Guest
Hi,
If we're involving a European trial site in a study run by a sponsor in the US, what needs to be included in the consent form for the patient specifically with GDPR (such as risks)? Does there need to be a data processing agreement in place between the sponsor and trial site? The trial site will be entering pseudonymized data into a database that is GDPR compliant. Moreover, the site can enter the email of the patient into the database (for purposes of sending study surveys), which the sponsor does not have access to. Similarly, only a few selected members of database Customer Support and the Engineering team have access to the sponsor’s production environment (live database), for maintenance purposes only. They, however, do not have access to the pseudonymized data. In that case, does there need to be a DPA between sponsor and site AND sponsor and database? I'm not too sure who is the data controller vs processor. Some guidance would be appreciated. Thanks!