Clinical Trials and the GDPR: What Non-EU Sponsors Should Consider

Sponsors outside of the EU that conduct clinical trials in the EU should consider the far-reaching impact of the GDPR, including case law and opinions of regulators, to determine whether the GDPR will apply to them. Sponsors based outside of the EU occasionally operate under the incorrect assumption that the GDPR does not apply to their clinical trials because the sponsor receives merely key-coded data and only the contract research organization (CRO) and staff at clinical trial sites will have access to the uncoded patient data.

This raises the question: Is key-coded data considered personal data under the GDPR?

A 2016 decision by the Court of Justice of the European Union (CJEU) may provide some guidance. The CJEU, in the case of Breyer v. Bundesrepublik Deutschland, specifically considered whether key-coded personal data (in this case an IP address) could be considered personal data in the context of Directive 95/46/EC (the GDPR’s predecessor). The CJEU held that key-coded data in the hands of one party (even if another party holds the key) could, in some circumstances, be personal data if that first party has the “means likely reasonably to be used” to access the key and to combine the key with the key-coded data. However, the question as to whether a sponsor, holding health-related key-coded data, has the means likely reasonably to be used to access the key must still be answered by the supervisory authorities or the CJEU.

Opinion 4/2007 (WP136) of the former Article 29 Working Party could shed some light on this uncertainty. When considering the same question, the Working Party was of the view that clinical key-coded data held by sponsors should be considered personal data since “the identification of individuals (to apply the appropriate treatment in case of need) is one of the purposes of the processing of the key-coded data”. The Working Party based its conclusion on the fact that the sponsor would have determined the means of the processing and the measures under which a CRO should hold the key to the key-coded data. In this case, the Working Party held that “identification of the individuals is not only something that may happen, but rather as something that must happen under certain circumstances”.

The view of the Working Party is further supplemented in the European Commission’s 2019 whitepaper Questions and Answers on the interplay between the draft Clinical Trials Regulation and the GDPR. In its Q&A paper, the Commission held that sponsors situated outside of the EU that process personal data in the context of managing a clinical trial in the EU will be subject to the provisions of the GDPR in its entirety, “including the obligation to designate a representative in the EU (Article 27 GDPR)”.

In summary, a clinical trial sponsor cannot escape the far-reaching territorial scope of the GDPR simply because it is not based in the EU. A legal assessment, based on the specific facts surrounding the sponsor’s activities in the EU, must be performed to determine whether the GDPR applies to a sponsor outside the EU. However, generally speaking, if your organization is sponsoring clinical trials in the EU, personal data processed in the context of such trials will almost certainly be regulated by the GDPR.

VeraSafe assists many healthcare organizations and related service providers outside the EU in complying with their GDPR obligations. Here’s what Kim Kundert, Vice President of Operations for VirTrial, a market-leading telehealth provider, has to say about VeraSafe’s services:

“VirTrial has been using VeraSafe for the past two years to assist with questions and needs relating to the EU and for guiding us through the GDPR process. VeraSafe was very helpful in walking us through the Privacy Shield certification process last year. Their team is responsive and knowledgeable.”

Kim Kundert, Vice President of Operations for VirTrial

How Can a Non-EU Organization Appoint VeraSafe as its Representative in the EU?

Numerous clinical trial sponsors have made use of VeraSafe’s Article 27 Representative Program by appointing VeraSafe to act as an EU data protection representative through VeraSafe’s establishments in the Czech Republic, the Netherlands, Ireland, and the United Kingdom. Likewise, VeraSafe serves as the Data Protection Officer for pharmaceutical companies sponsoring clinical trials in the EU.

“I am confident in the ability of VeraSafe’s European subsidiary to provide Techsol with services to help us meet the requirements of GDPR Article 27. This is because of VeraSafe’s long-term commitment and experience handling data security and privacy issues, especially in the EU.”

Richard Lipman, Data Protection Officer for Techsol Corporation

EU data protection authorities expect that your representative will be able to engage in productive and informed dialogue regarding your organization’s data protection practices. As your data protection representative in the EU, our in-house team of EU and U.S. attorneys, data protection consultants, and IT security experts is well equipped to interface with EU regulators on your behalf.

Click here if you would like to learn more about the appointment of an EU data protection representative under Article 27 of the GDPR.

Need a GDPR Expert?

If you would like to learn more about VeraSafe’s services, schedule a free consultation with a VeraSafe GDPR expert today.

Contact VeraSafe to discuss your data security management and privacy program today.