On 23 January 2019, the European Data Protection Board (EDPB) published its Opinion 3/2019 concerning the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR). Shortly thereafter, the European Commission also published the “Q&A” document on this topic. Even though a large part of this will be relevant only when the CTR becomes applicable, other parts already provide useful guidance under the current Clinical Trials Directive.
Background of the EDPB Opinion 3/2019
The EDPB Opinion starts by recalling that the CTR entered into force on 16 June 2014, but that the date of its entry into application, which depends on the development of a fully functional EU clinical trials portal and database, is currently estimated to be in 2020.
As the GDPR also makes express references in its recitals to the relevant legislation applicable to clinical trials, it follows logically that both regulations apply simultaneously and that the CTR constitutes a sectoral law containing specific provisions relevant from a data protection viewpoint (without containing any derogations from the GDPR).
The EDPB moreover considers that the information provided in the European Commission’s “Q&A” document constitutes a good basis for a GDPR-compliant clinical trial.
Guidelines on the appropriate legal basis for clinical trials
The EDPB and the European Commission’s “Q&A” document essentially distinguish between the following purposes of data processing and the distinct legal grounds that can be used to justify/legitimise the processing of personal data for such purposes:
- Primary use of personal data for the purpose of executing a clinical trial protocol:
  - Processing for reliability and safety purposes: legal obligation (Articles 6.1(c) and 9.2(i) GDPR) is the legal ground for the processing of personal data in the context of safety reporting, in the context of an inspection by a national competent authority, or for the retention of clinical trial data in accordance with archiving obligations set up by the CTR or national legislation;
  - Processing for research purposes: explicit consent (Articles 6.1(a) and 9.2(a) GDPR), or a task carried out in the public interest (Article 6.1(e) GDPR), or the legitimate interests of the controller (Articles 6.1(f) and 9.2(i) or (j) GDPR) can – depending on the particular circumstances – be a valid legal ground for the processing of personal data.
- Secondary use of personal data outside the scope of the study protocol, but only - and “exclusively” - for scientific purposes:
  - While the CTR considers that consent for this specific processing purpose should be sought from the data subject at the time of the request for informed consent for participation in the clinical trial, the consent set out in Article 28(2) CTR is not the same as the consent referred to in the GDPR as one of the legal bases for the processing of personal data;
  - If a sponsor or an investigator would like to make further use of the personal data gathered for any scientific purposes other than the ones defined by the clinical trial protocol, this would require another specific legal ground, which may or may not differ from the legal basis of the primary use of the personal data.
Please also read the EDPB Opinion and the European Commission’s “Q&A” document for further clarification on the circumstances in which one or more of these legal grounds is/are appropriate.
In addition, note that the “informed consent” under the CTR must not be confused with the notion of consent as a legal ground for the processing of personal data under the GDPR. They should be considered as two distinct legal concepts relating to two different legal obligations.
Further guidance in the future?
Opinion 3/2019 is only the first EDPB opinion on the interplay between the CTR and the GDPR, focussing specifically on the available legal grounds for the processing of personal data in the context of a clinical trial. Additional opinions and guidelines on the other aspects of convergence/divergence between these two pieces of EU legislation are still to be expected. This can only be encouraged, as several other ‘GDPR topics’ (such as the (joint) controller / processor qualification, the DPO requirement, the extra-territorial scope of application, etc.) still raise practical questions and should be clarified by the EU Data Protection Authorities (unified in the EDPB).