Clinical trials: data transfer to commercial subjects is now possible. Focus on privacy aspects.


On March 3, 2022, Decree 30/11/2021 of the Italian Ministry of Health entered into force. This decree allows sponsors to transfer the data and results of non-profit clinical trials to traders, against payment of a price.

For many years, industry regulation did not allow nonprofit experimentation to impact drug regulatory activities. The results of these trials could not bring benefits to clinical practice and, therefore, to the treatment of patients.

Overcoming these limits opens up new positive and challenging scenarios for the field of research.

So let’s describe the scope of the decree (art. 2). It applies to:

  • Non-commercial or not-for-profit clinical trials have the following requirements:
    1. they are not intended for the industrial and/or commercial development of drugs, nor for the purposes of economic exploitation;
    2. the promoter is not for profit;
    3. the sponsor does not hold the marketing authorization (MA) for the experimental medicinal product and has no economic interests – including intellectual property rights – with the MA holder;
    4. the sponsor owns the data and results of the trial, as well as any decision concerning their publication;
  • low intervention clinical trialsnot-for-profit and for-profit;
  • Observational clinical trialsnon-profit and for-profit.

Let’s see now how to transfer data:

  1. whether the test is in progress or completed, it is important to ensure that the data and results of the test can be used for record purposes. The sponsor and the potential assignee then ask a patent expert to estimate the value of the results of the clinical trials;
  2. if the potential transferee intends to proceed with the purchase, he will have to pay the amount determined:
  1. to the promoter
  2. to the funds implemented by local health authorities, hospital authorities and other bodies identified by the decree
  3. to the fund created at AIFA.
  1. the parties must regulate the transfer of data in a Contract. The sponsor must send AIFA, the competent ethics committee and the trial centers concerned a official communication with which he notifies the transfer.

Pharmaceutical companies will finally be able to buy data from non-profit trials for registration purposes, and the promoters will be able to finance their activities. Thus, trials and intellectual property will finally have the economic value they deserve.


With regard to the transfer of personal data relating to the persons concerned enrolled in the experiments, sponsors and pharmaceutical companies cannot escape compliance with data protection regulations.

The decree simply specifies that the transferee becomes the data controller from the time of transfer.

However, there are many aspects of privacy that parties need to consider, especially in the stipulated contract for data transfer.

The first is data quality. A high level of data quality ensures a better chance of obtaining valid and more attractive results for pharmaceutical companies.

Second, sponsors will need to assure pharmaceutical companies that trial data has been collected and processed in accordance data protection regulations, as set out in the GDPR and the Clinical Trials Authority guidelines. Specifically:

  • they ensure that this data has been processed with the consent of the persons concerned, if necessary;
  • that the promoter has given the persons concerned the information on the processing of data, including the possibility of their communication to third parties, provided that this is not one of the cases in which it is impossible to inform the persons concerned;
  • that the sponsor must transfer data to the pharmaceutical companies in a pseudonymised form.

For their part, from the moment of the transfer, the pharmaceutical companies will be able to independently determine the objectives and methods data processing, considering that:

  • they will be directly responsible for the choices relating to the data processing carried out from that moment on;
  • they will have to adopt technical and organizational measures such as to guarantee a level of security adapted to the risks linked to the specific processing of the data carried out;
  • will have to assess whether it is necessary to carry out a data protection impact assessment (DPIA);
  • Due to responsibilitythey must be able to demonstrate GDPR compliance.

Comments are closed.