The interaction between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR)
On January 31, 2022, the new Clinical Trials Regulation 536/2014 (hereinafter CTR) entered into force. With the implementation of the CTR, greater emphasis has been placed on protecting personal data during clinical trials.
In this blog, we will discuss the importance of CTR and how it interacts with GDPR.
1. Emergence of the CTR
The CTR entered into force on Jan. 31, 2022, replacing the Clinical Trials Directive (EC) No. 2001/20/EC. It applies to all clinical trials conducted in the EU.
A clinical trial is a study conducted to assess the safety or efficacy of a drug. Often, human volunteers will cooperate in these clinical trials by, for example, donating their blood.
The goal of the CTR is to create a more consistent and favorable environment for large-scale clinical research, with high standards of transparency and safety for clinical trial participants.
To ensure this transparency and safety, the CTR introduced the Clinical Trial System (hereafter CTIS). The CTIS is a clinical trials database in which drug research data are submitted, recorded and accessed. In addition, submission of drug research for medical, ethical review also takes place through CTIS.
The CTR harmonizes the assessment, authorization and supervision procedure for clinical trials across the EU by requiring sponsors to submit their trial applications through the CTIS portal. In addition, the CTIS database aims to increase transparency by making information on clinical trials and their results accessible to the public.
2.Interaction between the CTR and the GDPR
Both legislations are
applicable, with the CTR as a sectoral law containing specific provisions relevant from a data protection perspective. According to the EDPB, the CTR contains no deviations from GDPR requirements.
The CTR regulates the conduct of clinical trials by establishing regulations to ensure the “rights, safety, dignity and well-being of subjects and to ensure that trials produce reliable and robust data. The GDPR ensures the protection of individuals with respect to the processing of their personal data (i.e., any information about an identified or identifiable person), including personal data about health.
Personal data concerning health:
They include all data regarding a subject’s health status. These data may include information about the person’s past, present or future physical or mental health status.
Often the subject will be assigned a number, symbol or attribute to uniquely identify him for health purposes. In addition, in the context of clinical trials, Information derived from the testing or examination of a body part or body substance, including genetic data and biological samples; and any information about, for example, an illness, disability, disease risk, medical history, clinical treatment, or the physiological or biomedical condition of the individual will also often be exchanged.
These are undoubtedly (sensitive) personal data that fall under the principles of the GDPR. This is true even if the trial data is no longer identified (or “pseudonymized”), as such data is still personal data under the GDPR.
On the one hand, the CTR provides that the GDPR should be applied to data processing that takes place in the context of clinical trials, as well as scientific research that uses data collected for a trial but takes place outside the clinical trial protocol.
The EU Member States must consider data protection compliance when reviewing the assessment report. On the other hand, the Data Protection Directive requires personal data to be processed lawfully. The GDPR’s recitals add that the processing of personal data for scientific purposes must comply with relevant laws, such as those applicable to clinical trials.
When the CTR went into effect, there was confusion surrounding the relationship between the CTR and the GDPR. For example, some questioned whether the CTR could not be used as an exemption for GDPR compliance in some cases.
The European Data Protection Board (EDPB) examined this interaction in its Opinion 2/2019.
The opinion distinguishes between the primary use of data and the secondary use of data in clinical trials.
Primary use of data
Primary use of data includes “all processing related to a specific protocol of a clinical trial throughout its life cycle, from the beginning of the trial to the disposal of the data at the end of the archival period.”
There are two main categories of primary processing:
- Processing for reliability and security purposes: This is the case when the CTR requires processing for reliability and security purposes. For example, safety reporting and archiving of clinical trial files. The appropriate legal basis for such processing is the “legal obligation(s) to which the controller is subject.” In the case of sensitive personal data, this means that the processing is “necessary for reasons of public health.”
- Processing for research activities : This category includes processing activities for research purposes that are not required by law. The EDPB identifies four appropriate legal bases: explicit consent, public interest, legitimate interests and, when the data are sensitive, scientific purposes. There is an important distinction between consent under the CTR and consent under the GDPR:
- Informed consent to participate in a clinical trial under the CTR should be distinguished from the legal basis of explicit consent under the GDPR.
- Consent under the CTR may not be sufficient under the GDPR: the lack of balance of power between a participant and a principal may prevent consent from being freely given.
- A withdrawal of informed consent under the CTR is only prospective and does not affect the activities already carried out and the use of the data obtained on the basis of the informed consent prior to its withdrawal. In contrast, the revocation of consent under the GDPR is retrospective, and all data processing activities based on consent must cease.
Secondary use of data
Secondary use is the processing of data for scientific purposes, but outside the scope of the clinical trial protocol.
Based on the CTR, a separate legal basis is required for the secondary use of data. If this is consent, it should be sought at the same time as informed consent to participate in the clinical trial.
However, the EDPB suggests that the GDPR’s compatibility presumption applies here. Therefore, it is assumed that the secondary use is not incompatible with the original purpose (and thus falls within the scope of the protocol). If the data are processed for archival purposes of public interest, scientific research, historical research or statistical purposes, and appropriate safeguards are in place.
The EDPB’s opinion provides some clarity on the relationship between the CTR and the GDPR. Sponsors, who will usually be the data controllers, will especially benefit from the guidance on legal bases.
The CTR confirms and reinforces the data protection obligations under the GDPR to be observed when conducting clinical trials in the EU (e.g. transparency for data subjects, data quality and confidentiality, rights of data subjects).
Controllers must be able to demonstrate that personal data are adequately protected and that they can ensure the protection of such data.
This is critical to obtaining regulatory approval to conduct a clinical trial in the EU.
Therefore, in the earliest stages of clinical trial development, both sponsors, and investigators should consider how to fulfill their data protection obligations.
It is therefore extremely important for clients and researchers to strictly comply with the provisions of the GDPR.
For more information regarding the applications of the GDPR in clinical trials, you can always consult an accreditedDPO.