Pharmacovigilance Data Protection in the EEA: A Compliance Guide to GVP VI Addendum II and GDPR (Part 2 of 3)
Transferring ICSRs to non-EEA countries: are your SDEAs still fit for purpose?
If your organisation shares Individual Case Safety Report (ICSR) data with affiliates or licensing partners outside the EEA, ask yourself a simple question: when was the last time anyone reviewed the Safety Data Exchange Agreement (SDEA) that governs those transfers? Most SDEAs in circulation today were drafted before Schrems II. Many predate GDPR itself. The pharmacovigilance team assumes the legal terms are handled; the legal team assumes the PV data flows are documented. In practice, neither side has checked since 2020, and the transfer framework has moved on significantly.
This article examines the GDPR framework that applies specifically to pharmacovigilance data transfers, sets out the two primary transfer mechanisms available to MAHs and Sponsors, and outlines what an SDEA review should address to be considered current and compliant.
EEA-based MAHs and Sponsors are data controllers for ICSR data they hold, process, and transfer, including data downloaded from EudraVigilance. Controller status does not end at the EV gateway. It follows the data wherever it goes.
Why pharmacovigilance teams cannot treat GDPR as someone else’s problem
There is a persistent assumption in some pharmacovigilance functions that data protection is the responsibility of legal or the DPO, and that PV teams are simply following regulatory reporting requirements. That assumption does not hold under GDPR.
Under Regulation (EU) 2016/679, MAHs and Sponsors are data controllers for the personal data processing activities they carry out under clinical trials and pharmacovigilance legislation. This includes:
- Receiving and processing ICSRs from reporters or investigators
- Submitting ICSRs to EudraVigilance
- Downloading ICSRs from EudraVigilance (L2A or L2B access)
- Sharing or transferring ICSR data to third parties, including non-EEA affiliates and licensing partners under an SDEA
Every one of these activities is subject to GDPR. Further processing (the term used by the EMA) explicitly includes onward transfers of ICSRs originating in the EU, irrespective of how or where the data was accessed.
When does a transfer become an international transfer?
An international transfer of personal data occurs whenever personal data originating from within the EEA is sent to a recipient in a country outside the EEA. For pharmacovigilance purposes, this typically arises in two scenarios.
Affiliates and subsidiaries in third countries. EEA-based MAHs with affiliates or subsidiaries in non-EEA markets (the United States, Japan, India, China, Brazil) may be required to share ICSR data with those affiliates to support local pharmacovigilance reporting obligations. Even where the receiving affiliate is part of the same corporate group, a transfer of personal data to a non-EEA entity requires a legal basis and a transfer mechanism under GDPR Chapter V.
Licensing partners under SDEAs. Where a MAH has a Safety Data Exchange Agreement with a licensing partner in a third country, ICSR data shared under that agreement constitutes an international transfer. The SDEA governs the commercial and pharmacovigilance terms of the arrangement. It does not, by itself, provide a lawful basis for the data transfer under GDPR. That requires a separate legal instrument.
Apotech Consulting brings together pharmacovigilance and regulatory compliance expertise to support organisations in reviewing and updating their ICSR transfer arrangements — covering transfer flow mapping, SDEA gap analysis, SCC version review, and Transfer Impact Assessment support.
The GDPR transfer framework: what Chapter V requires
Chapter V of the GDPR (Articles 44 to 49) sets out the conditions under which personal data may be transferred outside the EEA. The overarching principle is that the level of protection afforded to data subjects must be essentially equivalent to that guaranteed within the EEA, regardless of where their data goes.
To meet this standard, organisations must satisfy three requirements for every international transfer:
- Have an appropriate legal basis for the transfer under GDPR
- Rely on an appropriate transfer tool (Article 45 or Article 46)
- Apply data minimisation: only transfer the personal data necessary for the specific purpose of the transfer
Adequacy Decisions (Article 45)
The European Commission has determined that certain third countries offer an adequate level of data protection. Where an adequacy decision is in place, personal data may flow freely without any additional safeguard being required. Countries currently include the UK (subject to ongoing review), Switzerland, Japan, Canada, New Zealand, and Israel. The US has a partial arrangement under the EU-US Data Privacy Framework.
Appropriate Safeguards (Article 46)
Where no adequacy decision exists, organisations must rely on appropriate safeguards — most commonly Standard Contractual Clauses (SCCs). Following Schrems II, SCCs alone are not always sufficient: a Transfer Impact Assessment (TIA) is also required to determine whether the destination country’s legal environment allows the SCCs to be effectively honoured.
Adequacy decisions can be challenged or revoked: Schrems I (2015) invalidated Safe Harbor; Schrems II (2020) invalidated Privacy Shield. Any compliance framework built on an adequacy decision should include a mechanism for monitoring its continued validity.
Schrems II is now more than four years old. If your SDEAs have not been reviewed in recent years, it is almost certain that your transfer arrangements predate the current SCC framework (updated June 2021) and the requirement for Transfer Impact Assessments.
What an SDEA review should cover
Identify all international data flows
Map every jurisdiction to which ICSR data is transferred, including indirect transfers through processors, IT platforms, or service providers hosted outside the EEA. Many organisations discover during this exercise that data flows exist that were never formally documented.
Confirm the legal basis for each transfer
For each flow, identify whether an adequacy decision applies, or whether the transfer relies on Article 46 safeguards. If the transfer currently has no documented legal basis, that is an immediate remediation priority.
Review the SCC version in use
The European Commission adopted new Standard Contractual Clauses in June 2021. Agreements entered into before September 2021 that relied on the old SCCs were required to migrate to the new version by December 2022. If your SDEAs still reference the pre-2021 SCCs, they are no longer legally compliant as a transfer mechanism.
Conduct or update Transfer Impact Assessments
For each Article 46 transfer, a TIA should be on file assessing the legal framework of the destination country. Key considerations include whether local surveillance laws could compel access to the transferred data, and whether supplementary measures such as encryption, pseudonymisation, or contractual limitations are required.
Apply data minimisation to transfer scope
Under the GDPR data minimisation principle, you should only transfer the personal data strictly necessary for the purpose of the transfer. For ICSR sharing under an SDEA, this means reviewing what fields are actually required by the receiving party for their local reporting obligations, not simply transferring the full case record by default. This is particularly relevant in the context of GVP VI Add. II: if you are sharing L2A ICSR downloads with a non-EEA affiliate, the same pseudonymisation principles that apply to EV submissions should inform what data you share onward.
Confirm alignment with the EV Access Policy confidentiality undertaking
MAHs accessing EudraVigilance data are bound by the EV Access Policy Confidentiality Undertaking (EMA/337295/2016). This undertaking restricts how EV-sourced ICSR data may be used and shared. Any SDEA arrangement that involves sharing EV downloads with third parties must be assessed for compliance with this undertaking; it is a separate obligation layered on top of GDPR.
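As an added illustration of the review steps above (example code, not part of the original article): a small Python gap check run over a constructed ICSR transfer register, applying the article's own rules on legal basis, adequacy, SCC version, Transfer Impact Assessments, data minimisation and the EV confidentiality undertaking. The adequacy list is a snapshot of the countries named in the article, and the `TransferFlow` record layout, field names and sample recipients are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
# Adequacy list as given in the article; a live register must track changes to it.
ADEQUACY_COUNTRIES = {"GB", "CH", "JP", "CA", "NZ", "IL"}
CURRENT_SCC_VERSION = "2021"  # the Commission SCCs adopted in June 2021

@dataclass
class TransferFlow:
    """One ICSR flow to a non-EEA recipient (constructed record layout)."""
    recipient: str
    country: str                       # ISO 3166-1 alpha-2 code of the destination
    mechanism: Optional[str]           # "adequacy", "scc", "dpf" or None (undocumented)
    scc_version: Optional[str] = None  # "2021" or "pre-2021" when mechanism == "scc"
    tia_on_file: bool = False
    full_case_record: bool = True      # whole case record shared by default?
    ev_sourced: bool = False           # data downloaded from EudraVigilance (L2A/L2B)
    ev_undertaking_assessed: bool = False

def review_flow(flow: TransferFlow) -> list:
    """Findings an SDEA review would raise for one flow, most urgent first."""
    findings = []
    if flow.mechanism is None:
        findings.append("PRIORITY: no documented legal basis for the transfer")
    elif flow.mechanism == "adequacy":
        if flow.country not in ADEQUACY_COUNTRIES:
            findings.append(f"adequacy relied on but {flow.country} has no adequacy decision")
        else:
            findings.append("adequacy decision: confirm monitoring of its continued validity")
    elif flow.mechanism == "dpf":
        if flow.country != "US":
            findings.append("EU-US Data Privacy Framework covers only US recipients")
    elif flow.mechanism == "scc":
        if flow.scc_version != CURRENT_SCC_VERSION:
            findings.append("SCCs predate the June 2021 clauses; migration was due December 2022")
        if not flow.tia_on_file:
            findings.append("Article 46 transfer with no Transfer Impact Assessment on file")
    if flow.full_case_record:
        findings.append("full case record shared by default: apply data minimisation")
    if flow.ev_sourced and not flow.ev_undertaking_assessed:
        findings.append("EV-sourced data: assess against the EV Access Policy undertaking")
    return findings

def review_register(flows) -> dict:
    """Run the review over a whole register, keyed by recipient name."""
    return {f.recipient: review_flow(f) for f in flows}
# Constructed sample register; recipients and details are illustrative only.
SAMPLE_REGISTER = [
    TransferFlow("US affiliate", "US", "scc", "pre-2021", ev_sourced=True),
    TransferFlow("Japan partner", "JP", "adequacy", full_case_record=False),
    TransferFlow("India CRO", "IN", None),
]
```

Each finding maps back to one of the review headings above, so the output of `review_register` can be used directly as the remediation list for the SDEA review.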
What this means for your compliance programme
The intersection of pharmacovigilance legislation and GDPR is not a niche legal question. It sits at the heart of how EEA-based organisations manage global safety data. Regulators, including the EMA, the EDPB, and national DPAs, are increasingly aligned in their expectation that organisations can demonstrate a coherent data protection governance framework for their PV activities.
That means documented transfer arrangements, current SCCs, Transfer Impact Assessments on file, and SDEAs that reflect the post-Schrems II regulatory environment. It also means the PV function, legal, and the DPO are working from the same framework, not operating in parallel with separate, disconnected compliance programmes.