Data Protection & Privacy Notice

1. Introduction

This notice explains how personal data is processed when you use the INTrial Services Electronic Data Capture (EDC) system and related modules (e.g., ePRO). INTrial Services GmbH develops and operates regulated software systems for clinical trials where data protection is integrated into our development, hosting, and operational lifecycle.

The INTrial platform may also be used for non-interventional projects, surveys, registries, or other structured data collection activities outside the scope of formal clinical trial regulations. In such cases, the applicable regulatory framework and legal basis depend on the specific project and the responsible Controller.

2. Who Is Responsible for the Data?

Clinical Trial Data

For clinical trial participant data:

• Data Controller: The Sponsor of the clinical trial (your study sponsor) determines the purposes and means of processing.
• Investigators / Sites: Investigators and clinical sites may act as independent controllers for certain processing under medical confidentiality and applicable national law (e.g., local patient records).
• Data Processor: INTrial Services GmbH processes personal data only on behalf of and according to the documented instructions of the Sponsor (Art. 28 GDPR), including validated operation of the EDC system and related modules.

System User Data

For user account data (investigators, monitors, sponsor staff): The Sponsor typically remains Controller for study-related processing. INTrial Services acts as Processor for operating the system, maintaining security, and providing compliance-relevant functions such as validated audit trails and electronic signature records.

4. What Data Is Processed?

4.1 User Account Data

To ensure secure access and regulatory-compliant audit trails, we process: Name, business email, role/affiliation, username, encrypted password, electronic signature records, and access logs.

4.2 Pseudonymized & Isolated Clinical Trial Data

As a matter of principle and system design, clinical trial data is processed in pseudonymized form (e.g., using a study-specific subject ID). Direct identifiers and re-identification information remain with the clinical site and/or Sponsor unless explicitly required by the protocol and documented instructions. Where direct participant accounts are used (see Section 4.5), identifiers for account management are handled separately from study datasets.

In cases where the study protocol requires the collection of identifiable participant data (e.g., for ePRO modules), such data is strictly isolated, encrypted, and managed in separate database schemas to prevent unauthorized access and protect study blinding.

4.3 Special Categories of Data (Health Data)

In accordance with Art. 9 GDPR, health data is processed only under Sponsor instruction and protected through advanced encryption and strict Role-Based Access Controls (RBAC).

4.4 Technical and Security Data

We process IP addresses, login timestamps, and limited client information (browser, operating system, user agent) to ensure system security, fraud prevention, and inspection readiness.

4.5 Direct Participant Account Data (if applicable)

In certain study configurations (e.g., ePRO or patient-facing modules), trial participants may receive direct access to the system. In such cases, limited direct identifiers (e.g., email address, phone number) may be processed for account creation, authentication, password reset, reminder notifications, or multi-factor authentication.

Such identifiers are stored in a separate, logically and technically isolated database environment, encrypted at rest, and accessible only to the application and authorized personnel (e.g., designated site staff or system administrators) based on strict role-based access controls. These identifiers are separated from the study database.

Direct identifiers used for system access are not transferred to the Sponsor unless explicitly required by the study protocol and documented Sponsor instruction.

5. Purposes of Processing

Personal data is processed for the following purposes, depending on your role (e.g., system user, sponsor staff, investigator, participant) and the applicable project context:

• Provision and operation of the EDC system and related modules (e.g., ePRO), including authentication, authorization, and role management.
• Clinical data capture workflows such as data entry, query management, monitoring support, and data validation checks, as configured by the Controller (e.g., Sponsor) for the specific project.
• Regulatory compliance features, where applicable, including validated audit trails, electronic signatures, and inspection readiness (e.g., ICH-GCP, CTR, 21 CFR Part 11).
• System security, incident detection, fraud prevention, and ensuring service availability and integrity.
• Customer support and regulated change management, including troubleshooting and documentation where necessary.
• Participant account handling (where applicable), including account creation, password reset, reminders, and multi-factor authentication.

Automated validation rules (edit checks) & profiling

The system may apply automated validation rules (edit checks) to support data quality and generate queries for review by authorized users. INTrial Services does not perform automated decision-making or profiling that produces legal effects or similarly significant effects within the meaning of Art. 22 GDPR.

6. Legal Basis for Processing

Legal bases depend on the role (e.g., Controller vs. Processor), the specific processing activity, and the applicable project context. For system operation and delivery of contracted services, typical legal bases include Art. 6(1)(b) (Contract) and, for security and service integrity, Art. 6(1)(f) (Legitimate interest). Where processing is required to meet regulatory or other legal obligations, Art. 6(1)(c) (Legal obligation) may apply.

In the context of clinical trials, the Sponsor (as Controller) is responsible for determining the specific legal basis for processing trial participant data and documenting it within the study’s data protection documentation (e.g., protocol/privacy information/informed consent and applicable national rules). Processing operations related to reliability and safety obligations under applicable clinical trial rules may be based on Art. 6(1)(c) GDPR, while processing operations related to research activities may rely on a different legal basis depending on national requirements (e.g., Art. 6(1)(a) consent or Art. 6(1)(e) public interest), as determined by the Sponsor.

