What is the issue?

As you might know already, it is FORBIDDEN to transfer personal data from EU/EEA to a country outside, unless you have a specific waiver in place:

Such transfers are possible only in the following situations:

1. If the destination country has been deemed as  Adequate by the European Commission (EC).
2. If the destination country is NOT  Adequate, the transfer is possible only if  essential guarantees have been implemented, e.g., the  Standard Contractual Clauses (SCCs) of the EC.
3. If none of the above conditions is met, the transfer can happen only if it falls within one of the  waivers described in GDPR Article 49: for example, if the data subjects gave explicit consent to the international data transfer.

If the data transfer doesn’t fall in one of the cases above, such data transfer is forbidden, except if the transfer is occasional and relates to limited number of data subject and of personal data.

EU SCCs are the most commonly used waiver to make a data transfer compliant with GDPR: your organisation needs to draft a Data Transfer Agreement between the Data Exporter and the Data Importer, and to insert the EU SCCs in it.

On 4 June 2021, the European Commission ('EC') released new SCCs which included specific working to address the situation when the destination country has specific surveillance laws, like the US or China.

Another key improvement was that it had a modular approach, to cover the 4 typical situations:

• Data Controller to Data Controller
• Data Controller to Data Processor
• Data Processor to Data Controller
• Data Processor to Data Processor

The EC said that the 'old SCCs, released in 2001 and in 2010, could still be used until 26 December 2022.

How can I know if I transfer personal data outside EU/EEA/UK?

Data transfer is a very wide notion. Typical examples of data transfers are:

• If you send personal data to somebody based outside EU/EEA/UK by email, by Postmail, through a portal or a tool like Microsoft SharePoint or wetransfer or a similar tool.
• If you have a web conference with somebody based outside EU/EEA/UK and you share a document containing personal data.
• If you or one of your partner companies gives access to a software to somebody based outside EU/EEA/UK.
• If you are based outside EU/EEA/UK and you reforward personal data to somebody outside EU/EEA/UK.
• If you think that one of your sub-contractors or clients is doing such transfer (as you share responsibility).

Remember: even if all direct identifiers have been removed, the data set is still considered as personal data in Europe and it falls under the GDPR.

Why is it important?

It is important so that  your organisation stays compliant with GDPR.

If you have drafted DTAs with the old SCCs from the EU commission, these cannot be used anymore starting next 27 December, and you need to replace them with the new SCCs provided by the EU Commission on 4 June 2021.

Same if you transfer personal data outside of the UK, you need to replace the old EU SCCs with the new SCCs provided by the UK in March 2022.

What do you need to do?

Contact a PharMarketing Consultant asap: he/she will identify with you the data transfer agreements that you have already in place and which need updating.

The consultant will also help you identify any data transfer for which you don’t have a Data Transfer Agreement in place, and draft one with your sub-contractor, partner or Client.

When should you do this?

Before December 26th, 2022. If you won’t be able to do it before that date, please contact us.

Feel free to us for any question you may have at contact ( at ) pharmarketing.net

On 13 December the European Commission (EC) concluded in its draft adequacy decision that US ensures an adequate level of protection for Personal Data transferred from EU to US.

The next steps will be the following:

• Validation by the European Data Protection Board (EDPB).
• Review by European Parliament and by a special Committee.
• Then the EC will be able to adopt the adequacy decision. 

After this last step, personal data can flow freely from the EU to the US.

The improvements to the Privacy Shield Framework following the Schrems II decision in July 2020 are contained in the Executive Order signed by President Biden on 7 October 2022, and are the following:

• It imposes limitations and safeguards on access to data by US intelligence agencies, and
• Enhanced oversight of activities by US intelligence services to ensure compliance with limitations on surveillance activities; and
• It establishes an independent and impartial redress mechanism, which includes a new Data Protection Review Court, to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes. 

