Summary

The EDPS checklist for human intervention in automated decision-making is crucial for GDPR compliance in clinical trials. It sets a standard for genuine oversight, directly impacting sponsors and CROs by operationalizing oversight principles and enhancing accountability in decision-making processes involving health data.

Contact us

What the EDPS Checklist on ADM Actually Requires

The EDPS checklist defines meaningful human oversight as a structured, documented and risk-proportionate process, not merely the presence of a named reviewer. Published in 2025 by the European Data Protection Supervisor (the independent authority responsible for monitoring data protection within EU institutions under Regulation (EU) 2018/1725), the checklist operationalises the principle that oversight mechanisms must reflect genuine capability to intervene, not symbolic assignment.

The checklist targets EU institutions deploying ADM systems, but its criteria map onto obligations that already apply to private-sector sponsors and contract research organisations (CROs) under GDPR. Specifically:

  • GDPR Article 22 grants data subjects the right not to be subject to solely automated decisions that produce legal or similarly significant effects, unless specific conditions are met.
  • GDPR Article 35 requires a DPIA for processing likely to result in high risk, which routinely includes algorithmic patient-stratification, safety-signal detection and eligibility-screening tools used in clinical research.
  • GDPR Recital 71 specifies that suitable safeguards include "the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision".

The checklist translates these abstract requirements into observable indicators: Is the oversight role formally defined? Does the reviewer have access to the underlying logic? Is there a documented escalation path? Are decisions logged for audit? For life-sciences organisations, each of these indicators corresponds to a gap that supervisory authorities such as the CNIL, the ICO or the German Datenschutzkonferenz may examine during an inspection.

Focus: The Example of France and the CNIL

The CNIL (Commission Nationale de l'Informatique et des Libertés) is the French data protection authority responsible for enforcing GDPR and the French Data Protection Act (Loi Informatique et Libertés, as amended). In the clinical-trials context, sponsors operating under Méthodologie de Référence MR-001 must document the legal basis for each processing operation, including any automated profiling of participants. Where an ADM tool is used, for example to generate safety signals or to rank adverse event severity, the CNIL expects that the human reviewer's role is described in the processing record (Registre des activités de traitement) and that the reviewer is not structurally prevented from overriding the system's output. A checklist-style self-assessment aligned with the EDPS framework would directly support this expectation.

Why Cosmetic Human Oversight Fails GDPR Clinical Trials Obligations

Cosmetic or "rubber-stamp" human oversight fails GDPR clinical trials obligations because it does not constitute a genuine safeguard as required by GDPR Article 22(3) and Recital 71. Regulators and courts are increasingly scrutinising whether the designated reviewer had the practical capacity to alter an outcome, not merely whether a human was nominally present in the process.

Three structural failure modes are common in clinical research environments:

1. Automation bias. Reviewers systematically defer to algorithmic recommendations because the system presents with apparent precision and authority. This is particularly acute when the underlying model is a large language model (LLM) or a complex predictive algorithm where the output is confident but the reasoning is opaque.

2. Time pressure and throughput constraints. In large multi-site Phase III trials, safety-review teams may process hundreds of automated flags per day. When cycle time per review is reduced to seconds, the review becomes procedurally compliant but substantively ineffective.

3. Lack of escalation authority. Reviewers who lack the organisational standing to reject or pause an automated decision cannot exercise meaningful oversight. Where the Data Protection Officer (DPO) is not consulted on ADM governance, this gap is unlikely to be caught before a supervisory-authority enquiry.

The EDPS checklist addresses all three failure modes by requiring organisations to demonstrate not only that a reviewer exists but that the reviewer has sufficient context, authority and time. This aligns with GDPR Article 5(1)(f) (integrity and confidentiality) and Article 5(2) (accountability), which together require sponsors to be able to demonstrate compliance, not merely assert it.

Focus: The Example of Germany and the Datenschutzkonferenz

The Datenschutzkonferenz (DSK) is the conference of German federal and state data protection authorities, which issues joint guidance on GDPR application in Germany. German data protection law (Bundesdatenschutzgesetz, BDSG) imposes mandatory DPO appointment on all entities that process special-category data on a large scale under BDSG Section 38, which in practice covers most clinical sponsors and CROs active in Germany. The DSK has consistently emphasised that automated processing of health data requires documented human review procedures. Sponsors without a formally chartered oversight process risk enforcement action, particularly following the DSK's 2023 orientation on AI-assisted processing.

