Data Protection Law in Clinical Trials – A European Overview

Clinical trials serve to continuously improve diagnostic and therapeutic procedures and are thus an indispensable part of medical progress. Inseparably linked to clinical trials are tests and examinations carried out on patients.

Therefore, a large amount of health and genetic data is generated and evaluated. It is of significant importance that clinical trials are compatible with data protection laws.

When designing clinical trials, trial sites and sponsors must ensure in due time that the right path is set in terms of data protection law. This is not an easy task when clinical trials are conducted in different European countries. This is because Art. 9 para. 2 and 4 of the General Data Protection Regulation (“GDPR”) contains so-called opening clauses, according to which the Member States can enact national legislation for the processing of health data. At the same time, different requirements have emerged based on opinions of local data protection authorities. Therefore, numerous legal provisions and guidance at local levels exists that must be considered when processing personal health data in the context of clinical trials.

We have therefore taken a closer look at the following data protection topics in the European context and summarized them in a Local Country Report:

Assignment of responsibilities under data protection law

Clinical trials involve numerous actors who are granted access to personal research data (e.g. sponsors, trial sites, clinical research organizations). The key element for clinical trial agreements is that the data protection roles of the actors are correctly defined and the necessary data protection requirements are fulfilled (e.g. Data Processing or Joint Controller Agreement).

It is striking that despite the EU-wide application of the GDPR, there is considerable legal uncertainty as to whether and when these actors (jointly or solely) are qualified as data controllers or processors under data protection law. This concerns in particular the data protection role of the trial site.

The local data protection authorities sometimes have very different views on this. In some countries (e.g. in Germany, Austria and Belgium), the trial site and the sponsor usually are qualified as joint controllers within the meaning of Art. 26 GDPR. In other countries (e.g. in France, Portugal and the UK) the trial site is usually qualified as a processor of the sponsor.

In the Guidelines 7/2020 (Version 2.1, p. 23), the European Data Protection Board (“EDPB”) decides depending on the individual case and focuses on the characteristics of the involvement of the trial site in the development of the study protocol. A consistent assessment of the distribution of roles is therefore not possible.

In our Local Country Report, we show you which data protection roles you typically have to expect in the respective European countries when drafting study agreements.

Legal basis for data processing in the context of primary use

For the processing of health data in the context of conducting clinical trials (so-called primary use), the correct legal basis for the data processing must be identified, which meets the specific requirements of Art. 9 GDPR.

Here, too, different views have emerged in the individual European countries. For example, some specific data protection laws (e.g. in Germany) always require the consent of the trial subject under data protection law (Art. 9 para. 2 lit. a GDPR). While other countries (e.g. France, Belgium and the UK) allow data processing without consent on the basis of the general research privilege (Art. 9 para. 2 lit. j GDPR). The latter complies with the guidelines of the EDPB in its Opinion 3/2019.

In our Local Country Report, we show you the legal bases on which data processing can be based on in the context of primary use and whether you may have to consider a specific data protection consent in informed consent form or whether a general privacy notice may be sufficient.

Legal basis for data processing in the context of secondary use

As with primary use, secondary use, i.e. the further processing of already obtained personal research data for downstream research purposes, raises the question of whether and under what conditions such data processing is permissible. Here, too, different views have emerged in the European countries. However, the legal regulations and regulatory requirements (if any) are very inconsistent.

In some countries, secondary use must be based on separate consent (Art. 9 para. 2 lit. a GDPR). In some cases, broad consent is considered permissible (e.g. in Spain, Austria and the UK), which can already be obtained in the context of primary use. In other countries, however, broad consent is rejected due to a lack of transparency. Here, either a new consent must be obtained (e.g. in Italy and Hungary), which is very elaborate in practice, or the data processing – if recognized in the respective countries – must be based on the so-called research privilege (Art. 9 para. 2 lit. j GDPR) (e.g. in France, Belgium and the UK). In some cases, official authorisation may be required (e.g. in Denmark and Sweden). In any case, the EDPB indicated in its Opinion 3/2019 (p. 8 f.) that other legal bases for processing (such as Art. 9 para. 2 lit. i or lit. j GDPR) may come into consideration in addition to consent.

In our Local Country Report, we show you the legal bases on which data processing can be based on in the context of secondary use and whether you may need to obtain broad consent under data protection law in the context of primary use or whether you can rely on the general research privilege in the context of such further processing. This may for example have an impact on the choice of research location.

Download Local Country Report here

Please note that the Local Country Report is for general information purposes only and cannot replace legal advice on a case-by-case basis. Please do not hesitate to contact us if you require an assessment in an individual case. With our international network, we are able to support you quickly and efficiently with a single point of contact.