Pharmacovigilance Data Protection in the EEA: A Compliance Guide to GVP VI Addendum II and GDPR (Part 3 of 3)

The L2A vs L2B download problem: what MAHs get wrong about EudraVigilance data sharing | Apotech Consulting

Pharmacovigilance · EudraVigilance · Data Governance

Apotech Consulting  ·  24 March 2026  ·  Part 3 of 3

Most pharmacovigilance teams treat the EudraVigilance Access Policy as a technical access control: L1 is public, L2A is for PV obligations, L2B is for signal management. That framing is accurate but incomplete. The Access Policy is a legal framework that governs what you can do with ICSR data after download, not just what data you can see. The distinction matters because the most common compliance gaps are not about accessing the wrong level. They are about using the data outside its permitted scope once it has been downloaded, and most teams do not realise they are doing it.

The EV Access Policy is not simply a technical access control mechanism. It is a legal framework that governs what MAHs can do with EudraVigilance data after it has been downloaded. Accessing data at the wrong level, or using it outside the permitted scope, is a data protection and regulatory compliance failure, not just an operational one.

Understanding the EV access levels

Level 1: Public Access

The public subset of ICSR data elements, accessible to anyone via the ADRReports.eu portal. Covers spontaneous post-marketing reports only. For MAHs, L1 is background context; it does not form part of their pharmacovigilance data management.

Level 2A: PV Obligations Access

A richer dataset for use in fulfilling pharmacovigilance obligations under EU legislation. Used for routine PV activities: case review, duplicate detection, and ICSR management. The only level from which ICSR data may be shared onward.

Level 2B: Signal Management & PSUR Access

A broader dataset for signal evaluation and specific pharmacovigilance assessment activities. Restricted to two defined circumstances under the EV Access Policy (Annex C). May not be used for routine case review or shared onward.

L2B access is permitted only in two circumstances: following completion of the initial signal management steps as set out in GVP Module IX, including reference to the corresponding electronic Risk Management Report (e-RMR) where applicable; or in the context of a pharmacovigilance assessment procedure, specifically a PSUR as outlined in GVP Module VII, or where required by the PRAC in a referral or signal assessment procedure.

L2B data may not be used for routine case review, ongoing surveillance, or any purpose outside these defined activities. L2B data may not be shared onward. It is restricted to internal use within the specific signal management or PSUR context for which it was downloaded.

The most common L2A/L2B compliance gaps

Gap 1: Treating L2B data as general-purpose pharmacovigilance data

The most frequent misapplication is using L2B downloads for activities that fall outside GVP Module IX signal management or GVP Module VII PSUR processes. This includes using L2B case data for periodic aggregate analysis, ad hoc safety reviews, or internal signal tracking that has not followed the formal GVP Module IX pathway. The trigger for L2B access is defined by the EV Access Policy. It is not a judgment call left to the MAH. If the signal management steps in GVP Module IX have not been completed and there is no e-RMR reference to document them, L2B access is not yet appropriate regardless of the PV team’s operational assessment.

Gap 2: Sharing L2B-sourced data with third parties

The restriction on onward sharing applies specifically to L2B data. Where a MAH shares ICSR data with a non-EEA affiliate or licensing partner, that data must come from the L2A download. If L2B data has been included in an outbound data transfer, whether deliberately or through insufficient data lineage controls, the organisation is operating outside the EV Access Policy. Where safety databases are integrated and access levels are not clearly mapped to downstream processes, L2A and L2B data can become commingled in exported datasets. The onus is on the MAH to demonstrate data lineage: that outgoing transfers contain only L2A-sourced records.

Gap 3: No documented basis for L2B requests

Access to L2B data requires a documented basis: the GVP Module IX reference, the e-RMR where applicable, or the PSUR or PRAC procedure being supported. In practice, many organisations submit L2B download requests without creating or retaining the documentation that justifies the request. This creates an audit trail gap that is difficult to remediate retrospectively. If an inspector asks you to demonstrate the basis on which a specific L2B download was requested, you should be able to produce the GVP Module IX signal management record or the PSUR procedure reference. If that documentation does not exist, the download may not have been compliant with the EV Access Policy.

Gap 4: Confusing the L2A/L2B distinction with GDPR controller obligations

Some PV teams treat the L2A/L2B distinction as purely an access control question: a matter of which data they can see, not what obligations govern how they handle it. This is incorrect. Under GDPR, MAHs are data controllers for all ICSR data they access from EudraVigilance, regardless of whether it is L2A or L2B. Controller obligations (including data minimisation, purpose limitation, access controls, and technical and organisational measures) apply to both access levels. The EV Access Policy adds restrictions on top of those GDPR obligations. It does not substitute for them.

The controller accountability framework in practice

The EMA is clear: MAHs and Sponsors are data controllers for the personal data processing activities they carry out under pharmacovigilance legislation. Controller accountability under GDPR means the organisation must be able to demonstrate compliance, not merely assert it.

For EudraVigilance data, this translates to a set of documented technical and organisational measures:

  • Access controls: Password protection and role-based access to the PhV safety database, reviewed and recertified at regular intervals.
  • User management: Access to the PhV database granted only to defined authorised users, with access rights reviewed periodically.
  • Purpose limitation: Data processed only for the specific legal purpose for which it was accessed: L2A for PV obligations, L2B for defined signal management or PSUR activities.
  • Data minimisation on transfers: Only the personal data necessary for the purpose is included in any outbound transfer, not a full case export by default.
  • Technical measures: Encryption, pseudonymisation, and data segregation measures appropriate to the sensitivity of health data under GDPR Article 9.

Each of these measures should be documented in a way that is auditable. A mock inspection of your PV data governance framework should be able to surface evidence of each control, not just a policy that asserts controls exist.

What QPPVs should be asking their teams

QPPV readiness questions

  • Can you demonstrate which ICSR data in your outbound transfers is sourced from L2A versus L2B?
  • For every L2B download in the past 12 months, is there a documented GVP Module IX signal management record or PSUR procedure reference?
  • Has your safety database access control list been reviewed in the last 12 months?
  • Does your SDEA with non-EEA partners specify that shared data must be sourced from L2A only?
  • Is your organisation’s EV Access Policy Confidentiality Undertaking reflected in your data governance SOPs?

If any of these questions do not yet have documented answers, that is a clear starting point for strengthening your framework ahead of your next inspection.

The inspection risk

EMA and national competent authority inspections increasingly scrutinise pharmacovigilance data governance alongside traditional PV system compliance. Inspectors are looking for evidence that MAHs understand and can demonstrate their obligations as data controllers, not just that they have submitted ICSRs on time.

The EV Access Policy, GVP VI Add. II, and GDPR Chapter V together constitute a layered data governance framework for pharmacovigilance data. Organisations that treat them as separate, disconnected compliance domains are more likely to have gaps at the interfaces, and those gaps are precisely what inspection programmes are designed to find.

Apotech Consulting: EV data governance and inspection readiness

We work with MAHs and Sponsors to assess and strengthen their EudraVigilance data governance frameworks. This includes L2A/L2B access mapping, PV database access control reviews, EV Access Policy compliance gap analyses, and mock inspection preparation focused on pharmacovigilance data protection.
