SOP for GDPR Data Subject Rights (Access, Deletion, Restriction) Handling

{
“@context”: “https://schema.org”,
“@type”: “Article”,
“mainEntityOfPage”: {
“@type”: “WebPage”,
“@id”: “https://www.clinicalstudies.in/sop-for-gdpr-data-subject-rights-access-deletion-restriction-handling”
},
“headline”: “SOP for GDPR Data Subject Rights (Access, Deletion, Restriction) Handling”,
“description”: “This SOP provides detailed procedures for handling GDPR data subject rights in clinical trials, including access, deletion, and restriction requests. It ensures compliance with EMA and EU data protection regulations, while safeguarding subject privacy and maintaining trial integrity.”,
“author”: {
“@type”: “Organization”,
“name”: “ClinicalStudies.in”
},
“publisher”: {
“@type”: “Organization”,
“name”: “ClinicalStudies.in”,
“logo”: {
“@type”: “ImageObject”,
“url”: “https://www.clinicalstudies.in/logo.png”
}
},
“datePublished”: “2025-08-26”,
“dateModified”: “2025-08-26”
}

Published on 22/12/2025

Standard Operating Procedure for GDPR Data Subject Rights (Access, Deletion, Restriction) Handling

SOP No.	CR/OPS/138/2025
Supersedes	NA
Page No.	1 of 79
Issue Date	26/08/2025
Effective Date	01/09/2025
Review Date	01/09/2026

Table of Contents

Purpose

The purpose of this SOP is to define standardized procedures for handling General Data

Protection Regulation (GDPR) data subject rights in clinical trials, specifically access, deletion, and restriction requests. It ensures compliance with EU CTR 536/2014, GDPR Articles 12–23, and EMA guidance while safeguarding subject confidentiality and data integrity.

Scope

This SOP applies to sponsors, investigators, CROs, data protection officers (DPOs), and regulatory affairs staff handling subject personal data in EU clinical trials. It covers receipt, assessment, processing, and documentation of data subject requests relating to access, rectification, erasure, and restriction of processing.

Responsibilities

Sponsor: Ensures GDPR-compliant handling of all data subject rights requests and maintains oversight of CRO and site practices.
Investigator: Communicates subject requests to sponsor and ensures local site compliance with GDPR obligations.
DPO: Oversees GDPR compliance, reviews requests, and advises on legal obligations.
CRO: Supports sponsors in tracking, responding to, and documenting GDPR requests.
Regulatory Affairs: Ensures requests and responses align with EMA/CTR timelines and obligations.
QA: Audits GDPR-related processes and documentation for compliance.

Accountability

The Sponsor’s Data Protection Officer (DPO) is accountable for ensuring GDPR compliance in relation to data subject rights in clinical trials.

Procedure

1. Receipt of Requests
1.1 Accept data subject requests via email, written communication, or verbal notification at sites.
1.2 Record in GDPR Request Log (Annexure-1).

2. Verification of Identity
2.1 Confirm identity of requestor before processing.
2.2 Document verification in Identity Verification Log (Annexure-2).

3. Assessment of Request
3.1 Determine if request relates to access, deletion, or restriction.
3.2 Verify whether trial records can be altered without compromising scientific validity or regulatory obligations.
3.3 Record assessment in GDPR Assessment Log (Annexure-3).

4. Response Timelines
4.1 Provide acknowledgment of request within 7 calendar days.
4.2 Provide formal response within 30 days (extendable to 60 days with justification).
4.3 Document in Response Timeline Log (Annexure-4).

5. Access Requests
5.1 Provide subject with copy of their personal data upon request.
5.2 Ensure sensitive data is redacted where legally necessary.

6. Deletion (Right to Erasure)
6.1 Evaluate if deletion is possible without violating clinical trial obligations (e.g., GCP retention requirements).
6.2 If erasure is not possible, provide justification in writing.
6.3 Record action in Deletion Log (Annexure-5).

7. Restriction of Processing
7.1 Restrict data processing where legally required.
7.2 Maintain data in secure archive until restriction is lifted.
7.3 Document in Restriction Log (Annexure-6).

8. Documentation and Archiving
8.1 Archive all GDPR requests and responses in TMF and ISF.
8.2 Retain documentation for minimum 25 years per EU CTR requirements.

Abbreviations

SOP: Standard Operating Procedure
GDPR: General Data Protection Regulation
DPO: Data Protection Officer
EMA: European Medicines Agency
CTR: Clinical Trials Regulation
CRO: Contract Research Organization
QA: Quality Assurance
TMF: Trial Master File
ISF: Investigator Site File

Documents

GDPR Request Log (Annexure-1)
Identity Verification Log (Annexure-2)
GDPR Assessment Log (Annexure-3)
Response Timeline Log (Annexure-4)
Deletion Log (Annexure-5)
Restriction Log (Annexure-6)

References

Version: 1.0

Approval Section

Prepared By	Ravi Kumar, Data Protection Specialist
Checked By	Sunita Reddy, QA Officer
Approved By	Dr. Anil Sharma, Head Clinical Operations

Annexures

Annexure-1: GDPR Request Log

Date	Request Type	Subject ID	Received By	Status
01/09/2025	Access	GD101	Site Coordinator	Open

Annexure-2: Identity Verification Log

Date	Subject ID	Verification Method	Verified By	Status
02/09/2025	GD101	Passport Check	Investigator	Verified

Annexure-3: GDPR Assessment Log

Date	Request Type	Assessment	Reviewed By	Status
03/09/2025	Access	Permissible under GDPR	DPO	Approved

Annexure-4: Response Timeline Log

Date	Subject ID	Acknowledged	Response Due	Status
03/09/2025	GD101	Yes	02/10/2025	Pending

Annexure-5: Deletion Log

Date	Subject ID	Deletion Request	Action Taken	Status
05/09/2025	GD101	Erase Data	Retained due to GCP	Closed

Annexure-6: Restriction Log

Date	Subject ID	Restriction Request	Action Taken	Status
07/09/2025	GD101	Restrict Processing	Data Secured	Active

Revision History

Revision Date	Revision No.	Revision Details	Reason for Revision	Approved By
26/08/2025	00	Initial version	New SOP creation	Head Clinical Operations

For more SOPs visit: Pharma SOP