Processing of special categories of data (health data), where applicable, is performed under the responsible Controller’s determination and based on an applicable Art. 9 GDPR condition (e.g., Art. 9(2)(i) or Art. 9(2)(j), as applicable) and any relevant national provisions. INTrial Services processes such data only on documented Controller instructions where acting as Processor.

For projects conducted outside regulated clinical trials, the applicable legal basis and regulatory framework depend on the nature of the project and the responsible Controller.

7. Hosting, Security Measures & Sub-Processors

We apply a risk-based security framework aligned with ISO 27001 principles. Our primary hosting is performed in high-security, certified data centers located in Germany by our hosting provider conyu.de, supporting data residency within the EEA for hosting under our operational responsibility.

• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• Multi-factor authentication (MFA) for privileged access.
• Encrypted backups with documented restore testing.

Sub-processors: We may use carefully selected sub-processors (e.g., hosting and IT service providers) to support operation of the system. A current list of sub-processors is available upon request.

Security incidents: In the event of a personal data breach, INTrial Services maintains documented procedures to notify the responsible Controller without undue delay and to support investigation and applicable notification obligations.

8. Recipients & International Data Transfers

Access to and disclosure of personal data occurs only where necessary, and in line with roles and permissions configured for the project and system:

• Responsible organization(s) for the project (e.g., Sponsor, commissioning entity) and authorized users as configured (e.g., investigators, monitors, data managers, project staff).
• Hosting and IT service providers acting as processors/sub-processors under contractual safeguards.
• Auditors and inspectors (e.g., competent authorities, ethics committees) where required for audits/inspections and under applicable confidentiality obligations.

International transfers driven by project setup

Projects (including clinical trials) are frequently conducted globally. Depending on the project configuration and Controller decisions, project data and/or access to project data may be made available to organizations, sites, monitors, or other authorized recipients located outside the EEA (e.g., for global project management, monitoring, or regulatory activities). In such cases, international transfers are performed under the Controller’s responsibility and in accordance with Chapter V GDPR.

Where INTrial Services performs processing that involves access from or transfers to recipients outside the EEA on Controller instruction (e.g., support activities or project-specific setups), we support the Controller in implementing appropriate safeguards (e.g., Standard Contractual Clauses and additional technical/organizational measures as appropriate) and document such arrangements within the applicable contractual framework.

Where required for a specific transfer scenario, the Controller and/or the relevant data exporter will assess the third-country legal environment and the effectiveness of the chosen transfer mechanism (commonly referred to as a Transfer Impact Assessment) and implement supplementary measures as needed to maintain an essentially equivalent level of protection.

9. Retention and Deletion

Project data, system records, and audit trail entries are retained in accordance with the Controller’s documented retention requirements and applicable laws/regulations. In regulated contexts, audit trail entries cannot be deleted to ensure data integrity and 21 CFR Part 11 traceability, and are retained as part of the validated record. Audit trail entries are accessible according to role-based permissions.

Retention periods in clinical trials may be long. For example, under the EU Clinical Trials Regulation, the sponsor and investigator must archive the clinical trial master file for at least 25 years after the end of the clinical trial, unless other Union law requires longer archiving. Retention of study data and system records is determined by the responsible Controller based on applicable requirements.

Security and access logs are retained for a limited period necessary for security monitoring, incident investigation, and compliance. After applicable retention periods expire, data is deleted, anonymized, or returned to the Controller (as applicable) in accordance with documented procedures and contractual agreements.

10. Your Rights Under GDPR

You have the right to access, rectification, restriction of processing, and data portability. You also have the right to object to processing based on Art. 6(1)(f) GDPR for reasons arising from your particular situation.

Trial Participants: In most clinical trial configurations, INTrial Services cannot identify participants by name from pseudonymized subject IDs. Where participants have direct system accounts (e.g., ePRO access), identification may be possible for account management purposes but remains technically separated from study datasets. To exercise your rights, please contact your study doctor (Investigator) or the Sponsor as the responsible Controller. If you have a Subject Identification Number (Subject ID) assigned by the clinical site, please include it in your request to facilitate coordination without disclosing additional identifiers.

Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

Identity verification: To protect confidentiality and prevent unauthorized disclosure, we may request additional information to verify your identity before responding to a request.

Support for Controller obligations

Where INTrial Services acts as Processor, we support the responsible Controller in fulfilling data protection obligations (e.g., responding to requests and providing information about technical and organizational measures), to the extent applicable and feasible within the Processor role.

11. Cookies & Session Handling

This application uses strictly necessary cookies required for secure session management and proper operation of the website. In addition, certain usability cookies (e.g., storing a username for the next login, language selection, UI settings) are set only if you actively opt in (e.g., by selecting the checkbox “Save username for next login as cookie on this computer.”). You can withdraw your consent at any time by changing the setting and deleting the cookie in your browser. These cookies are not used for tracking or profiling. We do not use tracking, profiling, or third-party analytics cookies.