The legal regime for the conduct of clinical trials of medicinal products for human use in the European Union is set out in Directive 2001/20/EC (the Clinical Trials Directive). Pursuant to this, every EU clinical trial that involves a pharmaceutical form or placebo being given to individual subjects must now have a “sponsor” that is established, or has a legal representative, in the European Union.
The sponsor is an individual, company, institution or organisation that must take responsibility for the proper initiation, management and/or financing of the clinical trial. The sponsor is also legally responsible for applying for the authorisation for a trial, as well as for ensuring there is sufficient insurance or indemnity in place to cover the liability of the sponsor and its sub-contractors. The conduct of the trial will often be sub-contracted to a trial centre, more formally known as a Clinical Research Organisation (CRO). The CRO will in turn use investigators, usually doctors on site in hospitals, to collect data from trial participants. However, such sub-contracting does not shift the sponsor’s potential legal exposure to penalties for breach under the Clinical Trials Directive.
In parallel with the Clinical Trials Directive, any human subject clinical trials that require the collection, analysis, transfer, storage and eventual destruction of data taken from individuals must also comply with the European data protection regime, as set out in Directive 95/46/EC (the Data Protection Directive) and in the legislation of individual Member States.
The roles and responsibilities of the parties set out clearly in the Clinical Trials Directive may not be as easy to determine under the data protection regime. As such, a clinical trial may involve more than one controller, or indeed more than one processor. It is crucial to get a sense of the obligations under the respective data protection regime in the relevant jurisdiction(s) before starting a clinical trial in any European country.
The Data Protection Directive
It is important to identify clearly the roles of the parties in any clinical trial, as the roles will determine the following: who will be responsible for compliance with EU data protection rules, which Member State laws apply, which data protection authorities are competent to supervise data processing operations and how data subjects can exercise their rights.
On 16 February 2010, the Article 29 Working Party, an independent EU advisory body for data protection matters, adopted Opinion 1/2010, which confirms that the current definitions of the terms “data controller” and “data processor,” as set out in the Data Protection Directive, continue to be relevant and workable.
The Working Party, however, recognised the difficulty in applying these concepts to complex processing environments (such as clinical trials) and provided guidance intended to clarify the allocation of the two roles and their respective responsibilities. Although the opinion is not legally binding, it is likely that national authorities will take it into account when applying the national laws transposing the Data Protection Directive.
The Data Controller
The Working Party identifies and interprets the three main building blocks of the data controller definition:
- “Natural or legal person”—the potential addressee
- “Which alone or jointly with others”—allows pluralistic control
- “Determines the purposes and means of processing”—the decisive competence of the data controller
When considering point 3 (i.e., the why and how of processing activities), the Working Party highlighted the importance of the factual circumstances. Contracts stipulating who determines the purpose and who, thus, shall be the data controller, may only give an indication of the parties’ intentions, and it will be the conduct of the parties that will be determinative. Even if a contract is silent on who is the data controller, it can still contain sufficient elements to assign the responsibility of data controller to a party that apparently exercises, at least in practice, a dominant function in that regard.
In determining the purposes and means, the Working Party focuses on the “purpose” of processing rather than the “means” of processing. Accordingly, whoever decides on the purposes of the data processing operation triggers the qualification to be the (de facto) data controller. Determination of the means of processing can be delegated by the data controller as far as technical or organisational measures are concerned. Substantial decisions that may affect the lawfulness of the data processing, however, may only be determined by the data controller. In a situation where both trial centres and sponsors make important determinations with regard to the way personal data relating to clinical trials is processed, they may be regarded as joint data controllers. For example, if the trial centre carries out trials autonomously—albeit in compliance with the sponsor’s guidelines—and the centre is responsible for the safekeeping of documents, it would appear that responsibilities are vested in the individual parties.
The Data Processor
Because a data processor must be a legal person or entity separate to the data controller and must process personal data on the data controller’s behalf, it is expected to execute and implement the data controller’s instructions. A data processor may, however, at its own discretion, choose the most suitable technical and organisational means for processing without qualifying as (joint) data controller.
The lawfulness of the processing by the data processor depends on the specific mandate given by the data controller, but a data processor working beyond that mandate could be viewed as assuming the responsibilities of a (joint) data controller. There is, of course, a certain degree of flexibility in sharing and allocating data protection obligations and responsibilities provided all parties are compliant. Also, the relationship between the sponsor and the trial centres could be structured so that the sponsor determines the purposes and the essential elements of the means while the trial centre is left with a very narrow margin for manoeuvre and autonomy.
According to the Working Party, the Directive allows several entities to be designated as data processors or data subprocessors, as long as they comply with the instructions of the data controller(s).
Assuming personal data is collected, on the surface it would appear that the sponsor will be a data controller, because it is responsible for designing the study and consequently determines the purpose of the processing of the data. The CRO will be a data processor because it carries out the trials in compliance with the sponsor’s guidelines. Although an individual investigator is likely to be a data processor, much will depend on how the data is being collected from participants and whether the trial data is being collected discretely from any other personal data.
What is clear from the opinion is that the factual matrix is the key to determining roles within the data protection regime. Although it is always a good starting point to set out in any commercial agreements and codes of practice the roles between parties, there must be periodic review to ensure that roles have not evolved or changed. A contractual agreement will not provide any defence for the data processor whose role has morphed into that of a data controller and who fails to comply with the increased burdens placed on the data controller. With data protection authorities in Europe focusing increasingly on enforcement, and sanctions for noncompliance reaching US$750,000, the risks of failure to understand and to comply with the regime are now more serious than ever.