Pharmacovigilance obligations travel with products, not with companies. That principle sounds straightforward, but the contractual architecture that governs how safety data moves between licensors, licensees, co-development partners, and contract organisations remains one of the most persistently mismanaged areas of pharmaceutical compliance. Safety Data Exchange Agreements, commonly abbreviated as SDEAs, and sometimes referred to as Pharmacovigilance Agreements or PV Agreements, are the mechanism through which these obligations are allocated, documented, and fulfilled. They are also, in practice, one of the most commonly deficient documents audited by regulatory authorities.
The pattern is consistent across deal types: licensing negotiations focus on commercial terms, exclusivity provisions, milestone payments, and IP protections. When pharmacovigilance comes up at all, it is often addressed with a brief clause committing both parties to “comply with applicable PV regulations,” a statement that satisfies no regulatory requirement and provides no operational clarity. By the time the product reaches the market, both parties may discover that their SAE reporting timelines are misaligned, their signal management responsibilities are undefined, and their PSUR/PBRER obligations conflict.
Regulatory consequences follow. The EMA, FDA, MHRA, TGA, and most other major agencies have cited inadequate SDEAs in inspection findings and warning letters. The obligation is clear; the execution is where deals consistently fall short.
What a Safety Data Exchange Agreement Is and What It Must Do
An SDEA is a binding contractual document that defines how two or more parties involved in the development, manufacturing, or commercialisation of a medicinal product will share and manage individual case safety reports (ICSRs), aggregate safety data, safety signals, Risk Management Plans, and other pharmacovigilance obligations.
The regulatory basis for SDEAs derives from multiple sources. In the EU, Article 25 of Commission Implementing Regulation (EU) No 520/2012 explicitly requires marketing authorisation holders who share responsibilities with other parties to have written agreements in place describing their respective pharmacovigilance obligations. EMA’s Good Pharmacovigilance Practices (GVP) Module I reinforces this, and GVP Module VI details ICSR-related arrangements. FDA’s safety reporting regulations under 21 CFR Part 314 (drugs) and 21 CFR Part 600 (biologics) similarly presuppose clear delineation of safety reporting responsibilities between applicants and partners.
An SDEA must, at minimum, cover:
- Identity of the Marketing Authorisation Holder (MAH) or Applicant of Record in each jurisdiction where the product is approved or under evaluation
- Roles and responsibilities for ICSR collection, processing, evaluation, and regulatory submission, including timelines and formats
- Serious vs non-serious adverse event handling, with jurisdiction-specific reporting timelines
- Expedited reporting obligations (15-day and 7-day rules in the EU; 15-day rules in the US) and who bears responsibility for submissions in each territory
- Aggregate reporting: who prepares the PSUR/PBRER, who reviews it, and the timelines for exchange between parties
- Signal management: detection methodology, case review procedures, and escalation criteria
- Risk Management Plan (RMP) responsibilities: who develops, who approves, who maintains, and how updates are communicated between parties
- Source documents and case narratives: responsibilities for follow-up and documentation quality
- Audit rights: who may audit whom, on what notice, and for what scope
When the SDEA is poorly drafted, any of these areas can become a compliance gap. When it is absent entirely, which happens more frequently than industry would prefer to acknowledge, the gap is total.
The Licensing Deal Context: Where SDEAs Consistently Fail
Licensing agreements for pharmaceutical products regularly involve a portfolio of territorial rights. A licensor headquartered in the US may grant a licensee rights across the EU, Australia, Japan, and Latin America. Each territory has its own regulatory agency, its own ICSR reporting requirements, its own pharmacovigilance legislation, and its own language requirements for adverse event documentation.
The SDEA must address every active jurisdiction in the licensing arrangement. A single document that references “applicable local regulations” without specifying how those regulations are operationalised between the parties provides no regulatory protection and fails GVP Module I’s requirement for clarity.
The SDEA must specify:
- Which party holds the global safety database
- The transfer format and frequency of case data exchange (E2B R3 is the current ICH standard)
- Reconciliation procedures and timelines
- Responsibility for deduplication
- What happens to the database if the licensing relationship terminates
Database termination provisions are particularly significant. If the licensor terminates the agreement or the licensee loses its marketing authorisation, the continuity of safety data, including access to historical ICSRs, must be maintained. The SDEA should specify data custody arrangements and handover protocols.
The QPPV Requirement in the European Union
In the EU, every marketing authorisation holder must designate a Qualified Person Responsible for Pharmacovigilance (QPPV). The QPPV must be based in the EU, have access to the global safety database, and bear personal and professional accountability for the pharmacovigilance system.
In a licensing arrangement where a non-EU licensor grants EU rights to an EU-based licensee, the QPPV question appears straightforward; the licensee’s QPPV covers the EU marketing authorisations. But the complications arise immediately: does the licensee’s QPPV have access to the licensor’s global safety database? Who notifies the licensee’s QPPV when the licensor identifies a safety signal? Who ensures that the PSMF (Pharmacovigilance System Master File) maintained by the licensee reflects the actual pharmacovigilance system, including its interfaces with the licensor?
These questions must be answered in the SDEA, not in a separate communication, and not in the commercial licensing agreement.
Co-Development and Co-Promotion Arrangements: Added Complexity
SDEAs for co-development arrangements where two parties share clinical development responsibilities before regulatory approval are distinct from those governing post-approval marketing. Both carry significant obligations, but the pre-approval context introduces additional complexity around investigational product safety reporting, DSURs, and SUSAR (suspected unexpected serious adverse reactions) reporting.
