6.8.2025
Orion Corporation is committed to protecting the study participants’ privacy in compliance with all applicable regulations and ensuring the security of their personal data. This privacy notice explains how we collect, use, and protect the study participants’ personal information.
Contact Details
Data Controller: Orion Corporation
Unit for clinical studies: clinicaltrials@orionpharma.com
Data Protection Officer (DPO): privacy@orionpharma.com
Telephone +358 (10) 4261
1. What data do we collect in our clinical studies?
In clinical studies, we typically collect and process the following types of personal data:
Clinical research data:
- sex
- age
- certain physical features and habits
- necessary previous data concerning the participants’ health
- findings of the research doctor
- information describing the behaviour of the study medication in the human body and the results of the tests on the efficacy and safety of the study medication
In addition, we process participants’ numbers, i.e. the codes, which prevent Orion from recognizing and identifying the study participant. Identification is possible only when the study participant’s number is combined with the code key kept by the study doctor. This so-called pseudonymisation is explained in Chapter 2.
Data is typically collected from the participants themselves, from the healthcare systems’ patient files, from the study doctor as well as from the results of the tests performed during the study.
Orion also collects and processes personal data concerning the study site personnel, including the curricula vitae of the study doctors, their names, professional addresses, telephone numbers, email addresses and relevant bank account information needed for processing payments. Personal data, including names, professional addresses, telephone numbers and email addresses, are also collected from other relevant study site staff members, e.g. study nurses and pharmacists.
Orion also maintains contact information of service providers, consultants, affiliates, licensing partners and other third parties who are involved in the conduct of clinical studies. This information includes names and contact information (telephone number and email address) of the contact persons.
2. Pseudonymisation
Pseudonymisation, normally coding, is a safeguard measure that helps to protect the participants’ personal data. It means that personal data is processed in such a way that it can no longer be attributed to you without the use of additional information. The additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed directly to you.
The safeguard measure is implemented by giving the study participant a number, in other words a code, which prevents Orion from recognising and identifying the study participant. Identification is possible only when the participant’s number is combined with the code key kept by the study doctor. The personal data of study participants in Orion’s studies is pseudonymised at the study site and this means that Orion does not in fact have access to the directly identifiable personal information of study participants.
3. How do we use the collected data?
We process the collected personal data for the following purposes:
- Scientific research and clinical development of the study medication
- Marketing authorisation applications
- Study site processing purposes
- Further scientific research
4. Legal Basis
The legal basis may vary from country to country, due to different local requirements. The following list presents the most typical legal grounds for processing clinical research data and any other personal data in connection with clinical studies:
- Public interest and public interest in the area of health (EU GDPR 2016/679 Articles 6(1)(e) and 9(2)(i)).
- Compliance with the controller’s legal obligations based on binding law and public interest in the area of health (EU General Data Protection Regulation Article 6(1)(c) and 9(2)(i)).
- Legitimate interests of the controller
- Consent of the data subject (EU General Data Protection Regulation Article 6(1)(a) and 9(2)(a) for special categories of data).
- Legitimate interests of the controller or a third party (the legitimate interest to be identified, such as direct marketing) and scientific research (EU General Data Protection Regulation Article 6(1)(f) and 9(2)(j)).
5. How do we share the collected data?
Orion uses other companies (service providers) when data is collected and processed from the study. We may share your information with other companies working with Orion, who assist us by performing data processing and technical operations such as data storage and hosting. Orion may also disclose the data to another pharmaceutical company, if we decide to continue the study in collaboration with such other company. In addition to Orion, companies specialised in clinical study services may be involved in the conduct of the study. If we decide to sell or license part of our products, services or assets, we may transfer your personal data to any new owner, successor or assignee. In such cases, Orion will require that the other company or research organisation handles the study data as specified in this information notice and the subject information and informed consent document.
If the data will be used for further scientific research concerning the study medication, it can be disclosed to companies and/or research organizations conducting scientific research that can help to advance medical science and improve future patient care where such data is relevant. In these cases the data will always be in coded format (you will not be identified personally) or anonymised whenever possible.
