European Regulator Provides Guidance on Conducting Clinical Trials Under the General Data Protection Regulation

February 4, 2019 | Alerts

Companies conducting clinical trials in the EU have been grappling with many questions regarding how to conduct a clinical trial that complies with the requirements of the GDPR. Two key questions have arisen:

  • What is the legal basis for processing a participant’s personal data in the course of a trial?
  • Is consent needed in all cases?

The European Data Protection Board (the EDPB), a European regulator, has released guidance to answer these very questions. However, while it provides some clarity on the topic, the guidance still leaves many questions unanswered for U.S.-based clinical trial sponsors.

Per the EDPB, the legal basis for data processing activities related to safety is the performance of the sponsor’s legal obligation. The legal basis for all other research-related activities could be either the participant’s consent or that it is a task carried out in the public interest or in the sponsor’s legitimate interest. In assessing the relationship between GDPR and the Clinical Trials Regulation (CTR), the EDPB opined that:

  • GDPR and the CTR apply simultaneously, and the CTR constitutes a sectoral law containing specific provisions relevant from a data protection viewpoint but no derogations to the GDPR.
  • Different processing operations in the course of a specific clinical trial could pursue different purposes and fall within different legal bases.

Processing for safety and reliability

  • The legal basis for processing operations expressly provided by the CTR and by relevant national provisions, and which are related to reliability and safety purposes, is “legal obligation(s) to which the controller is subject” under Article 6(1)(c) of the GDPR.
  • This specifically includes:
    • performance of safety reporting
    • archiving of the clinical trial master file
    • the medical files of subjects
    • any disclosure of clinical trial data to the national competent authorities in the course of an inspection
  • The corresponding appropriate condition for lawful processing of special categories of data in the context of these obligations shall be Article 9(2)(i): “processing is necessary for reasons of public interest in the area of public health, such as [...] ensuring high standards of quality and safety of health care and of medicinal products or medical devices.”

Processing operations for research activities

The legal basis for processing operations purely related to research activities in the context of a clinical trial would, depending on the facts of the case, be either:

  • The data subject’s explicit consent (Article 6(1)(a) in conjunction with Article 9(2)(a)), or
  • A task carried out in the public interest (Article 6(1)(e)), or the legitimate interests of the controller (Article 6(1)(f)) in conjunction with Article 9(2)(i) or (j) of the GDPR
  • Consent:
    • Data controllers should conduct a particularly thorough assessment of the circumstances of the clinical trial before relying on individuals’ consent as a legal basis for the processing of personal data for the purposes of the research activities of that trial.
    • Informed consent is not the same as consent as a legal ground for the processing of personal data under the GDPR. Informed consent is intended to protect the person's dignity and integrity and not to be an instrument of data protection compliance.
    • In order to assess whether the individual’s explicit consent can be a valid legal basis for the processing of sensitive data in the course of a clinical trial, data controllers should take into account the Working Party 29 Guidelines on consent, and check if all the conditions for a valid consent can be met in the specific circumstances of that trial.
    • If there is an imbalance of power between the sponsor/investigator and participants, consent will not be deemed freely given and cannot serve as a legal basis for the clinical trial. This can occur when the potential participant:
      • belongs to an economically or socially disadvantaged group
      • is in a situation of institutional or hierarchical dependency or
      • is not in good health
    • If an individual withdraws his consent, all research activities carried out with the clinical trial data relating to that individual shall cease. However, the withdrawal of consent does not affect the processing operations that are based on other lawful grounds, in particular legal obligations to which the sponsor/investigator are subject such as the ones related to safety purposes.
  • Task carried out in the public interest or legitimate interest of the controller:
    • The processing of personal data in the context of clinical trials can be considered necessary for the performance of a task carried out in the public interest when the conduct of clinical trials directly falls within the mandate, missions and tasks vested in a public or private body by national law.
    • For all other situations in which the conduct of clinical trials cannot be considered necessary for the performance of public interest tasks vested in the controller by law, the EDPB will consider that the processing of personal data could be “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject” (Article 6(1)(f) GDPR).
    • Depending on the specific circumstances of a clinical trial, the appropriate Article 9 condition for all processing operations of sensitive data for purely research purposes could either be “reasons of public interest in the area of public health [...] on the basis of Member State law” (Article 9(2)(i)), or “scientific ... purposes in accordance with Article 89(1) based on Union or Member State law” (Article 9(2)(j)).
    • If a sponsor or an investigator would like to further use the personal data gathered for any other scientific purposes, other than the ones defined by the clinical trial protocol, it would require another specific legal ground other than the one used for the primary purpose. The chosen legal basis may or may not differ from the legal basis of the primary use.
    • The EDPB believes, however, that such secondary use of clinical trial data outside the clinical trial protocol for other scientific purposes may, in some cases, be compatible with the original purpose and, where that is the case, the controller could be able, under certain conditions, to further process the data without the need for a new legal basis.

While the guidance provides much-needed clarity and reassurance on the subject, some practical questions remain, especially for U.S.-based trial sponsors:

  • What happens in practice when a participant withdraws their consent?
  • What can sponsors do when structuring clinical trial data processing to make handling a potential withdrawal of consent more manageable?
  • When performing functions required by U.S. laws or by the requirements of U.S. authorities such as the Food and Drug Administration (FDA), those not being “national law” of the EU, are the only legal bases available consent or legitimate interest? What does that mean in practice?
  • If relying on legitimate interest, in what situations will the sponsor’s interest overcome that of the trial participant such that the sponsor will not be required to erase the participant’s data pursuant to an erasure request?

Read the full text of the EDPB guidance.

Need assistance ensuring your clinical trial complies with GDPR? Contact Odia Kagan, Chair of GDPR Compliance and International Privacy, at [email protected] or 215.444.7313.