TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | How does GDPR apply to clinical trial sponsors outside EEA? Views of EEA DPAs Related reading: White Paper – DPAs on the Ground

rss_feed

""

""

""

While many organizations across the world have acclimatized to life under the EU General Data Protection Regulation, certain industries are still reconciling how it applies to them.

In the life sciences sector — particularly in the context of clinical trials — there is a stark variance in the way different stakeholders interpret how the GDPR applies to their data-processing activities. Surprisingly, this variance of interpretation also appears to exist among the relevant data protection authorities within the European Economic Area.

Why the confusion? There are three primary reasons for this uncertainty.

First, other than the EDPB Guidelines on the Concepts of Controller and Processor in the GDPR, there is no substantial Union-level guidance on how the GDPR identifies the controllership roles of various parties in a clinical trial. Although the European Data Protection Board previously published an opinion on the interplay between the EU Clinical Trials Regulation and the GDPR, this opinion did not address the questions of whether the GDPR applies to clinical trial sponsors situated outside the EEA or whether the sponsor would be considered a data controller or data processor.

Second, some clinical trial sponsors situated outside of the EEA have adopted the view that the GDPR does not apply to them at all because they do not have access to identifiable patient data.

Finally, many DPAs are unwilling to issue binding opinions on this topic since clinical trials exist within a highly regulated environment, replete with its own laws, regulations, guidelines and industry standards relating to patient safety and privacy.

In light of the widespread confusion about this issue, VeraSafe’s data protection team reached out to DPAs in various EEA member state jurisdictions to pose the following questions (written below as they were sent to the DPAs):

  1. Does the GDPR apply to a clinical trial sponsor based outside of the EEA if it is conducting clinical studies in the EEA?
  2. Is patient data processed under a clinical trial considered "personal data" even if it is pseudonymized?
  3. If a clinical trial is being conducted in your jurisdiction, would the sponsor and the principal investigator be considered joint controllers of the personal data of the trial participants (data subjects)? Alternatively:
    1. Is the sponsor the data controller while the principal investigator acts as a processor on behalf of the sponsor?
    2. Is the principal investigator an independent data controller together with the sponsor?

In turn, we highlight and categorize the responses of various EEA DPAs to the questions listed above. VeraSafe’s outreach to the DPAs spanned over six months, and the responses we obtained are described in more detail in the chart below. 

Clinical trial sponsors and the territorial scope of GDPR

There is a compelling argument that the processing undertaken by the sponsor triggers the application of the GDPR under Article 3(2)(b), even when the sponsor is located outside of the EEA, because the sponsor is effectively monitoring the behavior of data subjects within the EEA. The EDPB Guidelines 3/2018 on the Territorial Scope of the GDPR (page 20) lists "monitoring or regular reporting of an individual's health status" as an example of monitoring data subjects as contemplated in Article 3(2)(b).

To confirm our understanding of the questions we've listed, the authors polled DPAs in 34 EEA member state jurisdictions. Sixteen of the DPAs confirmed the GDPR does apply to the processing of EEA personal data by a clinical trial sponsor situated outside the EEA. Eight DPAs advised that this must be assessed by a factual analysis (i.e., on a case-by-case basis). Refer to the chart at the end of this article for further detail on the responses from the various DPAs.

Clinical trial sponsors and the material scope of GDPR

Some sponsors situated outside of the EEA have adopted the view that the GDPR does not apply to them because they do not have access to identifiable patient data. Sponsors usually have access to “key-coded” data, with the key that unlocks the data held by a third party, such as the CRO. Key-coded data is “pseudonymized,” meaning the data cannot be linked to an individual without some additional information. Recital 26 of the GDPR makes clear that pseudonymized data is considered personal data under the GDPR, which was further supported by the DPAs responding to our questions.

Out of the 34 DPAs we polled, 24 verified that pseudonymized data is personal data, many of them specifically referring to Recital 26 in their response.

Therefore, the argument that the GDPR does not apply to a sponsor situated outside the EEA on the basis that the sponsor does not have access to identifiable EEA patient data is considered incorrect by applicable DPAs.

Who is the controller in a clinical trial in the EU?

The next question that automatically flows from the conclusion above is whether the sponsor would be considered an independent data controller with regard to the personal data processed in the context of the trial or whether the sponsor is considered a joint controller with any other party (most likely the principal investigator).

