Data Protection FAQ

Data Protection FAQ

Medidata FAQ – The ECJ Decision regarding the EU-US Safe Harbor Program and its impact on Medidata’s Customers and CRO Partners.

In light of the October 6, 2015 European Court of Justice (ECJ) ruling regarding the validity of the EU-US Safe Harbor Program, Medidata is providing this FAQ to our customers and Contract Research Organization (CRO) partners to answer questions about the impact of that ruling.

In this FAQ, Medidata is also (1) providing a new Data Processing Amendment that incorporates the European Commission’s (EC’s) approved Standard Contractual Clauses (SCCs) and (2) providing recommendations about the use of Informed Consent Documents (ICDs) for data protection purposes.  Both are valid bases for the transfer of personal data to Medidata in the US for processing.

What is the EU-US Safe Harbor Program?

The Safe Harbor Program was established by the EC and the US Department of Commerce in 2000 to provide an efficient process for US companies to self-certify compliance with EU data protection requirements as a basis for transferring personal data from the EU to the US. Over 4,000 US companies, including Medidata, are certified under the Safe Harbor Program.

What does the ECJ’s decision do to the Safe Harbor program?

The ECJ declared the Safe Harbor Program invalid from a European perspective as a basis of data transfer.  Rather than being a ‘cease and desist’ to those data transfers, the ECJ ruling put an end to a presumption that the Safe Harbor Program meant the US itself provides adequate data protection via the Safe Harbor Program.

What does the ECJ’s decision mean for Medidata’s customers and CRO partners?

Be assured that the ECJ’s decision has no effect on the security of your data – Medidata continues to maintain very strict data privacy and data security measures that meet or exceed all Safe Harbor principles.  In addition to the Safe Harbor Program, two other mechanisms relevant to Medidata’s customers and CRO partners are approved by the EC – SCCs and ICDs.  These mechanisms allow our customers and CRO partners to export personal data (including sensitive data such as clinical data) from the EU to the US.

What are the Standard Contractual Clauses?

The SCCs (also known as Model Clauses) are contract templates developed by the EC as a basis for parties to legalize the transfer of personal data outside of Europe. With SCCs, the transfer of personal data to US companies can meet EU data protection requirements (the “adequate safeguards” as required by Article 26 (2) of directive 95/46/EC, established by the EC).

How does my company execute the Standard Contractual Clauses with Medidata?

Medidata customers and CRO partners who wish to utilize the SCCs as a basis for transferring personal data (e.g., data concerning the users of Medidata’s services) from the EU to the US should enter into Medidata’s Data Processing Amendment to the Medidata Services Agreements, which incorporates the SCCs and Medidata-specific details.

What do Informed Consent Documents have to do with data protection laws?

ICDs remain a key component both for the conduct of clinical trials in Europe and for ensuring consent for the transfer of personal data to the US for processing and submission to regulatory authorities.  Unlike in the social media context (such as Facebook, at the center of the ECJ ruling), appropriate consent to the processing and transfer of a patient’s personal data (e.g., clinical data) is a basis for the continued validity of EU-US transfers of that data.

Does Medidata have any recommendations for ICD language?

Medidata recommends that our customers and CRO partners continue to use ICDs that disclose clinical data flows from the EU to the US for processing and regulatory submission.  While our customers and CRO partners should obtain their own data protection advice, as ICDs remain their responsibility, Medidata recommends that ICDs include at a minimum:

  1. the name of the organization, and its website, that will process the personal data (i.e., Medidata Solutions,;
  2. disclosure that the clinical data will be transferred to and processed in the US;
  3. disclosure that the data will be processed only for our customers and CRO partner’s purposes; and
  4. disclosure of the anticipated regulatory authorities to which the data subject’s clinical data may be disclosed.

Medidata also recommends that our customers and CRO partners:

  1. provide notification of or receive approval for their use of SCCs to the data protection authorities of European countries as may be required;
  2. adhere to ICH Good Clinical Practices related to the informed consent process (section 4.8) which details confidentiality of subject data and access by third parties; and
  3. obtain the consent of their employees, authorized users and/or study site personnel for the transfer of their personal data using Medidata’s services.

What about future developments to European data protection law?

Medidata will continue to monitor the ongoing Safe Harbor negotiations and the EU’s efforts to clarify its data protection requirements, and will make any changes needed to keep up with those developments.

Please contact us at with any questions.