According to Art. 40 GDPR, associations and other bodies representing categories of controllers or processors are encouraged to prepare codes of conduct, or amend or extend such codes, for the purpose of contributing to the proper application of the GDPR in specific sectors.

When such codes of conduct – or amendments to existing ones – have been prepared, they shall be submitted to the supervisory authority which is competent pursuant to Article 55 GDPR for review. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with the GDPR and approve it if it finds that it provides sufficient appropriate safeguards.

Once approved by the supervisory authority, where the code of conduct concerned does not relate to processing activities in several member states, the supervisory authority shall register and publish the code.  However, where the submitted code of conduct does relate to processing activities in several member states, the concerned supervisory authority shall, before approving the draft code, amendment or extension, submit it, following the procedure referred to in Article 63 GDPR, to the European Data Protection Board which shall provide an opinion on whether the draft code, amendment or extension complies with the GDPR. Where such opinion from the European Data Protection Board confirms that the draft code, amendment or extension complies with the GDPR, the Board shall submit its opinion to the Commission.

The Code of Conduct for Service Providers in Clinical Research relates to processing activities in several member States and as such has been submitted to the EDPB by the CNIL, according to the process described above. The contents of the Opinion adopted by the EDPB are discussed below.

Opinion 12/2024 regarding the “Code of Conduct for Service Providers in Clinical Research”

According to the above-described procedure, on June 18, 2024 the European Data Protection Board (EDPB) published its Opinion 12/2024 on the draft decision for a “Code of Conduct for Service Providers in Clinical Research”, submitted by the CNIL. This code of conduct (henceforth “the Code”) was developed by the European Federation of Contract Research Organizations (EUCROF).  In this sense, the “code owner” is “EUCROF” which is a not-for-profit legal entity registered in the Netherlands.

According to the procedure laid down in Article 40 of the GDPR, the draft “Code of Conduct for Service Providers in Clinical Research” was submitted by EUCROF to the CNIL for approval in March 2021. After an appropriate review, the CNIL forwarded its draft decision on the Code to the EDPB in accordance with Article 64(1)(b) GDPR on February 5, 2024, for further consideration.

The EDPB’s opinion discussed in this article is addressed to the CNIL and has been published in accordance with Article 64(5)(b) of the GDPR.

The Opinion in Detail

Clinical research projects are usually initiated by a sponsor, in general a pharmaceutical company, which may use the services of a contract research organization (CRO). Contracts between sponsors and CROs specify the services to be provided by the CRO and its obligations under Art. 28 GDPR. The purpose of the Code prepared by EUCROF is to describe these obligations of CROs as processors within the meaning of Art. 28 GDPR in the context of the performance of their contract with the sponsor. The Code covers both clinical trials and non-interventional research.

The EUCROF justifies its choice of the CNIL as the competent supervisory authority by the proximity of France to a high concentration of the CROs in Europe and by the fact that, in its opinion, the CNIL has considerable experience in the protection of personal data in the field of health care and clinical research.

Following Recital 99 GDPR, in drawing up the Code the EUCROF consulted its affiliates as well as representatives of other stakeholders, among them the pharmaceutical industry, patient associations, medical device companies, ethics committees, various academic organizations, lawyers specialized in electronic health systems and experts in ISO certifications.

On the Territorial Scope of the Code

The scope of the Code is transnational and it is intended to apply across the EU. As such, EUCROF has identified all European supervisory authorities as concerned SAs.

On the Role of the Code in Facilitating the Application of the GDPR

According to the EDPB, the Code:

  1. Helps CROs understand clearly what their obligations under the GDPR are;
  2. Facilitates best practice compliance by CROs;
  3. Improves upon the state of the art for data protection in the sector; and
  4. Helps sponsors to optimize and simplify the process to monitor compliance of adhering CROs with the GDPR.

In general, the Code brings clarity regarding the specific measures CROs shall take to ensure compliance with the GDPR. By their very nature, the provisions of the Code are mandatory for the adhering CROs with regard to the classes of services defined in the statement of applicability.

On the Provided Safeguards

The opinion of the EDPB does not refer to all of the safeguards included in the proposed Code; instead, it comments on the provisions which, in its view, need to be reviewed and amended. Below is a summary of the comments provided by the EDPB regarding several sections of the proposed Code.

