Why DPIAs Are Non Negotiable in Clinical Research
Article 35 of Regulation (EU) 2016/679, the GDPR, requires a Data Protection Impact Assessment before any processing that is likely to result in a high risk to the rights and freedoms of natural persons.
The Article 29 Working Party, now the EDPB, confirmed in its DPIA Guidelines that several processing characteristics will generally meet this threshold. These include large scale processing of special category data, such as health, genetic and biometric data, systematic monitoring of data subjects, automated decision making with significant effects on individuals, and processing involving vulnerable data subjects, including patients enrolled in interventional studies.
In practice, almost every Phase I, II, III or IV clinical trial will meet at least two of these criteria. A sponsor conducting a 200 site oncology study that collects genomic sequences, patient reported outcomes and electronic health records is not merely likely to trigger Article 35. The obligation is close to certain.
Failure to conduct a DPIA when one is required is itself a breach of the GDPR, regardless of whether a data breach or actual harm occurs. Under Article 83(4), this may lead to administrative fines of up to EUR 10 million or 2 percent of global annual turnover, whichever is higher.
Beyond the general GDPR obligation, the EU Clinical Trials Regulation 536/2014 also sets expectations around data protection, including in relation to the Clinical Trials Information System. Sponsors submitting authorisation requests through CTIS must be able to show that participant data is adequately protected. A documented DPIA is increasingly viewed by ethics committees and national competent authorities as evidence of that assurance.
The EDPB Harmonised Template: What Has Changed
Before April 2026, each EU Member State data protection authority maintained its own DPIA template or guidance. The CNIL in France, the BfDI in Germany, the ICO in the United Kingdom, the Autoriteit Persoonsgegevens in the Netherlands and the AEPD in Spain each published structurally different frameworks.
For sponsors opening clinical sites in several European countries, this created unnecessary complexity. They either had to maintain several DPIA documents or produce one broader document that attempted to address all national structures, often leaving gaps.
The EDPB harmonised template, released for public consultation on 14 April 2026, aims to reduce this fragmentation. Its main innovations include a single structure for EU DPAs, a standard section on necessity and proportionality, a more structured risk identification methodology, explicit mapping between risks and mitigation measures, a dedicated DPO consultation section and a clearer pathway for deciding when prior consultation is required.
Once the consultation is complete and the template is finalised, EU DPAs are expected to adopt it either as their main template or as a reference structure for national variants. For clinical trial sponsors, this creates a real opportunity. A single master DPIA, supported by targeted national annexes, can become the basis for compliance across the EU.
Focus on France: CNIL and MR 001
France remains one of the more complex DPIA environments for clinical research. The CNIL Méthodologie de Référence MR 001, which applies to interventional studies involving human subjects, already includes a DPIA style assessment within its compliance framework.
Sponsors that comply with MR 001 benefit from a simplified declaration regime rather than a full prior authorisation process. However, they must still document their data protection measures in a way that is consistent with Article 35 GDPR.
Under the harmonised template, French sponsors will need to check whether their MR 001 documentation maps properly to the EDPB standard sections. In particular, the risk scoring methodology introduced by the new template is not currently required in the same way under MR 001. Existing French compliance documentation may therefore need supplementary annexes.
iliomad recommends that sponsors active in France conduct a gap analysis between their existing MR 001 files and the harmonised template before the final version is adopted.
Focus on Germany: BfDI and State DPAs
Germany's federal structure means that clinical trials may fall under the supervision of one of the 16 state data protection authorities, in addition to the federal BfDI where public bodies are involved.
Historically, each authority has published its own guidance, and some state authorities have taken different approaches to risk scoring and DPIA structure. The harmonised template should reduce this divergence once implemented.
Sponsors should monitor the BfDI guidance and any state level transposition materials published after the EDPB template is finalised.
Focus on the United Kingdom: ICO and UK GDPR
The ICO operates under the UK GDPR and the Data Protection Act 2018, rather than the EU GDPR. The EDPB template will therefore not be binding in the United Kingdom.
However, the ICO DPIA guidance is broadly aligned with the EDPB approach. UK based sponsors running EU clinical trials will still need to prepare an EU compliant DPIA for their EU sites.
iliomad advises sponsors to maintain a dual template approach, with a UK DPIA aligned to ICO guidance and a separate EU DPIA aligned to the EDPB harmonised template. Both documents should be connected through a common risk register.
Focus on the Netherlands: Autoriteit Persoonsgegevens
The Autoriteit Persoonsgegevens has published one of the more detailed lists of processing operations that require a mandatory DPIA. Large scale health data processing and genetic data processing both appear on this list.
As a result, most clinical trials conducted in the Netherlands will require a DPIA regardless of any further threshold analysis. The harmonised template should fit relatively smoothly with the Dutch approach, provided sponsors complete the new risk scoring section in sufficient detail.
Conducting a DPIA for a Multi Site Clinical Trial
A DPIA for a multi site clinical trial is not a form filling exercise. It is a structured assessment that must explain the processing, assess the risks to participants and document the measures taken to reduce those risks.
A strong DPIA should include the following elements.
- A systematic description of the processing
This should cover the nature, scope, context and purposes of the processing. For a clinical trial, this includes the protocol number, the categories of data collected, the identity of the controllers and processors, the legal basis under Articles 6 and 9 GDPR, the data flows between the sponsor, CRO, investigator sites, laboratories and any third country recipients, as well as the retention periods set out in the data management plan.
- An assessment of necessity and proportionality
The sponsor must show that the data collected is limited to what is necessary for the scientific objectives of the trial. This should be aligned with the data minimisation principle under Article 5(1)(c) GDPR and the research safeguards set out in Article 89(1) GDPR.
- A risk assessment
The harmonised template introduces a structured risk scoring approach. Sponsors must identify relevant threats, such as unauthorised access, data loss or re identification of pseudonymised data, then assess likelihood, severity and the resulting risk level before and after controls are applied.
- Measures to address risks
Technical and organisational measures should be linked directly to the risks they mitigate. These may include pseudonymisation, encryption, access controls, audit logs, contractual safeguards with processors and controls around international transfers.
- DPO consultation and sign off
Where a DPO has been appointed, the DPO's written opinion should be included in the DPIA record. This is particularly important for sponsors established in Member States such as France and Germany, where large scale health data processing will often require DPO involvement.
- Residual risk decision
If a high residual risk remains after mitigation measures are applied, Article 36 GDPR requires the controller to consult the competent supervisory authority before starting the processing. The harmonised template includes a clearer pathway for making this decision.
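As an added illustration of how the risk assessment, the explicit risk to measure mapping and the residual risk decision above fit together, the following example models a small DPIA risk register. It is example code written for this article, not iliomad's or the EDPB's; the 1 to 3 likelihood and severity scale, the 3x3 matrix, the "high" threshold and the per-control reductions are assumptions, since the template's own scoring scale is not reproduced here.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    likelihood_cut: int = 0   # assumed reduction of likelihood (points)
    severity_cut: int = 0     # assumed reduction of severity (points)

@dataclass
class Risk:
    threat: str
    likelihood: int           # 1..3 before controls (assumed scale)
    severity: int             # 1..3 before controls (assumed scale)
    controls: list = field(default_factory=list)   # explicit risk -> measure mapping

    def level(self, residual: bool) -> str:
        """Risk level before (inherent) or after (residual) the mapped controls."""
        lik, sev = self.likelihood, self.severity
        if residual:
            for c in self.controls:
                lik = max(1, lik - c.likelihood_cut)
                sev = max(1, sev - c.severity_cut)
        product = lik * sev   # 1..9 on the assumed 3x3 matrix
        return "high" if product >= 6 else "medium" if product >= 3 else "low"

def assess(register):
    """Per-risk inherent/residual levels, unmapped risks and the Article 36 decision."""
    rows = {r.threat: (r.level(False), r.level(True)) for r in register}
    unmapped = [r.threat for r in register if not r.controls]
    return {
        "rows": rows,
        "unmapped": unmapped,   # risks with no measure mapped: the template expects one
        # Article 36: a remaining high residual risk means consult the DPA before processing
        "prior_consultation": any(res == "high" for _, res in rows.values()),
    }

def sample_register():
    """Constructed register for an oncology trial; all values are illustrative only."""
    access = Control("role based access controls", likelihood_cut=1)
    audit = Control("audit logs", likelihood_cut=1)
    crypto = Control("encryption of EHR extracts", severity_cut=1)
    contract = Control("Article 28 contractual safeguards with CRO", likelihood_cut=1)
    return [
        Risk("unauthorised access to EHR extracts", 3, 3, [access, audit, crypto]),
        Risk("data loss at laboratory processor", 2, 3, [contract]),
        Risk("re-identification of pseudonymised genomic data", 2, 3),  # no measure mapped yet
    ]
```

Running `assess(sample_register())` leaves the re-identification risk high after controls, so the register flags it as unmapped and marks prior consultation as required.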
Country Specific Obligations and the Meta Template Mechanism
The meta template mechanism is one of the most useful aspects of the EDPB approach for sponsors. It allows sponsors to build a single DPIA around the harmonised structure, while adding national annexes for local requirements.
This reflects iliomad's approach: create a strong GDPR baseline, then layer local requirements on top.
Sponsors should continue to address country specific obligations in national annexes. These may include prior authorisation requirements for sensitive health data processing, ethics committee reviews, local DPA notification requirements, and third country transfer documentation, including Standard Contractual Clauses and Transfer Impact Assessments where needed.
Focus on Spain: AEPD and High Risk Processing
The Agencia Española de Protección de Datos has published a list of processing operations requiring a mandatory DPIA. This includes health data processing and processing involving vulnerable data subjects.
Spain also expects DPIAs for clinical trials to be available to the Comité de Ética de la Investigación con Medicamentos upon request. Sponsors should therefore ensure that their DPIAs are not only legally robust, but also clear enough for ethics committee reviewers who may not be data protection specialists.
Focus on Poland: UODO
The Polish data protection authority, UODO, has taken an active approach to enforcement in recent years. DPIAs must be available for inspection during supervisory proceedings.
Where residual risk cannot be reduced to an acceptable level, consultation with UODO is required under Article 36 GDPR, alongside the procedural requirements established under the Polish Act on the Protection of Personal Data of 10 May 2018.
Sponsors opening sites in Poland should pay particular attention to the residual risk section of the DPIA and ensure that the reasoning is complete and well documented.
Practical Compliance Roadmap for Sponsors
The EDPB harmonised template is not yet final. The public consultation launched on 14 April 2026 will collect feedback before the final version is published and national authorities begin implementation.
Sponsors should not wait for finalisation before acting. The following steps are advisable now.
- Audit existing DPIA documentation against the harmonised structure, especially the risk scoring and DPO sign off sections.
- Involve the DPO in reviewing ongoing and planned trials to confirm which processing activities require a DPIA and which existing DPIAs need updating.
- Map national DPIA templates currently used across active trial sites and identify where national annexes will still be required.
- Review agreements with CROs, laboratories and technology vendors to confirm that Article 28 GDPR obligations are properly reflected and that processors can support the DPIA process.
- Monitor the final EDPB template and national DPA implementation guidance.
- Integrate DPIA updates into the trial master file as a standing document, to be reviewed whenever there is a substantial protocol amendment, a change in data flows or a new third country transfer.
The harmonised template represents a meaningful step forward for clinical research sponsors. A single, consistent DPIA structure can reduce duplication, support inspection readiness and make the prior consultation process easier to manage where it is triggered.
Sponsors who begin aligning their documentation now will be better prepared than those who wait for the final template.