Conducting clinical trials in the GDPR era

by Asst. Prof. Dr. Komninos Komnios
Attorney at law (GR), Accredited Mediator

The European Data Protection Board (EDPB) has issued an Opinion[1] discussing the interplay between the Clinical Trials Regulation (CTR)[2] and the General Data Protection Regulation (GDPR)[3]. The present paper focuses on discussing these guidelines for the processing of personal data in the context of clinical trials under the GDPR.

1 Introductory remarks

On 23.01.2019, after a request for consultation and in accordance with Article 70 GDPR, the EDPB issued Opinion 3/2019, in response to the document “Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection regulation (GDPR)” (hereafter the “Q&A”)[4], submitted by the European Commission (DG SANTE). The Opinion focuses on identifying the appropriate legal ground for processing personal data when conducting clinical trials.

It is almost commonplace that, since 25.05.2018, the GDPR, which provides for a single set of data protection rules in the EU, is directly applicable in the Member States’ legal orders (Article 288 para. 2 TFEU). The objective of the GDPR is to establish rules relating a) to the protection of natural persons with regard to the processing of personal data and b) to the free movement of personal data. In this respect, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States[5].

On the other hand, the CTR, a Regulation aiming at ensuring a greater level of harmonisation of the rules for conducting clinical trials on medicinal products for human use throughout the EU, entered into force on 16.06.2014. More specifically, the CTR harmonises the processes of assessing and monitoring clinical trials across the EU, through a Clinical Trials Information System (CTIS). CTIS shall contain the centralised EU portal and database for clinical trials laid down by the CTR. The European Medicines Agency (EMA), the Member States and the European Commission shall collaborate in establishing and maintaining CTIS. However, the start of CTR application has been postponed until the development of CTIS. It is currently estimated that the application of the CTR will commence this year[6].

According to Article 3(b) CTR, the purpose of a clinical trial is to generate reliable and robust data. Thus, its relevance to the GDPR is obvious. In order to address the need for compliance, Article 93 CTR provides that “Member States shall apply Directive 95/46/EC [now repealed by the GDPR[7]] to the processing of personal data carried out in the Member States pursuant to this Regulation”.

Furthermore, Recitals 156 and 161 GDPR make explicit reference to the relevant EU legislation applicable for clinical trials. According to Recital 161, “[f]or the purpose of consenting to the participation in scientific research activities in clinical trials, the relevant provisions of Regulation (EU) No 536/2014 of the European Parliament and of the Council should apply”.

In its Opinion the EDPB clarifies that the CTR and the GDPR are not hierarchically related, but serve different purposes and apply in parallel. Thus, from a data protection point of view, the CTR is a sectoral law applicable simultaneously with the provisions of the GDPR. It contains specific provisions but no derogations to the GDPR[8].

For non-sensitive personal data to be processed lawfully, the processing must comply with one of the lawful grounds for making data processing legitimate, listed in Article 6 GDPR. As regards special categories of data (or sensitive data)[9], Article 9 GDPR prohibits their processing. Deviations from the general prohibition on processing sensitive data may be made only in the cases specified exhaustively in Article 9 para. 2 GDPR.

Following the view of the Q&A, the EDPB stresses that in the context of clinical trials, there is a primary and secondary use of personal data, and that different legal grounds may be applicable given that the relevant processing operations may pursue different purposes.

According to the EDPB, for the purpose of its Opinion, “all processing operations related to a specific clinical trial protocol during its whole lifecycle, from the starting of the trial to deletion at the end of the archiving period, shall be understood as primary use of clinical trial data”.

2 Legal bases of data processing in the context of clinical trials

In the context of clinical trials, the EDPB distinguishes “processing operations purely related to research activities from processing operations related to the purposes of protection of health, by setting standards of quality and safety for medicinal products by generating reliable and robust data (reliability and safety related purposes)”[10]; for these two main categories of processing activities different legal grounds may be appropriate.

According to the principle of accountability (Articles 5 para. 2 and 24 GDPR), the data controller (i.e. the sponsor/clinic-institution or the investigator) is responsible for determining the correct legal basis for personal data processing in the context of a clinical trial, since the controller must ensure that the processing operations carried out in the context of a clinical trial comply with all the data protection rules in the GDPR.

