The European Commission has recently issued (on 10 April 2019) a Question & Answer document on the interplay between the General Data Protection Regulation 2016/679 (the “GDPR”) and Clinical Trials Regulation 536/2014 (the “CTR”), which is expected to enter into force in 2020 (subject to development of a fully functional EU clinical trials portal and database). The Q&A document reflects the state of play after the consultation of the European Data Protection Board, and it provides some clarifications in areas where the relationship between these both simultaneously applicable sets of rules appears complicated.
As a starting point, under the GDPR, it is the responsibility of data controllers to demonstrate that personal data are processed in accordance with the GDPR. To comply with this requirement 1) the data protection principles must be respected, 2) adequate information to clinical trial participants must be provided, 3) in some cases a data protection officer must be appointed, 4) records of processing activities must be maintained, and 5) the exercise of individual’s rights must be facilitated, to mention but a few. Furthermore, the controller must determine the legal basis for the various data processing activities. In this context, it should be noted that the informed consent required under the CTR is actually a research ethical standard and a procedural obligation. According to the Q&A document, it should not be confused with consent as a legal basis for the processing of personal data under the GDPR.
When it comes to the legal basis under the GDPR, the Q&A document sheds light upon various processing operations involving the use of clinical trial data, including operations related to research, as well as operations required for the protection of health. Such operations may rely on a different legal basis. It is possible to request consent from the participants (in addition to the consent required under the CTR), but there are also other alternative options, depending on the situation at hand, and it is always the data controller’s duty to assess and implement an adequate legal basis. As for the secondary uses of the research data, i.e. if clinical trial data are used for purposes of further research outside the scope of the actual research protocol, another legal basis may be required. Here it may prove useful to rely on a derogation provided by the Finnish Data Protection Act, under which personal data may be processed for scientific research purposes that pursue legitimate aims in the public interest. In practice, relying on this derogation would require that it can be demonstrated that 1) the further research is of scientific nature and undertaken to pursue a legitimate aim in the public interest, 2) that the secondary use is necessary for such research, and 3) the secondary use is proportionate to the legitimate aim pursued.
Furthermore, the Q&A document touches upon the impact of the entry into application of the GDPR on ongoing clinical trials that are governed by Clinical Trials Directive 2001/20/EC. In comparison to the Directive, it is indicated that under the GDPR, additional information may have to be provided to the participants of a clinical trial. In case of such trials, as a main rule, the legal basis for processing personal data that was valid under national data protection rules implementing Directive 2001/20/EC prior to the GDPR remains applicable. Yet, if the processing of clinical trial participant data is based on the trial participant’s consent, there is a need to assess whether such consent meets the more rigorous requirements of the GDPR. If these requirements are not fully met, there is a need for a careful assessment of whether a renewed consent is to be required.
Senior Associate at Hannes Snellman
Managing Associate at Hannes Snellman
Associate Trainee at Hannes Snellman