The Danish Act on Processing of Personal Data applies to all processing of data for the purpose of carrying out medical trials and other scientific or statistical studies. Prior to the commencement of the processing of data, a private controller, i.e. a pharmaceutical company, shall notify the Danish Data Protection Agency and obtain the authorisation of the Agency. The article presents the various conditions laid down by the Agency for the carrying out of the processing operations. Furthermore, special attention is drawn to the data subject's various rights. In order to ensure the privacy of the data subject and to protect data against accidental or unlawful destruction, loss or alteration and against unauthorized disclosure, the controller shall implement certain technical and organisational security measures laid down by the Agency. When a controller leaves the processing of data to a processor, the processor is obliged to ensure compliance with the given measures. The Data Protection Agency supervises that the processing is carried out in compliance with the provisions of the Act and the conditions laid down by the Agency.