European regulators are expected to align their processes and guidance to accommodate the EDPB’s recommended approach to processing special categories of personal data.
By Gail E. Crawford, Frances Stocks Allen, and Mihail Krepchev
In January, the European Data Protection Board (EDPB) issued an opinion (Opinion) on the interplay between the General Data Protection Regulation (GDPR) and the Clinical Trials Regulation (CTR), which: (1) confirms that consent under the GDPR and CTR are different concepts; and (2) sets out the EDPB’s recommendations on the appropriate legal basis required for processing personal data in connection with clinical trials conducted in the EEA (which is unlikely to be consent).
Practical Takeaways
While the Opinion brings some much-needed certainty to the area of consent and other legal grounds for clinical trials, challenges remain. Outlined below are the key challenges and the steps that sponsors of clinical trials in the EEA (Sponsors) should take when designing their research activities:
Many sponsors of clinical trials believe that companies based outside the EU who sponsor clinical trials conducted in the EU through clinical research organisations (CROs) and/or clinical sites do not themselves need to comply with the General Data Protection Regulation (GDPR). Sponsors believe the GDPR does not apply to them as they do not conduct the research directly but only receive results in key-coded form, and only their CROs and/or clinical sites will have access to the raw data and/or the key that connects the key-coded data to individual patients. However, sponsors need to reconsider this presumption in light of current guidelines and the Breyer case. Similar issues arise in other fields, for example, data and market research, in which only key-coded data is received by the organisation commissioning the research. But following the GDPR and the Breyer decision these organisations may still be subject to the requirements of the GDPR.