  1. On pseudonymization of personal data that identify the data subject directly: The Code lays down that CROs shall not process personal data that identify the data subject directly unless instructed to do so by the sponsor or required to deliver the services, and that they shall process only pseudonymous data according to Art. 4 para. 5 GDPR. The EDPB considers that this instruction shall be supplemented with: a) specifications on the aims of the pseudonymization process and the circumstances and safeguards under which a CRO may exceptionally access the identity of study subjects; and b) references to EDPB guidance and recommendations on pseudonymization methods. The EDPB also comments on the wording of the pseudonymization instruction included in the Code and recommends amending it to make clear that the methods used to pseudonymize the data shall deliver a random sequence of symbols with no recognizable pattern which could pose a reidentification risk. Furthermore, according to the EDPB, the Code shall include an instruction laying down the obligation of CROs to consider the risk of reidentification and choose appropriate techniques to mitigate the risk identified.
  2. On the secondary use of personal data: the EDPB recommends modifying the language of the provision to clarify that Arts. 5 para. 1 lit. b and 6 para. 1 and 4 GDPR don’t necessarily apply cumulatively when the further processing operations pursue scientific research. Likewise, reference to Art. 9 para. 2 GDPR as a legal basis shall be made for the cases when special categories of personal data are processed for this purpose. It is indeed surprising that the EUCROF omitted Art. 9 para. 2 as a legal basis for the secondary use of data, as scientific research generally requires health and genetic data, both special categories of personal data.
  3. Deletion of data for which no purpose can be identified: the EDPB first reminds the CNIL that it is a prerogative of the controller to decide when data shall be deleted or returned, and that the CRO (processor) shall not decide whether to delete or anonymize the concerned data once the service has been provided. Furthermore, the EDPB reiterates that Art. 28 para. 3 GDPR lays down that data shall be “deleted or returned” upon the conclusion of the services; hence, it demands that the CNIL require the code owner to delete the reference to the anonymization of the data, to align the provision with Art. 28 para. 3 GDPR and to clarify that the CRO shall act only upon instructions provided by the data controller.
  4. Compliance with Art. 32 GDPR regarding Technical and Organizational Measures: The EDPB reminds the CNIL that referring to – and strongly relying on references to – an Information Security Management System (“ISMS”) is not enough to comply with Art. 32 GDPR, whose focus is on the right of the data subject to the protection of her data and not, as is the focus of an ISMS, on the protection of the data processing institution.

On the Mechanisms for Monitoring Compliance with the Code

  • Adherence to the Code: According to the EDPB, an effective adhesion mechanism shall develop a process in three phases, namely, phase 1, in which it is specified that members shall comply with the provisions of the Code and that the monitoring body will assess the eligibility of candidates to the Code; phase 2, in which it is described how the monitoring is carried out on an ongoing basis; and phase 3, which describes monitoring on an ad hoc basis. In the opinion of the EDPB, the Code developed by EUCROF fulfills the three phases of monitoring; however, in addition to the possibilities of “approval” and “conditional approval”, the potential “rejection” of candidates shall appear. The Board also recommended that the Code contain provisions aimed at guaranteeing that candidate CROs provide detailed documentation proving their compliance with all the provisions of the Code and that the monitoring body have the ability to request additional documents if required.
  • Monitoring of the Code: As the owner of the Code, the EUCROF establishes the supervisory body COSUP. COSUP’s obligations are established in Art. 41 GDPR, in particular Art. 41 para. 4 GDPR regarding its responsibilities in monitoring compliance with the Code, notably taking appropriate action in cases of infringement of the Code by a CRO, including suspension or exclusion of the concerned organization from the Code. According to this same article, the COSUP shall inform the competent supervisory authority of such actions and the reasons for taking them. The Board provided recommendations regarding the legal responsibility and liability of COSUP which, according to this opinion, shall be borne directly by COSUP and not by the code owner. Likewise, the EDPB recommended that such responsibility and liability be guaranteed in practice. At the same time, in order to prevent CROs from being over-represented in the COSUP, the EDPB has requested that the Code be amended to include a provision according to which, in any given mandate, the chairman and vice-chairman are not both representatives of a CRO. The EDPB reiterates as well that the Code will not be operational until the COSUP has been properly accredited.
  • Sanctions: the draft Code includes an enforcement framework which determines the applicable sanctions and which shall be followed by the monitoring body.
  • Review of the Code: the Code currently contains provisions aimed at allowing and facilitating regular reviews of the Code to reflect legal, technological and operational changes and best practices.

We will follow the progress of this very important matter and report on our blog when new developments are available.