SOP for archiving GDPR requests – Clinical Research Made Simple https://www.clinicalstudies.in Trusted Resource for Clinical Trials, Protocols & Progress Fri, 17 Oct 2025 07:23:59 +0000 en-US hourly 1 https://wordpress.org/?v=6.9.1 SOP for GDPR Data Subject Rights (Access, Deletion, Restriction) Handling https://www.clinicalstudies.in/sop-for-gdpr-data-subject-rights-access-deletion-restriction-handling/ Fri, 17 Oct 2025 07:23:59 +0000 ]]> https://www.clinicalstudies.in/?p=7078 Read More “SOP for GDPR Data Subject Rights (Access, Deletion, Restriction) Handling” »

]]> SOP for GDPR Data Subject Rights (Access, Deletion, Restriction) Handling

{
“@context”: “https://schema.org”,
“@type”: “Article”,
“mainEntityOfPage”: {
“@type”: “WebPage”,
“@id”: “https://www.clinicalstudies.in/sop-for-gdpr-data-subject-rights-access-deletion-restriction-handling”
},
“headline”: “SOP for GDPR Data Subject Rights (Access, Deletion, Restriction) Handling”,
“description”: “This SOP provides detailed procedures for handling GDPR data subject rights in clinical trials, including access, deletion, and restriction requests. It ensures compliance with EMA and EU data protection regulations, while safeguarding subject privacy and maintaining trial integrity.”,
“author”: {
“@type”: “Organization”,
“name”: “ClinicalStudies.in”
},
“publisher”: {
“@type”: “Organization”,
“name”: “ClinicalStudies.in”,
“logo”: {
“@type”: “ImageObject”,
“url”: “https://www.clinicalstudies.in/logo.png”
}
},
“datePublished”: “2025-08-26”,
“dateModified”: “2025-08-26”
}

Standard Operating Procedure for GDPR Data Subject Rights (Access, Deletion, Restriction) Handling

SOP No. CR/OPS/138/2025
Supersedes NA
Page No. 1 of 79
Issue Date 26/08/2025
Effective Date 01/09/2025
Review Date 01/09/2026

Purpose

The purpose of this SOP is to define standardized procedures for handling General Data Protection Regulation (GDPR) data subject rights in clinical trials, specifically access, deletion, and restriction requests. It ensures compliance with EU CTR 536/2014, GDPR Articles 12–23, and EMA guidance while safeguarding subject confidentiality and data integrity.

Scope

This SOP applies to sponsors, investigators, CROs, data protection officers (DPOs), and regulatory affairs staff handling subject personal data in EU clinical trials. It covers receipt, assessment, processing, and documentation of data subject requests relating to access, rectification, erasure, and restriction of processing.

Responsibilities

  • Sponsor: Ensures GDPR-compliant handling of all data subject rights requests and maintains oversight of CRO and site practices.
  • Investigator: Communicates subject requests to sponsor and ensures local site compliance with GDPR obligations.
  • DPO: Oversees GDPR compliance, reviews requests, and advises on legal obligations.
  • CRO: Supports sponsors in tracking, responding to, and documenting GDPR requests.
  • Regulatory Affairs: Ensures requests and responses align with EMA/CTR timelines and obligations.
  • QA: Audits GDPR-related processes and documentation for compliance.

Accountability

The Sponsor’s Data Protection Officer (DPO) is accountable for ensuring GDPR compliance in relation to data subject rights in clinical trials.

Procedure

1. Receipt of Requests
1.1 Accept data subject requests via email, written communication, or verbal notification at sites.
1.2 Record in GDPR Request Log (Annexure-1).

2. Verification of Identity
2.1 Confirm identity of requestor before processing.
2.2 Document verification in Identity Verification Log (Annexure-2).

3. Assessment of Request
3.1 Determine if request relates to access, deletion, or restriction.
3.2 Verify whether trial records can be altered without compromising scientific validity or regulatory obligations.
3.3 Record assessment in GDPR Assessment Log (Annexure-3).

4. Response Timelines
4.1 Provide acknowledgment of request within 7 calendar days.
4.2 Provide formal response within 30 days (extendable to 60 days with justification).
4.3 Document in Response Timeline Log (Annexure-4).

5. Access Requests
5.1 Provide subject with copy of their personal data upon request.
5.2 Ensure sensitive data is redacted where legally necessary.

6. Deletion (Right to Erasure)
6.1 Evaluate if deletion is possible without violating clinical trial obligations (e.g., GCP retention requirements).
6.2 If erasure is not possible, provide justification in writing.
6.3 Record action in Deletion Log (Annexure-5).

7. Restriction of Processing
7.1 Restrict data processing where legally required.
7.2 Maintain data in secure archive until restriction is lifted.
7.3 Document in Restriction Log (Annexure-6).

8. Documentation and Archiving
8.1 Archive all GDPR requests and responses in TMF and ISF.
8.2 Retain documentation for minimum 25 years per EU CTR requirements.

Abbreviations

  • SOP: Standard Operating Procedure
  • GDPR: General Data Protection Regulation
  • DPO: Data Protection Officer
  • EMA: European Medicines Agency
  • CTR: Clinical Trials Regulation
  • CRO: Contract Research Organization
  • QA: Quality Assurance
  • TMF: Trial Master File
  • ISF: Investigator Site File

Documents

  1. GDPR Request Log (Annexure-1)
  2. Identity Verification Log (Annexure-2)
  3. GDPR Assessment Log (Annexure-3)
  4. Response Timeline Log (Annexure-4)
  5. Deletion Log (Annexure-5)
  6. Restriction Log (Annexure-6)

References

Version: 1.0

Approval Section

Prepared By Ravi Kumar, Data Protection Specialist
Checked By Sunita Reddy, QA Officer
Approved By Dr. Anil Sharma, Head Clinical Operations

Annexures

Annexure-1: GDPR Request Log

Date Request Type Subject ID Received By Status
01/09/2025 Access GD101 Site Coordinator Open

Annexure-2: Identity Verification Log

Date Subject ID Verification Method Verified By Status
02/09/2025 GD101 Passport Check Investigator Verified

Annexure-3: GDPR Assessment Log

Date Request Type Assessment Reviewed By Status
03/09/2025 Access Permissible under GDPR DPO Approved

Annexure-4: Response Timeline Log

Date Subject ID Acknowledged Response Due Status
03/09/2025 GD101 Yes 02/10/2025 Pending

Annexure-5: Deletion Log

Date Subject ID Deletion Request Action Taken Status
05/09/2025 GD101 Erase Data Retained due to GCP Closed

Annexure-6: Restriction Log

Date Subject ID Restriction Request Action Taken Status
07/09/2025 GD101 Restrict Processing Data Secured Active

Revision History

Revision Date Revision No. Revision Details Reason for Revision Approved By
26/08/2025 00 Initial version New SOP creation Head Clinical Operations

For more SOPs visit: Pharma SOP

]]>