Since the implementation of the GDPR, there has been much discussion with respect to the appropriate legal basis for the processing of personal data in the context of a clinical trial, in particular how this relates to the Clinical Trials Regulation (CTR) which is expected to enter into force in 2020. There was a lack of consensus among the different ethics committees and regulatory bodies with respect to the appropriate legal bases: in some countries consent was the way to go, whilst in other countries a clear message was given that legitimate interests is the most appropriate legal basis in the context of clinical trials.
To provide more clarity, the European Data Protection Board (EDPB) recently adopted an opinion on the interplay between the Clinical Trials Regulation (CTR) and the GDPR. This opinion addresses the appropriate legal basis for the processing of personal data in the context of a clinical trial. The opinion makes a distinction between (i) processing operations in the course of a clinical trial protocol (‘primary use’) and (ii) processing operations outside the clinical trial protocol for scientific purposes (‘secondary use’).
1. Primary use
According to the EDPB, primary use includes “all processing operations related to a specific clinical trial protocol during its whole lifecycle, from the starting of the trial to deletion at the end of the archiving period”. For purposes of identifying a legal basis, the EDPB makes a distinction between the following two main categories of primary processing.
a) Processing operations related to reliability and safety purposes
This category concerns the processing operations expressly provided by the CTR and national laws, which are related to reliability and safety purposes. The EDPB refers to obligations relating to the performance of safety reporting (Articles 41 to 43 CTR), obligations concerning the archiving of the clinical trial master file (25 years according to Article 58 CTR) and the medical files of subjects (to be determined by national law) or the disclosure of clinical trial data to national competent authorities (Articles 77-79 CTR). The appropriate legal basis for such processing operations is the “legal obligation(s) to which the controller is subject” (Article 6(1)c GDPR). The corresponding appropriate condition for the processing of special categories of personal data in the context of these obligations lies in the necessity for reasons of public interest in the area of public health (Article 9(2)i GDPR).
b) Processing operations purely related to research activities
This category concerns processing activities that are purely related to research activities and not required to comply with a legal obligation. For these activities, the EDPB identifies one of the three following legal bases under Article 6 GDPR:
- Explicit consent – first of all, the EDPB points out that informed consent under the CTR must not be confused with the notion of consent as a legal ground for processing personal data under the GDPR. A data controller can only rely on explicit consent as a legal basis if all the conditions for valid consent – as set out by the Working Party 29 Guidelines on consent – can be met in the specific circumstances of a clinical trial. For example, a clear imbalance of power between the participant and the sponsor/investigator will imply that the consent is not “freely given”, as will be the case when a participant is not in good health, belongs to an economically or socially disadvantaged group, or is in any situation of institutional or hierarchical dependency. On this basis, the EDPB concludes that consent will not be the appropriate legal basis in most cases, and that legal bases other than consent must be relied upon (see below). The EDPB considers that data controllers that wish to rely on the explicit consent of the data subject for purposes of research activities should first conduct a particularly thorough assessment of the circumstances of the clinical trial.
- Task carried out in the public interest – this legal basis only becomes relevant when the conduct of clinical trials directly falls within the mandate, mission and tasks vested in a public or private body by national law, and is therefore unlikely to apply to commercial companies.
- Legitimate interests – for all other situations where clinical trials cannot be considered to be necessary for the performance of the tasks carried out in the public interest, the EDPB considers that Article 6(1)f GDPR may be used as a legal basis (subject to, as always, the stringent conditions that apply thereto).
With respect to the processing of special categories of personal data, the EDPB considers that – depending on the specific circumstances of a clinical trial – the appropriate legal bases could either be Article 9(2)i GDPR (reasons of public interest in the area of public health) or Article 9(2)j GDPR (scientific research).
2. Secondary use
Secondary use concerns the (further) processing of personal data for scientific research purposes, other than those purposes defined in the clinical trial protocol. The EDPB states that the secondary use of clinical trial data outside the clinical trial protocol for other scientific purposes, shall be presumed compatible with the initial purpose (conducting the clinical trial), provided that the processing is in accordance with Article 89 GDPR (i.e. appropriate safeguards must be implemented to ensure that technical and organisational measures are in place). In other words: the “secondary use” is permitted without the need for a new legal basis. However, the EDPB mentions that these conditions will require specific attention and guidance from the EDPB in the future. Furthermore, the EDPB reminds us that such secondary use must be conducted in compliance with all other relevant applicable data protection provisions.
With the above in mind, it is safe to say that the EDPB has brought more clarity (and hopefully uniformity) with respect to the appropriate legal bases for the processing of personal data in the context of clinical trials. The remaining question is how ethics committees and regulatory bodies will respond to the opinion of the EDPB and whether they will follow the same approach, in particular with respect to the use of consent. In any case, data controllers acting in a clinical trial are recommended to review their current legal bases and, where necessary, switch to another legal basis and possibly conduct a legitimate interest balancing test, in order to act in accordance with the EDPB’s latest opinion.