GDPR Code of Practice for Contract Research Organisations (CROs)

  • Writer: Joe Stock
  • Feb 19
  • 2 min read

A Practical Guide to the European CRO Federation Code of Conduct.


In early 2026, the Contract Research Organisation (CRO) Code of Practice made a major leap forward when the French Supervisory Authority (CNIL) approved the supervisory body responsible for overseeing the Code of Conduct. This milestone brings CROs closer to a formally recognised, GDPR‑aligned compliance framework tailored specifically to clinical research service providers.

If you’re a CRO operating in clinical trials, biometrics, pharmacovigilance or related research services, here’s what you need to know.


What Is the CRO GDPR Code of Practice and Why Does It Matter?

The CRO Code of Practice (CoP) allows organisations to demonstrate that their covered services meet sector‑specific, GDPR‑compliant standards. By declaring conformity, CROs can earn an official Compliance Mark, offering Sponsors clear assurance that personal data is processed with consistent, independently overseen safeguards.


For CROs, this means:

  • A recognised, industry‑wide GDPR benchmark

  • Clear evidence of compliance for Sponsors and auditors

  • Reduced ambiguity around Processor obligations

  • Strong alignment with established ISO standards


Key Features of the CRO GDPR Code of Practice

1. It applies when CROs act as Processors

The Code covers situations where a CRO processes personal data on behalf of a Sponsor. It does not apply to Joint Controllership or independent data processing activities.


2. It is fully modular and flexible for different CRO services

CROs can declare conformity across 23 distinct Classes of Service, allowing organisations to adopt only the parts of the Code relevant to their operational scope.


3. It blends Code‑specific requirements with ISO 27001 / ISO 27701 controls

The CRO Code includes:

  • 216 total requirements

    • 91 unique Code requirements

    • 125 mapped to established ISO 27001 / ISO 27701 controls


How CROs Can Start Implementing the Code of Practice

To prepare for accreditation and demonstrate GDPR compliance, CROs should begin with these steps:


1. Identify your applicable Classes of Service

Document these in your Statement of Applicability, the foundation for determining which requirements you must meet.


2. Map the relevant requirements

Your chosen Classes directly determine which of the 216 requirements apply.


3. Build or update your Information Security Management System (ISMS)

Ensure the necessary controls and governance structures are in place to meet all applicable requirements under the Code.


Need Help Navigating the CRO GDPR Code of Conduct?

Are you a CRO looking to understand your obligations under this new sector‑wide GDPR framework? At Iniver, we specialise in strategic data protection compliance. If you need clarity on which requirements apply to your business, we’ve created a dedicated assessment tool to support your scoping process:
