Category: Series on Data Protection and Clinical Trials

Data Protection and Clinical Trials – Part 1

10 February 2021

In the two and a half years since the General Data Protection Regulation (GDPR) came into effect, many organisations have adjusted to the laws and standards it established. Nevertheless, a number of open questions remain in certain industries, one of them being life sciences, and more specifically clinical trials.

The GDPR and the guidance of the European Data Protection Board (EDPB) leave considerable room for speculation, because they cannot fully specify the reach of, and the definitive approach to, data protection in every industry.

This short series aims to give an overview of the handling of clinical trials from a data protection point of view, and to answer important questions that arise in the day-to-day business of the industry.

In general, clinical trials constitute a processing activity within the meaning of Art. 4 (2) GDPR; the basic data protection obligations therefore apply to them, including:

  • Following the basic GDPR principles laid out in Art. 5 GDPR, namely lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability
  • Information obligations of the controller according to Art. 13 and 14 GDPR
  • Data subject rights according to Art. 15 to 21 GDPR
  • Obligation to keep a record of processing activities according to Art. 30 para. 1 and 2 GDPR
  • Security measures in compliance with Art. 32 GDPR
  • Data breach notifications to the supervisory authority as well as to the data subjects according to Art. 33 and 34 GDPR
  • A data protection impact assessment, to be carried out prior to the start of the clinical trial, according to Art. 35 GDPR

However, the first and most important question regarding the processing of personal data for clinical trials is:

Which legal basis is applicable to the processing?

The EDPB addressed this issue in its Opinion on the Interplay between Clinical Trials and the GDPR and, as a first step, distinguished between the processing of personal data for which the clinical trial protocol is the primary purpose and, on the other hand, processing for which the clinical trial is a secondary purpose alongside, for example, patient care.

According to the EDPB's opinion, the applicable legal basis is to be determined by the controller on a case-by-case basis. However, the EDPB does give its own general assessment of the legal basis applicable to the different scenarios that have crystallised in its view:

  • Primary use of the processed personal data for clinical trials
    a. Processing activities related to reliability and safety
       -> Legal obligation of the controller, Art. 6 para. 1 (c) GDPR in conjunction with Art. 9 para. 2 (i) GDPR
    b. Processing activities purely related to research activities
       -> Task carried out in the public interest, Art. 6 para. 1 (e) GDPR in conjunction with Art. 9 para. 2 (i) or (j) GDPR
       -> Legitimate interest of the controller, Art. 6 para. 1 (f) GDPR in conjunction with Art. 9 para. 2 (j) GDPR
       -> In specific circumstances, explicit consent of the data subject, Art. 6 para. 1 (a) GDPR in conjunction with Art. 9 para. 2 (a) GDPR
  • Secondary use of the clinical trial data outside the clinical trial protocol for scientific purposes
       -> Explicit consent of the data subject, Art. 6 para. 1 (a) GDPR in conjunction with Art. 9 para. 2 (a) GDPR

While this guidance on assessing the legal basis for the processing is helpful, the EDPB does not address any further open issues regarding clinical trials in its opinion. Yet there remain further subjects that cause confusion.

Some of these subjects will be treated in the next part of this series, which will take a closer look at clinical trial sponsorship from outside the EEA as well as the questions surrounding controllership roles in clinical trials.