The European Data Protection Board (EDPB) has adopted an Opinion (3/2019) on the interplay between the EU Clinical Trials Regulation (536/2014) (CTR) and the GDPR, following a request from the European Commission to review its Q&A on the topic. The CTR, which is expected to enter into force in 2020, aims to harmonise the rules for conducting clinical trials throughout the EU. It does not contain any derogations from the GDPR and will therefore apply simultaneously with the GDPR.
The EDPB’s Opinion focuses: (1) the legal basis under the GDPR for processing personal data in the course of a clinical trial protocol (primary use), and (2) further use of clinical trial data for other scientific purposes (secondary use). Some highlights of the EDPB’s Opinion are set out below.
(1) Primary Use
- Primary use of personal data includes all processing operations during the lifecycle of a clinical trial protocol, from the start of the trial to deletion of data at the end of the archiving period.
- Not all processing operations relating primary use of clinical trial data pursue the same purposes and fall within the same legal basis.
- There are two main categories of processing activities during the lifecycle of a clinical trial: (i) processing operations relating to the protection of health and setting standards of quality and safety for medicinal products by generating reliable and robust data (reliability and safety purposes) and (ii) processing operations related to research activities.
- The appropriate legal basis for processing operations relating to reliability and safety purposes is: Article 6(1)(c) GDPR (processing necessary for compliance with a legal obligation to which the controller is subject), and in regard to special categories of data, Article 9(1)(i) (necessary for reasons of public interest in the area of public health). This is because the CTR includes specific legal obligations related to safety reporting, archiving and disclosure obligations.
- The EDPB identifies three alternative legal bases for processing operations related to research activities (depending on the circumstances of the specific clinical trial):
- Article 6(1)(a) in conjunction with Article 9(2)(a) (explicit consent);
- Article 6(1)(e) (a task carried out in the public interest) in conjunction with Article 9(2)(i) or (j) (processing necessary for reasons of public interest in the area of public health, or necessary for archiving purposes in the public interest, scientific or historical research or statistical purposes) or
- Article 6(1)(f)) (legitimate interests of the controller) in conjunction with Article 9(2)(j) (necessary for archiving purposes in the public interest, scientific or historical research or statistical purposes).
- For the processing of special categories of data (e.g. health data), the legal basis identified under Article 6 shall be applied, only if Article 9 GDPR provides for a specific derogation from the general prohibition to process special categories of data.
- The EDPB considers that, in most cases, consent will not be an appropriate legal basis for processing clinical trial data for research purposes, due to an imbalance of power between the sponsor/investigator and the trial participants (for example where the participant is not in good health condition or in a situation of institutional dependency), and that alternative lawful grounds of processing should be considered.
- The EDPB notes that informed consent under the CTR must not be confused with the notion of consent as a legal basis for the processing of personal data under the GDPR. The provisions of Chapter V of the CTR (primarily Article 28) that relate to informed consent primarily seek to ensure the protection of the rights of human dignity and to integrity of individuals, and were not conceived as an instrument for data protection compliance.
(2) Secondary Use
- Article 28(2) of the CTR specifically addresses the issue of secondary use. It provides that, at the time a clinical trial subject gives informed consent to participate in a clinical trial, the sponsor may ask the participant for consent to the use his or her data outside the protocol of the clinical trial, exclusively for scientific purposes. Such consent is not considered the same as consent for processing personal data under the GDPR.
- If a sponsor or investigator would like to make further use of the personal data gathered for any scientific purpose other than those defined in the clinical trial protocol, the sponsor or investigator should have a specific legal basis under the GDPR for doing so. The chosen legal basis may be the same or different from the legal basis of the primary use.
- However, pursuant to Article 5(1)(b) GDPR, where secondary use of the clinical trial data is for archiving purposes in the public interest, scientific, historical research or statistical purposes, these shall not be considered as incompatible with the initial purpose, provided appropriate safeguards are in place. In such a case, the controller may further process the data without the need for a new legal basis.
The EDPB recommends that the European Commission modify its Q&A in regard to the lawful basis for processing clinical trial data under the GDPR, to distinguish between processing activities related to reliability and safety and those related to research activities. The EDPB’s Opinion will now be transmitted back to European Commission for further consideration.
In addition to having an appropriate legal basis to process clinical trial data under the GDPR, organisations carrying out health research activities in clinical trials, and operating in Ireland, should ensure they have put in place appropriate data protection safeguards as required by the Data Protection Act 2018 (Section 36((2)) (Health Research) Regulations 2018 (SI 314/2018 (discussed here).