Newsletter 48 January 2023

On January 1st, 2023, two comprehensive U.S. state privacy laws took effect, in California and in Virginia. In July 2023, the Colorado Privacy Act will come into force. In addition, the Virginia Senate introduced a new Healthcare Data Bill.


The California Privacy Rights Act (CPRA) amends the existing California Consumer Privacy Act and hands enforcement powers to the California Privacy Protection Agency. Final CPRA regulations are pending final approval ahead of July 1 enforcement. 


The Virginia Consumer Data Protection Act (VCDPA) incorporates concepts from the CPRA, while other provisions carry their own nuances. The Virginia General Assembly used the 2022 legislative session to pass amendments to the law before it took effect. 


The International Association of Privacy Professionals (IAPP) constructed a very clear table to compare privacy laws in California, Colorado and Virginia: click here to download the table.


In addition, Virginia introduced Bill No. 1432 on January 20th, 2023 on Health records privacy and consumer-generated health information, see here.


Feel free to contact us for any question you may have at contact ( at ) pharmarketing.net



The General Inspection Coordination of Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD), published a form for security incident reporting by personal data controllers.


The new document, required as of Jan. 1, includes expanded structured responses and guidelines on the incident reporting process. The ANPD said an "expected benefit is the improvement in the quality of responses to allow the structuring of a reliable database on security incidents."


Read more on this new form here.
To download the new template for reporting security incidents, click here.





The director of Belarus' National Center for Personal Data Protection signed an order implementing rules for the cross-border transfer of personal data. 


The order includes member states of the Eurasian Economic Union and defines allowable cases of cross-border data transfers, including transfers by state bodies and other organizations. The Data Protection Authority (DPA) said this will solve "issues related to the cross-border transfer by employers of personal data of their employees in cases necessary for the implementation of their labor functions."


As a reminder, the Belarus Law on data protection, No. 99-Z, was voted on 7 May 2021.


Since 15 November 2021, a new Ukaz of the President of the Republic of Belarus on measures to improve protection of personal data, dated 28 October 2021, No. 422, has also been in legal force. This Ukaz establishes the National data protection center of the Republic of Belarus (NDPC) as well as its competence and authority.





A citizen requested Österreichische Post, the principal operator of postal and logistical services in Austria, to disclose to him the identity of the recipients to whom it had disclosed his personal data. He relied on the EU General Data Protection Regulation (GDPR). 


That regulation provides that the data subject has the right to obtain from the controller information about the recipients or categories of recipient to whom his or her personal data have been or will be disclosed.


This is a basic right that the GDPR gives to all Data Subjects everywhere, not only to people based in Europe.


In response to the citizen’s request, Österreichische Post merely stated that it uses personal data, to the extent permissible by law, in the course of its activities as a publisher of telephone directories and that it offers those personal data to trading partners for marketing purposes.


The citizen therefore brought proceedings against Österreichische Post before the Austrian courts.
During the judicial proceedings, Österreichische Post further informed the citizen that his data had been forwarded to customers, including advertisers trading via mail order and stationary outlets, IT companies, mailing list providers and associations such as charitable organisations, non-governmental organisations (NGOs) or political parties.


The Oberster Gerichtshof (Supreme Court, Austria), hearing the dispute at last instance, wishes to know whether the GDPR leaves the data controller the choice to disclose either the specific identity of the recipients or only the categories of recipient, or whether it gives the data subject the right to know their specific identity.


In its judgment dated January 12th, 2023, the Court of Justice of the European Union (CJEU) replied that where personal data have been or will be disclosed to recipients, there is an obligation on the part of the controller to provide the data subject, on request, with the actual identity of those recipients. 


It is only where it is not (yet) possible to identify those recipients that the controller may indicate only the categories of recipient in question. That is also the case where the controller demonstrates that the request is manifestly unfounded or excessive.


The CJEU pointed out that the data subject’s right of access is necessary to enable the data subject to exercise other rights conferred by the GDPR, namely his or her right to rectification, right to erasure (‘right to be forgotten’), right to restriction of processing, right to object to processing or right of action where he or she suffers damage.


Read the press release from the CJEU here: Every person has the right to know to whom his or her personal data have been disclosed (europa.eu)





The World Health Organization (WHO) is developing appropriate guidance for Member State and non-state actors on best practices for clinical trials in response to the World Health Assembly Resolution 75.8 “Strengthening clinical trials”. 


Following a public consultation to seek input and identify relevant existing guidances (including the Collaborative), the WHO has issued a call for experts to apply to join the Technical Advisory Group for guidance development.


The call had a deadline for applications of Tuesday, 24 January, see here. 





In October last year, the White House’s Office of Science and Technology Policy (OSTP) launched an initiative to review US and international capabilities to coordinate large-scale clinical trials that can be efficiently carried out to address outbreaks of disease and other emergencies.


The OSTP’s Request for Information is live and accepting comment until Friday, 27 January here.





Several updates have been released recently on the EU Clinical Trial Regulation (CTR) and the CTIS portal, see below:


31st January: Mandatory Use of CTIS:


On 31 January 2023, the clinical trial information system (CTIS) will become the single-entry point for sponsors and regulators of clinical trials for the submission and assessment of clinical trial data which includes a public searchable database for healthcare professionals, patients, and the public. The last date for sponsors to submit initial Clinical Trial Applications under the Clinical Trials Directive is 30 January 2023.


