Newsletter 36 November 2021

When a US Sponsor launches a clinical study which recruits patients in the EU/EEA/UK, several big life science organisations currently consider that the Sponsor is the Data Exporter.


They might think so because the sponsor is the Data Controller, or because Good Clinical Practice states that the Sponsor is ultimately responsible for everything that can happen in the study.

This is not true:

If we take a classic situation with a clinical site in Germany, a US CRO and a US sponsor: the US sponsor contracts with a vendor based in the US, which provides an eCRF and an eTMF. Both applications have their databases hosted in the US.


The Data Exporter is the clinical site in Germany, because it is the site that enters the clinical data in the eCRF and the eTMF.


In other words, the patient data is collected from patients in Germany by the investigation team in Germany and transferred to the US sponsor through these applications.


The Sponsor in the US is the Data Importer because it accesses the patient data in these applications.


In some situations one might also say that the US CRO is the Data Importer, which then re-transfers the encoded patient data to the US Sponsor.


See also the Data Flow Diagram below. For more questions on International Data Transfers, contact us at contact ( at ) pharmarketing.net



On October 14th 2021, the International Council for Harmonization (ICH) adopted the new release of ICH guideline E8 (R1) on general considerations for clinical studies. It will come into effect on 14 April 2022.


This revision was necessary to refresh the guideline and to harmonise its content with existing ICH guidelines as well as with Data Protection law. The least that can be said is that ICH E8 R1 makes a big step towards the EU GDPR.


First, this new release reinforces the “quality by design” principle, which other guidelines already recommended and which this new E8 release therefore logically restates.


This “quality by design” is very close to the “privacy by design” stated in the EU GDPR, and to the concept of being “proactive” from an end-to-end perspective.


ICH E8 R1 also introduces the principle of “data minimisation”, one of the key rules stated by EU Data Protection law: the need to collect only what is strictly needed for the purpose of the clinical research.


ICH obviously admits that certain clinical studies do require the enrolment of some of the most vulnerable subjects, for example pregnant women, foetuses or children, in order to collect and analyse medical data throughout the research on a medicinal product. Nevertheless, it constantly reminds readers of the need to reinforce the protection of personal data at all times as well.


For example, E8 R1 says that “Information about study subjects that may be important to understanding the benefit/risk of the drug (e.g., age, weight, sex, co-morbidities, concomitant therapies) is specified in the protocol, captured and incorporated in the design, conduct, and analysis, as appropriate” [...] “Inappropriate access to data during the conduct of the study may compromise study integrity”.


ICH E8 reminds us of the need to perform a risk analysis.


Risk management is in fact essential, if not the “KEY TASK”, to rationalise, optimise and provide a consistent, accurate and efficient methodology for your overall quality and for maintaining data integrity. In addition, a well-managed risk analysis will help you prioritise the controls and other mitigations necessary to reduce the impact of the risks to an acceptable level.


A risk analysis will serve as a roadmap throughout your project; it will also help reach the “patient safety” objective as mandated by the GCP/ICH guideline, or the “personal data protection” objective as mandated by the EU GDPR.


While the risk analysis should assess the risk of the drug by considering patient safety factors (age, some vital signs, co-morbidities, concomitant therapies, etc.) when defining the study protocol, the same factors can also be assessed from a data protection point of view, to prevent unnecessary data collection.


Therefore, a risk analysis should take place from the start, at the time of clinical study setup; it should then be periodically reviewed until the end of the study, which includes the archiving and retention time frame as well.


To download the ICH E8 (R1) click here.


If you are looking for guidance on putting such a risk analysis and/or risk methodology in place to meet the ICH E8 R1 guideline and/or the EU GDPR, feel free to reach out to me at k.i.renault ( at ) pharmarketing.net.



On 18 November 2021, the European Data Protection Board (EDPB) adopted guidelines clarifying the interplay between the territorial scope of the GDPR (Article 3) and the provisions on international transfers in Chapter V (Articles 44 to 49).


This follows the publication of the new EU Standard Contractual Clauses (SCCs) in June 2021, which still left a grey zone.


These new guidelines first give the definition of a data transfer, as there is no such definition in the GDPR:


Three criteria must be met for a processing operation to qualify as a 'Data Transfer' in the GDPR sense, and for Articles 44 to 49 of Chapter V to apply:


  • A controller or a processor is subject to the GDPR for the given processing.
  • This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
  • The importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.


