Germany's new standard contractual clauses (SCCs) for Clinical Trial Agreements (CTAs), which are in principle mandatory and may only be waived through an explicit agreement, took effect on 18 December 2025. The SCCs give data protection a prominent role within the standardized contract framework. Annex 2 of the SCCs expressly designates the sponsor and the trial site as joint controllers for the processing of clinical trial participants' data and sets out a joint controller arrangement pursuant to Article 26 GDPR. These provisions seek to harmonize a practice that is still fragmented across German sites, thereby ensuring legal certainty for sponsors conducting trials in Germany.

Annex 2 assigns clear roles and responsibilities:

• sponsors handle pseudonymized participant data under the study protocol, remote monitoring, and secure transmission according to Article 32 GDPR; and
• sites manage lawful data collection, safety reporting, and secure handling up to transfer.

Personal data of site staff and activities outside this scope – such as pre-contract steps or post-database-lock tasks like scientific evaluation beyond the protocol, regulatory submissions, and archiving – are excluded, reducing sponsor exposure but requiring careful review of data flows.

The SCCs require that all information obligations under Articles 13, 14, and 26(2) GDPR – including the essence of the joint-controller arrangement – be addressed directly in the ICF. This underscores that ICFs cannot be drafted in isolation but need to reflect the data protection setup of roles and responsibilities. They reaffirm the established practice that the site serves as the primary point of contact for data subjects seeking to exercise their rights, although such requests may be submitted to either party. Both parties are required to cooperate closely in handling these requests, including deletion requests under Articles 17(1) and 17(3) GDPR, where retention obligations related to trial data may apply.

One further notable feature is the right of either party to suspend data sharing if doubts arise regarding the lawfulness of the underlying processing or international transfers under GDPR Chapter V. This mechanism reflects the increasing regulatory scrutiny of appropriate safeguards for international data transfers, and requires sponsors to monitor legal developments closely.

The SCCs streamline negotiations but set out clear, stringent obligations for sponsors, including: ensuring GDPR-compliant ICF language that accurately reflects joint-controller roles, implementing a shared deletion concept with auditable logs, guaranteeing secure data transmissions, and continuously monitoring transfer safeguards to prevent suspension. Coordinated planning across ICFs, CTAs, and internal processes is critical for compliance and seamless collaboration.