While many organizations across the world have acclimatized to life under the EU General Data Protection Regulation, certain industries are still reconciling how it applies to them.
In the life sciences sector — particularly in the context of clinical trials — there is a stark variance in the way different stakeholders interpret how the GDPR applies to their data-processing activities. Surprisingly, this variance of interpretation also appears to exist among the relevant data protection authorities within the European Economic Area.
Why the confusion? There are three primary reasons for this uncertainty.
First, other than the EDPB Guidelines on the Concepts of Controller and Processor in the GDPR, there is no substantial Union-level guidance on how the GDPR identifies the controllership roles of various parties in a clinical trial. Although the European Data Protection Board previously published an opinion on the interplay between the EU Clinical Trials Regulation and the GDPR, this opinion did not address the questions of whether the GDPR applies to clinical trial sponsors situated outside the EEA or whether the sponsor would be considered a data controller or data processor.
Second, some clinical trial sponsors situated outside of the EEA have adopted the view that the GDPR does not apply to them at all because they do not have access to identifiable patient data.
Finally, many DPAs are unwilling to issue binding opinions on this topic since clinical trials exist within a highly regulated environment, replete with its own laws, regulations, guidelines and industry standards relating to patient safety and privacy.
In light of the widespread confusion about this issue, VeraSafe’s data protection team reached out to DPAs in various EEA member state jurisdictions to pose the following questions (written below as they were sent to the DPAs):
- Does the GDPR apply to a clinical trial sponsor based outside of the EEA if it is conducting clinical studies in the EEA?
- Is patient data processed under a clinical trial considered "personal data" even if it is pseudonymized?
- If a clinical trial is being conducted in your jurisdiction, would the sponsor and the principal investigator be considered joint controllers of the personal data of the trial participants (data subjects)? Alternatively:
  - Is the sponsor the data controller while the principal investigator acts as a processor on behalf of the sponsor?
  - Is the principal investigator an independent data controller together with the sponsor?
Below, we highlight and categorize the responses of various EEA DPAs to the questions listed above. VeraSafe’s outreach to the DPAs spanned over six months, and the responses we obtained are described in more detail in the chart at the end of this article.
Clinical trial sponsors and the territorial scope of GDPR
There is a compelling argument that the processing undertaken by the sponsor triggers the application of the GDPR under Article 3(2)(b), even when the sponsor is located outside of the EEA, because the sponsor is effectively monitoring the behavior of data subjects within the EEA. The EDPB Guidelines 3/2018 on the Territorial Scope of the GDPR (page 20) lists "monitoring or regular reporting of an individual's health status" as an example of monitoring data subjects as contemplated in Article 3(2)(b).
To confirm our understanding of these questions, the authors polled DPAs in 34 EEA member state jurisdictions. Sixteen of the DPAs confirmed that the GDPR does apply to the processing of EEA personal data by a clinical trial sponsor situated outside the EEA. Eight DPAs advised that this must be assessed by a factual analysis (i.e., on a case-by-case basis). Refer to the chart at the end of this article for further detail on the responses from the various DPAs.
Clinical trial sponsors and the material scope of GDPR
Some sponsors situated outside of the EEA have adopted the view that the GDPR does not apply to them because they do not have access to identifiable patient data. Sponsors usually have access to “key-coded” data, with the key that unlocks the data held by a third party, such as the CRO. Key-coded data is “pseudonymized,” meaning the data cannot be linked to an individual without some additional information. Recital 26 of the GDPR makes clear that pseudonymized data is considered personal data under the GDPR, which was further supported by the DPAs responding to our questions.
Out of the 34 DPAs we polled, 24 verified that pseudonymized data is personal data, many of them specifically referring to Recital 26 in their response.
Therefore, the argument that the GDPR does not apply to a sponsor situated outside the EEA on the basis that the sponsor does not have access to identifiable EEA patient data is considered incorrect by applicable DPAs.
Who is the controller in a clinical trial in the EU?
The next question that automatically flows from the conclusion above is whether the sponsor would be considered an independent data controller with regard to the personal data processed in the context of the trial or whether the sponsor is considered a joint controller with any other party (most likely the principal investigator).
Example 25 of the EDPB Guidelines 3/2018 on the Territorial Scope of the GDPR illustrates that a non-EU sponsor would be a data controller. The EDPB Guidelines on the Concepts of Controller and Processor in the GDPR provide that if a principal investigator and a sponsor decide to launch a clinical trial together with the same purpose and collaborate on drafting the study protocol, they may be considered joint controllers for the clinical trial because they jointly determine and agree on the purpose and essential means of the processing.
The EDPB clarified that if the principal investigator does not participate in drafting the protocol and the protocol is solely designed by the sponsor, then the principal investigator should be considered a processor and the sponsor the controller for that clinical trial.
It is, therefore, clear that the controllership of each party should be determined by assessing the facts of each particular situation. A sponsor will always act as a controller, though whether it is an independent controller or a joint controller will vary according to circumstance. If the principal investigator does not jointly determine the purposes and means of processing for the trial with the sponsor, then the principal investigator will be considered a data processor in the context of the data processing done on behalf of the sponsor pursuant to the clinical trial protocol.
However, it is important to understand personal data is processed for different reasons within the scope of a clinical trial. So far, we have been discussing the processing of personal data for the purpose of clinical research or furthering the study. The principal investigator also processes personal data to provide medical care to the data subjects, which may not necessarily form part of the clinical trial protocol. The principal investigator could, therefore, “wear different hats” depending on the particular activities they are conducting within the ambit of the clinical trial.
