While clinical trials pave the way for innovations in the field of healthcare, they proceed on a sensitive ground in terms of data protection law due to the processing of personal data of volunteers. The Personal Data Protection Law numbered 6698 (“PDPL”) in Turkey and the General Data Protection Regulation (GDPR) in the European Union stand out as the main regulatory texts in this field. The Clinical Trials Association's assessment report dated January 31, 2025 sets out the similarities and differences between these two regulations and makes important recommendations.
Uncertainties in the PDPL and the Regulation on Clinical Trials
Under Turkish law, clinical trials are mainly regulated by the Regulation on Clinical Trials (“Regulation”). Pursuant to Article 20 of the Regulation, personal data obtained from volunteers may be used in future scientific studies provided that they comply with the PDPL. However, this guidance is insufficient to detail the situations where data processing processes may be considered as scientific exceptions within the scope of Article 28/1-c of PDPL. Compared to GDPR, PDPL draws a more ambiguous framework, thus creating grey areas in practice.
Clinical Research under GDPR
Under GDPR, clinical research-related data processing activities must rely on specific legal bases such as the performance of a task carried out in the public interest, the legitimate interests of the data controller, or explicit consent of the data subject. Especially when taken together with the Clinical Trials Regulation (CTR), the basis on which data processing activities are based is clearly defined. This approach not only protects the rights of volunteers throughout the research process but also strengthens research quality and ethical standards.
It should be noted that one of the important differences in GDPR is the distinction between informed consent and consent to data processing. The ethical consent required for participation in clinical trials may not always constitute a sufficient legal basis for data processing. Therefore, data controllers should proceed with separate and explicit consent forms.
Emergencies and Secondary Data Use
The report also considers how data processing should be carried out in situations where it is not possible to obtain prior consent, such as for urgent clinical trials. In this context, GDPR provides for alternative legal bases, such as the necessity of processing to protect the vital interests of the data subject or another natural person, or the necessity for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. We would like to emphasize that informed consent must be obtained as soon as possible thereafter.
In order to process data collected within the scope of clinical research for non-protocol purposes (secondary use), a new legal basis is required under GDPR. In this context, obtaining explicit consent is preferred, but compatibility of purpose is accepted under certain conditions in scientific research.
Compliance and Future Steps
The protection of personal data in clinical trials is of critical importance in terms of both supporting scientific progress and securing the fundamental rights and freedoms of individuals. While PDPL provides a significant framework for data protection, it lacks the level of detail and comprehensiveness that GDPR offers, particularly in the context of clinical research. The absence of clearly defined legal bases for processing, ambiguities in consent management, and the lack of specific safeguards for scientific research activities create various legal risks in practice.The report makes several recommendations to harmonize PDPL with EU legislation:
- Restructuring Article 28/1-c of PDPL with more specific regulations;
- Strengthening the explicit consent, particularly for sensitive data;
- Establishing legal frameworks specifically tailored for scientific research activities;
- Expanding data subject rights (e.g. the right to erasure, the right to portability)
- Enhancing oversight mechanism and institutional capacities.
These measures would not only elevate data protection standards but also build a robust infrastructure to integrate Turkey’s clinical research capabilities into international collaborations.
Conclusion
The implementation of these steps would significantly enhance the compliance of clinical trials conducted in Turkey with international standards and would contribute to Turkey’s harmonization process with the European Union’s data protection framework. Furthermore, establishing a secure and standardized clinical research data pool in Turkey would provide a valuable foundation for contributing to scientific developments at the international level.
You can access the full text of the assessment report via this link.