Pharmacovigilance Data Protection in the EEA: A Compliance Guide to GVP VI Addendum II and GDPR

Contents
- Introduction
- Executive Summary
- Chapter 1 – GDPR meets pharmacovigilance: what EMA’s new masking guidance means for your safety database
- Chapter 2 – Transferring ICSRs to non-EEA countries: are your SDEAs still fit for purpose?
- Chapter 3 – The L2A vs L2B download problem: what MAHs get wrong about EudraVigilance data sharing
Introduction
This whitepaper sets out a single, connected argument: the masking policy, the international transfer framework, and the EudraVigilance Access Policy are not three separate compliance exercises. They form a layered data governance framework, and organisations that treat them in isolation are the ones most likely to have gaps when an inspector looks at the joins.
This whitepaper is intended for pharmacovigilance managers, QA leads, qualified persons for pharmacovigilance (QPPVs), heads of pharmacovigilance, legal and data protection officers, and regulatory affairs professionals. It is written to be technically precise without assuming a legal or data science background.
Executive Summary
Most pharmacovigilance teams think they are compliant because they submit ICSRs on time. The real exposure is in what happens to the data after submission. Here is what this whitepaper covers, and what your team should take away from each chapter:
- Your safety database configuration certainly needs some updates. GVP Module VI Addendum II (July 2025) introduced a binding field-level masking standard: 13 fields must now carry nullFlavour MSK, 11 must be left blank, and over-masking the remaining fields is itself a compliance failure. Chapter 1 sets out the full field-by-field breakdown and what a compliant submission process looks like.
- If your SDEAs have not been reviewed in recent years, your transfer arrangements might not satisfy the Standard Contractual Clauses (updated June 2021), and you probably do not have Transfer Impact Assessments on file. Chapter 2 walks through the six things an SDEA review should cover.
- L2B data cannot be shared onward; only L2A can. Most organisations do not have the data lineage controls to prove which is which. Chapter 3 identifies the four most common compliance gaps and the questions your QPPV should be asking.
These three challenges are connected. The gaps that inspectors find are almost always at the joins between them.