Clinical Trials and the GDPR: do I really need the participant’s consent?
On 23 January 2019, the European Data Protection Board (EDPB) issued its Opinion 3/2019 on the interplay between the General Data Protection Regulation (GDPR; applying since 25 May 2018) and the Clinical Trials Regulation (CTR; probably applying from 2020). In its Opinion, the EDPB has provided clarification on the GDPR’s application on the processing of personal data in the context of clinical trials. In particular, the EDPB has provided guidance on the appropriate processing ground for the processing of personal data in the context of clinical trials (primary use) and in the context of other scientific purposes (secondary use). The EDPB has concluded that, even though the CTR requires the informed consent of the participant for him/her to participate in the trial, it is not necessary to obtain the participant’s consent under the GDPR to process his/her personal data. According to the EDPB, other processing grounds are possible.
GDPR applies to clinical trials
During clinical trials, the investigators and sponsors must always process personal data. Consequently, the investigators and sponsors must take into account the GDPR’s provisions. As the EDPB recalls: “the CTR constitutes a sectoral law containing specific provisions relevant from a data protection viewpoint but no derogations to the GDPR”. Indeed, the CTR stipulates that the GDPR must apply to the processing of personal data carried out under the CTR.
Processing grounds in the context of clinical trials (primary use)
According to the EDPB, “all processing operations related to a specific clinical trial protocol during its whole lifecycle, from the starting of the trial to deletion at the end of the archiving period, shall be understood as primary use of clinical trial data”. However, not all processing activities pursue the same purpose and fall under the same processing ground. It is necessary to distinguish two main categories of processing activities during the lifecycle of a clinical trial: (i) processing activities related to reliability and safety purposes and (ii) processing activities purely related to research activities. These two main categories fall under different processing grounds.
Processing ground for reliability and safety purposes:
The EDPB believes that the processing activities expressly provided by the CTR (or similar national provisions) that relate to reliability and safety purposes can fall within the processing ground “legal obligation(s) to which the investigator/sponsor is subject”. This is especially the case for (i) obligations relating to the performance of safety reporting, (ii) obligations concerning the archiving of the clinical trial master files and the medical files of the test subjects, and (iii) obligations to disclose clinical trial data to national authorities during inspections.
Processing ground for research activities:
Processing activities purely related to research activities, however, cannot be derived from a legal obligation. For these processing activities, the investigators/sponsors will need to invoke another processing ground. The EDPB has proposed 3 alternatives:
- Explicit consent: it is important to note that the ‘informed consent’ set out by the CTR is not the same as the processing ground ‘consent’ set out by the GDPR. Moreover, the EDPB believes that even if you meet the conditions for obtaining an informed consent under the CTR, this does not mean that you will have a valid consent under the GDPR. The EDPB believes that consent will often not be “given freely” within the meaning of the GDPR.
- Tasks carried out in the public interest: the processing of personal data in the context of clinical trials can be considered as necessary for the performance of a task carried out in the public interest when the clinical trial directly falls within the mandate, missions and tasks vested in a public or private body by national law.
- The controller’s legitimate interests: for all other situations in which the conduct of clinical trials cannot be considered as necessary for the performance of the public interest tasks vested in the controller, the EDPB believes that the processing can be necessary for the purposes of the legitimate interests pursued by the controller or a third party.
According to the EDPB, the data subject’s consent will mostly not be the most appropriate processing ground. A controller must conduct a thorough assessment of the circumstances of the clinical trial before relying on consent as a processing ground. According to the EDPB, controllers should investigate whether the other processing grounds are more appropriate.
Processing ground outside the context of clinical trials (secondary use)
The EDPB has acknowledged that controllers might want to process the clinical trial subject’s data outside the scope of the protocol of the clinical trial for scientific purposes. According to the EDPB, a controller can possibly rely on the presumption of compatibility, following which the further processing of personal data for scientific research purposes will not be considered as incompatible with the initial purpose, provided that the controller adheres to specific adequate safeguards and conditions. This means that the controller does not need to identify a new processing ground for this secondary use. The EDPB will issue guidance on these safeguards and conditions in the future.
If the presumption of compatibility does not apply, because the controller cannot meet its conditions, then the controller must identify a separate processing ground (which can be the same as the processing ground for the primary use of the clinical trial data).
Sponsors and investigators should review their processing grounds
When conducting clinical trials, sponsors and investigators should rethink whether they really need to rely on the trial subject’s consent to process personal data, as there are other (possibly more appropriate) processing grounds available. Consequently, they should also review their consent forms. ALTIUS is available to help with such analysis.
Recommended articles
Belgium gears up to enforce the EU Deforestation Regulation
The EU Deforestation Regulation (EUDR) was published on 9 June 2023 and came into force on 29 June 2023. Member States, including Belgium, must establish legal frameworks for enforcement.
Read onEU Court of Justice interprets import ban on Chinese animal products: fish oil for feed is not an exempted “fishery product”
On 21 March 2024, the EU Court of Justice (‘CJEU’) handed down its ruling in case C‑7/23, concerning a dispute between a feed company and the Federal Agency for the Safety of the Food Chain. The parties differed in their interpretation of an EU import ban on products of animal origin coming from China. The Council of State sought the CJEU’s guidance.
Read onCJEU balances strict obligations for wholesalers of medicines with proportional penalties
On 21 September 2023, the EU Court of Justice ('CJEU’) handed down its ruling in the Apotheke B. case (C-47/22), and it is a good example of the high threshold set by the EU Court of Justice to uphold the Community Code’s main aim of protecting public health.
Read on