As a consequence, it clarifies 2 "grey zones":


  1. If a Data Subject (DS) in the EU/EEA voluntarily shares his/her Personal Data with a company abroad in a third country, it is NOT a Data Transfer, and Articles 44 to 49 of the GDPR don't apply.
  2. But the company abroad still needs to secure the exchange of information and apply the GDPR to the personal data.
  3. In our opinion, there should be an "ethical" limit to this though: imagine that an EU DS voluntarily shares a whole bunch of his/her healthcare data with a portal to help advance care, or to potentially be invited to participate in a clinical study in the future. In this situation, the processing would probably be requalified as a Data Transfer, as a data breach would probably have an impact on the private life of the DS. In other words, we think that the Data Importer should perform a risk analysis to evaluate the risk generated by the personal data processing, requalify it as a Data Transfer if the risk could be significant, and then put in place appropriate safeguards as described in Article 46 of the GDPR.
  4. Even if the Data Importer is subject to the GDPR, the Data Exporter should demonstrate that the data transfer complies with Articles 44 to 49. This is very important, as in 99% of data transfers the GDPR applies to the Data Importer as per Article 3.2: if an organisation A based in a third country receives personal data from an organisation B in the EU/EEA, then the GDPR applies to organisation A, which means that A has to put in place all the principles and security measures of the GDPR (e.g. inform data subjects, data minimisation, limit storage duration, etc.). In addition to this, A must demonstrate that it complies with Articles 44 to 49 for this Data Transfer.


In addition, we remind our readers that retransfers are data transfers too: if a US sponsor receives encoded patient data from a German site, it is a Data Transfer; if this US sponsor then retransfers part of this patient data to a sub-contractor in Australia to perform biostatistics, it IS also a Data Transfer and Articles 44 to 49 apply.


Lastly, the EDPB announced that it will release new Standard Contractual Clauses (SCCs) for the situation where the Data Importer falls under the GDPR. (SCCs are one of the possible appropriate safeguards for an international data transfer as per Article 46.)


Submit your comments!

The EDPB welcomes your comments until 31 January 2022 by using the appropriate form on its website here.


You can download the guidelines here.


A question? Write to us at contact ( at ) pharmarketing.net



In case of non-compliance with the GDPR in a clinical study due to the CRO, who is legally responsible, and which organisation might have to pay a penalty and face legal prosecution:


  • the sponsor as per ICH?
  • the CRO?
  • Both of them?


Here again is a situation where the ICH and the GDPR are not saying the same thing:


ICH says that the sponsor is always ultimately responsible (GCP 5.2.1 and 5.2.2 addendum).


The GDPR says that all stakeholders share responsibility jointly: the relevant local Data Protection Authority could either:

  1. give a penalty only to one of the stakeholders
  2. or give a penalty to both the sponsor and the CRO


In case #1, the Party which has received the penalty could then ask the other Party for compensation; this depends on local laws.


A question? Need advice? Feel free to contact us at contact ( at ) pharmarketing.net



1. In its new Guidelines on the Interplay between Territorial Scope (Article 3) and Data Transfers, the EDPB says that a Data Importer in a third country can re-transfer the personal data anywhere in the world as long as the data have been redacted (pseudonymised):


No: re-transfers of Personal Data are also subject to the GDPR, even if the data are redacted (pseudonymised).


2. If a clinical study is deemed non-compliant with the GDPR by a local Data Protection Authority, both the Sponsor and the CRO could be fined and be subject to legal prosecution:


Yes: under the GDPR, the responsibilities are shared between all the stakeholders in the value chain.


3. We can collect the professional email addresses of medical doctors from a hospital's website and then send them a Newsletter, but we need to obtain their consent first:


Yes and No: it depends on the local code of conduct for Direct Marketing in the relevant country.

For example, in countries like the UK and France, you don't need the explicit consent of a professional for Business to Business direct marketing (although you could decide to get their consent first out of politeness). But you have to put Data Privacy language at the bottom of your Newsletter, and in particular give the recipient an easy way to unsubscribe.

But in countries like Germany and Poland, you need to have obtained their consent first (also called 'opt-in').