SUSAR Reporting in Co-Development SDEAs
In clinical development, both the sponsor of record and any party that has contractual access to trial safety data bear obligations related to SUSAR identification and reporting. The SDEA for a co-development arrangement must specify:
- Who receives unblinded safety data from the clinical operations team
- The timeline for safety data transfer between parties (ideally defined in calendar hours or days, not simply “promptly”)
- Who makes the causality assessment for SUSARs
- Who submits to regulatory authorities (IND/CTA holders bear primary obligation, but the partner must be able to verify that submissions occurred)
- How the DSUR will be prepared, who contributes data, and who signs off
Post-Marketing Co-Promotion SDEAs
When two companies co-promote an approved medicine, both may receive spontaneous adverse event reports. Only one party, the MAH, is legally obligated to submit ICSRs to regulatory authorities, but both parties must have agreed procedures for transferring cases to the MAH within timelines that allow compliant regulatory submission.
Co-promotion SDEAs routinely underestimate the operational complexity of this requirement. Medical representatives, call centre staff, and medical affairs teams at the co-promoter will receive adverse event information from healthcare professionals. Internal triage and transfer procedures must be in place and the SDEA must specify the expected timelines, formats, and escalation procedures for case transfer from the co-promoter to the MAH.
SDEA Requirements by Region: Key Jurisdictional Variations
While the core pharmacovigilance services concepts embedded in SDEAs are globally consistent, specific regulatory requirements vary by jurisdiction. An SDEA designed only with EU GVP or FDA requirements in mind will have gaps for other markets.
European Union
GVP Module I is the primary reference. All MAHs are required to have a pharmacovigilance system, a PSMF, and documented agreements with any party involved in pharmacovigilance activities. The SDEA must be referenced in the PSMF. EMA’s PSUR single assessment procedure and the signal management procedures coordinated through the Pharmacovigilance Risk Assessment Committee (PRAC) must be reflected in SDEA provisions governing aggregate reporting and signal escalation.
United States (FDA)
FDA does not use the term “SDEA” explicitly, but the regulatory expectations are equivalent. Applicants must maintain documented procedures for safety reporting that account for their contractual relationships with partners. FDA inspection findings have cited inadequate safety data exchange procedures as a significant PV deficiency. The SDEA should be aligned with FDA’s current expedited and periodic reporting requirements under 21 CFR Part 314.81 and Part 600.
United Kingdom (post-Brexit)
The MHRA now operates a fully independent UK pharmacovigilance framework under the Human Medicines Regulations 2012 (as amended). MHRA-specific requirements, including UK-specific ICSR submissions, UK PSUR reporting timelines, and the MHRA’s Signal Management process, must be addressed in SDEAs covering UK marketing authorisations. Importantly, UK MAHs now require a UK Pharmacovigilance Contact (UKPC), analogous to the EU QPPV, and SDEAs should define the UKPC’s interfaces with the licensor’s global PV system.
Japan (PMDA)
Japan’s pharmacovigilance requirements under Good Post-Marketing Study Practice (GPSP) and Good Vigilance Practice (GVP) guidelines include Japan-specific adverse event reporting timelines and aggregate reporting requirements. PMDA expects adverse event reports in Japanese, which introduces a translation and verification process that must be specified in the SDEA. Foreign MAHs typically operate through a Marketing Authorisation Holder in Japan (often a local partner), and the SDEA must explicitly define the roles of both parties in the Japanese PV system.
Emerging Markets
SDEAs for licensing arrangements in markets such as Brazil (ANVISA), India (CDSCO), South Korea (MFDS), and the Gulf Cooperation Council countries should not simply reference “applicable local regulations” as a substitute for operational specificity. Each market has its own reporting timelines, language requirements, and regulatory contact expectations. An SDEA that is silent on how these are met in practice creates compliance exposure in every jurisdiction it fails to address.
SDEA Failures: Inspection Trends and Regulatory Consequences
EMA and MHRA inspection findings from 2022 to 2025 have consistently cited SDEA-related deficiencies among the most frequent pharmacovigilance non-compliances. Common findings include:
- SDEAs that exist but have never been operationalised
- Agreements that have not been updated to reflect changes in marketing authorisations, new indications, or partner changes
- Missing coverage for specific territories covered by the licensing arrangement
- Ambiguous definitions of “serious adverse event” or inconsistent use of MedDRA terminology between parties
- No clear definition of what constitutes an “expedited” case and the timelines for its exchange
- QPPV with no documented access to the global safety database held by the licensor
The regulatory consequences range from inspection observations requiring corrective action to formal compliance actions, marketing authorisation suspensions, and, in the most severe cases, criminal referrals. Companies that treat SDEAs as legal formalities rather than operational pharmacovigilance infrastructure absorb risks that far exceed the cost of getting the agreement right.
Conclusion
Safety Data Exchange Agreements are operational pharmacovigilance documents that must be treated with the same rigour applied to the submission of a clinical safety data package. A licensing deal that fails to establish a clear, jurisdiction-specific, operationally detailed SDEA does not transfer pharmacovigilance risk, it multiplies it. Regulatory authorities across the EU, US, UK, and Japan have demonstrated repeatedly that they expect MAHs to have documented, functional safety data exchange systems in place. The cost of failure is measured in inspection findings, regulatory action, and, ultimately, patient safety.
DDReg’s pharmacovigilance team supports pharmaceutical and biotechnology companies in drafting, reviewing, and operationalising Safety Data Exchange Agreements across global licensing, co-development, and co-promotion arrangements. From global safety database architecture and QPPV interface planning to jurisdiction-specific ICSR reporting provisions and audit programme design, DDReg provides expert support that ensures PV agreements are both regulatorily compliant and operationally functional across all licensed territories.