US companies will be able to certify their participation in the EU-U.S. Data Privacy Framework (also called the Transatlantic Data Privacy Framework) by committing to comply with a detailed set of privacy obligations provided by the US Department of Commerce , probably as it was the case with the Privacy Shield Framework before. (such as purpose limitation and data retention, as well as specific obligations concerning data security and the sharing of data with third parties).

The Executive Order, together with the accompanying Regulation, establishes a new two-layer redress mechanism, with independent and binding authority.

Under the first layer, EU individuals will be able to lodge a complaint with the so-called ‘Civil Liberties Protection Officer' of the US intelligence community.

Under the second level, individuals will have the possibility to appeal the decision of the Civil Liberties Protection Officer before the newly created Data Protection Review Court.

Read the press release of the European Commission date 13 December 2022 here and the Questions & Answers here.

Feel free to send your questions on this topic to us at cpntact ( at ) pharmarketing.net

Following their meeting on 4 October 2022, the European Medicines Agency (EMA), the Heads of Medicines Agencies (HMA) and the European Commission (RC) published on 14 December 2022 a recommendation paper on decentralised elements in clinical trials.

The definition of what is a Decentralised Clinical Trial (DCT) is not written in stone at this moment in time: EMA, FDA and professional associations have different interpretations on what is a DCT.

At PharMarketing we work for CROs specialised in DCTs across the world and we have gained a thorough experience on the compliance issues of DCTs with GCP or Data Protection Laws.

Some persons say that if you ask a patient at home to complete a quality of life survey, it is already a DCT.

In this situation, usually the CRO sends the URL link to each patient: so the CRO has the personal email addresses of each patient, which is against the Good Clinical Practices and against the Data Protection laws in the EU (GDPR): in such situation, thelink to the survey should be sent by the site, and the survey should be completely anonymous, so that the CRO / software provider cannot infer the identity of the patients from the information collected in the survey (IP address for example).

 From our experience at PharMarketing, we can say that very few CROs and software providers comply with these principles.

At the opposite of the scale, for nursing agencies a DCT is when the patient does some visits of a clinical study at his/her home (instead of going to the site), and a nurse (also called Home Trial Professional or HTP) is assigned by the CRO at the request of the site to visit the patient at home. Such CRO also organises the shipping of drugs, medical devices, diagnostic equipment to patients' homes, a then after the visit books couriers to get such material back and also to collect bio samples and deliver them to a lab if relevant.

Here again, in order to identify an appropriate nurse, the CRO needs to have the postal code of the patient, which according to some data protection authorities is not compliant with GDPR.

Nurses should make sure that they don't keep any paper or electronic document from the patient's visit, whether on their computer or smartphone: all should be sent back to the site. It is the responsibility of the nursing agencies to check that nurses do so.

The nursing agency itself should keep only a minimum information on the patient's visit, as per the principle of data minimisation: no healthcare data and no direct identifier should be kept. Same for the CRO.

Regarding the recommendation paper on decentralised elements in clinical trials:

• Section 6 is dedicated to the use of softwares and will interest clinical data managers and IT focused persons.

• In the appendix, you will find an interesting table with localities for each EU country.
  

You can download the document here.

If you want to learn more about the important points in the personal data processing of DCTs and how to stay compliant, please contact Bertrand Le Bourgeois at b.p.lebourgeois ( at ) pharmarketing.net

1. Some guidelines from ICH / GxP are conflicting with the GDPR: yes / no

Yes, some guidelines from ICH / GxP are conflicting with the GDPR: for example, a patient can decide to stop being part of a clinical study, but all the personal data collected about him/her cannot be deleted, because they are part of the history of the scientific research. So, in this situation the patient cannot exercise its right to be forgotten (or right to deletion).

2. A software provider can send the url link of a quality of care survey to the patients: yes / no / it depends

No: according to Good Clinical Practices, and Data Protection Laws, someone who is not part of the investigation team cannot have the personal email addresses of patients.