2.1 Processing operations related to reliability and safety purposes

In the view of the EDPB, all processing operations expressly provided for in the CTR and in the relevant national provisions and connected with the purposes of reliability and safety may be regarded as “legal obligations to which the controller is subject” under Article 6 para. 1 lit. c) GDPR (“processing is necessary for compliance with a legal obligation to which the controller is subject”)[11].

According to Article 29 Working Party Opinion 6/2014[12], for this legal ground to apply, “… the obligation must be imposed by law (and not for instance by a contractual arrangement). The law must fulfil all relevant conditions to make the obligation valid and binding, and must also comply with data protection law, including the requirement of necessity, proportionality and purpose limitation”.

For example, the processing of personal data in the context of safety reporting[13] or in the context of an inspection by a national competent authority[14], or the retention of clinical trial data[15] in accordance with archiving obligations set up by the CTR, may rely on Article 6 para. 1 lit. c) GDPR as legal basis.

When special categories of data are processed in the context of the above legal obligations, Article 9 para. 2 lit. i) GDPR shall apply: “processing is necessary for reasons of public interest in the area of public health, such as […] ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law, which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy”.

2.2 Processing operations purely related to research activities

Processing operations purely related to research activities in the context of a clinical trial cannot rely on a legal obligation as their legal basis. However, other legal grounds may be used for guaranteeing lawful processing for these activities, i.e. the data subject’s explicit consent (Article 6 para. 1 lit. a) in conjunction with Article 9 para. 2 lit. a) GDPR), or a task carried out in the public interest (Article 6 para. 1 lit. e) GDPR), or the legitimate interests of the controller (Article 6 para. 1 lit. f) GDPR in conjunction with Article 9 para. 2 lit. i) or j) GDPR)[16].

2.2.1 Consent – explicit consent

In harmony with the Q&A, the EDPB clarifies that “informed consent” under the CTR must be distinguished from the notion of consent as a legal ground for legitimate data processing. Within the CTR framework[17] the obligation to obtain the informed consent of participants in a clinical trial serves primarily as an ethical standard or procedural obligation; it is above all a measure designed to protect human dignity and the right to integrity of individuals, as laid down in Articles 1 and 3 of the Charter of Fundamental Rights of the EU. Thus, it is not understood as an instrument for compliance with data protection rules[18], but it could be considered as an additional safeguard[19].

On the other hand, according to Article 4 No. 11 GDPR, consent as a legal ground for processing must be freely given, specific, informed and unambiguous. Moreover, explicit consent is required when the processing of special categories of data, such as health data, occurs (Article 9 para. 2 lit. a) GDPR).

Furthermore, the EDPB refers to the Article 29 Working Party Guidelines on consent[20] as a roadmap for evaluating whether the consent of the data subject may be used as a valid legal ground for processing activities within the framework of a clinical trial. Moreover, data controllers should also take due account of the new EDPB Guidelines on consent[21], and consider whether all conditions for a valid consent can be met in the specific circumstances of the clinical trial.

2.2.1.1 “Freely given consent”

The EDPB recalls that for the consent to be considered as “freely given” the data subject must be offered a real choice. Of course, in assessing whether consent is freely given, the specific situation should be taken into account. As a principle, the GDPR stipulates that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. Furthermore, the notion of imbalance of power between the controller and the data subject is also taken into consideration when assessing whether consent is freely given[22].

The EDPB points out that in the context of clinical trials, depending on the circumstances of the individual case, there may be an imbalance of power between the sponsor or investigator and the participant[23]. For the data controller, this means that particular attention must be paid to the participants having a real choice. Otherwise consent will be an invalid basis for processing, rendering the processing activity unlawful. For example, there may be a clear imbalance if the participant is in poor health, belongs to an economically or socially disadvantaged group or is in institutional or hierarchical dependence[24]. The controller should therefore be advised to pay particular attention to the circumstances of the clinical trial in question.

Accordingly, Recital 31 CTR suggests that “the investigator should take into account all relevant circumstances which might influence the decision of a potential subject to participate in a clinical trial, in particular whether the potential subject belongs to an economically or socially disadvantaged group or is in a situation of institutional or hierarchical dependency that could inappropriately influence her or his decision to participate”.

2.2.1.2 Informed consent

No less important is the criterion of the informed consent. The consent of the data subject must be given in full knowledge of the facts. One of the fundamental principles of the GDPR is the principle of transparency (Article 5 para. 1 lit. a) GDPR). It is of central importance to provide the data subject with certain elements that are crucial to make a choice before consent is given in order to enable them to make an informed decision and understand the consequences of their decision.

