Clinical Trials and the GDPR: do I really need the participant’s consent?

Clinical Trials and the GDPR: do I really need the participant’s consent?
May 2, 2019

On 23 January 2019, the European Data Protection Board (EDPB) issued its Opinion 3/2019 on the interplay between the General Data Protection Regulation (GDPR; applying since 25 May 2018) and the Clinical Trials Regulation (CTR; probably applying from 2020). In its Opinion, the EDPB has provided clarification on the GDPR’s application on the processing of personal data in the context of clinical trials. In particular, the EDPB has provided guidance on the appropriate processing ground for the processing of personal data in the context of clinical trials (primary use) and in the context of other scientific purposes (secondary use). The EDPB has concluded that, even though the CTR requires the informed consent of the participant for him/her to participate in the trial, it is not necessary to obtain the participant’s consent under the GDPR to process his/her personal data. According to the EDPB, other processing grounds are possible.

GDPR applies to clinical trials

During clinical trials, the investigators and sponsors must always process personal data. Consequently, the investigators and sponsors must take into account the GDPR’s provisions. As the EDPB recalls: “the CTR constitutes a sectoral law containing specific provisions relevant from a data protection viewpoint but no derogations to the GDPR”. Indeed, the CTR stipulates that the GDPR must apply to the processing of personal data carried out under the CTR.

Processing grounds in the context of clinical trials (primary use)

According to the EDPB, “all processing operations related to a specific clinical trial protocol during its whole lifecycle, from the starting of the trial to deletion at the end of the archiving period, shall be understood as primary use of clinical trial data”. However, not all processing activities pursue the same purpose and fall under the same processing ground. It is necessary to distinguish two main categories of processing activities during the lifecycle of a clinical trial: (i) processing activities related to reliability and safety purposes and (ii) processing activities purely related to research activities. These two main categories fall under different processing grounds.

Processing ground for reliability and safety purposes:

The EDPB believes that the processing activities expressly provided by the CTR (or similar national provisions) that relate to reliability and safety purposes can fall within the processing ground “legal obligation(s) to which the investigator/sponsor is subject”. This is especially the case for (i) obligations relating to the performance of safety reporting, (ii) obligations concerning the archiving of the clinical trial master files and the medical files of the test subjects, and (iii) obligations to disclose clinical trial data to national authorities during inspections.

Processing ground for research activities:

Processing activities purely related to research activities, however, cannot be derived from a legal obligation. For these processing activities, the investigators/sponsors will need to invoke another processing ground. The EDPB has proposed 3 alternatives:

  • Explicit consent: it is important to note that the ‘informed consent’ set out by the CTR is not the same as the processing ground ‘consent’ set out by the GDPR. Moreover, the EDPB believes that even if you meet the conditions for obtaining an informed consent under the CTR, this does not mean that you will have a valid consent under the GDPR. The EDPB believes that consent will often not be “given freely” within the meaning of the GDPR.
  • Tasks carried out in the public interest: the processing of personal data in the context of clinical trials can be considered as necessary for the performance of a task carried out in the public interest when the clinical trial directly falls within the mandate, missions and tasks vested in a public or private body by national law.
  • The controller’s legitimate interests: for all other situations in which the conduct of clinical trials cannot be considered as necessary for the performance of the public interest tasks vested in the controller, the EDPB believes that the processing can be necessary for the purposes of the legitimate interests pursued by the controller or a third party.

According to the EDPB, the data subject’s consent will mostly not be the most appropriate processing ground. A controller must conduct a thorough assessment of the circumstances of the clinical trial before relying on consent as a processing ground. According to the EDPB, controllers should investigate whether the other processing grounds are more appropriate.

Processing ground outside the context of clinical trials (secondary use)

The EDPB has acknowledged that controllers might want to process the clinical trial subject’s data outside the scope of the protocol of the clinical trial for scientific purposes. According to the EDPB, a controller can possibly rely on the presumption of compatibility, following which the further processing of personal data for scientific research purposes will not be considered as incompatible with the initial purpose, provided that the controller adheres to specific adequate safeguards and conditions. This means that the controller does not need to identify a new processing ground for this secondary use. The EDPB will issue guidance on these safeguards and conditions in the future.

If the presumption of compatibility does not apply, because the controller cannot meet its conditions, then the controller must identify a separate processing ground (which can be the same as the processing ground for the primary use of the clinical trial data).

Sponsors and investigators should review their processing grounds

When conducting clinical trials, sponsors and investigators should rethink whether they really need to rely on the trial subject’s consent to process personal data, as there are other (possibly more appropriate) processing grounds available. Consequently, they should also review their consent forms. ALTIUS is available to help with such analysis.

Recommended articles

September 05, 2023

The Belgian Competition Authority has declared itself competent to examine mergers and acquisitions between hospitals under its merger control regime, following the Act of 29 March 2021

A lot of uncertainty has existed about the requirement for hospitals to notify M&A transactions to the Belgian Competition Authority (“BCA”). On 28 June 2023, the BCA decided to partially lift the stand-still obligation regarding a concentration between two hospitals, and it further clarified the applicable rules in a follow-up Communication of 14 July 2023.

Read on
July 03, 2023

WEBINAR VIDEO | The New EU Deforestation Regulation: Stay Compliant, Succeed Sustainably

In this Life Sciences session, the experts from our agri-food law team Philippe de Jong and Bart Junior Bollen provided valuable insights into the Regulation's implications and equiped businesses with the necessary knowledge to ensure compliance in this evolving landscape.

Read on
June 16, 2023

Hi ChatGPT, how do you feel about the upcoming EU AI Act?

On 14 June 2023, the European Parliament adopted its positionon the draft AI Act, which brings one step closer an EU regulation for generative AI and other AI systems. This blog gives the highlights of the current draft text, taking into account the newest amendments that have been proposed.

Read on