data is held by a third party, such as the CRO or another Vendor. Key-coded data is “pseudonymized,” meaning the data cannot be linked to an individual without some additional information. Recital 26 of the GDPR makes clear that pseudonymized data is considered personal data under the GDPR and needs to be protected accordingly.
Non-EU Controllers must comply with GDPR if they are monitoring the behavior of data subjects, as long as those data subjects are EU citizens.