Example 25 of the EDPB Guidelines 3/2018 on the Territorial Scope of the GDPR illustrates that a non-EU sponsor would be a data controller. The EDPB Guidelines on the Concepts of Controller and Processor in the GDPR provide that if a principal investigator and a sponsor decide to launch a clinical trial together with the same purpose and collaborate on drafting the study protocol, they may be considered joint controllers for the clinical trial because they jointly determine and agree on the purpose and essential means of the processing.

The EDPB clarified that if the principal investigator does not participate in drafting the protocol and the protocol is solely designed by the sponsor, then the principal investigator should be considered a processor and the sponsor the controller for that clinical trial.

It is, therefore, clear that the controllership of each party should be determined by assessing the facts of each particular situation. A sponsor will always act as a controller, though whether it is an independent controller or a joint controller will vary according to circumstance. If the principal investigator does not jointly determine the purposes and means of processing for the trial with the sponsor, then the principal investigator will be considered a data processor in the context of the data processing done on behalf of the sponsor pursuant to the clinical trial protocol.

However, it is important to understand personal data is processed for different reasons within the scope of a clinical trial. So far, we have been discussing the processing of personal data for the purpose of clinical research or furthering the study. The principal investigator also processes personal data to provide medical care to the data subjects, which may not necessarily form part of the clinical trial protocol. The principal investigator could, therefore, “wear different hats” depending on the particular activities they are conducting within the ambit of the clinical trial.

To this end, the EDPB has stated “the collection of personal data from the medical record of the patient for the purpose of research is to be distinguished from the storage and use of the same data for the purpose of patient care, for which the health care provider remains the controller.” In the latter case, the principal investigator is the health care provider and, therefore, a controller.

It is possible in the context of a clinical trial for a principal investigator to be either a joint controller together with the sponsor or a processor for clinical research purposes and an independent data controller solely for the purpose of providing health care to patients.

These nuances should be kept in mind when determining the respective roles of the parties involved in a clinical trial. Interestingly, of the 34 DPAs we polled, 16 DPAs advised that the determination of whether the sponsor is a joint controller or an independent controller must be done through a factual analysis or on a case by case basis. Four DPAs responded the parties may be joint controllers and one of those DPAs also believed that the parties could be independent controllers (however, this outcome would depend on the facts of the situation). These results are indicated in the chart below.

Final thoughts on controllership in EU clinical trials

We suggest that sponsors perform an evaluation of the particular circumstances of their situation when determining how the GDPR applies to their data processing and confirming the controllership roles of various parties conducting a clinical trial, taking into account the varying opinions of the DPAs, health authorities and EDPB to tailor their GDPR compliance programs on a member-state by member-state basis. This evaluation should be documented and maintained internally.

Another possible approach to resolving these questions on an industry-wide scale would be developing a code of conduct for the life sciences sector. This code of conduct could set forth the proper application of the GDPR to various parties involved in a clinical trial. A certification scheme to demonstrate compliance with the GDPR pursuant to Article 42, which leverages existing health regulations applicable to patient privacy, is an additional possibility.

It is important to note that most DPAs responded to our queries prior to the publication of the updated EDPB Guidelines on the Concepts of Controller and Processor in the GDPR. It is possible the DPAs may form different opinions after reviewing the example in the EDPB guidelines, which specifically applies to the relationship between the sponsor and investigator.

