The European Data Protection Board (EDPB) has provided clear guidance on the legal basis for processing personal data when conducting clinical trials. Although the opinion refers specifically to the interaction between the GDPR and the Clinical Trial Regulation (CTR), in this article we summarize the premises applicable for the processing of personal data in the context of clinical trials under the GDPR.

On the 23rd of January 2019, in exercise of its tasks under article 70 of the GDPR, the EDPB published Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (art. 70.1.b)), in response to the Q&A submitted by the European Commission (DG SANTE). The request for consultation was submitted to the EDPB in October 2018, and the opinion provides guidance on the interplay between the two regulations whenever clinical trials are conducted.

The CTR is a regulation that seeks to achieve a greater level of harmonisation when conducting clinical trials in the EU. This regulation has been in force since the 16th of June 2014; however, its application has been suspended until the development of the EU clinical trials portal and database. The entry into application of the CTR is estimated for 2020, thus the requirement for clarification between the two regulations.

Recitals 156 and 161 of the GDPR make explicit reference to the specific regulation applicable for clinical trials. The EDPB has emphasised that from a data protection point of view, the CTR is a sectoral law that is applicable simultaneously with the provisions of the GDPR. On this matter, the EDPB has clarified that in the context of clinical trials, there is a primary and secondary use of personal data, and that different legal bases are applicable depending on the purposes.

The EDPB mentions in the opinion that the primary use of clinical trial data is to be assumed as the complete data processing operation within the lifecycle of the clinical trial protocol. This is to be understood as running from the beginning of the trial until the deletion once the archiving period has concluded. Within this primary use, not all processing operations have the same purpose or legal basis. When processing personal data while conducting a clinical trial, there are 2 categories to be considered:

1. Reliability and safety purposes.

The first category refers to the processing operations that involve the reliability and safety purpose related to the protection of health, while setting standards of quality and safety for medicinal products by the generation of reliable and robust data. The legal basis applicable to this category is comprised under article 6 (1) (c) of the GDPR, when the “processing is necessary for compliance with a legal obligation to which the controller is subject”; at the same time, Art. 9(2) (i) GDPR will apply since special categories of personal data within the meaning of that norm are concerned. This legal obligation is subject to certain conditions, primarily that the obligation must comply with data protection regulation. The legal obligation must be clear as to the personal data required for its compliance, and the controller should not have an undue degree of discretion over how to comply with such obligation. The obligations the sponsor and/or investigator are subject to within the CTR are: the performance of safety reporting[1], the archiving of clinical trials master files[2], medical files of subjects[3], and inspection by national authorities in compliance with national law[4].

2. Research activities:

Concerning the concept of scientific research, the Article 29 WP has stated that scientific research should not be interpreted broadly. This concept should be interpreted as a research project set up in accordance with relevant sector related methodological and ethical standards, in conformity with good practice[5]. Taking this into consideration, within a clinical trial, the purpose of research may be based on the consent of the data subject, or on the public or legitimate interest of the controller. For these legal bases to be applicable, the activity should contain the following characteristics:

a) Consent:

Concerning the GDPR, the consent of the data subject must be explicit in compliance with the provisions of article 6 (1)(a) alongside the specific requirements of article 9 (2)(a). The obligation of informed consent contained within the CTR[6] refers to the core ethical requirements of research projects involving humans as established within the Helsinki Declaration[7]. The EDPB has clarified that the informed consent under the CTR refers to the protection of the right to human dignity and integrity of individuals[8], and should not be conceived as an instrument for compliance with data protection standards.

Explicit consent as required under the GDPR must meet the requirements under Articles 4 (11) and 7 of the GDPR, along with the conditions as established by the Article 29 WP[9]. The EDPB specifies that the concept of a “freely given consent” is fundamental for this condition to be met. In the case of clinical trials, the imbalance of power between the data subject and the controller from an economic or hierarchical perspective may be problematic[10]. It is important for the controller to consider, within the special circumstances of the trial, whether there might be an imbalance of power between the sponsor/investigator and participants. However, the EDPB has made it clear that even if the participants are informed of the existence of an imbalance of power between them and the sponsor/investigator, this would lead to the consent not being “freely given” under the GDPR. Due to this conflict, consent may not be considered an appropriate legal basis in most cases.

Another aspect that needs to be considered when relying on consent as a legal basis for processing is the data subject’s right to withdraw consent. The withdrawal of informed consent under the CTR[11] must not be confused with the withdrawal of consent under the GDPR. When a data subject withdraws his/her consent under data protection regulation, all processing operations related to the research activities that are based upon that consent should cease so long as it is personal data, as required under article 7 of the GDPR. The processing of anonymized data sets for research purposes may continue as it is not considered personal data. Processing operations that are carried out based on other legal grounds, however, may continue.

The EDPB has expressly mentioned that the following two legal bases are to be considered primarily when processing personal data within a clinical trial for research purposes.

b) Tasks carried out in the Public Interest:

The conditions for considering that the personal data is being processed as a task carried out in the public interest, require that the processing is a task vested in a public or private body by national law[12]. Under this legal basis, the personal data must be processed necessarily to comply with this obligation under public interest when the clinical trials are mandated under the authority of a public or private body[13].

c) Legitimate Interest of the Controller:

Whenever the processing of personal data for research purposes is not comprised as a task carried out in the public interest, this legal basis may be applicable. The related articles are Article 6 (1) (f) in conjunction with either a task carried out for public interest under article 9 (2) (i), or scientific purposes under article 9 (2) (j) of the GDPR. The relevant exception for the processing of special categories of personal data will depend upon the research activity itself.

Secondary use of Clinical Trial Data outside the Clinical Trial protocol for Scientific Purposes.

As mentioned above, the consent as defined by the CTR is not to be considered as the same consent required for the processing of personal data. For this reason, the EDPB has stressed that if the sponsor wishes to process the personal data for other scientific purposes, not initially within the clinical trial protocol, this would require another specific legal ground. The second legal ground may or may not be the same as the one for the primary use.

The EDPB has pointed out that the presumption of compatibility under article 5 (1)(b) of the GDPR is to be interpreted as where data is further processed for archiving purposes in the public interest, scientific, historical research or statistical purposes, in accordance with the provisions of article 89 of the GDPR. The processor could further process personal data, as long as certain conditions are applicable, without the need for a new legal basis for processing[14]. Due to the complexity of these conditions, the EDPB will be providing further guidance on this matter. In the meantime, the conditions within article 89 of the GDPR should not be excluded from the secondary use of clinical trial data outside the clinical trial protocol, for other specific purposes. Whenever personal data is to be further processed and the presumption of compatibility is applicable, the requirements of the GDPR and local data protection law must also apply to the processing operation as established under article 28(2) of the CTR.

With this opinion, the EDPB analysed the synergy between the Clinical Trial Regulation and the GDPR when conducting clinical trials. Furthermore, it clarifies the fact that the consent of the data subject for processing personal data differs from the consent required to conduct the clinical trial. The opinion narrows down the legal basis for processing for research purposes and enhances the need to rely on the public or legitimate interest of the controller rather than consent within the context of clinical trials. Although some matters remain open to the further guidance of the EDPB, these opinions should already be taken into consideration within the development of clinical trial protocols. For further clarification of the opinion herein please refer to Figure 1.

Figure 1

