Ronan Tigner and Alex van der Wolk
Privacy + Data Security
In response to the opinion of European Data Protection Board (EDPB) (see our alert), the European Commission has issued its Question and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (Q&A). The non-binding Q&A offers some additional clarifications for data processing within clinical trials. However, the Q&A also falls short in other respects. In particular, it omits some core issues, deferring to national data protection authorities instead.
The Q&A aligns with the opinion that he EDPB issued on the Q&A ahead of its publication on:
The Q&A also provides some additional insights, for example:
Where the Q&A falls short
Although the European Commission’s Q&A offers some clarifications on personal data processing within clinical trials, especially in confirming that consent is not the appropriate justification for processing personal data, it nevertheless omits some core issues for which guidance would be useful. As a result, disparities are likely to remain and should be taken into account when implementing a clinical trial across various EU jurisdictions (e.g., additional time will be necessary to negotiate and adapt local agreements and notices). As noted in our previous alert, the EDPB intends to opine further on the issue of secondary use, and this may be an opportunity to advocate for further consistency for other issues. Finally, for additional details, a table showing the GDPR legal bases in the Q&A is set forth below (and it is slightly updated to the Q&A in comparison to our prior alert).
Legal Basis (GDPR Art. 6)
Derogation (GDPR Art. 9)
Reliability and Safety (safety, disclosures, archiving)
Legal obligation (6.1(c))
Public interest in the area of health (9.2(i))
Consent (6.1(a)) (under specific circumstances)
Explicit consent (9.2(a)) (under specific circumstances)
Public interest (6.1(e))
Scientific research (9.2(j))
Legitimate interest (6.1(f)) (if public interest does not work)
Emergencies (new compared to EDPB opinion)
Vital interests (6.1(c))
Vital interests (9.2(c))
 Although one could argue in that case that the GDPR’s legal basis is scientific research and additional consent is being sought only as a safeguard under GDPR Art. 89(1), and not as standalone GDPR consent.
 Section 3.e of the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018.
 Article 24.c of the Dutch Data Protection Act.
©1996-2019 Morrison & Foerster LLP. All rights reserved.