The CTIS was launched on 31 January 2022, starting the clock for the one-year transition time for all sponsors of clinical trials. During the transition period clinical trial sponsors can still choose whether to submit an initial clinical trial application in line with the Clinical Trials Directive or under the Clinical Trials Regulation, via CTIS. On 31 January 2023, the use of CTIS will become mandatory.


CTIS is the information system supporting the implementation of the Clinical Trials Regulation, which changes the way that applications for authorisation of clinical trials in the EU are submitted, and how clinical trials are authorised and supervised. The provisions of the Clinical Trial Regulation bring extensive changes in practices by all stakeholders and require effective change management.


A new CTIS release was implemented on 12 January 2023


A CTIS release was deployed on 12 January 2023, implementing several functional improvements:

  • Improved functionality on the submission of an application to add a new Member State Concerned.
  • Sponsors are now able to add or remove the Proof of Payment during the response to an RFI in all evaluation phases.
  • Sponsors are now able to change an application that is part of the response to an RFI raised in the context of an Additional Member State Concerned application or Substantial Modification.
  • Sponsors will be prevented from submitting an initial application that does not contain a valid EudraCT number.
  • Sponsor users will no longer receive a validation error message when users work in parallel in the IMPD-Q and Safety & Efficacy placeholders, ensuring only documents or a justification is included in both.


More information on the latest system improvements is available in the published release notes as well as in the Lists of known issues and proposed workarounds.


Sponsor Responsibilities with regard to Handling and Shipping of IMPs


Following the entry into application of the CTR at the beginning of last year, the final version of the "Guideline on the responsibilities of the sponsor with regard to handling and shipping of IMPs" has been published. IMPs may not be used in a clinical trial in a member state of the European Union until the completion of the two-step procedure referred to in this guideline.


EMA Sponsor Handbook: How to Manage Clinical Trials Transitioned to the CTR?


In order to help sponsors using the CTIS, the EMA has published a sponsor handbook. The EMA is continuously updating the CTIS Sponsor Handbook with further priority topics and a revised version 3 has now been published.


Clinical Trials: EMA clarifies Dates for the Transition Period


Following the previous update on how to manage clinical trials transitioned to the CTR, the EMA now clarifies the timelines for the transition period.


As a reminder, the European Commission published an updated version of the Questions and Answers document for the Clinical Trials Regulation (EU) No 536/2014 in December 2022.





The U.S.-UK Comprehensive Dialogue on Technology and Data started at the end of 2022.


The Dialogue was jointly launched by U.S. Secretary of Commerce Gina Raimondo and UK Secretary of State for the Department for Digital, Culture, Media and Sport (DCMS) Michelle Donelan in October 2022, building on the commitment of President Biden and then Prime Minister Johnson at the Carbis Bay meeting in 2021.

The Dialogue was supposed to start earlier, with a UK law presented to the UK Parliament in early 2023, but due to the changes in the UK Prime Minister role, this work has been delayed.

The United States and United Kingdom identified deliverables to address in 2023, including:

  • Collaborate to facilitate global trusted data flows, including multilateral discussions with the Global Cross-Border Privacy Rules Forum.
  • Finalize and implement a data bridge for U.S.-UK data flows.
  • Promote open, interoperable, reliable, and secure telecommunication systems, such as open radio access networks (Open RAN), and work to ensure a complementary and cooperative approach to telecommunications R&D.
  • Hold roundtable discussions on next-generation license exempt technologies in the 6 GHz band.
  • Champion the new OECD Global Forum on Technology in support of our shared ambition to build a wider community of partners committed to ensuring technology is designed, developed, and deployed, in a way that reflects our values.
  • Identify opportunities for cooperation between the UK and the U.S. semiconductor industry on skills, investments and R&D.
  • Strengthen UK-U.S. collaboration on AI technical standards development and tools for trustworthy AI – including through joint research and information sharing, and support for commercial cooperation.

The four senior U.S. and UK principals agreed to review progress on a quarterly basis and to identify future areas of cooperation on technology and data.
The next formal Dialogue will take place in January 2024.





  1. Can individual safety reports on EU patients be transferred to the FDA in a way that keeps us GDPR compliant? yes / no

    Yes, it is compliant with the EU GDPR, as it is a legal obligation to send such safety reports to the FDA. So, the legal basis under Article 6 of the EU GDPR is the existence of a legal obligation. That said, we recommend that you try to pseudonymise the healthcare data of the data subjects as much as possible, so that the probability that someone could re-identify a patient is negligible.

  2. A nurse from a clinic calls me: she wants to put me in contact with a patient who wants to exercise his or her rights over his or her personal data: can I accept? yes / no

    No, you should not be in contact directly with a patient taking part in a clinical study, as it would be against the Good Clinical Practices, which state that only healthcare professionals who are part of the clinical site team can know the identity of such a patient. In this situation, ask the nurse to tell the patient to contact the DPO of your organisation: the DPO is independent of the personal data processing performed by your organisation, which gives him/her the possibility to be in touch directly with a patient. Then, when the DPO forwards the patient's request to your organisation, the DPO should only give you the patient number. To put it differently, the DPO should not provide your organisation with any direct identifier from the patient. In other words, the DPO is a 'go-between' for the patient and your organisation, and this is why it is mandated that the DPO is completely independent from the personal data processing.

