Clinical investigations under the Medical Devices Regulation (EU) 2017/745 (MDR) involve the processing of personal data, including sensitive health data. This makes compliance with the General Data Protection Regulation (GDPR) mandatory. A core compliance question often arises: who is the data controller: the sponsor, the investigator, or both?
Why it matters: consequences of being a data controller
Being defined as a data controller under the GDPR brings full legal responsibility for ensuring that personal data is processed lawfully, fairly, and transparently.
A controller must:
- identify and document the legal basis for processing (e.g., public interest, consent);
- inform data subjects (typically patients) of how their data will be used;
- carry out Data Protection Impact Assessments (DPIAs) where required;
- respond to data subject rights requests (access, erasure, etc.);
- ensure data is processed securely and notify breaches to authorities if needed;
- where necessary, appoint a Data Protection Officer (DPO).
Importantly, controllers are also accountable. They must be able to demonstrate compliance at any time. In the context of clinical investigations, failure to meet these obligations may result not only in administrative fines (Article 83 GDPR), but also reputational damage or regulatory action from ethics committees or national competent authorities.
Understanding the roles
Under Article 4(7) GDPR, a controller is the entity that determines the purposes and means of processing personal data. At the same time, a processor is defined under Article 4(8) GDPR as the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. In clinical investigations, sponsors typically design the protocol, define objectives, and decide how data will be collected, analysed, and reported. Investigators, often hospital staff or clinicians, execute the investigation on-site according to the sponsor’s protocol.
This suggests that sponsors generally act as data controllers, as they determine both why and how data is processed. However, the picture becomes more nuanced when considering the role of investigators, who may simultaneously be controllers for certain activities and processors or joint controllers for investigation-related data.
Joint controllership
Where investigators and sponsors jointly define key aspects of data processing, joint controllership under Article 26 GDPR may apply. In such cases, a transparent arrangement must set out each party’s responsibilities, including how data subjects can exercise their rights.
However, in most industry-sponsored clinical investigations, the sponsor’s instructions dominate, making joint controllership less common and highly case-dependent.
EU vs. non-EU sponsors
Special attention is needed where the sponsor is established outside the EU. Article 3(2) GDPR applies if the sponsor targets EU data subjects (e.g., by conducting an EU-based trial). In such cases, the sponsor must appoint an EU representative under Article 27 GDPR and ensure that appropriate safeguards for international data transfers (e.g., SCCs) are in place.
Clearly defining roles is essential not only for GDPR compliance but also for accountability under the MDR. Sponsors should document their role in data protection notices, contracts, and Data Protection Impact Assessments (DPIAs). Failure to do so may lead to fragmented responsibilities and potential liability.
Need support?
Obelis can help you ensure GDPR compliance and act as your legal representative for non-EU sponsors of clinical investigations.
Georgios Mariolos
Regulatory Intelligence & Innovation Department
2 June 2025
The information contained on obelis.net is presented for general information purposes only, without obligation and it has been compiled with the utmost care to ensure it remains up to date. Nevertheless, Obelis Group cannot be held liable for the accuracy and completeness of the information published. Any reliance placed on such information is therefore strictly at the User’s risk.