The Code of Conduct for CROs: what are the data protection obligations for Contract Research Organizations (CROs)?

With the recent approval of the EUCROF Code of Conduct by the CNIL, Contract Research Organizations (CROs) must now adapt to a new, demanding framework regarding the protection of personal data. Between GDPR compliance, strategic considerations, and practical obligations, what opportunities does this framework offer to clinical research actors? Discover how to fully benefit from this major evolution.

I. Presentation of the Code

1. The EUCROF Code of Conduct: a validated European framework by the CNIL for clinical research.

Article 40 of the GDPR[1] provides for the development of codes of conduct in order to establish common foundations of best practices in the field of personal data protection in specific sectors. To this end, associations and organizations representing categories of data controllers or subcontractors may develop such codes (Art 40.2). Once finalized, they are then submitted to the competent authority, which decides whether or not to approve them (Art 40.5).

Among these codes is the one carried by the EUCROF (European Contract Research Organisation Federation)[2]. It applies to clinical research service providers (CROs, Clinical Research Organisations) acting as subcontractors for sponsors, who are responsible for the conduct of the research.

This Code was recently approved by the CNIL by a resolution of September 12, 2024[3], which makes it applicable to organizations in France.

The Code applies to organizations that choose to adhere to it. However, before benefiting from it, these organizations must submit a request to the competent entity, namely the internal supervisory committee of the EUCROF (COSUP), accompanied by a compliance file. These documents allow any interested CRO to demonstrate its respect for the requirements of the Code of Conduct. Once a CRO has become a member, it can declare that the services it provides, where they fall within the scope of the Code[4], are compliant with the EUCROF Code. This compliance is officially recognized by a compliance mark (a badge or other distinguishing sign) that a CRO adhering to the EUCROF Code can display after approval by the COSUP.

2. Structure and obligations of the EUCROF Code: a framework for CRO compliance.

The EUCROF Code of Conduct is structured into two distinct parts and comprises a total of 216 requirements. Of these, 91 are specific to the Code, 113 correspond to the requirements of ISO 27001[5] and 12 correspond to those of ISO 27701[6].

The first part of the Code presents the legal, organizational, and technical measures aimed at ensuring GDPR compliance for data processing carried out by data controllers. The second part proposes examples as well as a grid enabling CROs to verify their obligations based on the services they provide to sponsors.

It should also be noted that the Code of Conduct does not govern data transfers outside of the EU carried out by CROs.

II. What are the challenges for CROs following the approval of the EUCROF Code?

For CROs adhering to the EUCROF Code of Conduct, the stakes are numerous and concern GDPR compliance, the standardization of practices, and the management of risks related to the processing of personal data in clinical research.

CROs play an important role in clinical research, as subcontractors involved in data processing. However, the absence of harmonization in the application of GDPR had led to divergences in the implementation of data protection measures. The EUCROF Code addresses this issue by providing a recognized framework that guarantees better compliance.

1. The Code harmonizes the risk management practices of CROs.

One of the main challenges for data protection officers (DPOs) is the assessment of risks related to data processing. Article 32 of the GDPR requires subcontractors to implement security measures, but in practice, in the absence of a common reference, each DPO applies its own risk assessment, which leads to discrepancies between organizations. Indeed, depending on the size of the company, its scope of intervention and the services it offers, the assessment of risks varies. This diversity of approaches complicates compliance[7].

The EUCROF Code harmonizes these practices by defining a reference framework, approved by the CNIL, which is a major tool for micro, small, and medium-sized CROs that do not always have the resources to conduct their own in-depth analysis of the GDPR.

2. The Code simplifies relations between CROs and sponsors.

Another key issue concerns the relationship between CROs and clinical research sponsors. Article 28 of the GDPR requires sponsors to work only with subcontractors capable of guaranteeing an adequate level of protection of personal data. In the absence of specific sector standards, each sponsor (data controller) applies its own criteria for evaluating the compliance of the CROs (subcontractors), which leads to a multiplicity of heterogeneous evaluations. This situation has hindered CROs from standardizing their internal processes and has compelled them to respond to requirements specific to each sponsoring client[8].

Adherence to the EUCROF Code is thus a solution that allows CROs to rely on official recognition of their compliance by the competent authorities, thereby reducing the burden of repeated assessments and strengthening their attractiveness and their relationships with sponsors.

3. The Code is an advantage in the event of an audit by authorities.

Adherence to the Code also represents a strategic advantage in the event of an investigation by a data protection authority (the CNIL in France). Although each CRO remains responsible for its own compliance with the GDPR, adherence to the Code may be taken into account positively when the competent authorities assess potential sanctions. Indeed, in accordance with Article 83(2)(j) of the GDPR, adherence to a code of conduct may be a mitigating factor in the event of a breach. Conversely, CROs that do not participate in a compliance approach framed by such a recognized framework may be more vulnerable to sanctions[9].

4. The Code is a structuring tool for the clinical research sector.

Finally, the EUCROF Code constitutes a structuring tool for the entire clinical research sector. By defining standardized operational mechanisms, it facilitates the compliance of CROs while taking into account the specificities of their activity. Its progressive adoption will contribute to strengthening the management of personal data and improving its level of protection in the field of clinical research.

