Data Protection: If It ain’t broke, don’t fix it?

Posted on 02.12.2022

On May 25, 2018, the GDPR became effective across the EU, simultaneously resulting in a ‘consistent and homogenous application’ of data protection rules across the Union (per Recital 10 of the Regulation).

After several decades of explaining to patients wishing to enrol in clinical investigations of experimental medical technology that by choosing to enrol, they are consenting to the collection of personal data about them for purposes of the research, data protection authorities decided that the GDPR doesn’t allow this.

Instead, they said, medical researchers should be relying on legal bases other than consent, like ‘legitimate interests’, for the processing of personal data in clinical investigations. Except, that is, in those member states where consent is still required for such data processing. In those member states, of course, you should still rely on consent.