Personal data from the register is transferred or disclosed to countries of the European Union (EU) or the European Economic Area (EEA), as well as outside the EEA to regulatory authorities, affiliates, other companies working with Orion, to countries where the level of data protection legislation may not be at the same level as in the EU. The protection of personal data being transferred outside of the EU or the EEA is based on one or several of the following transfer mechanisms: the adequacy decision made by the EU Commission in accordance with the GDPR article 45; the signing of the Standard Contractual Clauses by the controller and the recipient in accordance with the GDPR article 46(2); or in specific situations on safeguards in accordance with the GDPR article 49.
6. How long do we store the data?
The personal data shall be retained by Orion for a minimum of 25 years after completion of the study or longer if required by local law.
For products with a marketing authorization approval, Orion is obligated to store the data for at least ten years after the expiration of the marketing authorization or longer if any local legislation so requires.
The pharmacokinetic and pharmacogenetic samples, whenever collected, will be stored at Orion for a maximum of 20 years, after which the samples will be destroyed.
7. What are the rights and options for the participants?
In principle, the study participants have the following rights with regard to their personal data, unless this is technically or otherwise legally impossible due to the deletion of the identifying features for decryption that has been carried out in the meantime:
- Access their data: They can request from the study site information and a copy of their personal data that have been collected in the context of the clinical study.
- Rectify inaccurate data: In order to keep their data up-to-date and accurate, they can request the study doctor to modify their data.
- Restrict processing: In some cases, they may have the right to limit the processing of their personal data.
- Data portability (only where consent is used as the legal basis): they have the right to data portability, i.e. the right to receive their personal data, which they have provided to the site and that is being processed by automated means, in a structured and machine readable format and the right to transmit those data to another controller, where the basis for processing is consent or the fulfilment of a contract between the controller and the data subject.
- Withdraw consent (only where consent is used as the legal basis): The participant can withdraw the consent they have given us for data processing activities. However, in the event of withdrawal, their data may continue to be used if this is necessary to determine the effects of the study medication being tested, to ensure that their interests worthy of protection are not adversely affected, and to meet the obligation to submit complete documents for approvals. Please note that withdrawal of consent does not render the processing of personal data performed prior to such withdrawal unlawful.
8. Security Measures
The study site will keep the participants’ names, personal identification numbers and contact details confidential and will not pass this information to Orion. The study site will use this information as needed, to contact the participants about the research study, and make sure that relevant information about the study is recorded for their care, and to oversee the quality of the study. Certain auditing individuals from Orion and regulatory organisations may look at the participants’ medical and research records to check the accuracy of the clinical study. Orion will only be given information without any identifying information. The people who analyse the study data will not be able to identify the participants and will not be able to find out their names, personal identification numbers or contact details.
The participants’ personal data is held in a combination of secure computer storage facilities and paper-based files.
We have implemented appropriate measures to ensure the level of security around the collected personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage to it.
We have put in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk of harm that might result from
- unauthorised or unlawful processing,
- accidental or unlawful loss, destruction or alteration,
- unauthorised access to (or disclosure of) or damage to the collected personal data.
These measures include e.g.
- locks and security systems;
- encryption;
- usernames and passwords;
- virus checks and data security updates;
- auditing procedures and regular data integrity checks; and
- recording of file movements.
We limit access to personal data to those employees, agents, contractors and other third parties who have a business need to know. They must only process the personal data on our instructions and subject to the access controls listed above. They are also subject to a duty of confidentiality.
We have agreed on security-related measures with the third parties we share your personal data with to ensure that it is treated by those third parties in a way that is consistent with how we safeguard the personal data.
We have also put in place procedures to deal with any suspected personal data breach and will notify the data subjects and any applicable supervisory authority where we are legally required to do so.
9. Changes to this Notice
We reserve the right to change this notice from time to time. We will review this notice periodically and update it accordingly if we change our processes materially. We may make changes to this notice when we believe it is reasonable to do so e.g. to comply with legal or regulatory requirements.
10. Contacts
In case the participant wishes to use their rights or to obtain more information regarding the processing of their personal data, they can make a request by contacting the study site where the clinical study is performed and the study doctor as described in more detail in the study participant’s information sheet. Since Orion as the controller has only information related to the coded number, it is impossible for Orion to recognize or identify the participant or provide further information regarding the processing of their personal data. If the participant has concerns regarding Orion’s processing of their personal data, they have the right to make a complaint to a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement, if they consider that the processing of their personal data infringes the General Data Protection Regulation.