Clinical trial data are the data most frequently processed by pharma and medical device companies; trial centers are also involved in this data processing.
Under data protection legislation, pharma and medical device companies are controllers and trial centres are processors, most of the time.
But these roles are not always clear.
In WP 29 Opinion 1/2010 about the roles of "controller" and "processor", you can read:
The pharmaceutical company XYZ sponsors some drug trials and selects the candidate trial centres by assessing the respective eligibility and interests; ………
Although the sponsor does not collect any data directly, it does acquire the patients' data as collected by trial centres and processes those data in different ways (evaluating the information contained in the medical documents; receiving the data of adverse reactions; entering these data in the relevant database; performing statistical analyses to achieve the trial results). The trial centre carries out the trial autonomously – albeit in compliance with the sponsor's guidelines; it provides the information notices to patients and obtains their consent as also related to processing of the data concerning them; it allows the sponsor's collaborators to access the patients' original medical documents to perform monitoring activities; and it handles and is responsible for the safekeeping of those documents. Therefore, it appears that responsibilities are vested in the individual actors.
Against this background, in this case both trial centres and sponsors make important determinations with regard to the way personal data relating to clinical trials are processed. Accordingly, they may be regarded as joint data controllers.
The relation between the sponsor and the trial centres could be interpreted differently in those cases where the sponsor determines the purposes and the essential elements of the means and the researcher is left with a very narrow margin of manoeuvre.
According to this Opinion, if both trial centers and sponsors (pharma and medical device companies) make important determinations regarding the purpose and/or the way of data processing, they are joint data controllers.
In this case, the new GDPR requires a specific agreement between the parties.
Article 26 states the following:
Article 26 - Joint controllers
1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.
2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.
3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.
Essentially, the sponsor and the trial centers shall determine, by means of a specific agreement:
who does what, when and how, to guarantee that the data processing complies with the GDPR;
who provides the information to the people concerned (according to Articles 13 and 14);
who has to fulfil the rights of the data subjects;
who manages a contact point for data subjects.
In addition, the joint data controllers are required to make the essential content of the agreement available to data subjects, and the data subjects may exercise their rights against each of the joint data controllers.