EDPB adopts an opinion on the GDPR and Clinical Trials Regulation –clarifying the basis for processing personal data in a clinical trial context

On the 23 January 2019, the European Data Protection Board (the EDPB) adopted an opinion on the interplay between the EU Clinical Trials Regulation (536/2014) (the CTR) and the General Data Protection Regulation (2016/679) (the GDPR) (the Opinion).

The Opinion aims to provide greater certainty for those conducting clinical trials, clarifying:

• the distinction between consent requirements under the CTR and the GDPR;
• perhaps most importantly, that there is no one legal basis that must be relied upon in all instances of personal data processing for clinical trials - depending on context, different approaches are possible; and
• the distinction between primary and secondary use of personal data, ie processing within the clinical trial and processing for scientific purposes outside the clinical trial protocol.

The case-by-case view taken by the Opinion is unsurprising given the many debates between countries, organisations and regulatory bodies as to which legal basis is most appropriate when processing clinical trial data, with, in some instances, contradictory views held.
As a result, data controllers operating in the field of clinical trials would be well advised to review their approach to legal basis and determine whether they are sufficiently aligned with the Opinion.

In any event, care should be taken to ensure the legal basis relied upon is genuinely satisfied and, for example, the data controller does not fall foul of the more stringent GDPR conditions for consent, particularly when dealing with ill or vulnerable people.

Distinction between the CTR and the GDPR
Helpfully, the Opinion explains that both the GDPR and the CTR apply simultaneously and that whilst the CTR contains specific data protection provisions, it does not allow derogation from the GDPR.
The opinion also clarifies that “informed consent” provided under the CTR with respect to participation in a clinical trial is not the same as consent to process personal data under the GDPR. The EDPB explains that whilst CTR informed consent may still be possible even where there is be a clear imbalance of power between the participant and the sponsor/investigator, such an imbalance of power would not enable consent to be “freely given” as required under the GDPR.

Processing of personal data during a clinical trial
The Opinion identifies the following two main categories of processing activities during clinical trials:

• processing operations relating to the protection of health activities (reliability and safety related purposes), and
• processing operations relating to research activities.

The Opinion sets out that processing operations relating to reliability and safety purposes can be performed on the basis of the controller's legal obligations, such as those arising out of the CTR itself regarding safety reporting, archiving of master files, or disclosure of clinical trial data (Article 6(1)(c)). In the case of special categories of data, the Opinion suggests that the legal basis of necessity for reasons of public interest in the area of public health (Article 9(2)(i)) would be appropriate.

In contrast, the Opinion considers that processing operations related to research activities in the context of clinical trials may be processed on the basis of:

• a data subject’s explicit consent (which could also justify the processing of special categories of personal data, Article 6(1)(a) and 9(2)(a)); or alternatively,
• the legitimate interests of the controller (Article 6(1)(f)), or performance of a task carried out in the public interest (Article 6(1)(e)) with Article 9(2)(i) or (j) relied upon if processing special categories of data (necessity for reasons of public interest in the area of public health or necessity for archiving purposes in the public interest, scientific or historical research or statistical purposes).

As noted above, an imbalance of power such as that arising when a trial participant is ill, from a disadvantaged group or in a situation of dependency, may prevent a data controller obtaining “freely given” GDPR consent and alternative legal basis may be required. The Opinion suggests that a particularly thorough assessment of circumstances of the trial should be carried out before consent is relied upon as the legal basis for processing personal data.
According to the Opinion, whether or not the “public interest” legal basis can be relied upon will depend on whether the clinical trials fall “within the mandate, missions and tasks vested in a public or private body by national law”. This may not always be possible in the context of commercial data controllers.
And data controllers should be mindful that their legitimate interest to process personal data in the context of a clinical trial will need to be balanced against those of the individual and this legal basis cannot be relied upon if overridden by the interests or fundamental rights and freedoms of the individual.
To the extent any consent to process personal data is withdrawn by a trial subject, processing carried out in reliance on an alternative legal basis (eg processing relating to reliability and safety) need not be affected. The Opinion also clarifies that withdrawal of informed consent under the CTR is not the same as withdrawal of consent under the GDPR.

Distinction between primary and secondary processing
Separately, the Opinion addresses the question of the legal basis to process personal data in the case of secondary use, for scientific purposes outside the scope of the clinical trial protocol.
It is not possible to rely solely on CTR consent to do so and a separate GDPR legal basis to process is required. That said, the legal basis may be the same or different to that relied upon for primary data processing.
Perhaps more importantly, the Opinion confirms that secondary use for scientific research shall not be considered incompatible with primary use (subject to compliance with safeguard requirements) and therefore, the controller may be able to further process the personal data without reliance upon another legal basis. However, the EDPB does acknowledge that further guidance will be required on this point.