The global impact of the General Data Protection Regulation: implications, challenges, and future outlook in oncology clinical research sponsors
Introduction
Data processing in oncology clinical trials involves large volumes of sensitive personal information (1). Throughout the lifecycle of an oncology clinical trial, whether a primary clinical study or a secondary data analysis, the objectives cannot be achieved without processing health data from individuals (2). Personal data such as medical history, treatment, biomarker and genetic information are collected, analysed, stored, shared, transferred and archived, and must ultimately be destroyed (or irreversibly anonymised) when the lawful retention period expires. These data are used to answer scientific questions about cancer. When the processing concerns individuals living in the European Union (EU), it is governed by the General Data Protection Regulation (GDPR) (3). However, not every data-driven project in oncology counts as research or a trial in the strict sense. Such processing also occurs as part of clinical practice audits, quality improvement exercises and wider service performance reviews aimed at monitoring or improving routine healthcare (4,5). Although these activities are also subject to the GDPR, they fall outside the scope of the Clinical Trials Regulation (CTR). In this article, we focus on interventional oncology studies involving investigational medicinal products (IMPs) and other CTR-governed clinical trials, where sponsors act as data controllers. Other data-driven activities, such as observational cohorts, registry analyses, secondary re-use of care data, and audit and service-performance projects, are noted briefly but not examined in depth.
Before the GDPR became applicable in May 2018, data protection in the EU was governed by the Data Protection Directive 95/46/EC (the Directive). While the Directive established fundamental principles for protecting personal data, data protection practices across EU member states remained different and fragmented (6). For an oncology clinical trial, this meant that legal sponsors were often confronted with a different regulatory landscape in each country where the study was conducted. The introduction of the GDPR addresses these shortcomings to some extent: the regulation was expected to provide a unified legal framework applying across all EU member states (6). However, early experience from multi-centre cancer consortia shows that implementation has been uneven, and divergent national interpretations can still delay cross-border data sharing (7).
The primary goal of the GDPR is to protect the rights and freedoms of data subjects (8). In the context of oncology studies, the data subjects are patients and/or study participants, and the professional contacts involved in the clinical trial. The GDPR introduces enhanced data subject rights, giving individuals more control over their personal data. It also imposes clear requirements for obtaining consent and introduces accountability mechanisms for data controllers, the parties that determine the purposes and means of the processing (9). In clinical studies, the controller's responsibilities mostly sit with the clinical study sponsor. These improvements come with additional obligations such as appointing a data protection officer (DPO), maintaining records of processing activities (ROPAs), performing data protection impact assessments (DPIAs) and implementing technical and organisational measures (TOMs). The strong emphasis on individual control over data has prompted debate about how best to balance personal privacy with the collective scientific benefit of oncology research (10).
The implications of the GDPR for oncology clinical trials should not be underestimated (6). Although the GDPR provides a data protection legal framework for clinical study sponsors, its principles and requirements, which seem straightforward for general business processes, are difficult to interpret in the context of a clinical trial (11). Moreover, clinical study sponsors must comply with both the GDPR and the CTR (Regulation (EU) No 536/2014) (12), which introduces additional complexity at the operational level (13,14). The lack of practical guidance specific to oncology clinical trials leaves sponsors to work out compliance practice on their own.
This narrative review will first discuss the interpretation and implications of the GDPR principles and requirements for clinical trials, then examine why GDPR compliance is so challenging for clinical study sponsors, and finally explore whether full privacy compliance is achievable and suggest pragmatic strategies for clinical study sponsors.
Key GDPR principles and their implications to oncology clinical trial
Article 5 of the GDPR sets out the fundamental data protection principles (8). However, their meaning and implications in the context of oncology clinical trials are not always clear to stakeholders.
Lawfulness, fairness and transparency
This principle [GDPR Article 5(1)(a)] requires that all data processing activities have a valid legal basis (lawfulness) and that data are handled without misleading or harming the individuals concerned (fairness) (8). Individuals must be informed, in clear and accessible language, about how their personal data are collected and processed (transparency).
In an oncology clinical trial, this means that clinical study sponsors must ensure that participants receive all the information required under Articles 13 and 14 of the GDPR (8). For clinical study sponsors, the practical route to transparency is the informed consent process: the details of data processing can be explained in the informed consent form (ICF) and made available to study participants (8,15). A common practice is to include a data protection appendix containing all the required information listed in Table 1.
Table 1
| Required information | Applicable GDPR articles (13, 14, or both) | Example in oncology clinical research |
|---|---|---|
| Identity and contact details of the controller | Both | The clinical study sponsor of the oncology trial must disclose its name, address, and contact details |
| Contact details of the DPO | Both | The clinical study sponsor must provide the contact information of its DPO. In practice, it is recommended to provide the contact information of the clinical site's DPO as well, regardless of whether the site qualifies as a controller or a processor |
| Purpose of processing | Both | The objectives of the study must be clearly explained in the ICF |
| Legal basis for processing | Both | The legal basis under the GDPR and national legislation must be stated in the ICF |
| Recipients or categories of recipients of the data | Both | All the identified data recipients (or at least the categories of the recipients), such as CRO, vendors, and regulatory bodies, must be listed in the ICF |
| Data retention period or criteria for determining it | Both | The clinical study sponsor should specify that personal data will be retained for at least 25 years after the end of the trial, as required by the EU CTR |
| Data subject rights | Both | The privacy rights and how to exercise the rights should be explained in the ICF, including the right to withdraw consent (where applicable), and the right to lodge a complaint with a supervisory authority. If some rights are limited, the reasoning should be provided |
| Source of data (if not collected from the data subject) | Article 14 | Clinical study sponsors should specify the data source, such as a biobank or public registry. This is often the case for secondary clinical research |
| Whether data will be transferred to a third country | Both | If the data will be transferred to a third country outside the EU, the clinical study sponsors must specify which country and what safeguards will be implemented for the data transfer |
| Existence of automated decision-making, including profiling | Both | Clinical study sponsors should clearly state whether automated decision-making or profiling will be used during the study |
CROs, contract research organisations; CTR, clinical trials regulation; DPO, data protection officer; EU, European Union; GDPR, General Data Protection Regulation; ICF, informed consent form.
The transparency principle also applies to clinical trial personnel and professional contacts, such as site staff, principal investigators, pharmacists, vendor and clinical study sponsor staff and other professionals involved in trial activities, since their data are also processed. For example, the professional competence of principal investigators must be verified by evaluating their resume, work experience and so on. To ensure transparency, the clinical study sponsor should provide these individuals with a privacy notice.
Purpose limitation
The purpose limitation principle [GDPR Article 5(1)(b)] means that personal data should be collected for specified, explicit and legitimate purposes (8). Further processing in a manner incompatible with those purposes is not allowed, unless the further processing is for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Oncology clinical studies usually collect data for a specific purpose, such as evaluating the efficacy of an immunotherapy drug or identifying new biomarkers for cancer diagnosis (16,17). Only the data essential to the study objectives should be collected. Very often, clinical trialists want to reuse the same dataset, or combine datasets from different clinical studies, to answer a new research question (18,19). For example, a meta-analysis by the European Organisation for Research and Treatment of Cancer (EORTC) combined data from 30 randomised controlled trials initiated by the EORTC between 1986 and 2004 and showed that baseline health-related quality of life (HRQOL) scores could help predict survival in patients with cancer (20). In such cases, it is important to evaluate whether the new use is compatible with the original purpose, and whether the participants could reasonably expect the new processing given the information originally provided to them. If not, participants must be informed of the new objectives and/or new processing, and in some cases new consent may be required.
To ensure purpose limitation, the clinical study sponsor should clearly define the study objectives in the protocol and ICF for their oncology clinical trial. When a new use of data emerges, the clinical study sponsor should conduct a compatibility assessment to determine whether the new use is consistent with the original purpose, and whether new information and re-consent is necessary.
Data minimization
The data minimisation principle [GDPR Article 5(1)(c)] requires that the data controller collects and processes only data that are adequate, relevant and limited to what is necessary for the purposes (8). Excessive data collection irrelevant to those purposes is not allowed.
In an oncology clinical trial, data minimisation directly affects study design and data collection strategy. A trial generally needs thorough health data, treatment information and sometimes genetic data to achieve its objectives. Consistent with the GDPR data minimisation principle, the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use Good Clinical Practice (ICH-GCP) guideline and core research ethics standards, clinical study sponsors must collect only the data strictly necessary for the study objectives. For instance, a study investigating the efficacy of a targeted therapy for breast cancer may collect genomic data to identify mutations in breast cancer-related genes such as BRCA1 and BRCA2; that processing is relevant to the purpose. However, it would breach the minimisation principle if the study also sequenced the entire genome or unrelated genes without a documented justification and explicit consent from the patients.
Importantly, some personal data such as race, ethnicity and date of birth, even when not health-related, can be considered sensitive and highly identifying, so their collection needs specific justification in a clinical trial. In France, collecting race or ethnicity data is generally restricted and may proceed only under narrowly defined exceptions, such as explicit consent from the data subject or a public interest authorisation issued by the Commission nationale de l'informatique et des libertés (CNIL), when it is strictly necessary for the study purpose (21). In general, the full date of birth is unnecessary for the scientific objectives of an oncology study in adult patients (year of birth or age at enrolment usually suffices), but it becomes relevant if the study recruits infants and children.
To adhere to this principle, clinical study sponsors should apply privacy by design from the study design stage. The study protocol must be scientifically reviewed to make sure that only necessary data will be collected, and the case report form (CRF) should exclude fields unrelated to the study objectives. Some clinical trialists have investigated technical approaches to data minimisation that structure data collection in proportion to the study goals. One such approach is the minimum dataset framework, which calls for more deliberate thinking about data collection in quantitative research to ensure data minimisation (22).
In oncology clinical trials, investigators sometimes wish to retain a narrowly defined "buffer set" of variables, or collect limited extra biospecimens, in order to answer not-yet-defined future research questions within the same tumour type (23,24). Where these parameters are widely acknowledged as scientifically valuable and their prospective use is explained in the protocol and the DPIA, such limited over-collection does not infringe the data minimisation principle; it is treated as processing for a compatible research purpose under Article 5(1)(b) GDPR. Notably, many EU member states require explicit consent for collecting these extra data or samples, to respect the purpose limitation principle in the primary processing. Any subsequent secondary study that uses the retained materials must also obtain ethics committee approval.
Accuracy
The accuracy principle [GDPR Article 5(1)(d)] requires the data controller to ensure that the data it processes are accurate and, where necessary, kept up to date (8). Inaccurate data should be erased or rectified without delay. In an oncology clinical trial, accuracy is not only a matter of privacy compliance but also essential to the scientific validity and integrity of the study (25).
There are many ways for clinical study sponsors to ensure data accuracy in an oncology clinical trial. At the organisational level, sponsors should develop clear policies and procedures and conduct regular monitoring. Training in data protection principles, practices and processes improves the awareness and vigilance of study staff and reduces human error, which matters for accurate data collection, documentation and reporting. On-site monitoring is also widely used to validate the consistency between source documents and CRFs, so that discrepancies are identified and corrected promptly. In addition, sponsors can implement technical controls such as automated edit checks in electronic data capture (EDC) systems; combined with manual review by data managers, this approach has proven effective in detecting and correcting errors.
In oncology clinical trials, data supporting primary, key secondary and safety endpoints must meet clinical-grade accuracy, because errors can compromise participant safety, regulatory decisions and scientific validity. A common view in statistics is that research datasets may in some cases tolerate a different accuracy threshold from data used to guide day-to-day treatment (26), and the distinction runs both ways. In retrospective secondary use, an epidemiological study might accept a small proportion of non-differential exposure misclassification that would be unacceptable for bedside dosing decisions. Conversely, prospective oncology trials often demand higher precision than routine care, such as centrally verified imaging assessed with the Response Evaluation Criteria in Solid Tumours (RECIST), double data entry, or genomic profiling performed under Good Clinical Laboratory Practice (GCLP). Yet the same trial may include exploratory biomarkers or quality-of-life scales for which a fit-for-purpose level of accuracy suffices for statistical power without the granularity of clinical diagnostics. Overall, key oncology variables such as tumour stage, histology, treatment dates and validated genomic markers are captured to clinical-grade standards and are source-verified under GCP. We therefore emphasise that clinical-grade accuracy remains the default benchmark for clinical trials, and any deviation from it should be justified explicitly.
Storage limitation
The storage limitation principle [GDPR Article 5(1)(e)] requires that personal data are not retained for longer than necessary to fulfil the purpose for which they were collected (8). Once the purpose has been fulfilled, the data must be deleted or anonymised unless there is a legal or regulatory obligation to retain them. This requirement creates complexity for oncology clinical research, as scientists often want to retain data and reuse them to answer new, as yet undefined scientific questions (11,27).
In oncology clinical trials, data retention periods are usually driven by scientific needs and regulatory requirements. In the EU, the CTR requires that the clinical trial master file be retained for at least 25 years after the end of the trial. In non-EU countries, clinical study sponsors should align retention periods with local regulations.
How can clinical trial sponsors comply with the storage limitation principle without compromising future research on existing datasets? Taking an EU trial as an example, when the initial retention period (25 years) is reached, the clinical study sponsor can first check the vital status of participants, since some will have died during the trial, the follow-up or the retention period. Data relating to deceased individuals are not personal data under the GDPR (Recital 27) and therefore fall outside its scope. However, several member states, such as France (21) and Italy (28), extend data subject rights to deceased individuals, so sponsors must check and comply with any such national provisions before deciding whether to delete, anonymise or retain those records. A further caveat is that genetic data of a deceased participant can still reveal information about living relatives, so such records are not automatically free of personal data. The sponsor may also assess whether the dataset retains scientific value for advancing cancer treatment or answering other scientific questions. Where value remains, Article 5(1)(e) and Article 89(1) GDPR permit prolonged storage for archiving in the public interest or for further scientific research (8). Use of the archived data requires that an ethics committee confirms the secondary value and that appropriate safeguards are applied. Typical safeguards include double coding with separate custodianship of the linkage key, or irreversible destruction of that key once data cleaning has been completed.
Physical samples and the digital data derived from them follow different clocks. Many oncology biospecimens lose analytic value over time (formalin-fixed blocks, slides and serum aliquots often degrade beyond 5–10 years, depending on storage conditions) (29), whereas derived molecular or imaging data may retain scientific utility far longer. After the primary analyses, sponsors commonly transfer residual material to an accredited biobank or central pathology laboratory under national rules, where the biospecimen retention period, quality metrics and destruction triggers are managed locally. The coded data linked to those samples remain personal data for as long as the re-identification key exists, and their retention must respect the storage limitation principle. Spain's Biomedical Research Law and biobank regulation provide one model: coded archiving in authorised biobanks with documented access, periodic review and ethics oversight (30-32). Sponsors should separate sample-level and data-level retention decisions in the protocol and ICF and specify what happens to the linkage key at each stage (e.g., double coding, destruction of samples or of the key when quality thresholds fail).
Integrity and confidentiality
The principles of integrity and confidentiality [GDPR Article 5(1)(f)] require that personal data are processed in a manner that ensures appropriate security (8), including protection against unauthorised access, alteration or loss. In an oncology clinical trial, a failure of this principle can lead to data breaches, loss of scientific integrity, and sometimes financial loss and reputational damage (33,34).
To protect data, clinical study sponsors must implement security measures at every stage: collection, processing, storage, archiving and sharing. Technical and organisational measures such as encryption, pseudonymisation, backups, access controls and regular risk assessments are now baseline expectations (35). Sponsors must also ensure that the other parties handling the data, such as clinical sites, contract research organisations (CROs) and analytical laboratories, are contractually bound to the same standards: a data processing agreement under Article 28 GDPR where the party acts as processor, and a joint-controller or data-sharing agreement with appropriate confidentiality requirements where a site acts as controller in its own right.
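The double coding and key-destruction safeguards mentioned under storage limitation, and the pseudonymisation measure listed above, can be made concrete in code. The following Python sketch is an added illustration, not code from this article or from any sponsor, biobank or trusted-third-party system it cites. The three roles (site, key custodian, sponsor), the site-code format, the use of HMAC-SHA256 truncated to 64 bits for the second code, and the constructed participant names are all assumptions of the example.

```python
"""Double coding of trial records with a separate key custodian.

Constructed example: the roles, code formats and the HMAC-based second coding
are illustrative assumptions, not a scheme prescribed by the GDPR or the CTR.
  * Site      : holds identity -> site code (first code) in its enrolment log.
  * Custodian : holds only the secret linkage key used to derive the second code.
  * Sponsor   : receives records keyed by the study pseudonym and nothing else.
Re-identification needs both the custodian's key and the site's log; deleting
the key is the "irreversible destruction of the linkage key" step.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional


class Site:
    """Trial site: the only party that holds the participant's identity."""

    def __init__(self, site_id: str) -> None:
        self.site_id = site_id
        self._log: Dict[str, str] = {}  # site code -> identity (never leaves the site)

    def enrol(self, identity: str) -> str:
        """First coding: issue a sequential site code for a new participant."""
        code = f"{self.site_id}-{len(self._log) + 1:04d}"
        self._log[code] = identity
        return code

    def codes(self) -> List[str]:
        return list(self._log)

    def resolve(self, code: str) -> Optional[str]:
        return self._log.get(code)


class KeyCustodian:
    """Second coding: keyed pseudonymisation. Holds a key, not a lookup table."""

    def __init__(self) -> None:
        self._key: Optional[bytes] = secrets.token_bytes(32)

    def pseudonym(self, site_code: str) -> str:
        """Study pseudonym = HMAC-SHA256(key, site code), truncated to 64 bits."""
        if self._key is None:
            raise RuntimeError("linkage key destroyed: records can no longer be linked")
        return hmac.new(self._key, site_code.encode(), hashlib.sha256).hexdigest()[:16]

    def reverse(self, pseudonym: str, candidate_codes: Iterable[str]) -> Optional[str]:
        """Re-identification step 1: recompute the pseudonym over known site codes."""
        if self._key is None:
            return None
        for code in candidate_codes:
            if hmac.compare_digest(self.pseudonym(code), pseudonym):
                return code
        return None

    def destroy_key(self) -> None:
        """Storage-limitation step: afterwards the sponsor's data is unlinkable."""
        self._key = None


def reidentify(custodian: KeyCustodian, site: Site, pseudonym: str) -> Optional[str]:
    """Full re-identification needs the custodian AND the site to cooperate."""
    code = custodian.reverse(pseudonym, site.codes())
    return site.resolve(code) if code else None


def unkeyed_digest(site_code: str) -> str:
    """What a naive 'hash the ID' pseudonym would look like (for comparison only)."""
    return hashlib.sha256(site_code.encode()).hexdigest()


def brute_force_unkeyed(digest: str, site_id: str, max_n: int = 10_000) -> Optional[str]:
    """Why the second code must be keyed: an unkeyed hash over a small, predictable
    code space is reversible by simply enumerating every possible site code."""
    for n in range(1, max_n + 1):
        code = f"{site_id}-{n:04d}"
        if unkeyed_digest(code) == digest:
            return code
    return None


if __name__ == "__main__":
    site = Site("SITE01")
    custodian = KeyCustodian()
    code = site.enrol("constructed participant A")
    pseud = custodian.pseudonym(code)
    print("sponsor sees          :", pseud)
    print("linked back           :", reidentify(custodian, site, pseud))
    custodian.destroy_key()
    print("after key destruction :", reidentify(custodian, site, pseud))
    print("unkeyed hash reversed :", brute_force_unkeyed(unkeyed_digest(code), "SITE01"))
```

Two design points matter here. The custodian keeps a key rather than a code-to-pseudonym table, so there is one artefact whose destruction severs the link for every record at once, which is the step the storage limitation discussion relies on. And the second code is keyed: the `brute_force_unkeyed` helper shows that a plain SHA-256 over sequential site codes is recovered in milliseconds, so an unkeyed hash would not count as pseudonymisation in any meaningful sense.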
Human error is one of the most common causes of confidentiality breaches (36,37). Mistakes such as mishandling data, accidental deletion, or sending files to unauthorised recipients can all result in a data breach. To reduce this risk, clinical study sponsors should run comprehensive data protection training programmes for all personnel involved in processing sensitive data.
Accountability
The accountability principle [GDPR Article 5(2)] provides that the data controller is responsible for GDPR compliance of its processing activities and must be able to demonstrate that compliance (8). This underlines the importance of documenting every element of compliance, such as the ROPA, consent management, contract management and risk assessment.
Demonstrating compliance starts with documentation (38). The documents most commonly requested by data protection authorities (DPAs) are the ROPA, DPIAs and the data breach log, and clinical study sponsors need clear processes to manage and maintain them. Oversight mechanisms are also vital, such as appointing a DPO and conducting DPIAs. In addition, sponsors must establish clear contracts with third-party collaborators, such as CROs, that define each party's roles and responsibilities in light of the GDPR, among other obligations.
Other key GDPR requirements and their implications for oncology clinical trials
Navigating all the requirements of Article 5 of the GDPR is already a challenge for many oncology clinical researchers and clinical study sponsors, but the influence of the GDPR does not stop there. Several other requirements of the regulation are also relevant to oncology clinical trials.
DPO
A DPO informs and advises the controller or processor on their data protection obligations, monitors compliance, advises on performing DPIAs, and cooperates and acts as a point of contact with the supervisory authority (39). It is important to understand that the DPO is not responsible for the organisation's compliance; the organisation itself, as controller, remains responsible, acting through its senior management.
The DPO must be independent and free of conflicts of interest, should report directly to the highest management level, and must be given adequate resources and support by the controller or processor to perform his or her duties effectively.
Although the appointment of a DPO is not required for all data processing activities, in the context of oncology clinical trials it is in practice mandatory. As seen in Table 2, by their nature oncology clinical trials meet almost all of the criteria for appointing a DPO. Health data are a special category of data under Article 9 of the GDPR (8), and monitoring participants' health, the core of an oncology study, is a form of regular and systematic monitoring, because it involves observing and evaluating the physical and physiological condition of participants over time.
Table 2
| Criteria and ref article under the GDPR | Applicable for oncology clinical research (yes/no) |
|---|---|
| The core activities of the controller or processor involve regular and systematic monitoring of data subjects on a large scale [Article 37(1)(b)]† | Yes |
| The core activities of the controller or processor involve large-scale processing of special categories of data [Article 37(1)(c)] | Yes |
| The organization is a public authority or body [Article 37(1)(a)] | Yes, if the clinical study sponsor is a public body such as a public health organisation or a government-funded institution; No, if the clinical study sponsor is a private company |
†, Article 37 of the GDPR sets out the conditions under which a DPO must be designated. These requirements are listed in the table above. DPO, data protection officer; GDPR, General Data Protection Regulation.
Oncology clinical trial sponsors often find it difficult to appoint a qualified DPO. First, it is not easy to find a DPO with the required combination of skills: in-depth knowledge of the GDPR and other data protection laws, familiarity with the clinical trial landscape, and technical expertise in managing sensitive health data. Second, a DPO must also have excellent communication skills, since she or he will be speaking with stakeholders of very different backgrounds (40), such as physicians, data managers and clinical research associates, who may not have a comprehensive understanding of the legal terms used in the GDPR. This gap has to be filled by the DPO through proper training, good communication and close collaboration. For non-EU clinical study sponsors unfamiliar with the GDPR, the challenge is greater still.
DPIA
Article 35 of the GDPR requires the data controller to carry out a DPIA whenever the processing is likely to result in a high risk to individuals' rights and freedoms (8). The Guidelines on DPIA and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679 provide detailed criteria for assessing when a DPIA is required (41). As shown in Table 3, in the context of an oncology clinical trial at least four of the criteria are met, which makes a DPIA mandatory.
Table 3
| DPIA criteria from the guidelines | Applicable to oncology clinical research (yes/no) |
|---|---|
| Systematic and extensive evaluation of personal aspects based on automated processing, including profiling | Yes, if the research profiles treatment outcomes using machine learning or predictive models built on patient data; No, in a typical clinical study set-up |
| Processing on a large scale of special categories of data | Yes |
| Systematic monitoring of individuals | Yes |
| Data processing involving vulnerable data subjects | Yes. Cancer patients, especially pediatric, elderly, or terminally ill participants, are considered vulnerable groups |
| Innovative use or application of new technological or organizational solutions, such as AI or machine learning | Yes—if AI or machine learning is used in data analysis or diagnosis |
| Data transfer to countries outside the EU without adequate data protection measures | Yes, when study data are transferred to China, to the US (outside the EU-US Data Privacy Framework) or to other countries without an adequacy decision; No, if study data are stored only in the EU or transferred only to countries covered by an adequacy decision |
| Processing that prevents data subjects from exercising their rights | Yes. To protect the integrity of study data, the right to deletion is not applicable. And other rights, such as the right to access and right to data portability, may be limited |
AI, artificial intelligence; DPIAs, data protection impact assessments; EU, European Union.
For a cancer clinical trial, a DPIA should evaluate the risks of processing large amounts of sensitive health data. It should contain a systematic description of the processing operations, such as data collection at the clinical site, entry into the electronic data capture system, filing in the electronic trial master file, transfer to analytical laboratories and so on. It should also state the purpose of the processing, which is usually well covered by the study objectives. The DPIA must describe how the sponsor ensures that the processing is necessary and proportionate to the study objectives, and evaluate the risks to the rights and freedoms of data subjects, such as re-identification, data breaches and unauthorised access. Finally, it should detail the measures that mitigate those risks, such as pseudonymisation, encryption, and access controls for clinical research personnel.
Despite its importance, performing a DPIA is never easy for clinical study sponsors. Mapping the data flows and identifying risks across multi-site and multi-regional studies can be extremely complex, and cross-border data transfer adds further burden because specific safeguards must be implemented for each transfer. As the DPIA process is resource-intensive, smaller sponsors may lack the internal expertise or funding to allocate to it, while larger organisations must balance the effort and secure collaboration from different teams and stakeholders.
At present, DPIA reports are not yet examined systematically by most ethics committees. This leaves a potential oversight gap. Any DPIA that identifies residual risks should be accompanied by a concise statement demonstrating that the anticipated scientific and public health benefits clearly outweigh those risks. Such a justification ought to be made available to the ethics committee, in line with GDPR Recital 75, Article 35 and the principles set out in the Declaration of Helsinki. This calls for closer data protection authority and ethics committee collaboration (42).
Data transfer
Chapter V of the GDPR sets out the conditions under which personal data can be transferred to countries outside the European Economic Area (EEA) in order to ensure that the level of protection guaranteed by the GDPR is not undermined.
A common misunderstanding is that only the physical transmission of data counts as a transfer. However, according to the European Data Protection Board (EDPB) Guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (43), a transfer occurs when personal data are disclosed or made accessible to a controller or processor in a third country, regardless of whether the data are physically moved (44). This means that remote access to personal data by an entity outside the EEA, such as viewing or consulting data stored on an EU server from a third country, is also a transfer and must comply with the Chapter V requirements.
In an oncology clinical trial, transfers may occur at every stage. During site selection, the professional data of principal investigators, doctors and nurses may be shared with the CRO or the sponsor. Throughout the trial, clinical data, imaging and biospecimens may be sent to laboratories or the CRO for analysis, and study results are shared with the sponsor, its delegates and collaborators. After trial completion, data may be passed to the sponsor's own or external statisticians for analysis and submitted to regulatory authorities for review, and eventually the study data are archived physically or in the cloud. If the sponsor is located outside the EEA, compliance becomes more complex: the sponsor needs transfer clauses in every contract that concerns EEA data and must perform Transfer Impact Assessments (TIAs) to evaluate the effect of third-country laws on the protection of the data (45). In some cases, clinical sites will ask the sponsor for its TIAs or other documentation demonstrating GDPR compliance before entering into a clinical trial agreement.
Recently, there has been a trend in the EU to implement data localization requirements, meaning that storing data locally is encouraged unless no other technical solution is available (46). Some member states require that health data be stored within the EEA, or in countries recognized by the European Commission as providing adequate protection. For example, according to the French Public Health Code (Article L.1111-8), a data controller processing personal health data must use a service provider that holds the health data hosting [Hébergeurs de Données de Santé (HDS)] certification (47). This certification mandates that health data be stored within the EEA. This requirement is emphasized in the guidelines from the French Health Data Hub (HDH). Similarly, in Germany, recent updates to the Social Code Book V require that certain health data processed as part of public healthcare services must remain on servers physically located in Germany or within the EU (48). Although the full implementation of these national requirements is still evolving, clinical study sponsors must stay vigilant, as this trend will likely introduce additional technical constraints for data transfer in clinical trials. They must plan for the technical constraints introduced by data localization, especially when multi-site oncology studies need to pool rare genomic or molecular-marker data.
A practical compromise, which is echoed in the forthcoming European Health Data Space (EHDS), is to keep raw, identifiable records on national servers while running federated analytics, also called a data-visiting approach, across sites (49,50). Under the EHDS Regulation each Member-State Health Data Access Body will retain custody of patient-level datasets, and authorised researchers will run algorithms inside HealthData@EU secure-processing environments from which only anonymised or strictly pseudonymised outputs can leave the country (51). Pilot projects such as the Global Alliance for Genomics and Health (GA4GH) Federated Analysis System Project and the ELIXIR Beacon network for rare variant queries have shown that multi-state pooling of genomic or radiomics data is feasible without breaching localization rules (52,53). Despite these demonstrations, large-scale federated learning still faces important limitations for oncology trials. First, maintaining data quality parity across dozens of local nodes is difficult. Divergent curation pipelines or missing-value rules can silently degrade model performance. Second, because no single controller sees the full dataset, it is hard to run global plausibility checks, outlier reviews or de-duplication. Third, the absence of harmonised technical and governance standards means every new consortium must renegotiate security controls, audit rights and liability allocation, which raises cost and complexity.
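The data-visiting pattern described above, and its two quality limitations, can be made concrete with a minimal federated computation. The following Python sketch is an added illustration, not code from the article or from any of the projects it names (EHDS, GA4GH, ELIXIR Beacon): each site reduces its own patient-level records to sufficient statistics inside its boundary, suppresses small cells, and releases only those statistics; the coordinator pools them into a global mean and standard deviation. The site records, the biomarker field name and the `MIN_CELL_SIZE` threshold are constructed assumptions.

```python
"""Federated analytics sketch: patient-level records stay on each national
node; only summary statistics leave it, and the coordinator combines them.
Added illustration, not from the article or any of the projects it names.
Sample records and the MIN_CELL_SIZE threshold are constructed assumptions.
"""
from dataclasses import dataclass
from math import sqrt
from typing import Iterable, Optional

MIN_CELL_SIZE = 5  # assumed small-cell suppression threshold for released outputs


@dataclass(frozen=True)
class LocalSummary:
    """The only object allowed to leave a site: sufficient statistics, no records."""
    site: str
    n: int
    total: float
    total_sq: float


def local_summary(site: str, records: Iterable[dict], field: str) -> Optional[LocalSummary]:
    """Runs inside the site's secure processing environment.

    Missing values are dropped here by a local curation rule; the coordinator
    never learns how many were dropped or why (the data-quality parity problem).
    Cells smaller than MIN_CELL_SIZE are suppressed rather than released.
    """
    values = [r[field] for r in records if r.get(field) is not None]
    if len(values) < MIN_CELL_SIZE:
        return None
    return LocalSummary(site, len(values), float(sum(values)),
                        float(sum(v * v for v in values)))


def combine(summaries: Iterable[Optional[LocalSummary]]) -> Optional[dict]:
    """Runs at the coordinating node on summaries only.

    Because no raw record is visible, the coordinator cannot de-duplicate a
    participant enrolled at two sites or review individual outliers; it can only
    pool the sufficient statistics it received.
    """
    released = [s for s in summaries if s is not None]
    n = sum(s.n for s in released)
    if n == 0:
        return None
    mean = sum(s.total for s in released) / n
    variance = sum(s.total_sq for s in released) / n - mean * mean
    return {"n": n, "mean": mean, "sd": sqrt(max(variance, 0.0)),
            "sites": [s.site for s in released]}


# Constructed per-site records; the field stands for any numeric biomarker.
SITE_RECORDS = {
    "site_fr": [{"tmb": 4.0}, {"tmb": 6.0}, {"tmb": 8.0}, {"tmb": 10.0}, {"tmb": 12.0}],
    "site_de": [{"tmb": 5.0}, {"tmb": 7.0}, {"tmb": 9.0}, {"tmb": 11.0}, {"tmb": 13.0},
                {"tmb": None}],                       # one missing value dropped locally
    "site_es": [{"tmb": 3.0}, {"tmb": 4.0}, {"tmb": 5.0}],   # below MIN_CELL_SIZE: suppressed
}


def run_federated(field: str = "tmb") -> Optional[dict]:
    """One federated round: each site summarises locally, the coordinator pools."""
    return combine(local_summary(site, recs, field) for site, recs in SITE_RECORDS.items())


if __name__ == "__main__":
    print(run_federated())
```

The third site contributes nothing because its cell is too small, and the coordinator only learns that two summaries arrived; it has no way of knowing that one site dropped a record, which is exactly the quality-parity gap the text describes.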
Conversely, several pan-European programmes show that a single, high-security repository can satisfy localisation and quality demands. SPECTA, the pan-European “Screening Platform for Efficient Clinical-Trials Access” coordinated by the European Organisation for Research and Treatment of Cancer (EORTC), registers patients outside therapeutic trials, banks annotated tumour tissue and blood, performs broad molecular profiling and returns molecular reports to investigators. By the end of 2024 it had recruited more than 4,500 patients from 129 institutions in 20 countries and issued over 2,180 result reports across cohorts such as SPECTAcolor and SPECTA Arcagen (54,55). Building directly on SPECTA’s consent framework and logistics, the Innovative Medicines Initiative project IMMUcan (grant No. 821558) extends the model to immuno-oncology, compiling multi-omics and immunophenotyping data from roughly 2,700 patients across five tumour types, the majority recruited via SPECTA (56,57). Comparable single-site, controlled-access repositories are also used by Cancer Core Europe’s Virtual Data Centre, which harmonises real-world oncology datasets across seven comprehensive cancer centres (58). Collectively, these experiences show that, until EHDS-level interoperability is fully operational, a well-governed central EEA repository remains the most practical route for oncology trial data sharing.
Why is GDPR compliance so complex and challenging for oncology clinical study sponsors?
Confusion over the legal basis
One of the key requirements of GDPR compliance is determining the appropriate legal basis for processing personal data, as defined under Article 6 of the GDPR (8). Because oncology clinical trial sponsors process health data, a special category of data, they also need an exemption under Article 9 of the GDPR. One of the legal bases in Article 6 is consent. In the context of clinical trials, however, this becomes confusing because clinical trials also require ethical consent for participation. Ethical consent ensures that participants agree to take part in the study, while the legal basis for processing their personal data must be justified separately under the GDPR (59). Although these two types of consent are distinct, in practice they are often confused or misunderstood.
Contrary to common belief, consent is not the recommended legal basis for data processing in clinical trials under the GDPR. The EDPB encourages clinical study sponsors to rely on legal bases such as legitimate interest [Article 6 (1)(f)] and exemptions in Article 9, such as scientific research [Article 9 (2)(j)] or public interest in public health [Article 9 (2)(i)] (60). The reasoning is that consent under the GDPR must be “freely given, specific, informed, and revocable at any time”, and in an oncology clinical trial there is an imbalance of power between the patients and the clinical study sponsor, as patients may feel pressured to participate because of their medical condition. If clinical study sponsors choose consent as the legal basis, they must be prepared to demonstrate that the consent is valid, which is not needed if they rely on legitimate interest. However, legitimate interest comes with additional requirements as well: clinical study sponsors must conduct a balancing test showing that their interest in processing the data outweighs the rights and freedoms of the data subjects (61). As shown in Table 4, combining legal bases from Article 6 with exemptions from Article 9 gives clinical study sponsors several possible approaches to processing sensitive health data in trials. Each approach comes with advantages and disadvantages.
Table 4

| Legal basis (Article 6) | Exemption (Article 9) | Pros | Cons | EDPB recommendation |
|---|---|---|---|---|
| Consent | Explicit consent | Aligns with participant autonomy; specific to the purpose and more transparent for the subjects | Obtaining valid consent may be challenging due to power imbalances (e.g., between clinical study sponsors and patients); requires granular consent for each data type/processing activity; operational complexity in the case of consent withdrawal | Not recommended |
| Legitimate interest | Scientific research purpose | Avoids the fragility of consent; reduces the need for re-consenting for secondary use | Requires a balancing test proving that research interests override data subject rights | Recommended |
| Legitimate interest | Public interest in public health | Well-suited for large-scale, impactful research; reduces the need for re-consenting for secondary use | Requires a balancing test proving that research interests override data subject rights; justification required to meet “public interest” criteria | Recommended |
GDPR, General Data Protection Regulation; EDPB, European Data Protection Board.
While the EDPB strongly advises against using consent as a legal basis, clinical study sponsors may have no choice in some jurisdictions. National requirements, such as those in Germany and Italy, often oblige clinical study sponsors to obtain consent for health data processing (62,63). This divergence creates significant operational challenges for multi-site trials, as clinical study sponsors must adapt their legal basis in different member states. Additionally, opinions from local ECs may also vary, which sometimes delays the project because the clinical study sponsor must take time either to modify the protocol and ICF or to justify its position.
The interplay between the GDPR and CTR
Oncology clinical trials in the EU are subject to both the GDPR and the CTR. While both regulations aim to protect individuals’ rights and ensure high standards of data integrity, they have overlapping and sometimes seemingly conflicting requirements, which creates complexity for clinical study sponsors in practice (13).
As previously discussed, the CTR mandates informed consent for trial participation, and the GDPR requires an independent legal basis for data processing, such as compliance with a legal obligation, scientific research exemptions, or legitimate interest. Many clinical study sponsors and patients confuse the ethical consent required under the CTR with GDPR consent for data processing. If consent is chosen as the legal basis despite the EDPB’s recommendations, clinical study sponsors must ensure that the consent to data processing is explicit and clearly distinguished from the ethical consent.
Another challenge is that the CTR requires that clinical study sponsors remain blinded to the identity of trial participants to avoid bias. However, GDPR grants participants specific rights, such as access, rectification, and erasure of their data. To exercise these rights, the data subjects’ identity must be verified. Because the re-identification key is held exclusively at each investigational centre and the sponsor only receives pseudonymized data, any GDPR request must be verified and executed with the support of the clinical sites. This site-mediated workflow preserves the blind but adds operational complexity. If procedures are unclear or records mismatched, a data‑subject request could inadvertently unblind the study or trigger a data breach.
Managing a participant’s withdrawal of consent also highlights the practical complexity of granting data subject rights in an oncology clinical trial. When the sponsor relies on legitimate interest with the scientific research exemption [Article 6 (1)(f) and Article 9 (2)(j)] for the clinical trial, a withdrawal of ethical consent halts further data collection, but the sponsor may continue to process the coded data already held, provided that appropriate safeguards remain in place and the subject’s rights are not overridden. By contrast, if the processing in the clinical trial is based on GDPR consent and explicit consent [Article 6 (1)(a) and Article 9 (2)(a)], withdrawal obliges the sponsor to stop further processing of that subject’s data for the trial’s purposes. Data processing prior to withdrawal remains lawful, but further processing for the trial purpose requires a valid alternative legal basis. Lawful retention of already collected data may still be justified by legal obligations, such as maintaining the trial master file or ensuring safety reporting (43). An extreme situation arises when a participant wishes to remain in the trial yet refuses ongoing data processing. In practice, several member states, especially those that mandate consent as the legal basis for clinical trials, state in their national patient information sheets and ICFs that participation in the clinical trial is not possible without consent to data processing. This raises doubts as to whether such consent can ever be regarded as “freely given” under Article 7 GDPR, given the participant’s dependence on access to therapy available only through the trial. These uncertainties explain why the EDPB encourages sponsors to rely on a public interest research basis wherever national legislation permits, thereby avoiding the operational impasse that a partial withdrawal of consent can create (64).
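The site-mediated workflow for data subject rights described in the two paragraphs above, and the different effect of a withdrawal under the two legal-basis combinations, can be modelled in a few dozen lines. The Python below is an added illustration, not the article’s or any sponsor’s actual system: the investigational site is the only party holding the identity-to-code key, the sponsor holds only coded records, and an access or withdrawal request is verified and routed by the site so the sponsor never receives a participant identity. The participant identifier, visit contents, code format and the two legal-basis labels are constructed.

```python
"""Site-mediated data-subject requests in a pseudonymised trial.

Added illustration, not the article's own code: the site keeps the
re-identification key, the sponsor holds only coded records, and a request
(access, withdrawal) is verified and routed by the site. All identifiers,
record contents and the two legal-basis labels are constructed.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

CONSENT = "consent"                          # Article 6(1)(a) + Article 9(2)(a)
LEGITIMATE_INTEREST = "legitimate_interest"  # Article 6(1)(f) + Article 9(2)(j)


@dataclass
class Sponsor:
    """Holds coded trial data only; never receives a participant identity."""
    records: Dict[str, dict] = field(default_factory=dict)   # subject code -> coded data
    collection_stopped: Set[str] = field(default_factory=set)  # ethical consent withdrawn
    processing_stopped: Set[str] = field(default_factory=set)  # GDPR consent withdrawn

    def collect(self, code: str, visit: dict) -> bool:
        """New data collection; refused once ethical consent is withdrawn."""
        if code in self.collection_stopped:
            return False
        self.records.setdefault(code, {}).update(visit)
        return True

    def include_in_analysis(self, code: str) -> bool:
        """Further processing, for the trial purpose, of coded data already held."""
        return code in self.records and code not in self.processing_stopped

    def export_coded_record(self, code: str) -> dict:
        """Access request: the coded record goes back to the site, which re-identifies."""
        return dict(self.records.get(code, {}))

    def withdraw(self, code: str, legal_basis: str) -> None:
        """Withdrawal always stops new collection. Under a consent legal basis it also
        stops further processing for the trial purpose. The coded record is retained
        rather than erased (trial master file, safety reporting)."""
        self.collection_stopped.add(code)
        if legal_basis == CONSENT:
            self.processing_stopped.add(code)


@dataclass
class Site:
    """Investigational site: the only party holding identity -> subject code."""
    key: Dict[str, str] = field(default_factory=dict)

    def enrol(self, identity: str) -> str:
        code = "SUBJ-" + secrets.token_hex(4)   # random code, not derived from identity
        self.key[identity] = code
        return code

    def _verify(self, identity: str) -> Optional[str]:
        # Stands in for the site's usual identity checks before acting on a request.
        return self.key.get(identity)

    def access_request(self, identity: str, sponsor: Sponsor) -> Optional[dict]:
        code = self._verify(identity)
        return None if code is None else sponsor.export_coded_record(code)

    def withdrawal_request(self, identity: str, sponsor: Sponsor, legal_basis: str) -> bool:
        code = self._verify(identity)
        if code is None:
            return False
        sponsor.withdraw(code, legal_basis)
        return True


def simulate(legal_basis: str) -> dict:
    """Enrol one constructed participant, record a visit, withdraw, then report
    what the sponsor may still do. Returned for assertion rather than printed."""
    site, sponsor = Site(), Sponsor()
    code = site.enrol("patient-001")
    sponsor.collect(code, {"visit": 1, "ecog": 1})
    before = site.access_request("patient-001", sponsor)
    site.withdrawal_request("patient-001", sponsor, legal_basis)
    return {
        "access_before_withdrawal": before,
        "unknown_identity": site.access_request("patient-999", sponsor),
        "collection_after": sponsor.collect(code, {"visit": 2}),
        "analysis_after": sponsor.include_in_analysis(code),
        "retained": code in sponsor.records,
        "sponsor_holds_identity": "patient-001" in str(sponsor.records),
    }


if __name__ == "__main__":
    for basis in (CONSENT, LEGITIMATE_INTEREST):
        print(basis, simulate(basis))
```

Under both bases the second visit is refused after withdrawal and the coded record stays on file; only under the consent basis is the record also excluded from further analysis. An unverified identity returns nothing, which is the step that keeps a malformed request from unblinding the study.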
A related complexity concerns tumour tissue, blood and other samples banked during the trial for assays that are not yet fully defined. Collection of tumour tissue, blood or other specimens for the current protocol is covered by the trial’s ethical consent. Where material is to be stored beyond protocol-specified analyses (biobanking), most EU member states require explicit consent to that storage in the patient information sheet/ICF. This is an ethical requirement distinct from the GDPR legal basis used for processing the trial data. Any future research use of the stored specimens (and the data generated from them) must receive ethics committee approval for the new study and must establish its own GDPR legal basis for data processing. The original broad “biobank” consent rarely satisfies the detailed information obligations of a later protocol and cannot replace the study-specific participant information sheet that ethics review demands. Because sponsors must track which participants authorized storage, which authorized future contact, and which authorized secondary analyses, managing these granular consent layers across multi‑country oncology trials is operationally complex. Secondary use consent and related information duties remain among the most challenging areas of GDPR/CTR implementation.
Clinical study sponsors lack pragmatic guidance for addressing these practical challenges. The EDPB Opinion 3/2019 concerning the Questions and Answers on the interplay between the CTR and the GDPR [Article 70 (1)(b)], and the Questions and Answers document itself, provide useful clarifications on various compliance challenges. However, they do not fully resolve the practical difficulties that clinical study sponsors face in balancing GDPR and CTR requirements.
Lack of expert and practical guidance
Even though the GDPR was created with the hope of harmonizing data protection across the EU, its implementation still presents fragmentation, such as inconsistent regulatory guidance from different member states (62,65). Clinical researchers are also worried that the trend toward data localization may further increase the operational complexity and administrative burden of oncology clinical trials.
The GDPR’s principles are designed to apply broadly across industries but lack specificity for clinical trials. Principles such as transparency, lawfulness, and minimization must be balanced with the ethical considerations of oncology clinical trials (65). Clinical study sponsors are left to reconcile these competing requirements without clear guidance. As mentioned in the previous section, the EDPB has published the Opinion on the interplay between the CTR and the GDPR, and the European Data Protection Supervisor issued a Preliminary Opinion on data protection and scientific research (66). However, these opinions are high-level, and the practical and operational aspects remain unclear for clinical study sponsors.
Finally, GDPR compliance in clinical trials requires expertise that spans legal, technical, and clinical trial domains. Many smaller clinical study sponsors lack the internal resources to hire privacy specialists or designate a dedicated DPO. Even larger organizations often struggle to allocate sufficient resources to privacy teams. This gap in expertise makes clinical study sponsors rely on external consultants, which adds to the cost of the projects.
National divergence and local governance variation
Although the GDPR is directly applicable across the EU, it leaves room for member state rules in areas central to oncology research and the protection of the deceased. Sector-specific laws (e.g., public health codes, biobank statutes, social insurance rules) layer additional requirements on top of the CTR (67,68). The result for multi‑country oncology sponsors is a mosaic: different mandatory consent clauses, divergent retention periods, localization mandates, and variable expectations about re‑use of samples and data.
Governance practices also vary within member states. We have observed that ethics committee requests for information on data privacy language have risen markedly in recent years, and the depth of review has increased in several member states. This greater engagement can improve participant protection, yet its implementation is uneven: some ethics committees now scrutinize legal basis rationales, retention language and secondary use provisions in detail, while others provide minimal comment. In a number of jurisdictions, ethics committees have rejected the inclusion of even an ethics-level broad-consent statement for undefined future research, despite sponsors clarifying that such text does not constitute a GDPR legal basis and that any later study would return for ethics committee review. When applied rigidly, this stance can close off secondary use of high-value oncology datasets and samples. Relatedly, to fulfil transparency and information obligations, sponsors often include a data protection appendix to the patient information sheet and informed consent package. Some ethics committees in certain member states have recently challenged this practice, suggesting that a simple statement that the sponsor will “adhere to the GDPR” is sufficient and that detailed privacy information need not appear in the consent form. We respectfully disagree. In oncology trials, participation necessarily entails extensive data processing. Participants should receive clear, accessible information about what data will be collected, how it will be used, how long it will be kept, and who may access it before enrolment. Omitting this detail risks under-informing participants and undermining the adequacy of ethical consent. Current EU guidance distinguishes roles. The data controller determines the GDPR legal basis and safeguards, which are then subject to data protection law and supervisory authority oversight. Ethics committee review focuses on participant information and ethical acceptability but inevitably interfaces with privacy choices. Sponsors, therefore, need practical strategies to navigate divergent expectations while preserving scientific value.
Fragmentation also appears within member states. Taking Spain as an example, its decentralised health system means that autonomous community health services and individual hospitals frequently use site-specific patient information and informed consent templates and data protection clauses that they consider non-negotiable. Many sites insist on being treated as independent data controllers for participant-level (directly identifiable) data generated in care and for trial-related activities conducted on their premises, while recognising the sponsor as controller only of the coded central trial database. This position echoes the national Farmaindustria GDPR Code of Conduct for Clinical Research (69). However, EDPB guidance on the processing of personal data through clinical trials indicates that, for data entered into the sponsor-defined electronic case report form (eCRF) and trial database under the sponsor’s documented instructions, the site in practice acts in a processor role (or at least shares controllership for distinct processing operations) (70). The tension became visible in Spanish Data Protection Agency [Agencia Española de Protección de Datos (AEPD)] Resolution PS/00106/2024, which reviewed a research collaboration (71). Although the resolution acknowledged the hospitals’ own clinical care controllership, it held that their trial data handling also triggered GDPR Article 28 processor agreement requirements vis-à-vis the sponsor (8). That reading departs from the Code of Conduct baseline and has unsettled stakeholders. For sponsors, reconciling site-asserted independent controllership, fixed local patient information and informed consent privacy language, and supervisory expectations for processor clauses generates repeated document cycles and delays.
In practice, sponsors are often uncertain which allocation will be accepted as compliant: the site’s local policy, the national Code of Conduct model, or the supervisory authority’s interpretation in a particular case. Divergent views among site and regional DPOs compound the difficulty. Some align with the multi-controller approach of the Code, others (citing the AEPD decision) insist on processor clauses or additional opt-ins, and many hospitals will not alter their standard patient information and informed consent or site-agreement templates. The result is again parallel document stacks, inconsistent participant messaging, and prolonged negotiations in multi-centre oncology trials. Practical mitigation steps may include supplying a concise data protection summary with each submission (legal bases, coding, retention, transfer architecture), mapping national derogations and site-specific addenda in advance, designating a “country privacy lead” to consolidate EC/DPO feedback, and documenting how conflicts are resolved. These measures can markedly reduce start-up friction in large oncology trials, but they demand time, specialist expertise, and pre-trial budget, which can be challenging, particularly for academic or smaller sponsors.
Operational and financial challenges
The cumulative complexity of GDPR compliance poses significant operational and financial burdens on clinical study sponsors in oncology clinical research (11). The combination of legal uncertainties, fragmented regulatory interpretations, and strict data protection standards drives up costs and creates logistical problems that may be too heavy for some clinical study sponsors.
One of the financial challenges is the cost of hiring and retaining a DPO. The salary of a DPO varies depending on factors such as region, industry, and level of experience. In 2018, global salaries for DPOs were reported to range from $71,000 to $354,000 (72). This can be a substantial financial commitment, especially for smaller clinical study sponsors. Beyond staffing, implementing GDPR-compliant security infrastructure, such as encryption, pseudonymization, and secure servers, adds further expense (73). These costs are magnified for multi-center clinical trials where data must be securely managed and transferred across multiple jurisdictions. Many clinical study sponsors choose to collaborate with CROs and delegate most data-related tasks to them, but this does not transfer the accountability of the data controller. Moreover, clinical study sponsors still need to manage compliance during the archiving phase, when they will most likely store the data themselves.
Operationally, the complexity of data flows in oncology trials adds to the difficulties. Many stakeholders are involved in an oncology clinical trial, such as the clinical study sponsor, CROs, clinical sites, analytical labs, central labs, insurance companies, drug shipment vendors, cloud server providers, and other service providers (74). Producing a clear data flow map across all parties is not simple. As a data controller, the clinical study sponsor must be aware of all aspects of its processing activity, including where data comes from and where it goes. Contractually, it is important to ensure that all data transfer clauses comply with the GDPR. Non-EU clinical study sponsors, such as a sponsor in China, a country not recognized by the EU as adequate, must implement additional safeguards, such as Standard Contractual Clauses (SCCs), with all parties transferring data from the EU to them. Moreover, clinical study sponsors must ensure that they only engage processors who provide sufficient guarantees of security measures to meet GDPR requirements (8). This increases the administrative workload in the due diligence and/or processor assessment process. All these efforts need to be properly documented.
Finally, the disproportionate impact on smaller clinical study sponsors cannot be overlooked. While large pharmaceutical companies may have the internal resources to manage GDPR compliance, smaller clinical study sponsors often lack dedicated privacy teams or financial flexibility. These organizations must rely heavily on costly external consultants to manage compliance challenges. This imbalance not only increases operational difficulties but also limits smaller clinical study sponsors’ ability to remain competitive in an already resource-intensive field.
Brief note on oncology studies outside the CTR
Even within IMP studies conducted under the CTR, the GDPR already generates multiple operational dilemmas, such as legal basis selection, data minimization versus scientific endpoints, long-term retention, localization, and managing data subject rights across many centres (13). These challenges are often magnified in other oncology study types: observational cohorts, disease registries, secondary use of routine-care data, and audit/service-performance projects (75). Such designs usually lack the harmonized CTR framework. Data originating in clinical care are collected under heterogeneous consents. Controllership is distributed across hospitals, registries, academic groups and, at times, public agencies. And national rules diverge on whether “public interest” alone suffices for large epidemiological datasets (76,77).
Italian commentators have drawn attention to these limits. Cagnazzo and colleagues argue that invoking “public interest” as a catchall justification for observational or epidemiological processing risks harming participant protection and fails to reflect the practical requirements imposed by regional ethics bodies, which frequently insist on explicit consent in cancer registries and real-world evidence initiatives (76). Such fragmentation hinders multicentre observational oncology research and can delay registry harmonization.
National frameworks can, however, mitigate some of these frictions. Spain’s Biomedical Research Law (Ley 14/2007) and the implementing biobank regulation (Real Decreto 1716/2011), supported by guidance from the National Biobank Network (Instituto de Salud Carlos III), enable broad consent for future biomedical research under ethical oversight and provide standardized agreements for coded sample and data exchange (30-32). This structured pathway has been viewed as comparatively facilitative for multi-centre oncology data sharing while maintaining participant safeguards.
The outlook: can we ever be fully compliant with all the data protection requirements in multi-regional oncology studies?
Despite the difficulties, oncology clinical trial sponsors are coping with these complexities through adaptive strategies, risk management and collaborations (78). For example, large clinical study sponsors invest in dedicated compliance teams, advanced data management systems, and legal expertise to address regulatory gaps. Internally, privacy events are managed centrally with privacy management tools such as OneTrust and TrustArc. IT is often in-house. Policies and procedures are in place, and privacy by design is implemented in all processes of their business operations. Medium-sized clinical study sponsors may have smaller privacy teams, sometimes a single person acting as DPO, or outsource compliance tasks to consultants. Information technology (IT) can be internal or external, depending on the organizational structure. Smaller clinical study sponsors, however, face disproportionate burdens. Privacy compliance is not their priority. They often do not have a full-time DPO and sometimes even lack their own IT team. No matter how much effort is put in, it never seems enough for non-EU clinical study sponsors to demonstrate full compliance with the GDPR.
What makes it harder is the emergence of additional compliance requirements from EU member states regarding health data, and the increasing global complexity of the privacy landscape. While the GDPR sets a baseline, member states like Germany and France impose stricter rules on data storage and data transfer. Beyond the EU, many countries have developed their own privacy laws and imposed distinctive privacy requirements on clinical study sponsors (79). For example, Turkey and Brazil have their own privacy laws, Kişisel Verileri Koruma Kanunu (KVKK) and Lei Geral de Proteção de Dados (LGPD), respectively, and have developed their own SCCs for cross-border data transfers. Also, the Court of Justice’s Schrems II ruling further complicates cross-border transfers, requiring clinical study sponsors to conduct detailed risk assessments of recipient jurisdictions. This global patchwork undoubtedly puts clinical study sponsors in a position where there is too much to comply with.
Reluctantly, one must admit that full compliance with all data protection requirements in multi-regional oncology clinical trials has become increasingly difficult (1,11,80). Instead of seeking perfection, clinical study sponsors must adopt a risk-based approach, focusing on mitigating high-priority risks while balancing scientific objectives. Besides GDPR compliance tasks such as ROPA maintenance and DPIAs, clinical study sponsors need to stay vigilant by conducting regular evaluations to identify compliance gaps and prioritize mitigation efforts based on the severity and likelihood of risks. Whatever the size of the organization, it should adhere to the privacy by design principle and cultivate a privacy- and risk-based culture. By treating compliance as an iterative process rather than a static goal, clinical study sponsors can advance global oncology trials while upholding data privacy standards. The ultimate objective is not perfection but continuous improvement. Privacy compliance should never be neglected, but it should also never be the blocking point for oncology clinical trials. All in all, there are many patients to save and many research questions to be answered, and clinical study sponsors are responsible for balancing these efforts.
Conclusions
The GDPR has unquestionably raised the bar for transparency, accountability, and individual control in Europe. Its interaction with the CTR, national health data laws and emerging localization mandates has made day‑to‑day privacy compliance in oncology trials exceptionally complex. Experience shows that perfect conformity across all jurisdictions is rarely realistic in large, multi‑country programmes. A proportionate, well-documented, risk-based strategy is both more attainable and more protective of scientific value.
Several practical priorities emerge from the issues reviewed. At study level, define scope early, as the legal bases, consent expectations and role allocations differ from CTR‑governed IMP trials to non‑IMP interventional, registry, observational or secondary use projects. These should be evaluated in each Member State and summarized for ethics committees, if sponsors would like to reduce the rounds of questions. Sponsors should also consider providing layered transparency. It is essential to clarify trial participation consent, GDPR information duties, optional language for biobanking/storage, and permissions (if any) for re‑contact or future research, and make withdrawal pathways for each layer explicit. Keep re‑identification keys local and adopt site‑mediated workflows for data subject rights so these can be honored without compromising trial conduct. Apply data minimization to endpoints but consider justifying narrowly defined “buffer” variables or biospecimens when downstream scientific value is high. And distinguish sample retention from data retention and document linkage key custody.
At the country level, expect divergence. It is advised to keep privacy by design and by default in mind and navigate the privacy requirements at a stage as early as possible. Sponsors should clearly map their privacy solutions, investigate national derogations (public‑interest research limits, deceased data rules, localization) and nominate a country privacy lead to reconcile ethics committee and DPO comments. Over time, sponsors may pick up best practices for facilitating their privacy compliance tasks.
At the system level, coordinated solutions could ease the current friction to some extent. An EU‑endorsed library of modular consent/participant information clauses (trial, storage, future use) that Member States can adapt but recognise would reduce template divergence. Clearer guidance on, and recognition of, controller/processor allocation in clinical trials, reconciling EDPB positions with national Codes of Conduct and recent supervisory rulings, is also needed. A publicly accessible register of Member State research derogations (legal bases, retention minima/maxima, localization triggers) would save time and reduce error. Investment in federated analytics infrastructures and accredited biobanks would support coded secondary use, and capacity building so that ethics committees can readily consult data protection expertise would further lower barriers.
Many of these steps require time, specialist expertise and budget that academic or smaller sponsors may lack. Collaborative approaches such as shared template libraries, accredited biobank networks, and multi-sponsor collaborations can spread costs and accelerate start-up. In the end, progress depends less on reaching an elusive ideal of uniform compliance than on transparent trade‑offs, documented safeguards and continuous learning across studies. With that discipline, oncology research can continue to advance while respecting the people whose data make it possible.
Acknowledgments
None.
Footnote
Peer Review File: Available at https://cco.amegroups.com/article/view/10.21037/cco-25-31/prf
Funding: None.
Conflicts of Interest: All authors have completed the ICMJE uniform disclosure form (available at https://cco.amegroups.com/article/view/10.21037/cco-25-31/coif). The authors have no conflicts of interest to declare.
Ethical Statement: The authors are accountable for all aspects of the work in ensuring that questions related to the accuracy or integrity of any part of the work are appropriately investigated and resolved.
Open Access Statement: This is an Open Access article distributed in accordance with the Creative Commons Attribution-NonCommercial-NoDerivs 4.0 International License (CC BY-NC-ND 4.0), which permits the non-commercial replication and distribution of the article with the strict proviso that no changes or edits are made and the original work is properly cited (including links to both the formal publication through the relevant DOI and the license). See: https://creativecommons.org/licenses/by-nc-nd/4.0/.