Has your Clinical Trials project assured all the required DPA’s ?


Post-2020, Clinical Trials, and Data Privacy is an important topic here at Pearl.Clinic. CT Projects have to be executed at high speed with high accuracy and at the same time under the regulator’s watchful eye. Pearls.Clinic has relevant resources to guide any CT Project on that path. This article provides a reminder regarding the important and not well-understood topic of the Data Protection Agreement (DPA)

What is an “official order” or “commission for data processing”?

As soon as your company or your client’s Clinical Trials Project stores personal data on some online service, it is defined as an order or commission for data processing according to Article 28 of the GDPR (General Data Protection Regulation, a European Union regulation). If this applies to the said CT Project, the project is required by law to complete a Data Processing Agreement (DPA) with the Online Service Vendor.

So if CT Project uses e.g. Google Docs or Microsoft One Drive or some such service it is the responsibility of the project management, the DPA is signed with the Google or Microsoft or whoever is the online service vendor.

Where can one find the Data Processing Agreement (DPA)?

On line service vendor has to have DPA ready for customers to review and sign upon customers’ request.

How should one fill out the Data Processing Agreement (DPA)?

There are of course various forms of DPA’s but each of them should generally provide these sections.

Information about the project and company who are using the service. That is an excellent opportunity for checking the validity of information stored, and existing Service Level Agreements.

There should be a section called Types of data, where CT Project Management, can add additional categories of data for different types of personal data stored with the service vendor.

There should be a section called  Affected People, where one should have a similar choice. Re-check the list of affected groups of people or add other types of people who are affected.

It is important to be able to add anything to Types of data or Affected People after CT Project has finished DPA. That is not unusual and one should be able to simply create a new agreement and delete the old one. Or create a completely separate DPA. CT Project and companies or institutions behind can have several different DPAs at the same time. It is the responsibility of the Online Service Vendor Data Protection Officer (DPO) to be available to your CT Project to manage numerous DPA’s one CT Project might require.

After this, CT Project designated DPO will hold the document with the title 

Data Processing Agreement in Accordance with Article 28 of the General Data Protection Regulation (GDPR).

That is the actual DPA itself, which can be downloaded and kept in safe storage off-site..

The other important section in the DPA that has to exist should be called “Technical and organizational measures in accordance to Art. 32 GDPR and Amendments” Here the CT Project management will find the actual technical and organizational measures regarding information security. CT Project DPO should be able to understand this section and/or preview it with the rest of the project leadership.


The DPA will be made up of CT Project/Organization data, the content of the DPA itself, Appendix or section with the Types of data and Affected People, and Appendix or section with the Technical and organizational measures in accordance to Art. 32 GDPR and Amendments.

The DPA contract will be automatically signed by the Online Service Vendor. CT project designated DPO should print it out, sign it, and put it somewhere safe with any other data protection documents CT Project is associated with.

If you have any questions, please contact us at

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.