The EDPB in the Guidelines 05/2020 on consent under Regulation 2016/679 points out that for consent to be informed and thus valid, at least the following information is required[25]:

i. the controller’s identity,

ii. the purpose of each of the processing operations for which consent is sought,

iii. what (type of) data will be collected and used,

iv. the existence of the right to withdraw consent,

v. information about the use of the data for automated decision-making in accordance with Article 22 para. 2 lit. c) GDPR where relevant, and

vi. information on the possible risks of data transfers due to absence of an adequacy decision and of appropriate safeguards as described in Article 46 GDPR.

When asking for consent, controllers should ensure that clear and simple language is used in all cases. This means that a message must be easily understood by the average person, not just lawyers.

In the context of clinical trials, when providing the above information, explicit reference has to be made to the fact that consent is required for the processing of health data. Before consent is obtained, the data subject must be specifically informed about all processing activities. Moreover, for transparency reasons, any data transfers, e.g. to the sponsor, to the regulatory authority or to the centralised EU portal and database for clinical trials (Article 40 para. 1 CTR), must also be addressed. In addition, the data subject must be informed about their right to withdraw consent (Article 7 para. 3 GDPR) and about the fact that withdrawal only has “ex nunc” effect.

2.2.1.3 Withdrawal of consent

The withdrawal of consent as a legal ground for legitimate data processing must likewise be distinguished from the withdrawal of informed consent under Article 28 para. 3 of the Regulation on clinical trials.

Article 28(3) CTR provides that, “without prejudice to Directive 95/46/EC [now repealed by the GDPR[26]]”, withdrawal of the informed consent to participate in a clinical trial shall not affect any activities already carried out and the use of data obtained on the basis of the informed consent before that withdrawal.

On the other hand, if consent is used as a lawful basis for processing, the data subject shall have the right to withdraw their consent at any time and without giving any reasons. The EDPB stresses that this rule knows no exceptions even for scientific research. However, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal (Article 7 para. 3 GDPR). In any case, the controller is obliged to stop the processing activities and delete the data, where there is no other legal ground for the processing (Art. 17 para. 1 lit. b) and para. 3 GDPR).

In the event of withdrawal of the data subject’s consent, all research activities carried out with clinical trial data relating to that subject shall have to be discontinued. However, the withdrawal of consent would not affect processing operations based on other legal bases, in particular legal obligations (for example with regard to safety) to which the sponsor or investigator is subject[27].

To conclude, where consent is used as a lawful basis, it is advisable that the investigator determines with the trial subject whether their withdrawal of consent under the CTR relates solely to participation in trial activities or whether they also withdraw consent to the processing of their data. It goes without saying that if processing of personal data is based upon another lawful ground, the withdrawal of consent to participate in a clinical trial under the CTR shall not affect the processing of personal data gathered in the context of that clinical trial.

In the view of the EDPB, the legal grounds of processing provided under Article 6 para. 1 lit. e) or Article 6 para. 1 lit. f) GDPR are more appropriate in comparison with consent.

2.2.2 Task carried out in the public interest

According to Article 6 para. 1 lit. e) GDPR, processing of personal data is allowed where such processing is necessary for the performance of a task carried out in the public interest on the basis of an EU or national law. More specifically, Article 6 para. 1 lit. e) GDPR provides that processing shall be lawful only if and to the extent that it “is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.

The processing of personal data relating to clinical trials may be considered necessary for the performance of a task carried out in the public interest where “the conduct of clinical trials falls directly within the mandate, tasks and mission assigned to a public or private body under Union or national law[28]” in safeguarding public health.

2.2.3 Legitimate interest of the controller

In cases where the conduct of clinical trials cannot be considered as necessary for the performance of the public interest tasks vested in the controller by law, the EDPB points out that the processing of personal data could be “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject” following Article 6(1)(f) GDPR.

However, for all situations where clinical trials include processing operations of sensitive data for purely research purposes, Article 9 para. 2 GDPR provides for two relevant exceptions from the general prohibition of processing special categories of personal data: “reasons of public interest in the area of public health […] on the basis of Union or Member State law” (Article 9 para. 2 lit. i) GDPR), or “scientific … purposes in accordance with Article 89(1) based on Union or Member State law” (Article 9 para. 2 lit. j) GDPR).

