info@eucrof.eu
Find a CRO

GDPR Code of conduct

The EUCROF GDPR Code of Conduct for Service Providers in Clinical Research (the Code) is the first transnational code of conduct in the area of health, applicable in all 27 EU Member States.

The lead supervisory data protection authority for the Code is the French Data Protection Authority (CNIL).

The EUCROF GDPR Code will help ensure the privacy rights and freedoms of trial participants while promoting the lawful, fair and meaningful use of personal data in the field of Clinical Research.

The Code has been approved the 12 September 2024 – See EDPB opinion published June 18th, 2024 [here] – See CNIL’s decision nb 2024-064 published 12 September 2024 [here]

The Code is a sign of the continued progress the organizations and Supervisory Authorities are making toward establishing harmonized standards applied to various industries across the European Union related to data protection.

Code Adherents earn the right to display a Compliance Mark for 3 years. The Mark signifies the level of adherence.

This Code is a tool to foster transparency towards patients, investigational sites, pharma, biotechs, medtechs, ethics committees, authorities ...

The Code is now public and can be obtained by filling a request form

Request here

Who is covered?

    • Service Providers for clinical research acting as a Data Processor for the research/study sponsor in the frame of a Service Contract
    • Service Providers are full-service CROs and specialised single-service vendors e.g., IT
What is covered?
    • 23 classes of services that a CRO can deliver. Click here to access the description of the 23 classes of services
Whose data are covered?
    • Patients & healthcare professionals
What geographical area?
    • 27 European Union Member States
What is the current status?
    • EUCROF is now establishing the monitoring body that needs to be accredited by the lead supervisory authority before it starts operations
As a service provider in scope of the Code, when will it be possible to initiate a request for adherence?
    • This can be started now by registering in the registry. Adherence dossiers will be studied on a first in first served order. Take a position from now!

Learn more about the Code

Click here to download a short introduction to the Code.
Click here
Send a request to COSUP@eucrof.eu and the EUCROF Team will guide you on this process. We expect the first adherence decisions to be taken in the course of Q1 2026

Have a question? check these answers.

  • A Code of Conduct developed under Article 40 of the GDPR (Regulation).
  • A compliance framework for adhering organisations to demonstrate aligning of their services with the Regulation.
  • An interpretive guide to the Regulation created and endorsed by multiple stakeholders and opinion leaders in clinical research.
  • An effective governance and accountability mechanism for which the Commission Nationale de l’Informatique et des Libertés (CNIL) is the Competent Supervisory Authority; responsible for the approval, establishment and monitoring adherence to the Code.
  • A transnational Code, recognized by the 27 EU data protection authorities and approved by the European Data Protection Board (EDPB).

  • Any data processing activities for the services delivered by CROs and other service providers in clinical research as data processors.
  • GDPR requirements shown in application to 23 classes of services typically delivered by CROs.
  • Personal data of European Union study subjects and healthcare professionals processed for interventional and non-interventional studies.

  • To reduce administrative and operational waste caused by conflicting interpretations of the GDPR.
  • To obtain the practical instructions on demonstrating and maintaining compliance.
  • To exchange practical experience with other Adherents.
  • To achieve high efficiency in delivering services to Sponsor of clinical trials.
  • To earn the right to display one of the Code’s Compliance Marks as the compliance seal.
  • To demonstrate compliance and high standards of services to Sponsors conducting clinical trials in the European Union.

EUCROF Code Public Registry

The companies listed on this Public Registry have initiated their submission file for adherence
Explore

How to Adhere

  • Adherents are included into the List of Code Adherents and can display a Level 1 or Level 2 Compliance Mark for 3 years.
  • Level of Compliance Mark depends on the evaluation model selected by the candidate CRO.
  • CROs may be audited for the validity of a Compliance Mark within 3 years.

Adherence Scheme 1: Self-declaration

  • Complete an organizational profile and a Code’s compliance questionnaire (“Compliance Dossier”).
  • Submit your compliance dossier to the Code’s Supervisory Body (COSUP).
  • COSUP will review the Compliance Dossier and issue its resolution.

Adherence Scheme 2: Audit

  • Complete the Compliance Dossier and submit it through the EUCROF website to the COSUP.
  • COSUP Auditor will review each Compliance Dossier for eligibility and completeness, and report to COSUP on the eligibility of the Candidate Adherent.
  • Eligible Candidate Adherent will receive the audit plan and be requested to confirm agreement to the proposed process.
  • Two COSUP auditors responsible for legal and technical compliance respectively will audit the Candidate Adherents on-site in accordance with the audit plan.
  • Upon audit completion, the auditors will report the audit results to the ISO Auditor who will prepare the final report for the COSUP.
  • COSUP will communicate the final decision on the Candidate Adherent.

Close
Search

Hit enter to search or ESC to close

Subscribe to our monthly newsletter

EUCROF eNews service facility allows subscribers to stay in touch with all forthcoming events, our numerous achievements and initiatives involving us
cookie By using this website, you agree to our cookie policy. Close