As explained in a former Newsletter, (click here to see the content of last Newsletters) organisations which process personal data from data subjects based in EU/EEA but don't have an office in the EU need to appoint a EU Data Protection Representative (EU DPR).

Same applies for the UK.

After you appoint a DPR, you need to update some of your Standard Operating Procedures: click on the green button below to learn more:

As you know, we are working in a regulated industry, so processes need to be documented through Standard Operating Procedures.

For this reason, after appointing a DPR, your organisation will need to draft a SOP describing the role of such DPR and its interactions internally with your organisation, but also with your DPO if you appointed one, with data subjects, with authorities and with any other external stakeholder which might send a request or a question to the DPR.

In the role description, make sure you clearly define:

• the deadlines (e.g. the maximum time for the DPR to forward to you a request received from an authority).
• the deliverables that the DPR will draft and maintain to document that he/she performs his/her job according to article 27 of GDPR and/or the requirements of the ICO and also with your requirements.

The role description, the deadlines and the deliverables should also be inserted in your contract with the DPR (probably not as detailed though).

For any question about this topic, please contact us at b.p.lebourgeois ( at ) pharmarketing.net

Several of our Clients had patients moving from Ukraine to Poland. These patients were enrolled in Clinical Studies with sites in Ukraine:

• Sponsors would like to keep patients in the Trials to make the results of the Study meaningful.
• Patients want to continue to benefit from the drug, especially if there is no other treatment available.
• Investigators in Ukraine want to continue to have oversight on the health of their patients and any adverse events; it is also mandatory by healthcare laws and strongly recommended by medical ethics.

How to do this considering the logistic difficulties to reroute drugs/medical device to Poland, to transfer the medical record from the patients from Ukraine to Poland. How to perform the visits in Poland, and is it compliant to send back the completed source documents to the healthcare professionals in Ukraine?

The Good News is that this is feasible and is compliant with ICH guidelines and GDPR: there is no issue in doing that.

Once you have identified a clinical site in Poland to provide oversight to the patients, you will just need to ask the site in Poland to establish a Data Transfer Agreement with the sites in Ukraine, using the Processor to Processor module of the EU Standard Contractual Clauses (SCCs). 

In the SCCs, remove comments in [brackets] and populate annexes I, II and III.

Also, remember that it is mandatory to inform the patient and the Ukrainian and the Polish healthcare professionals that their personal data will be processed. In addition, the transfer of personal data should be done securely according to Good IT Practices and adequate security measures should be in place according to articles 46 and 49 of GDPR.

Once the DTA has been executed, the site in Poland can send an electronic copy of the completed source documents, laboratory results and any other patient healthcare data and images to the relevant Ukrainian site.

You can follow that with shipping the originals from Poland to Ukraine.

If it is complicated to have the Ukrainian patient go to a Polish hospital, consider organising a home trial visit by appointing a nurse: this can greatly simplify the job and is also compliant with GDPR and GCP.

See also the guideline from the Heads of Medicines Agencies (HMA): The Clinical Trials Coordination Group (CTCG) developed recommendations to sponsors on managing the impact of the war in Ukraine on clinical trials, download here. 

For any question on this topic, feel free to contact our Polish consultant Przemyslaw Chudy at contact ( at ) pharmarketing.net

As you might already know, explicit consent is the GDPR legal basis for processing personal data for health research in Ireland.

We are not talking here of the medical consent that the patient gives in the Informed Consent Form: we are talking of the consent to the processing of the personal data of the patient, in other words the 'GDPR Consent'. These are 2 different notions of consent.

3 guidances exist in Ireland as part of the Amendment to the Health Research Regulations from January 2021. 

These guidances relate to specific situations when it might be difficult to obtain the consent from the patient, or when the consent is not mandatory:

• Guidance on Deferred Consent
• Guidance on Pre-Screening
• Guidance on Retrospective Chart Review

We will focus this month on the Guidance on Deferred Consent

In limited situations (e.g., patient under legal guardian, or patient is in severe condition or is unconscious), obtaining consent will not be possible and the public interest of doing the research significantly outweighs the need for explicit consent.

It is in cases like this that the Health Research Consent Declaration Committee HRCDC has a decision-making role.

It is not mandatory to apply to the HRCDC, but the Research Ethics Committee might request the Sponsor to do so. The onus is on the Data Controller of a research study, that is the Sponsor, to determine whether an application to seek a declaration is required for health research study.

Read ‘What steps must be taken prior to submitting an Application?’
Download application form here and submit application form to secretariat@hrcdc.ie.
The guidance on deferred consent is available here.

For any question about this topic, please contact us at b.p.lebourgeois ( at ) pharmarketing.net