The European Commission (EC) released a Question and Answers (Q&A) paper on the interplay between the Clinical Trials Regulation (EU) 536/2014 (CTR) and the General Data Protection Regulation (EU) 2016/6792 (GDPR). The Q&A document will be relevant when the CTR becomes applicable except for question 11 which explains the current situation under the Clinical Trials Directive (CTD). The paper shows that both legislations, GDPR & CTR, apply simultaneously. It reflects the state of play after the consultation of the European Data protection Board.
The following 11 questions and corresponding answers are provided:
What are the general obligations of the CTR with regard to personal data?
The sponsor is legally obliged by the CTR to carry out a range of activities (e.g. report trial-results, perform safety reporting, archive the trial master file (TMF) for 25 years). Subjects should be properly informed on the processing of his/her personal data.
Who is responsible for determining the correct legal basis for personal data processing in the context of a clinical trial (CT)?
It is the obligation of the data controller (sponsor / clinic-institution of the investigator) to implement the appropriate technical and organizational measures to ensure and be able to demonstrate that the personal data are processed in accordance with the GDPR.
What is the legal basis for processing of personal data of clinical trial subjects in the context of clinical trials (primary use) carried out in accordance with the CTR?
All processing operations related to a specific CT protocol during its whole lifecycle (from the beginning of the trial until the end of the archiving period), shall be understood as primary use of CT data. However, processing operations purely related to research activities must be distinguished from processing operations related to the purposes of protection of health and safety; these two main categories activities fall under different legal bases.
What is the difference between informed consent (IC) within the meaning of the CTR and consent within the meaning of the GDPR?
IC, in the context of the CTR, is a safeguard not a legal basis for data processing. Therefore, it is important to distinguish between the requirement for consent for a subject to participate in a CT and the requirements for a lawful processing of personal data under the GDPR.
How to understand the requirements of the GDPR regarding information that should be given to subjects participating in a CT?
Any person included in a CT should receive the relevant information related to the clinical trial as required by the CTR as well as the information according to the GDPR, in particular the legal basis for data processing.
What are the legal consequences of withdrawal of the consent for participation in the CT under the CTR?
Consent for participation in CTs must be distinguished from the consent for processing personal data. The withdrawal of consent to participate in a CT under the CTR may not necessarily affect the processing of personal data gathered in the context of that trial. The personal data may continue to be processed, in particular for legal obligations to which the sponsor / investigator are subject such as the ones related to safety purposes.
What is the meaning of Article 28(2) of the CTR and what are the implications for the use of personal data outside the protocol of the CT (secondary use) within the scope of the GDPR?
The CTR explicitly refers to the situation where consent may be sought for the use of personal data outside the CT protocol for future scientific purposes (= secondary use). Data which is anonymized does not fall within the scope of the GDPR. The sponsor may seek consent of the subject for a secondary use already in the beginning of the CT. However, it is important that this form of consent must be strictly distinguished from the IC. The sponsor must ask separately for consent of data processing within a secondary use (using different consent sheets). If the aim of using the data for further research outside the protocol of the CT arises after the CT has been completed, the sponsor must go back to the data subjects for specific consent. In any case the sponsor / investigator must inform the subject according to the GDPR (e.g. on the legal basis and the right to withdraw consent).
Processing of personal data in the context of emergency CTs
Once the strict conditions of Article 35 of the CTR are fulfilled, a subject can be enrolled in a CT in the situation of emergency, exceptionally without any prior IC. Following an intervention, the IC should be sought from a subject (or his/her legal representative) as soon as possible in order to maintain the subject in the CT. In case a subject / legal representative does not confirm his/her consent, the participation of the subject cannot be continued. If a data subject dies before the consent could be confirmed / refused, the processing of that data is no longer covered by the GDPR and the conditions for processing may be determined by national law.
Is a sponsor established in third country subject to EU data protection rules? The GDPR applies to controllers / processors established in the EU as well as outside the EU, if the processing activities are related to data subjects in the EU. Where the sponsor processes personal data of data subjects in the EU, including in the context of managing the CT, the GDPR is fully applicable, including the obligation to designate a representative in the EU.
What rules apply to the data transfers outside the EU?
EU entities that transfer personal data to an entity outside the EU (e.g. to controllers, processors or other recipients in third countries) have to comply with the rules on international transfers. Depending on the situation, transfers can for example take place on the basis of an adequacy decision (i.e. where the Commission has decided that a third country ensures an adequate level of protection), on the basis of an agreement or arrangement that contains appropriate data protection safeguards, or on the basis of one of the derogations listed in the GDPR (e.g. for important reasons of public interest).
How should a sponsor proceed in the case of CTs authorized under the CTD?
For new CT applications that will be submitted for authorization under the CTD until the CTR enters into application, the sponsor should continue to follow the rules in light of the respective national laws transposing the CTD. In case of CTs authorized under the CTD that are already ongoing the sponsor (i.e. the data controller) should consider the need to provide additional information to the data subject participating in the ongoing CT and whether the initial consent fulfils the requirements of the GDPR. If not, then re-consent may be required.