CROs involved in the management of health data must master the specific compliance requirements for health data in order to avoid major legal risks.

III. Concrete Obligations and Best Practices for CROs

To adhere to the EUCROF Code of Conduct, Contract Research Organizations (CROs) must meet a set of 216 requirements, covering both those specific to the Code and those of ISO 27001 and ISO 27701.

Thus, the main obligations can be summarized as follows:

1. Designation of a Data Protection Officer (DPO) – Section 4.1 of the Code

A DPO must be designated whenever one of the conditions of Article 37 of the GDPR is met. This is the case here, since "the core activities of the data controller or the processor consist of large-scale processing of special categories of data referred to in Article 9 (health data)."

If no DPO is appointed, the CRO must document its decision and describe the alternative measures implemented.

Furthermore, the DPO must be chosen on the basis of their qualifications and their ability to perform the tasks specified by the GDPR. They must also have sufficient resources to carry out these tasks. The DPO must report directly to the CRO's senior management. Finally, their contact details must be included in the records of processing and made available to data subjects, processors and supervisory authorities.


2. Security of Processing – Section 4.2

Section 4.2 of the Code requires CROs to ensure a level of personal data security compliant with Article 32 of the GDPR. To this end, they must implement an Information Security Management System (ISMS) and apply the following measures:

  • Implement a risk analysis methodology to assess risks.
  • Implement security policies.
  • Implement security controls to reduce the identified risks.
  • Assess the performance of each control implemented.
  • Take corrective and preventive action to improve the performance of security measures.

3. Selection and management of subcontractors – Section 4.4

Data Processors are required to implement obligations concerning the selection, management, and audit of sub-processors. The primary objective is to ensure that engaged sub-processors comply with the same requirements as the Data Processor. These requirements include:

  • Define procedures for the management of subcontractors (approval, management, termination).
  • Rigorously select subcontractors on strict criteria, evaluating their guarantees of compliance.
  • Provide for regular audits, carried out by qualified auditors following a defined plan.
  • Ensure continuous monitoring of subcontractors to verify that data protection measures are properly observed.
  • Notify the sponsor of any significant unresolved non-compliance.

4. Collaboration with the Sponsor – Section 4.5

Section 4.5 of the Code highlights the key role and responsibility of the CRO in assisting the sponsor to comply with its data protection obligations. This collaboration covers several areas (advice, impact assessments, handling requests from individuals, and notifications in the event of data breaches), for example:

  • Provision of data protection advice: immediately notify the sponsor if the CRO believes that the sponsor is not compliant with the GDPR.
  • Data Protection Impact Assessment: assist the sponsor in carrying out a Data Protection Impact Assessment, where necessary.
  • Requests from data subjects: facilitate the handling of requests from data subjects in cooperation with the sponsor.
  • Personal data breaches: notify the sponsor of any data breach and provide the information needed to help the sponsor comply with its obligations following a breach.

5. International Data Transfers – Section 4.6

Finally, section 4.6 of the Code states that adherence to the Code, in itself, does not constitute a mechanism for international data transfer as defined in Article 46 of the GDPR.

Therefore, it is incumbent upon each CRO to clearly inform the sponsor that its adherence to the Code does not substitute for the transfer mechanisms provided by the GDPR. It must also ensure that any transfer is carried out in compliance with GDPR obligations, using the appropriate tools to guarantee data protection.

Each organization must therefore particularly monitor the legal framework for data transfers outside the EU in order to ensure compliance with GDPR.


Aumans Avocats: specialists in IT/Data, data protection and DPO outsourcing.



Sources:

  1. https://eur-lex.europa.eu/eli/reg/2016/679/oj?locale=fr – General Data Protection Regulation, Article 40
  2. https://www.cnil.fr/sites/cnil/files/2024-10/2024codeeucrof-partie1_fr.pdf – EUCROF Code of Conduct
  3. https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000050248562 – CNIL, Decision n° 2024-064 of September 12, 2024 approving the European Code of Conduct carried by the EUCROF federation
  4. https://cro.eucrof.eu/eucrof-code-classes-services – EUCROF Code, classes of services
  5. https://certification.afnor.org/numerique/certification-iso-27001 – ISO 27001 standard on information security management
  6. https://certification.afnor.org/numerique/iso-27701-protection-vie-privee – ISO 27701 standard on privacy information management
  7. https://www.cnil.fr/sites/cnil/files/2024-10/2024codeeucrof-partie1_fr.pdf – EUCROF Code of Conduct, p. 11, pt 1
  8. https://www.cnil.fr/sites/cnil/files/2024-10/2024codeeucrof-partie1_fr.pdf – EUCROF Code of Conduct, p. 11, pt 2
  9. https://www.cnil.fr/sites/cnil/files/2024-10/2024codeeucrof-partie1_fr.pdf – EUCROF Code of Conduct, p. 12, pt 3

AUMANS AVOCATS (formerly FOUSSAT AVOCATS & DEROULEZ AVOCATS)
AARPI