3 Secondary use of clinical trial data

In its Opinion, the EDPB observes that the CTR addresses the issue of secondary use in Article 28(2) with a particular focus on consent. This secondary use deals exclusively with situations where the sponsor wishes to use the subject’s data “outside the clinical trial protocol”, but only – and “exclusively” – for scientific purposes.

According to the CTR, consent to this specific processing should be obtained from the trial subject or their legal representative at the time when informed consent to participate in the clinical trial is requested. Since consent to the clinical trial and data protection consent must be distinguished, this cannot apply to the subject’s consent to data processing[29].

The principle of purpose limitation under the GDPR requires that each processing operation must correspond to the primary purposes established when the data were collected. Since data processing for a different purpose is no longer covered by the previous purpose, but is a “new” data processing operation, all conditions must be met for this as well. In other words, any further use of data for scientific purposes, other than the ones defined by the clinical trial protocol, is only permissible if it can be based on the consent of the data subject or if it is covered by another legal ground.

However, a change of purpose requiring a new legitimisation under data protection law only occurs if further processing is not compatible with the initial purposes of processing (Article 5 para. 1 lit. b) GDPR). The benchmark for compatibility is the initial purpose defined at the time of collection. The compatibility test requires an evaluative comparison between the initial purpose and the secondary purpose. Whether the new purpose is compatible with the primary purpose usually depends on the specific case.

In this respect, Article 5 para. 1 lit. b) GDPR provides for a presumption of compatibility according to which further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89 para. 1 GDPR[30], not be considered to be incompatible with the initial purposes. In such a case, according to Recital 50 GDPR, “no legal basis separate from that which allowed the collection of the personal data is required”.

This flexibilisation of the purpose limitation principle does not exempt the responsible party from examining the compatibility of the secondary purpose with the initial purpose under Art. 6 para. 4 GDPR in each individual case. As a rule, however, it may be assumed that compatibility exists. This means that further processing, for scientific research purposes, of personal data which were collected for other purposes is generally possible without a separate legal basis[31].

In line with the above remarks, the EDPB argues that “the presumption of compatibility, subject to the conditions set forth in Article 89, should not be excluded, in all circumstances, for the secondary use of clinical trial data outside the clinical trial protocol for other scientific purposes”. However, the application of the presumption of compatibility has no influence on the other obligations of the data controller under data protection law. Regarding the applicability of the presumption, the EDPB promises further guidance.

4 Conclusions

The application of the relevant data protection provisions in the area of clinical trials is complex and requires a look at different pieces of legislation. The investigator and the sponsor have no choice but to draw up a comprehensive data protection concept before the start of a clinical trial and to check the legality of the intended data processing. The EDPB opinion on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation has successfully addressed its purpose and provides a first solid basis of guidance for the investigator and sponsor.


[1] EDPB, Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection regulation (GDPR).
[2] Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC, OJEU L 158 27/05/2014.
[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJEU L 119 04/05/2016.
[4] Question and Answers on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation.
[5] Recital 10 GDPR.
[6] Opinion 3/2019, p. 3.
[7] Article 94 para. 1 GDPR.
[8] Opinion 3/2019, p. 3.
[9] Special categories of personal data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; data concerning health; or data concerning an individual’s sex life or sexual orientation, as well as genetic data and biometric data for the purpose of uniquely identifying an individual, Art. 9 para. 1 GDPR.
[10] Opinion 3/2019, p. 4.
[11] Opinion 3/2019, p. 4.
[12] Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, p. 19.
[13] Article 41 to 43 CTR.
[14] Article 77 to 79 CTR.
[15] Article 58 CTR.
[16] Opinion 3/2019, p. 5.
[17] Provisions of Chapter V CTR on informed consent, in particular Article 28 CTR.
[18] Opinion 3/2019, p. 6.
[19] See also Recital 161 of the GDPR.
[20] Article 29 Working Party Guidelines on consent under Regulation 2016/679 of 10 April 2018, as endorsed by the EDPB on 25 May 2018.
[21] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679.
[22] See also Recital 43 GDPR.
[23] Opinion 3/2019, p. 6.
[24] Opinion 3/2019, p. 7.
[25] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679.
[26] Article 94 para. 1 GDPR.
[27] Opinion 3/2019, p. 7.
[28] Opinion 3/2019, p. 7.
[29] Opinion 3/2019, p. 8.
[30] Article 89 para. 1 GDPR: “Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner”.
[31] Roßnagel, Datenschutz in der Forschung, ZD 2019, p. 162.