To this end, the EDPB has stated “the collection of personal data from the medical record of the patient for the purpose of research is to be distinguished from the storage and use of the same data for the purpose of patient care, for which the health care provider remains the controller.” In the latter case, the principal investigator is the health care provider and, therefore, a controller.
It is possible in the context of a clinical trial for a principal investigator to be either a joint controller together with the sponsor or a processor for clinical research purposes and an independent data controller solely for the purpose of providing health care to patients.
These nuances should be kept in mind when determining the respective roles of the parties involved in a clinical trial. Interestingly, of the 34 DPAs we polled, 16 DPAs advised that the determination of whether the sponsor is a joint controller or an independent controller must be done through a factual analysis, or on a case-by-case basis. Four DPAs responded that the parties may be joint controllers, and one of those DPAs also believed that the parties could be independent controllers (although this outcome would depend on the facts of the situation). These results are indicated in the chart below.
Final thoughts on controllership in EU clinical trials
We suggest that sponsors perform an evaluation of the particular circumstances of their situation when determining how the GDPR applies to their data processing and confirming the controllership roles of various parties conducting a clinical trial, taking into account the varying opinions of the DPAs, health authorities and EDPB to tailor their GDPR compliance programs on a member-state by member-state basis. This evaluation should be documented and maintained internally.
Another possible approach to resolving these questions on an industry-wide scale would be developing a code of conduct for the life sciences sector. This code of conduct could set forth the proper application of the GDPR to various parties involved in a clinical trial. A certification scheme to demonstrate compliance with the GDPR pursuant to Article 42, which leverages existing health regulations applicable to patient privacy, is an additional possibility.
It is important to note that most DPAs responded to our queries prior to the publication of the updated EDPB Guidelines on the Concepts of Controller and Processor in the GDPR. It is possible the DPAs may form different opinions after reviewing the example in the EDPB guidelines, which specifically applies to the relationship between the sponsor and investigator.
| Jurisdiction | Does the GDPR apply to a clinical trial sponsor situated outside the EU? | What are the controllership roles of the investigator and sponsor? | Is pseudonymized personal data regulated by the GDPR? |
| --- | --- | --- | --- |
| Belgium | Factual analysis. | The authority’s view has not been confirmed as of the date of publication.* | Yes. |
| Bulgaria | The authority’s view has not been confirmed as of the date of publication. | The authority issued a formal opinion indicating that the investigator and sponsor are joint controllers. | The authority’s view has not been confirmed as of the date of publication. |
| Croatia | Factual analysis. | Factual analysis. | Yes. |
| Cyprus | Yes, by virtue of either Article 3(1) or Article 3(2). | Factual analysis. | Yes. |
| Czech Republic | Yes, by virtue of Article 3(2)(b). | Joint controllers. | Yes. |
| Denmark | Factual analysis. | The authority’s view has not been confirmed as of the date of publication. | Yes. |
| Estonia | Yes, by virtue of Article 3(2). | Factual analysis. | Yes. |
| France | Yes, by virtue of Article 3(2). | Investigator is a processor on behalf of the sponsor. | Yes. |
| Germany (Bremen) | Factual analysis. | Factual analysis. | Yes. |
| Germany (Federal) | The authority’s view has not been confirmed as of the date of publication. | Factual analysis. | The authority’s view has not been confirmed as of the date of publication. |
| Hungary | Yes. | Factual analysis. | Yes. |
| Iceland | Yes. | Factual analysis. | Yes. |
| Ireland | Factual analysis. | The authority’s view has not been confirmed as of the date of publication. | Yes. |
| Italy | Yes. | Independent controllers or joint controllers, contingent on factual analysis. | Yes. |
| Latvia | Yes, by virtue of Article 3(2)(b). | Factual analysis. | Yes. |
| Liechtenstein | Yes, by virtue of Article 3(2). | Factual analysis. | Yes. |
| Lithuania | Yes. | Factual analysis. | Yes. |
| Luxembourg | Factual analysis. | Factual analysis. | Yes. |
| Malta | Yes, by virtue of Article 3(2). | Joint controllers. | Yes. |
| Netherlands | Factual analysis. | The authority’s view has not been confirmed as of the date of publication. | Yes. |
| Norway | Factual analysis. | The authority’s view has not been confirmed as of the date of publication. | Yes. |
| Portugal | Yes. | Investigator is a processor on behalf of the sponsor. | Yes. |
| Romania | Yes, by virtue of Article 3(2). | Factual analysis. | Yes. |
| Slovakia | Yes, by virtue of Article 3(2). | Factual analysis. | Yes. |
| Slovenia | Yes, by virtue of Article 3(2)(b). | Factual analysis. | Yes. |
| Sweden | The authority’s view has not been confirmed as of the date of publication. | Factual analysis. | The authority’s view has not been confirmed as of the date of publication. |
| United Kingdom | Yes. | The authority’s view has not been confirmed as of the date of publication. | Yes. |
As of the date of publication, the following DPAs either have not yet responded to our questions or are in ongoing communication with us to clarify their view:
- Austria.
- Finland.
- Germany (Bavaria).
- Germany (North Rhine-Westphalia).
- Greece.
- Poland.
- Spain.
\*This outcome in the table indicates that, at the date of writing, we have not yet received a response on this point or are in ongoing communication with the DPA to clarify its view on this matter. We will post an update in 2021 on the VeraSafe Data Protection Blog.