1. Introduction

The GDPR aims to ensure the protection of individuals with regard to the processing of personal data and provides harmonized rules on the free movement of such data. The CTR, on the other hand, provides a greater level of harmonization of the rules for conducting clinical trials within the EU. The EDPB, an EU body in charge of adopting guidelines on the interpretation of the GDPR to ensure its uniform application in the EU, considers that, once in force, the CTR and the GDPR will apply in an interlinked manner. As such, the CTR is deemed to constitute a sectoral law containing specific provisions relevant from a data protection viewpoint but no derogation from the GDPR.

This article will consider the opinion adopted by the EDPB concerning the relationship between the two regulations, and specifically the EDPB’s opinion that investigators and sponsors of clinical trials will need to carefully consider the lawful basis for processing special categories of personal data, such as health data. As the CTR is yet to come into force, the emphasis will be on the GDPR. First, the article will evaluate the processing of personal data under a clinical trial protocol, referred to as the primary use of clinical trial data. Second, it will consider the processing of personal data outside the clinical trial protocol, qualified as secondary use of clinical trial data.

2. Primary use of clinical trial data

The EDPB considers that all processing of personal data related to a specific clinical trial protocol during its whole lifecycle, from the start of the trial to deletion at the end of the archiving period, is to be understood as primary use of clinical trial data.

The EDPB distinguishes between two main subcategories of processing of personal data for primary use: (i) processing related to the purpose of protection of health, while setting standards of quality and safety for medicinal products by generating reliable and robust data (reliability and safety related purposes), and (ii) processing related to research activities. The EDPB recognizes that the two purposes fall within separate legal bases under the GDPR.

2.1 Processing related to reliability and safety purposes

Processing of non-sensitive personal data is allowed to the extent that at least one of the legal bases provided under Article 6 of the GDPR is fulfilled. The EDPB is of the opinion that the processing operations which are related to reliability and safety purposes can be considered to fall within Article 6(1)(c) (legal obligation(s) to which the controller is subject) of the GDPR. The EDPB recognizes that such a legal obligation could, for example, be the obligation to disclose clinical trial data to the national competent authorities in the course of an inspection under relevant national laws. Overall, the EDPB is of the opinion that the processing of non-sensitive personal data in the context of the national laws relevant to clinical trials has to be considered as necessary to comply with legal obligations to which the sponsor and/or the investigator are subject.

Regarding special categories of personal data (“sensitive personal data”), such as health data, the EDPB further provides in its opinion that lawful processing of such data in the context of legal obligations under national law shall be deemed to be qualified under Article 9(2)(i) (public interest in the area of public health) of the GDPR.

In light of the above, for processing operations related to safety and reliability purposes, obtaining consent from the data subjects under the GDPR is arguably unnecessary. Instead, the appropriate lawful grounds for processing of personal data are derived from legal obligations to which the investigator or sponsor is subject (cf. Article 6(1)(c)) and from public interest in the area of public health (cf. Article 9(2)(i)).

2.2 Processing operations purely related to research activities

The EDPB is further of the opinion that, depending on the circumstances of the trial and the specific data being processed, research related activities may fall under either (i) the participant’s (data subject’s) explicit consent (Article 6(1)(a) in conjunction with Article 9(2)(a)), (ii) a task carried out in the public interest (Article 6(1)(e)), or (iii) the legitimate interests of the controller (Article 6(1)(f)) in conjunction with Article 9(2)(i) or (j) of the GDPR.

2.2.1 The issues related to consent

Processing related to research activities in the context of clinical trials will in most cases involve processing of sensitive data. Sponsors and investigators usually rely on the data subject’s consent in order to lawfully process such data. Please note that the conditions for the informed consent under national laws (or the CTR which also provides for an informed consent requirement) and other requirements for obtaining a valid consent under the GDPR are interdependent and should both be met if consent is used as a legal basis for processing of personal data. The GDPR does not rule out other provisions related to consent for the purposes of processing personal data in clinical trials.

With regard to the GDPR and the requirement of obtaining explicit consent from the data subject, the term explicit refers to the way consent is expressed by the data subject. The EDPB advises that, in order for data controllers to assess whether the individual’s explicit consent can be a valid legal basis for the processing of sensitive personal data in the course of a clinical trial, the data controllers should duly take into account the Working Party 29 Guidelines on consent and check if all the conditions for a valid explicit consent can be met in the specific circumstances of that trial. Such conditions refer to consent being a freely given, specific, informed and unambiguous indication of the data subject’s wishes.

The EDPB further considers that data controllers should pay particular attention to whether the consent is in fact freely given. This element implies a real choice and control for the data subject. According to the EDPB, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the data controller. Consequently, even if data controllers follow the procedures of consent under the national and EU laws to which they are subject, a clear situation of imbalance of powers between the participant and the investigator will imply that the consent is not freely given within the meaning of the GDPR. The EDPB highlighted that this may be so where a participant is not in good health, when participants belong to economically or socially disadvantaged groups, or in any situation of institutional or hierarchical dependency.

The conclusion to draw from this is that consent will not always be an appropriate legal basis for the purposes of research related activities in clinical trials.

2.2.2 Alternative legal bases

The EDPB considers that, as an alternative or additional legal basis to consent as a lawful ground for processing of personal data, the public interest (cf. Article 6(1)(e)) or the legitimate interests of the data controller (cf. Article 6(1)(f)) are more appropriate.

Article 6(3) of the GDPR provides that the processing referred to in Article 6(1)(e) as necessary for the performance of a task carried out in the public interest shall be laid down by Union or Member State law and that the processing shall be laid down in that legal basis. The GDPR further states that the regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject, or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, may be sufficient. The EDPB is of the opinion that the processing of personal data in the context of clinical trials can be considered as necessary for the performance of a task carried out in the public interest when the conduct of clinical trials directly falls within the mandate, missions and tasks vested in a public or private body by national law.

In cases where the conduct of clinical trials cannot be considered as necessary for the performance of the public interest tasks vested in the controller by law, the EDPB will consider that the processing of personal data could be “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject” as provided under Article 6(1)(f) of the GDPR.

Finally, the EDPB is of the opinion that depending on the specific circumstances of a clinical trial, the appropriate legal basis for processing sensitive personal data could either be “reasons of public interest in the area of public health […] on the basis of Member State law” as provided for under Article 9(2)(i), or “scientific … purposes in accordance with Article 89(1) based on Union or Member State law” under Article 9(2)(j).

3. Secondary uses of clinical trial data outside the clinical trial protocol for scientific purposes

An investigator, sponsor or similar, acting as the data controller, may want to further use the personal data gathered for scientific purposes other than the ones defined by the clinical trial protocol. The EDPB considers such use to be a secondary use, which would require a specific legal ground separate from that relied on for the primary purpose. The chosen legal basis may differ from the legal basis of the primary use.

4. Conclusion

To conclude:

  • Data controllers should distinguish between processing activities related to reliability and safety and processing for research activities.
  • Data controllers should reevaluate their use of consent as a legal basis for processing sensitive personal data.
  • Data controllers’ secondary use of clinical trial data will require the same or other legal bases.

Finally, data controllers may consider disregarding consent from participants entirely and relying on other legal bases under the GDPR. However, investigators and sponsors will still need to obtain informed consent as required under national ethical requirements with regard to clinical trials or the CTR. Please keep in mind that, if obtaining consent is disregarded, it will be necessary to amend relevant privacy policies/notices in order to reflect such change of legal basis.