European Parliament and Council
- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR)
- In particular, see article 40 and REGULATION (EU) 536/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 16 April 2014 on clinical trials on medicinal products for human use and repealing Directive 2001/20/EC [2014] OJ L 158/1
European Data Protection Board (EDPB)
Guidelines
- European Data Protection Board, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679
- European Data Protection Board, Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak
- European Data Protection Board, Guidelines 05/2020 on consent under Regulation 2016/679
- European Data Protection Board, Guidelines 07/2020 on the concepts of controller and processor in the GDPR
- European Data Protection Board, Guidelines 04/2021 on codes of conduct as tools for transfers
Opinions
- European Data Protection Board, Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (Art. 70.1.b))
- European Data Protection Board, Opinion 9/2019 on the Austrian data protection supervisory authority draft accreditation requirements for a code of conduct monitoring body pursuant to article 41 GDPR
- European Data Protection Board, Opinion 1/2020 on the Spanish data protection supervisory authority draft accreditation requirements for a code of conduct monitoring body pursuant to article 41 GDPR
- European Data Protection Board, Opinion 2/2020 on the Belgium data protection supervisory authority draft accreditation requirements for a code of conduct monitoring body pursuant to article 41 GDPR
- European Data Protection Board, Opinion 3/2020 on the France data protection supervisory authority draft accreditation requirements for a code of conduct monitoring body pursuant to article 41 GDPR
- European Data Protection Board, Opinion 10/2020 on the draft decision of the competent supervisory authorities of Germany regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
- European Data Protection Board, Opinion 11/2020 on the draft decision of the competent supervisory authority of Ireland regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
- European Data Protection Board, Opinion 12/2020 on the draft decision of the competent supervisory authority of Finland regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
- European Data Protection Board, Opinion 13/2020 on the draft decision of the competent supervisory authority of Italy regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
- European Data Protection Board, Opinion 18/2020 on the draft decision of the competent supervisory authority of the Netherlands regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
- European Data Protection Board, Opinion 19/2020 on the draft decision of the competent supervisory authority of Denmark regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
- European Data Protection Board, Opinion 20/2020 on the draft decision of the competent supervisory authority of Greece regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
- European Data Protection Board, Opinion 31/2020 on the draft decision of the competent supervisory authority of Poland regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
- European Data Protection Board, Opinion 10/2021 on the draft decision of the competent supervisory authority of Hungary regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
- European Data Protection Board, Opinion 11/2021 on the draft decision of the competent supervisory authority of Norway regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
- European Data Protection Board, Opinion 23/2021 on the draft decision of the competent supervisory authority of Czech Republic regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
- European Data Protection Board, Opinion 24/2021 on the draft decision of the competent supervisory authority of Slovakia regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
- European Data Protection Board, Opinion 37/2021 on the draft decision of the competent supervisory authority of Malta regarding the approval of the requirements for accreditation of a code of conduct monitoring body pursuant to article 41 GDPR
Deontological Rules
- Deontological Guidelines of the European Council of Medical Orders (ceom-ecmo.eu)
- National Codes | C.E.O.M (ceom-ecmo.eu)
Other Codes of Conduct (according to Art. 40/41 of the GDPR, and/or relevant for research and secondary use of data)
According to Directive 95/46 (prior to the GDPR):
INNOVATIVE MEDICINES INITIATIVE (IMI), Code of Practice on Secondary Use of Medical Data in Scientific Research Projects – 27 Aug 2014 FINAL DRAFT (europa.eu)
Valid as internal Consortium code
RD Connect Genome-Phenome Analysis Platform (GPAP), Code of Conduct for User Access to the GPAP for Health-related Information
According to Art. 40/41 of the GDPR:
European CRO Federation’s GDPR Code of Conduct for Service Providers in Clinical Research (EUCROF GDPR Code or Code)
GEANT, Data protection Code of Conduct, GÉANT Code of Conduct (CoCo) for Service Providers using identity federations (not yet approved by a Data Protection Authority)
National Codes according to Art. 40/41 of the GDPR (approved by National Data Protection Authorities):
Italy: code enacted by Veneto region and approved by the Italian DPA, Code of conduct for the use of health data for educational and scientific publication purposes
Poland: Code of conduct for health care sector under approval before the DPA
Code of Conduct on protection of personal data in small health care facilities under approval before the DPA
Poland is also working on a code of conduct on biobanking, which is currently under consultation before the Polish DPA
Spain: Spanish Code of Conduct of the Pharmacy sector for clinical trials and pharmacovigilance, February 2022
Companies’ or associations’ codes:
Federation of Dutch Medical Scientific Societies (Federa), Code of Conduct for Medical Research
ALLEA – European Federation of Academies of Sciences and Humanities, European Code of Conduct for Research Integrity, 2017