European Commission Directorate-General For Health And Food Safety: Question and Answers on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation

What is the legal basis for the processing of personal data of clinical trial subjects in the context of clinical trials (primary use) carried out in accordance with the Clinical Trial Regulation?

All processing operations related to a specific clinical trial protocol during its whole lifecycle, from the starting of the trial to deletion at the end of the archiving period including data in marketing authorisation, shall be understood as primary use of clinical trial data. Not all processing operations relating to such “primary use” of clinical trial data pursue the same purposes and fall within the same legal basis. 

The overall objective of the CTR is to achieve a harmonised internal market as regards clinical trials and medicinal products for human use, taking as a starting point a high level of protection of health, while setting high standards of quality and safety for medicinal products by ensuring that data generated in clinical trials are reliable and robust (13).

The overall objective of the GDPR is to protect fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. For transparency reasons, protection of personal data should be at the centre of the data controllers' decision.

In particular, processing operations purely related to research activities must be distinguished from processing operations related to the purposes of protection of health, while setting standards of quality and safety for medicinal products by generating reliable and robust data (reliability and safety related purposes); these two main categories of processing activities fall under different legal bases.

1. Processing operations related to reliability and safety purposes

The processing operations which are necessary for compliance with a legal obligation to which the controller is subject may be justified under Article 6(1) (c) of the GDPR. The legal obligations to which the sponsor and/or the investigator are subject may be expressly provided by the CTR and by relevant Union and national provisions.

This is notably the case, for instance, for obligations relating to the performance of safety reporting under Articles 41 to 43 of the CTR, and obligations concerning the archiving of the clinical trial master file (25 years according to Article 58 CTR) and the medical files of subjects (which is to be determined by national law according to the same provision). The same applies to any disclosure of clinical trial data to the national competent authorities in the course of an inspection in accordance with relevant national rules (see Article 78 CTR).

The corresponding appropriate condition for lawful processing of special categories of data in the context of these obligations shall be Article 9(2)(i): “processing is necessary for reasons of public interest in the area of public health, such as […] ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law, which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.”

2. Processing operations purely related to research activities (14)

Processing operations purely related to research activities in the context of a clinical trial cannot, however, be derived from a legal obligation. According to the European Data Protection Board (EDPB), the processing of personal data is lawful and falls under one of the three legal bases, depending on the whole circumstances attached to a specific clinical trial:

  • a task carried out in the public interest under Article 6(1) (e) in conjunction with Article 9(2) (i) or (j) of the GDPR; or
  • the legitimate interests of the controller under Article 6(1) (f) in conjunction with Article 9(2) (j) of the GDPR; or
  • under specific circumstances, when all conditions are met, data subject’s explicit consent under Article 6(1) (a) and 9(2) (a) of the GDPR.

2.1 Public Interest

Article 6 (1) (e) allows processing of personal data where such processing is necessary for the performance of a task carried out in the public interest, on the basis of an EU or national law. The Clinical Trials Regulation defines by law certain processing activities, which are necessary for the performance of a task carried out in the public interest for purposes outlined in the approved clinical trial protocol, in this case to pursue the general public interest of the Union in safeguarding public health. Therefore, in such cases EU law provides the legal basis for the processing of personal data gathered in the context of clinical trials. The processing of personal data in the context of clinical trials can thus be considered as necessary for the performance of a task carried out in the public interest when the conduct of clinical trials directly falls within the mandate, missions and tasks vested in a public or private body by Union or national law.

The legal basis identified under Article 6 shall be supplemented with the condition for processing special categories of data under Article 9 of the GDPR. Depending on the specific circumstances of a clinical trial and on the legal basis used as described above, the appropriate Article 9 condition for all processing operations of sensitive data for purely research purposes could be “reasons of public interest in the area of public health […] on the basis of Union or Member State law” (Article 9(2)(i)), or “scientific … purposes in accordance with Article 89(1) based on Union or Member State law” (Article 9(2)(j)).

2.2 Legitimate Interest

For other situations where the conduct of clinical trials cannot be considered as necessary for the performance of the public interest tasks vested in the controller by law, the processing of personal data could be “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject” following Article 6(1) (f) GDPR.

2.3 Consent 

Under the GDPR, consent must be freely given, specific, informed, unambiguous, and where consent is used as a justification for processing special categories of data, such as health data, such consent must be explicit (Article 9(2) (a) GDPR). Data controllers should pay particular attention to the condition of a “freely given” consent. As stated in the Working Party 29 Guidelines on consent, this element implies real choice and control for data subjects. Besides, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller.

Depending on the circumstances of the clinical trial, situations of imbalance of power between the sponsor/investigator and participants may occur. The CTR expressly addresses these risks and requires the investigator to take into account all relevant circumstances, in particular whether the potential subject belongs to an economically or socially disadvantaged group, or is in a situation of institutional or hierarchical dependency that could inappropriately influence her or his decision to participate (15).

As explained in the Guidelines on consent of the Working Party 29, consent will not be the appropriate legal basis in most cases, and other legal bases than consent must be relied upon (see above alternative legal bases).


The information presented in our library is for informational purposes only; it is not for implementation in operations. Please consult official GDPR guidance documents for operational use.

This information was sourced from the European Commission Directorate-General For Health And Food Safety: Question and Answers on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation.
