Fragen zum KI- & Datenrecht? Kontaktieren Sie uns!

4 Step Recipe to Implement New EMA Guideline (GDPR-compliant ICSRs to EudraVigilance)

Send GDPR-compliant ICSRs to EudraVigilance

Marketing authorisation holders are legally required to send Individual Case Safety Reports (ICSRs) to the EudraVigilance database.

The European Data Protection Supervisor (EDPS) audited the EudraVigilance database, which is jointly managed by the European Medicines Agency (EMA), the EU Commission and the supervisory authorities of the Member States. The EDPS is the data protection supervisory authority responsible for EU institutions.

Following this audit of the EudraVigilance database by the EDPS, the EMA issued a new Guideline on 22 July 2025 on the masking of personal data in ICSRs submitted to EudraVigilance (EMA Guideline GVP VI.Add.II). The instructions contained therein form an integral part of the guidance in GVP Module VI and are therefore directly applicable to marketing authorisation holders.

In this Guideline, the EMA specifies four key changes that marketing authorisation holders must make when submitting ICSRs to EudraVigilance.

To make it easier for pharmaceutical companies as marketing authorisation holders to implement the new EMA Guideline GVP VI.Add.II, we have identified the following four steps to ensure correct implementation of the guideline:

1. Certain data elements MUST be masked with nullFlavour MSK

Data elements (ICH E2B (R3) Guideline) MUST be masked using the nullFlavour MSK before submission if BOTH of the following conditions are TRUE:

  1. the data element is contained in Table VI.Add.II.1 of the EMA Guideline GVP VI.Add.II AND
  2. the data are available to the sender of the ICSR (i.e. the marketing authorisation holder).

Reason: These data elements may contain personal data, but are also NOT necessary for the purposes of signal management, duplicate detection or ICSR processing, AND the MSK token must only be used to indicate that while the sender has access to this data, the sender must not provide it pursuant applicable data protection law.

Explanation: A null value is a special value that can be entered into a data element instead of real data. The possible nullFlavors (also referred to as ‘nullFlavours’ in the EMA Guideline GVP VI.Add.II) for ICSRs are listed in the EMA’s EU Individual Case Safety Report (ICSR)1 Implementation Guide. There are different nullFlavors to indicate different reasons why a null value may be sent instead of real data. The nullFlavor MSK indicates that the data for the respective data element is available to the sender, but that the sender is not permitted to send it due to applicable data protection law.

If one or both of the conditions are not met, continue.

2. Certain data elements MUST EITHER be masked with a nullFlavour other than MSK OR left blank

Data elements MUST EITHER be masked using a nullFlavor other than MSK (e.g. ASKU, NASK, UNK) before submission OR left blank, if BOTH of the following conditions are TRUE:

  1. the data element is contained in Table VI.Add.II.1 of the EMA Guideline GVP VI.Add.II AND
  2. the data are NOT available to the sender of the ICSR (i.e. the marketing authorisation holder).

In this case, the marketing authorization holder is free to choose to provide an applicable nullFlavor or leave the data elements blank.

Reason: These data elements may contain personal data, but are also NOT necessary for the purposes of signal management, duplicate detection or ICSR processing, but MSK must not be used because the sender does not have access to this data.

If one or both of the conditions are not met, continue.

3. Certain data elements MUST be left blank

Data elements MUST be left blank, if this condition is TRUE:

  • the data element is contained in Table VI.Add.II.2 of the EMA Guideline GVP VI.Add.II.

Reason: These data elements may contain personal data, but are also NOT necessary for the purposes of signal management, duplicate detection or ICSR processing, but nullFlavors are not supported for these data elements according to ICH E2B (R3) Guideline.

4. Certain data elements MUST NOT be masked AND MUST NOT be left blank

Data elements MUST NOT be masked AND MUST NOT be left blank, if ONE OR BOTH of the following conditions are TRUE:

  1. the data element is contained in Table VI.Add.II.3 of the EMA Guideline GVP VI.Add.II AND/OR
  2. the data element is contained in Table VI.Add.II.4 of the EMA Guideline GVP VI.Add.II.

Reason: Data elements contained in Table VI.Add.II.3 DO contain personal data, but are necessary for the purposes of signal management, duplicate detection or ICSR processing, so NEITHER can the data be masked NOR left blank. Data elements contained in Table VI.Add.II.4 do NOT contain personal data AND are necessary for the purposes of signal management, duplicate detection or ICSR processing, so NEITHER can the data be masked NOR left blank.

Der Newsletter für
KI- und Datenrecht.

Jetzt anmelden