Focus: The Example of the United Kingdom and the ICO

The Information Commissioner's Office (ICO) is the UK supervisory authority responsible for enforcing the UK GDPR and the Data Protection Act 2018. Post-Brexit, the UK GDPR mirrors the EU GDPR in its Article 22 provisions on automated decision-making. The ICO's guidance on explaining AI decisions explicitly warns against "meaningful human review" that is in practice perfunctory. For sponsors running UK clinical trial sites, this means that the EDPS checklist criteria, while formally directed at EU institutions, represent the kind of documented evidence the ICO would expect to see in a DPIA or in response to a subject-access request challenge.

How Does the EU AI Act Change the Human-Oversight Standard for Clinical Research AI?

The EU AI Act (Regulation (EU) 2024/1689), which entered into force on 1 August 2024 and applies progressively from 2 August 2026, introduces binding human-oversight obligations that go beyond GDPR by specifying technical and organisational design requirements. AI systems classified as high-risk under Annex III of the EU AI Act, a category that includes AI intended to be used in the medical domain for patient management, must by design enable human oversight under Article 14.

Article 14 of the EU AI Act defines human oversight as the ability of natural persons to understand, monitor and, where appropriate, stop the AI system. It requires deployers to assign oversight to individuals with the necessary competence, authority and resources. This is structurally identical to the EDPS checklist's demand for organisational and technical safeguards, and it extends to clinical AI tools such as:

  • Patient eligibility and stratification algorithms.
  • Automated adverse event detection and coding systems.
  • Predictive biomarker analysis tools.
  • AI-assisted imaging and diagnostic support used as trial endpoints.

The EU AI Act also introduces the concept of the AI Officer (Article 26), an internal role responsible for coordinating AI governance. Where a sponsor or CRO deploys high-risk AI in a trial, the AI Officer and the DPO must co-ordinate on Article 22 GDPR compliance and Article 14 EU AI Act oversight, ensuring that the DPIA conducted under GDPR Article 35 and the conformity assessment required under EU AI Act Article 43 reflect consistent assumptions about human-review capacity.

Focus: The Example of the European Medicines Agency (EMA)

The European Medicines Agency (EMA) is the EU agency responsible for the scientific evaluation of medicines, including the oversight of clinical trials under EU Clinical Trials Regulation 536/2014. The EMA's reflection paper on the use of artificial intelligence in the lifecycle of medicines (EMA/CHMP/SAWP/813765/2023) notes that the reliability and explainability of AI outputs are preconditions for meaningful human review. Sponsors submitting trial data that has been processed or summarised by AI tools should therefore document the human-oversight measures applied, in a manner consistent with both GDPR Article 22 and the emerging EU AI Act obligations. The EDPS checklist provides a practical template for structuring that documentation.

Focus: The Example of Spain and the AEPD

The Agencia Española de Protección de Datos (AEPD) is the Spanish data protection authority. In its 2022 guide on artificial intelligence and data protection, the AEPD articulates that human oversight must be substantive, noting specifically that the reviewer must be able to access the information necessary to understand and challenge the automated output. Spanish clinical sponsors deploying ADM tools, for instance in automated randomisation or safety-signal prioritisation, should map the AEPD's substantiveness criteria against the EDPS checklist indicators as part of their DPIA update cycle.

Comparison Table: GDPR Article 22, EU AI Act Article 14 and the EDPS Checklist

DimensionGDPR Article 22 and Recital 71EU AI Act Article 14EDPS ADM Checklist (2025)Legal instrumentRegulation (EU) 2016/679Regulation (EU) 2024/1689EDPS supervisory guidanceScopeAll controllers processing personal data with solely automated decisions of significant effectDeployers and providers of high-risk AI systemsEU institutions (benchmark for all sectors)Who overseesHuman reviewer able to interveneNatural person with competence, authority and resourcesNamed role with documented mandateKey obligationEnsure human intervention on request; provide explanationDesign-in oversight; enable stopping the systemSelf-assess maturity across defined criteriaProportionalityRisk of significant effect triggers the rightRisk classification (Annex III) triggers the requirementRisk level determines depth of oversight measuresDocumentationProcessing records, DPIATechnical documentation, conformity assessmentSelf-assessment record, escalation logsAudit trailAccountability principle (Article 5(2))Logging obligations (Article 12)Documented decisions and review historyExplainabilityMeaningful information about the logic involved (Article 13/14)Transparency to deployer and user (Article 13 EU AI Act)Reviewer must access underlying logicRelevance to clinical trialsPatient eligibility, safety coding, pharmacovigilance signalsAI-assisted diagnosis, imaging endpoints, biomarker toolsAll ADM in regulated research workflows

Contact us

FAQs

Our frequently questions

Does the EDPS checklist apply directly to private-sector clinical sponsors?

