The hot topic of the month is the enforcement of the EU Clinical Trial Regulation on 31st January: Ersi Michailidou, our expert lawyer in Clinical Research and GDPR explains the impacts for Data Privacy compliance.

Entry into application of the New EU Clinical Trials Regulation: What Does it change for Data Privacy?

As of January 31st 2022, the long-awaited EU Clinical Trials Regulation 536/2014 (“CTR”) entered into force, replacing Directive 2001/20/EC.

The CTR introduces a new era for submitting and performing clinical trials in the EU. The CTR also applies to Norway, Iceland and Liechtenstein, which, with the 27 countries of the EU, make the European Economic Area (EEA). The CTR applies to interventional medical research for drugs. Medical research on medical devices falls under the Medical Devices Regulation (EU) 2017/745 (MDR), and medical research for In Vitro Diagnostics (IVD) falls under the In Vitro Diagnostic Medical Devices Regulation (EU) 2017/746 (IVDR).

The goal of the CTR is to simplify and harmonise the administrative provisions and the deadlines governing clinical trials, as well as to ensure a great level of transparency and quality for all clinical research performed throughout the EU/EEA. The CTR provides for a transitional period of 18 months: during this period, new medical research can choose to fall under the previous regime of Directive 2001/20/EC, or under the new CTR.

Clinical studies which started before the 31st January 2022 can continue under the former Directive until January 31st 2025.

How does the CTR impact the conduct of clinical trials in Europe?

Up to now, Sponsors wanting to submit a clinical trial in more than one EU country had to request a separate approval in each participating European Member State, and to comply with each local legal framework and processes. This meant following a completely different process and different deadlines in each and every country and made it complex for multinational clinical trials.

The key change of the CTR is the introduction of a single-authorisation procedure in one member state only (‘one-stop-shop’ mechanism), which is filled through the new Clinical Trial Information System (CTIS), as well as the provision of streamlined and strict timeliness to complete the evaluation of the application. Following the submission of the application through the CTIS, an assessment process begins, led by one Reporting Member State. The Reporting Member State is in charge of reviewing Part I or the Assessment Report, which addresses the aspects common to all EU/EEA countries (e.g. trial risks and benefits, quality of the Investigator Brochure).

Each Member State in which the trial will be run is in charge of Part II of the assessment; Part II covers the ethical aspects of the trial (e.g. Informed Consent Form (ICF), protection of human rights of trial subjects), and addresses aspects interacting with country specific laws (e.g. remuneration of patients or the age when a child can give an independent consent). In the end, each Member State decides whether to approve the clinical trial, based on the outcome of the Assessment Report. As soon as a clinical trial is approved, information on this trial will be made public and searchable through the CTIS.

Data protection in the context of clinical trials: How does the CTR interact with the GDPR? 

As PharMarketing has demonstrated*, if an organisation complies with Good Clinical Practices (GCP), this organisation is likely to be 99% compliant with the General Data Protection Regulation EU 579/2016 (GDPR). Then, only the 7 specific GDPR deliverables need to be drafted, and the organisation needs to check the 11 points where GCP and GDPR are not on the same line.

The new CTR, as the previous Guidelines, is aligned with GCP, so it is no surprise that the CTR considers that safeguarding study subjects’ privacy and personal data is one the conditions to be met for the authorisation and conduction of the clinical trial (article 28.1(d), 56 CTR).

( * ) Feel free to contact us to get a copy of this research.

As a consequence, Member States assess in Part II on the Assessment Report that Sponsors comply with their data protection obligations (article 7.1(d) CTR).

The GDPR, which came into force in the EU/EEA in 25th May 2018, has set a harmonised EU data protection framework. The GDPR interacts with the CTR, providing rules applicable to the processing of personal data for scientific research purposes, including clinical trials.. Thus, the GDPR regulates data processing activities performed in the context of a clinical trial.

The European Data Protection Board has already issued several documents providing guidance for the processing of personal data in the context of medical research, for example:

• 23 January 2019: Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection regulation (GDPR) (art.70.1.b)): guidance on which legal basis to use and for the secondary use of clinical trial data;
• 21 April 2020: ‘Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak’;
• 4 May 2020: Guidelines 05/2020 on consent under Regulation 2016/679;
• 2 September 2020: ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’ page 21;
• 2 February 2021: ‘EDPB Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research’.

Sponsors (and their sub-contractors) performing clinical trials in Europe must implement and document all appropriate Technical and Organisational Measures ('TOMs') for the protection of personal data.

In addition, sponsors (and their sub-contractors) need to inform data subjects of the processing of their personal data, appoint a Data Protection Officer (DPO) and draft a Data Protection Impact Assessment. 

Furthermore, sponsors residing outside the EU/EEA or using non-EU/EEA vendors should comply with the GDPR rules for international data transfers.

The GDPR and the CTR both allow for a certain regulatory local flexibility to Member States: for this reason, sponsors running multinational trials must also explore the regulatory landscape of each EU Country on data protection and clinical research. For example, country-specific laws may provide for a specific legal basis for the processing of trial participants’ data (consent or legitimate interest), define the role of the Investigator in the Clinical Trial Agreement (Controller-Processor), or follow specific guidelines for remote monitoring or home based trials.

It should also be noted that the CTR specifically allows consenting study participants to the use of their data outside the protocolexclusively for scientific purposes, aligning with the research-friendly and ‘broad consent’ approach of the GDPR.

Conclusion 

During the last two years of dealing with the COVID-19 pandemic, the significance of speeding up clinical research and producing safe and effective medical products through reliable research data, has proved more urgent than ever. Hopefully, the application of the CTR will greatly contribute to rapid access to new innovative treatments, and at the same time protect personal data with robust measures, and enhance people’s eagerness to participate in clinical trials and safeguard the quality of clinical research.

So, in conclusion, the new CTR doesn’t bring very significant changes for data privacy in clinical trials, as the European Directive and local laws were already following the GCPs, which cover already most of the mandates of the GDPR.

References:
 

• CTR 536/2014: https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=celex%3A32014R0536
• GDPR 2016/679: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
• MDR 745/2017: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32017R0745
• IVDR 746/2017: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32017R0746
  

  Feel free to contact Ersi if you have any questions at: 
  e.c.michailidou ( at ) pharmarketing.net

An anti-gift law has been passed in France and agreed with the French Order of Nurses. This law states that nurses should not receive a payment of more than 2000 euros per year from commercial companies.

At the same time, sponsors of medical research are using more and more nurses to visit patients at home, instead of having patients going to the site. For this type of work, some nurses are working full time and obviously they would receive much more than 2000 euros from some of the sponsors, which would be non compliant.

The question is : Does this French Anti-Gift law apply to medical research? 

We asked a French lawyer, and his response was that Anti-Gift regulations do not apply to the nurses working on clinical research studies.

The lawyer explained that this law is geared towards payment of medical professionals who are consultants or are on advisory boards on speak at congresses.

Home trial nurses are exempt because they are getting paid for their day to day services related to their profession/normal job duties as a healthcare professional providing care in a medical research in public interest, which objectives have been validated by an ethics committee.

In other words, Home Trial Nurses don't fall under this annual limit of 2 000 euros.

If you would like to know the specific articles of the French Healthcare Law which address this point, contact one of our French Consultants

• Julia Croizier: j.a.croizier ( at ) pharmarketing.net
• Karine Renault: k.i.renault ( at ) pharmarketing.net
• Sandrine Rosso: s.e.rosso ( at ) pharmarketing.net