As part of our external DPO assignments, we often encounter difficulties during the elaboration or evaluation of Privacy Impact Assessments carried out to determine the compliance of personal data processing operations in the context of multicentric clinical trials conducted throughout the European Union.
Indeed, we are frequently asked to analyse contracts and information consent forms that expressly qualify the study sponsor and the study’s investigating centres as joint data controllers for the processing of personal data carried out in the course of clinical trials.
This interpretation of the situation in which the investigating centres are qualified as joint data controllers with the study sponsors is also backed by a number of supervisory authorities throughout the European Union. For instance, the Italian supervisory authority (Garante per la Protezione dei Dati Personali) stated in its Guidelines for Data Processing within the Framework of Clinical Drug Trials dated 24th July 2008 that “it appears that the responsibilities vested in the individual trial centres and sponsors are different as regards clinical trials – accordingly, they should be regarded as either separate data controllers or joint data controllers…”.
However, in light of the applicable regulations, namely Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR), this assertion appears to be incorrect.
Indeed, according to the latter Regulation, the data Controller is the natural or legal person, […] which, alone or jointly with others, determines the purposes and means of the processing of personal data, whereas the data Processor is the natural or legal person […] which processes personal data on behalf of the controller.
In the context of clinical trials, the informed consent which is required to carry out data processing is gathered by the investigators practising in the investigating centres, who are also in charge of collecting and transferring the data which will be processed and analysed by the different stakeholders for the performance of the clinical trial.
Therefore, it appears that the investigating centres carry out data processing operations on behalf of the study sponsor, i.e. data collection and data transfer, in the same way that the contract research organisations (CROs) process personal data on behalf of the study sponsors in the context of clinical trials.
Accordingly, within the framework of clinical trials, investigating centres (or trial centres) and CROs are among the legal persons who must be qualified as data processors.
This analysis of the situation is that of the French supervisory authority (i.e. the “CNIL”), which considers the study sponsor to be necessarily the data controller, as it is the sponsor that determines the purposes and means of the processing of the personal data. On the other hand, the CRO and investigating centres qualify as data processors, as they process the personal data in the context of the clinical trial exclusively in order to achieve the purposes that are pursued by the sponsor, and which are described in the protocol applied by the CRO and the investigating centres.
Furthermore, to back this position we can refer to the Regulation on clinical trials, which describes the sponsor as “an individual, company or organisation which takes responsibility for the initiation, for the management and for setting up of the clinical trial”, whereas investigator “means an individual responsible for the conduct of a clinical trial at a clinical trial site”.
If we strictly consider the aforementioned provisions, it is clear that the sponsor takes responsibility for the initiation, the management and the setting up of the clinical trial, and also determines the purpose of the processing of personal data, which is to carry out the said clinical trial. Furthermore, the data processed are strictly limited to what is required by the study protocol and necessary to conduct the clinical trial.
This analysis does not affect the assumption according to which a healthcare institution acting as an investigating centre is qualified as a data controller for the processing of personal data which it carries out on its own behalf, in the context of the management of patients’ medical files.
Ultimately, it should be acknowledged that the sponsor of a clinical trial is the sole data controller in the context of the trial, while the CRO and the investigating centres that collect and process data on its behalf must be qualified as data processors in accordance with the applicable regulations on the protection of personal data.
By Mark Surman & Thomas Roche