The EDPS checklist is formally addressed to EU institutions governed by Regulation (EU) 2018/1725. However, its criteria reflect the same substantive standards that GDPR Articles 5, 22 and 35 impose on all controllers, including private-sector sponsors. Supervisory authorities such as the CNIL, ICO and AEPD are likely to use comparable criteria when assessing whether a sponsor's human-oversight measures are adequate.

What is the difference between a human in the loop and meaningful human oversight under GDPR?

A human in the loop is a process description indicating that a person reviews an automated output before it takes effect. Meaningful human oversight, as required by GDPR Recital 71 and the EDPS checklist, goes further: the reviewer must have access to the underlying logic, sufficient time to examine it, the organisational authority to override the system and a documented escalation path. The absence of any one of these elements may render the oversight nominal rather than substantive.

Is a DPIA always required when using AI tools in a clinical trial?

A DPIA under GDPR Article 35 is required whenever processing is likely to result in a high risk to the rights and freedoms of natural persons. The use of AI for automated processing of health data, which is special-category data under GDPR Article 9, in a clinical trial almost always meets this threshold. The DPIA must describe the oversight measures in place and assess their adequacy, making the EDPS checklist a useful structuring tool.

How should a DPO document human oversight of ADM in a clinical trial?

The DPO should ensure that the Record of Processing Activities (ROPA) under GDPR Article 30 describes the ADM tool, its decision logic and the human-review procedure. The DPIA should assess the proportionality of oversight to risk. A separate operational document should specify the reviewer's role, their access to explainability outputs, the escalation procedure and the retention period for review logs. This documentation package directly mirrors the EDPS checklist structure.

What happens if an ADM system in a clinical trial requires constant human correction?

An ADM system that requires frequent human intervention to avoid harmful outcomes indicates deficiencies in its design and suitability for deployment. Under the EU AI Act Article 9 (risk management system) and GDPR Article 25 (data protection by design), sponsors should treat persistent correction requirements as a signal that the system should not be placed in production until those design deficiencies are remediated. Deploying a flawed system and relying on human review to compensate does not satisfy either instrument.

How does the EU AI Act affect human oversight obligations for clinical research AI tools?

The EU AI Act (Regulation (EU) 2024/1689), applying progressively from 2 August 2026, introduces binding human-oversight obligations beyond GDPR. AI systems classified as high-risk under Annex III — including those used for patient management, eligibility screening, adverse event detection and AI-assisted imaging — must by design enable human oversight under Article 14. Deployers must assign oversight to individuals with the necessary competence, authority and resources. Sponsors and CROs must also ensure their DPO and AI Officer co-ordinate so that GDPR Article 35 DPIAs and EU AI Act conformity assessments reflect consistent assumptions about human-review capacity.

Find out how iliomad can help your company.

[Map placeholder]
Only visible in production
38.709099
-39.182035
1.6
6d17042a3425c5b3
Your message has been received!
We'll get back to you as soon as possible.
Something went wrong, please try again.
Home

Discover our latest articles

View All Blog Posts
Abstract digital network connecting a hospital, a regulatory building and a courtroom, representing AI governance, health data privacy and transatlantic data transfer risks in 2026
July 8, 2026
Healthtech
Regulations & Guidelines
DPIA
Regulation
LLMS

AI Triage, Biopharma Workbenches and Crumbling Data Bridges: iliomad Weekly Digest

NHS AI triage, Anthropic Claude Science, medical AI privacy risks, MHRA GxP guidance, EDPS ADM checklist and the EU-US data transfer threat explained.

A clinical trial investigator reviewing an informed consent form with a data protection checklist highlighting the ethnicity data justification section
July 3, 2026
ICF
GDPR
Clinical Trials
Ethics Committee
Combination Products

Informed Consent Form (ICF) and Ethnicity Data: Justification Requirements Under GDPR and MR-001

Ethics committees require scientific justification for ethnicity data in the ICF. Learn how GDPR Article 9, MR-001 and EU CTR 536/2014 apply to your clinical trial.

Abstract digital illustration showing a medical cross symbol overlaid on a data-flow network map, representing health data privacy and AI regulation themes
July 3, 2026
Healthtech
Regulations & Guidelines
DPIA
AI
Data Transfers

Health Data Under Pressure: US Legislative Shifts, AI Privacy Risks and EU Cloud Sovereignty Disputes | Weekly Digest

This week: a US health data broker bill, Supreme Court FTC ruling threatening EU-US data flows, AI membership inference risks, and French cloud sovereignty tensions.