Latest Updates

News - November 2021


1. NEW EU Standard Contractual Clauses

According to the General Data Protection Regulation (GDPR), contractual clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU to third countries. This includes model contract clauses – so-called standard contractual clauses (SCCs) – that have been “pre-approved” by the European Commission.

On 4 June 2021, the Commission issued modernised standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR):

These modernised SCCs replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46. Since 27 September 2021, it is no longer possible to conclude contracts incorporating these earlier sets of SCCs.

Until 27 December 2022, controllers and processors can continue to rely on those earlier SCCs for contracts that were concluded before 27 September 2021, provided that the processing operations that are the subject matter of the contract remain unchanged.

Standard contractual clauses for international transfers (Word) area available at this link:

2. Healthcare Market Research and Turkish legislation

The Ethics Committee has been made aware of a recent change in Turkish law concerns payment to hospital-based physicians. In essence, it appears that the hospital ‘owns the time’ of the physician. Any payment to a physician must be made through the hospital, with the latter taking potentially a large proportion of the payment. This applies to all public hospitals who each have different systems for payments.  The Ethics Committee checked with several fieldwork and full-service agencies who confirm the new system applies and is proving difficult. There is additional bureaucracy and affects the ability to conduct market research with physicians in Turkey unless they are not paid an incentive.

EPHMRA picked up the issue and is currently engaging with TUAD, the Researchers Association of Turkey, IPSOS Turkey and ERA Research Turkey in order to investigate the issue and find a practical solution. A first meeting has been held in which steps were taken to clarify the issue also involving research-based pharmaceutical companies. Talks are ongoing.

Any further update will be communicated to EPHMRA members as soon as available.


3. France: On-going Country Update

The reinforced anti-gift restrictions detailed in ordonnance n° 2017-49 du 19 janvier 2017[1]; and requires interactions between physicians/CNOM/IDAHE 2 platform.

EPHMRA is monitoring the situation very closely since the introduction of the new legislation. All information, news and updates available at this time can be found on the EPHMRA website.

ASOCS Association des Sociétés d'étude de l'Opinion et du Comportement dans le domaine de la Santé., Federation SYNTEC and CNOM Conseil national de l'Ordre des Médecins, are currently engaging in the discussion and are keeping EPHMRA informed about progress.

Any further update will be communicated to EPHMRA members as soon as available


[1] Payments and other benefits of value from pharmaceutical and medical devices companies to the healthcare sector are governed by: • Articles L. 1453-1 and L. 1453-2 as well as Article D 1453-1 and Articles R 1453-2 to R 1453-12 of the Public Health Code (Code de la santé publique or CSP) that relate to transparency, i.e. public disclosure of (authorised) benefits/payments to the healthcare sector; and • Articles L. 1453-3 to L. 1453-14 CSP that set out the general prohibition of benefits/payments and the exceptions thereto. • Ordinance No 2017-49, which created new sections in the Code de la santé publique (Public Health Code), amended the existing provisions by extending the list of covered beneficiaries, specified which forms of payments and other benefits are not covered by the Gift Ban, harmonised the criminal provisions, and adapted the public enforcement officers’ powers. • Decree No 2020-730, which implements the provisions of Ordinance No 2017-49 and which provides specifications for the required agreements between parties transferring value that falls under an exception to the prohibition


2016 - August: European Commission adopts the EU – US Privacy Shield

From August 1, 2016, US companies will be able to certify their compliance with the new EU- US Privacy Shield agreement. 

The EU - US Privacy Shield is designed to protect the privacy rights of citizens of the European Economic Area (EEA) when their personal data is transferred to the USA.  This new framework is the replacement for the invalidated Safe Harbor Framework.  The Privacy Shield places stronger obligations on US organisations to protect the personal data of EEA citizens.  It requires greater transparency about transfers of personal data to the US and it offers more accessible redress options in case of complaints.

More details here - pdf

July 2016: GDPR Update: more details here

The General Data Protection Regulation (GDPR) has now been agreed by the European Council, Parliament and Commission.  The final text was published in Official Journal on 24 May 2016 and came into force on the 24th of May 2016, which means it will apply from 25 May 2018 - giving us a two year window to prepare.  The GDPR updates and replaces the current data protection rules based on the 1995 Data Protection Directive.

The Regulation will establish a single, pan-European law for data protection meaning that organisations deal with one law, not many laws.  However there will be some country variations as Member States still have discretion on specific provisions.  Over 50 articles have been left to member states to implement in their own national law - including provisions governing the processing of personal data for research purposes.

The new rules mean we must build in data protection by design and by default, carry out privacy impact assessments for riskier or larger scale projects, and implement privacy-friendly techniques such as pseudonimysation, data minimisation and encryption.  They are designed to be future-proof, technologically neutral, fit for innovation and big data analytics.

May 2016: The EU General Data Protection Regulation (GDPR) has been approved by the European Parliament

The GDPR updates and replaces the current data protection rules based on the 1995 Data Protection Directive. The final stage of the legislative process will be publication of the GDPR in the official journal, which is expected by June this year. Based on publication by June of this year, it will come into force in mid-2018, so members will have approximately two years to prepare.

The Regulation will establish a single, pan-European law for data protection meaning that organisations deal with one law, not 28. However there will be some country variations as Member States still have discretion on specific provisions. The new rules encourage privacy-friendly techniques such as pseudonimysation, anonymisation, encryption and data protection by design and by default, they are designed to be future-proof: technologically neutral and fit for innovation and big data analytics.

The GDPR will also mean that any company - regardless of whether it is established in the EU or not - will have to apply EU data protection law if they wish to offer their services in the EU.

EphMRA is currently working on providing you with more detailed guidance on the implications of the GDPR and will be in touch again soon.

 May 2016: The EU-US Privacy Shield – Replacement for the Safe Harbor Agreement

European data regulators (the Article 29 Working Party) have recently reviewed and have expressed concerns about the EU-US 'Privacy Shield' (the successor to the now invalid Safe Harbour Agreement) which is designed to cover the transfer of data between the EU and the USA. The regulators said the latest version needs further amendments and clarification.

The European Commission has indicated that they are hoping to seek approval for the Privacy Shield in May with adoption in June 2016. When we have further news, we will be in touch again.

March 2016: Country Differences Grid - a handy guide showing the country differences in the Code - brought together for easy reference. Available via Members Login.