The new EU Clinical Trials Regulation entered into force. How will the provisions of this regulation interplay with the GDPR – an attempt for answer and more questions

The new EU Clinical Trials Regulation entered into force. How will the provisions of this regulation interplay with the GDPR – an attempt for answer and more questions

After several postponements of the implementation of Regulation (EU) No. 536/2014 on clinical trials on medicinal products for human use (“Clinical Trials Regulation”), the regulation entered into force on the last day of January 2022.

One of the objectives of this Regulation is to ensure safe conduct of clinical trials,through which to generate reliable and robust data. Unlike previous European regulations on this matter, the Regulation entered into force with direct effect fully and completely identically in all EU Member States and in the Member States of the European Economic Area. This Regulation prevails over any national provisions there may be to the contrary.

In the form of online platform known as unified Clinical Trials Information System (CTIS), the Regulation introduces a qualitatively new instrument for centralised approval, registration and exchange of information in cross-border clinical trials carried out in several EU Member States.

In accordance with the objectives set by the Clinical Trials Regulation, namely:

  • improving information-sharing and collective decision-making for clinical trials;
  • increasing the transparency of information оn clinical trials; and
  • ensuring high standards of safety for all subjects participating in the EU clinical trials,

there is no doubt that its provisions will be applied in close interaction with provisions of the General Data Protection Regulation, applicable in the EU (also known as the GDPR). In this regard, the provisions of the Clinical Trials Regulation will raise new and increasingly interesting questions for controllers and processors in the context of the multinational clinical trials.

The implementation of the new unified Clinical Trials Information System (CTIS) undoubtedly implies that huge amount of personal data of subjects participating in the clinical trials from all Member States will be processed in the context of clinical trials. Of course, this process should take place with the highest standard of due care in accordance with the requirements of the General Data Protection Regulation. This protection is extremely important in the context of clinical trials, as the so-called sensitive personal data related to the medical condition of the subjects will be intensively processed.

To what extent can personal data be processed in clinical trials without prejudice any provision of the GDPR? Answer to this question is given by the European Commission in its Opinion on the interplay between the Clinical Trials Regulation and the GDPR. The Commission divides the significant amount of personal data collected and processed in a clinical trial into two categories, namely “primary use” and “secondary use” of data.

The information for the primary use of data is fundamental for the purposes of the clinical trial. This group includes all personal data collected from the start of the clinical trial until its end (including the processes of ensuring market access for the medicinal product and storage of the information, which is collected in accordance with the law within the statutory time limits). With regard to the primary use of data, the provisions of GDPR are fully applicable, and the sponsor of the clinical trial should comply with all requirements of this regulation.

Of course, the main obligation is to be determined the correct basis for the processing of personal data. This will be a process of legal analysis in each specific clinical trial, examining the specific purposes for which the data are collected. For example, the processing of personal data of subjects participating in the clinical trial specifically for the purpose of the study will normally be carried out on the basis of a task carried out in the public interest. Particularly this task is the public health, as provided in the GDPR. Obviously, there is no dispute that the discovery of a therapy for various diseases would benefit society as a whole.

In certain cases, the consent of the subjects participating in the clinical trial may be used as a basis for the processing of personal data. Here, the sponsor should always be careful to ensure that the consent is given freely and without adverse consequences for the subjects participating in the clinical trial. In these cases, should not be missed that from the subject have to be obtained two different consents – one under the Clinical Trials Regulation concerning the participation of the subjects in the clinical trial itself, and another under the GDPR, which relates to the processing of personal data of the subject. Both consents could be formally contained in a common document provided to the subject participating in the clinical trial, but they should be easily identifiable and should have the appropriate legal content.

The processing of personal data in clinical trials in order to ensure the reliability and security of the clinical trial should be carried out on the basis of a legal obligation for the sponsor of the clinical trial. As far as sensitive personal data are concerned, the exception relating to the principle for protection of public health would be also applicable.

Even more interesting questions are raising from the perspective of processing personal data obtained in a clinical trial for the so-called “secondary purposes”, i.e. for purposes unrelated to the intended purposes of the clinical trial. The possibility of processing clinical trial data for a secondary use means that the collected information serves a medical, scientific, or even purely commercial purpose which is not necessarily inherent to the sponsor of the clinical trial but could be identified by him or by another organisation during the clinical trial, or with regard to the subjects, scope, or specific results of the clinical trial. Аnonymised data is indeed commonly used in such cases, i.e. the personal data is rendered anonymous in such a manner that the data subject is not identifiable. Accordingly, the requirements of the GDPR would not be applicable in such cases.

However, it is quite possible to be identified a need of processing of non-anonymised data of the subjects participating in the clinical trial for such “secondary purposes”. In that case the provisions of the GDPR will have to be carefully observed, both in order to find and justify the basis for such processing for new purposes, and in relation to any specific activity with the already collected personal data.

To that end it is essential to be ensured the proper assessment of the basis for processing of personal data of the subjects participating in clinical trial. Through that is ensured the protection of the most sensitive information for the subjects participating in the clinical trial, while ensuring the highest possible degree of reliability of the results of the clinical trial.

Therefore, the application of the Clinical Trials Regulation without a proper analysis of the provisions of the GDPR poses risks, arising from breach of essential requirements, both in terms of the quality of the results collected in the clinical trial and in relation to the regulatory compliance of data processing activities, the purposes of the clinical trial and for other possible secondary purposes.

For further information contact:
Ilya Komarevski, Partner
ilya.komarevski@kdp-law.com
Mileslava Bogdanova-Misheva, Senior Associate
mileslava.bogdanova@kdp-law.com