Jurisdiction Does the GDPR apply to a clinical trial sponsor situated outside the EU? What are the controllership roles of the investigator and sponsor? Is Pseudonymized Personal Data Regulated by the GDPR?
Belgium Factual analysis. The authority’s view has not been confirmed as of the date of publication.* Yes.
Bulgaria The authority’s view has not been confirmed as of the date of publication. The authority issued a formal opinion indicating that the Investigator and Sponsor are joint controllers. The authority’s view has not been confirmed as of the date of publication.
Croatia Factual analysis. Factual analysis. Yes.
Cyprus Yes, by virtue of either Article 3(1) or Article 3(2). Factual analysis. Yes.
Czech Republic Yes, by virtue of Article 3(2)(b). Joint controllers. Yes.
Denmark Factual analysis. The authority’s view has not been confirmed as of the date of publication. Yes.
Estonia Yes, by virtue of Article 3(2). Factual analysis. Yes.
France Yes, by virtue of Article 3(2). Investigator is a processor on behalf of the sponsor. Yes.
Germany (Bremen) Factual analysis. Factual analysis. Yes.
Germany (Federal) The authority’s view has not been confirmed as of the date of publication. Factual analysis. The authority’s view has not been confirmed as of the date of publication.
Hungary Yes. Factual analysis. Yes.
Iceland Yes. Factual analysis. Yes.
Ireland Factual analysis. The authority’s view has not been confirmed as of the date of publication. Yes.
Italy Yes. Independent controllers or joint controllers, contingent on factual analysis. Yes.
Latvia Yes, by virtue of Article 3(2)(b). Factual analysis. Yes.
Liechtenstein Yes, by virtue of Article 3(2). Factual analysis. Yes.
Lithuania Yes. Factual analysis. Yes.
Luxembourg Factual analysis. Factual analysis. Yes.
Malta Yes, by virtue of Article 3(2). Joint controllers. Yes.
Netherlands Factual analysis. The authority’s view has not been confirmed as of the date of publication. Yes.
Norway Factual analysis. The authority’s view has not been confirmed as of the date of publication. Yes.
Portugal Yes. Investigator is a processor on behalf of the sponsor. Yes.
Romania Yes, by virtue of Article 3(2). Factual analysis. Yes.
Slovakia Yes, by virtue of Article 3(2). Factual analysis. Yes.
Slovenia Yes, by virtue of Article 3(2)(b). Factual analysis. Yes.
Sweden The authority’s view has not been confirmed as of the date of publication. Factual analysis. The authority’s view has not been confirmed as of the date of publication.
United Kingdom Yes. The authority’s view has not been confirmed as of the date of publication. Yes.

As of the date of publication, the following DPAs’ responses to our questions have either not been received or we are in ongoing communication with the DPA to clarify their view:

  • Austria.
  • Finland.
  • Germany (Bavaria).
  • Germany (North Rhine-Westphalia).
  • Greece.
  • Poland.
  • Spain.

*This outcome in the table indicates that, at the date of writing, we have not yet received a response on this point or are in ongoing communication with the DPA to clarify their view on this matter. We will post an update in 2021 on the VeraSafe Data Protection Blog.

Photo by Satheesh Sankaran on Unsplash

To clarify some of the terms used in the article:
  • An “independent data controller” means an entity that alone determines the purposes and the means of the data processing it undertakes. Multiple independent data controllers could share a pool of personal data, but each independent data controller assumes all of the responsibilities of a data controller.
  • A “sponsor” is typically a natural or legal person (e.g., a pharmaceutical company or a research and development company) that initiates, manages or finances the clinical trial but does not actually conduct the investigation or research.
  • A “principal investigator” is an individual who is responsible for conducting the clinical trial at the study site.
  • A “study site” is a clinical research site or location where the trial is conducted.
  • A “CRO” (contract research organization) is a person or an organization contracted by the sponsor to perform one or more of a sponsor’s trial-related duties and functions.

Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

7 Comments

If you want to comment on this post, you need to login.

  • comment Kristin Williams • Jan 26, 2021
    Working in clinical research, this is a great article and highlights the misunderstanding of so many of pseudonymized v. anonymized data.  Is there any way you could discuss the legal basis for clinical trials as I see so many conflicting opinions in the research (especially for privately-funded research)?  Some say it's consent since subjects have to sign informed consent, but there's a solid argument that it is not completely freely given as it's required to participate in the trial.
  • comment Lee Parker • Feb 5, 2021
    This is a great summary showing the disharmony around Europe which has a real impact on pharmaceutical companies' ability to conduct uniform clinical trials across the EU.  Patients suffer because of this disharmony, because: (a) trial speed/efficiency/costs are hindered when pharma companies have to take a piecemeal approach across dozens of countries, even though they theoretically have the same law (GDPR); and (b) patients end up having different rights in different countries due to differing Member State interpretations of the same law.  This was not the intention of a General Data Protection Regulation for all EU citizens!
  • comment Matthew Clayton • Feb 5, 2021
    <p>Very interesting article, thank you - useful to see the different approaches which DPAs are taking to these questions.  It's also worth remembering that clinical trial sponsors who aren't established in the EEA or the UK (as the case may be) may well need to appoint an organisation as EEA and/or UK Representative under Article 27, for the purposes of the trial.  EDPB guidance is clear that the CRO, if acting as data processor, should not also be the Representative.</p>
    
  • comment Zia Maharaj • Feb 9, 2021
    Hi Kristin, 
    
    That’s a great question!
    
