About the Code of Conduct

The European CRO Federation’s GDPR Code of Conduct for Service Providers in Clinical Research (EUCROF GDPR Code or Code) is an initiative subsidised and carried out by EUCROF to create a transnational GDPR Code of Conduct for data processors working in the clinical research industry. EUCROF is the owner of the Code and establishes the supervisory body (COSUP).


When approved, the EUCROF GDPR Code will help to ensure the privacy rights and freedoms of trial participants while promoting the lawful, fair and meaningful use of personal data in the field of Clinical Research.

Note that the EUCROF Code was submitted for approval in March 2021 and has now passed the co-review and cooperation phases of the approval process. Approval, if granted, is targeted for Q3 2022.

The Code is a sign of the continued progress that organizations and Supervisory Authorities are making toward establishing harmonized data protection standards for various industries across the European Union.


Code Adherents earn the right to display a Compliance Mark for 3 years. The Mark signifies the level of adherence. 

What is the GDPR EUCROF Code?

    • A Code of Conduct developed under Article 40 of the GDPR (Regulation).
    • A compliance framework for adhering organisations to demonstrate that their services are aligned with the Regulation.
    • An interpretive guide to the Regulation created and endorsed by multiple stakeholders and opinion leaders in clinical research.
    • An effective governance and accountability mechanism for which the Commission Nationale de l'Informatique et des Libertés (CNIL) is the Competent Supervisory Authority, responsible for the approval and establishment of the Code and for monitoring adherence to it.
    • A transnational Code, recognized by the 27 EU data protection authorities and approved by the European Data Protection Board (EDPB).

What is within the Code’s scope?

    • Any data processing activities for the services delivered by CROs and other service providers in clinical research as data processors.
    • GDPR requirements shown in application to 23 classes of services typically delivered by CROs.
    • Personal data of European Union study subjects and healthcare professionals processed for interventional and non-interventional studies.

Why would you want to become an Adherent?

    • To reduce administrative and operational waste caused by conflicting interpretations of the GDPR.
    • To obtain practical instructions on demonstrating and maintaining compliance.
    • To exchange practical experience with other Adherents.
    • To achieve high efficiency in delivering services to Sponsors of clinical trials.
    • To earn the right to display one of the Code’s Compliance Marks as the compliance seal.
    • To demonstrate compliance and high standards of services to Sponsors conducting clinical trials in the European Union.