    The regulatory requirement for clinical trial participants to provide informed consent to participate in the trial must be distinguished from the requirement to have a legal basis for processing personal data under privacy laws like the GDPR. If a data controller (like a clinical trial sponsor) relies on consent as the legal basis for processing under the GDPR, the consent must be freely given, specific, informed and unambiguous. As you’ve rightly pointed out, consent by a clinical trial participant might not meet this criteria if it is a prerequisite to participate in the trial (from a healthcare regulatory perspective).  
    
    There is some guidance on this issue in the recent EDPB Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research (https://edpb.europa.eu/our-work-tools/our-documents/other/edpb-document-response-request-european-commission-clarifications_en), which clarifies that consent can be relied on as a legal basis for processing personal data in medical research projects where it can be established that no imbalance of power between data subjects and researchers exists and the requirements for explicit consent in GDPR can be met. This will require a careful assessment on a case-by-case basis. 
    
    It can be argued that there is an imbalance of power between clinical trial participants and the researchers when consent is essentially a condition to participate in the trial based on health regulations. It also seems likely that an imbalance of power would in fact exist in the case where a data subject with a terminal illness is participating in a clinical trial researching a potential treatment for that illness. While the EDPB has yet to explicitly rule out reliance on consent in such a situation, it is clear that other bases of processing and derogations under Article 6 and Article 9 respectively, would likely be more appropriate. In our view, data controllers will have to carefully assess the facts of each case/research study to determine whether consent is the most appropriate basis for processing personal data under the GDPR, or if a different basis for processing should be relied on. The administrative burden created by conducting an appropriate analysis in each case, given the diversity of factors impacting such analyses, suggests that clinical trials sponsors should explore alternative bases of processing where possible.
    
    It is important to remember that not only is a legal basis for processing required pursuant to GDPR Article 6, but a derogation to process health data (as a special category of personal data) is also required pursuant to GDPR Article 9. If consent is relied on as a legal basis for processing personal data, the informed consent form signed by the clinical trial participant must make this clear, and distinguish the consent for processing personal data from the consent to participate in the clinical trial. Of note, also, is the distinction between “consent” under Article 6 and “explicit consent” as an exemption/derogation under Article 9.
    
    The EDPB also makes a point of noting that because certain bases of processing and derogations rely on the existence of an applicable Member State law requiring the processing in question, appropriate bases of processing and derogations will necessarily vary among Member States, and certainly, this view is quite clearly evidenced in the different opinions of various Data Protection Authorities and Ethics Committees across the various Member States. The EDPB is developing guidelines (which are due to be published this year) on the processing of personal data for scientific research purposes. These guidelines will provide further detail on the bases for processing personal data in the context of scientific research.
    
    In the meantime, please feel free to reach out to us directly (https://verasafe.com/about-us/contact-us/) if you have any other questions about how the GDPR applies to privately-funded clinical research.
  • comment Richard Pais • Feb 19, 2021
    I thoroughly enjoyed this article and am glad the authors addressed the challenges posed by GDPR in the life sciences sector.  I do want to mention here the ambiguity about anonymized data and the challenges faced by CROs. Anonymization under GDPR is completely different to the methods suggested by the HIPAA privacy rule - Safe Harbor and Statistical/Expert Determination.  I am not too sure whether these are considered equivalent under the GDPR.  Another area of ambiguity is whether "pseudonymized" data held by the sponsor can be considered "anonymized" by the CRO as the latter has no access or knowledge of key codes or statistical model used by the sponsor.  To further exacerbate the matter, the terms "anonymized" and "de-identified" are often used interchangeably under HIPAA.
  • comment Carl Hoyer • Mar 22, 2021
    I am not sure I fully understand your reasoning regarding 'key-coded data is pseudonymized'. Pseudonymised data is, in principal, personal data, but only if you did pseudonymise these data and/ or have the ability to reverse the pseudonymisation. Otherwise, it is just data.
    In this case the key-coded data is provided to a third party (i.c. the sponsor), which can't access the original (non-pseudonymised) data. Since the sponsor is a different legal entity without any controlling mechanism to manage the third party holding the key (i.c. trusted third party (TTP)), it is unable to either access the ‘raw’ data or reverse the pseudonymisation in a legal/ manageable way. It is well understandable that a sponsor therefore considers these data to be ‘just’ data and not personal data.
  • comment Uwe Fiedler • Mar 26, 2021
    Hi Carl, I agree and the article "Anonymised Data and the Rule of Law" from Daniel Groos and Evert-Ben van Veen (https://edpl.lexxion.eu/article/EDPL/2020/4/6) outline the problem quite well.