Newsletter 56 October 23

Today we will zoom in on the role and responsibilities of Processors under the DPDPA, India's new data privacy law.


As our title suggests, their role is not very clear at this time; most of the DPDPA deals with the obligations of the Data Fiduciaries (the equivalent of Controllers in the EU GDPR). So it appears that, unlike under the GDPR, under the DPDPA all responsibilities fall on the Fiduciaries if something happens: a personal data breach, a request from a data principal (= data subject), etc. This is not surprising, as India has a huge offshoring industry, so many large organisations act as sub-contractors to foreign clients.


So we encourage all organisations acting as Fiduciaries to put as much data privacy language as they can into their contracts with sub-contractors: using the language recommended by the GDPR is a good start. In addition, the Fiduciary should require the Processor to have all employees trained, to have security measures in place, not to sub-contract to another entity unless agreed by the Fiduciary, to provide evidence of its compliance with the DPDPA, to answer a data privacy questionnaire, etc.


In addition, the Fiduciary should add clauses which hold the Processor financially and legally responsible in case of non-compliance with the DPDPA, in case of a personal data breach caused by the Processor or by one of its sub-processors, and also for failing to report a request from a person quickly.


Joint Fiduciaries:


Unlike the GDPR, the DPDPA doesn't mention joint fiduciaries (or 'co-fiduciaries'). To address that, we recommend that when a Fiduciary considers that a sub-contractor plays the role of a joint fiduciary, they add clauses in the contract addressing this point: the Processor should recognise in writing that it acts as a joint fiduciary and that it therefore accepts the obligations of a Fiduciary.

On the same topic:


  • 28 October 2023: India's IT minister says the DPDPA draft rules are nearing completion: read the article from the Hindustan Times.
  • 14 October 2023: India's tech minister says sectoral regulators can impose stronger rules under the DPDPA, as reported by the Indian Express.


Not sure how to make your contracts robust? We can provide ready-to-use data privacy language for client-vendor contracts: contact us at contact ( at ) pharmarketing.net if you need support.


In the November Newsletter we will talk about the processing of personal data of European people by Indian Processors, another hot topic!




The GDPR states that a request from any person should be answered in their local language.


For example, if a patient in Poland wants to ask a question directly to the sponsor of a clinical study, the sponsor must be able to answer in Polish.


Of course, most patients nowadays speak English and the local team at the clinical site can help with the translation, but if the answer is complex and needs several sentences, it's better to have a local person in Poland who can answer the data subject directly in their native language.


This is why, at PharMarketing, we have consultants in most European countries where clinical research is concerned.


In addition, our consultants know the local laws and guidelines, and can reach out to local authorities to get direction on a specific situation.


To contact our team, write at contact ( at ) pharmarketing.net



There is an urban legend circulating in our industry that it is mandatory to host your clinical databases and TMFs with a certified Healthcare Data Hosting provider.


This is a myth:


First, Healthcare Data Hosting certification doesn't exist in every European country; to our knowledge, it exists today in the UK and in France, and maybe in a few other countries, but it is not a general requirement.


Second, in the UK and in France, the obligation to use a certified Healthcare Data Hosting provider applies only to data collected when providing care. In other words, it applies only to patient data from healthcare professionals working in community practice or in hospitals.

It DOESN'T APPLY to patient data collected in Clinical Studies.


So, the next time a software provider tells you 'and our database is hosted at a certified Healthcare Data Hosting provider', you can reply: 'That's nice, but it's not an obligation.'


Since such certified hosting is more expensive, this is good to know!


If you want to know more about certified healthcare data hosting, or to get a letter explaining that it is not mandatory in medical research, contact one of our IT / data privacy gurus at contact ( at ) pharmarketing.net



As explained in our previous Newsletters, the new Data Privacy Framework ('DPF') is now in force. If a US organisation self-registers as compliant with the DPF on the website of the US Department of Commerce, then any organisation in the EU/EEA/UK (and soon Switzerland) can send personal data to it.


In other words, it is not necessary to put in place a Data Transfer Agreement with the EU Standard Contractual Clauses in it anymore.


This greatly reduces the paperwork for US organisations which deal with many organisations in Europe. The benefits are clear.


But what about the additional burden?


As with the Privacy Shield Framework before it, a US organisation wanting to join the DPF will need:


  • to pay an annual fee to the US Department of Commerce (between a few hundred USD and a few thousand USD, depending on the sales revenue of the US organisation).


  • to document that they comply with each item of the DPF (to be done only once, but to be checked on a regular basis if the organisation buys new software or changes its processes).


  • to appoint a US-based independent organisation to act on its behalf as part of the redress mechanism (in plain terms, if somebody in Europe wants to exercise their rights over their personal data).


  • to appoint an independent consultant to audit them every year for compliance with the DPF.


  • to appoint somebody, internal or external, to manage inbound access requests from European data subjects.


So the annual costs could range between 10 000 euros and several tens of thousands of euros, depending on the size of the US organisation.


So who is the target?


In our opinion, the DPF provides benefits for 2 types of organisations:


  • Big organisations which do a lot of business with EU/EEA/UK/Switzerland and can afford the additional cost.


  • SMBs which offer services to organisations in the EU/EEA/UK/Switzerland, and which will process personal data of people based in that geography: typically CROs, labs, software providers, etc. The reason is that being registered with the DPF can be an important marketing argument for them.


We are already supporting small US service organisations for the DPF: for any question, contact Bertrand at b.p.lebourgeois ( at ) pharmarketing.net



The Court of Justice of the European Union (CJEU) stated that a patient has the right to get a free first copy of their medical records under the EU General Data Protection Regulation.


The case was raised by a German patient who asked their dentist for a copy of their file. The dentist asked the patient to pay the costs connected with providing a copy of the medical records, as is provided for in German law.


Read more on the CJEU website.



  1. Is it mandatory for a medical doctor working as a full-time employee of a pharma or MedTech company to be registered with their country's national association of medical doctors?  yes / no

  2. We plan to recruit 10 healthy volunteers in the UK for our next Phase 1 clinical study; we don't have an office in the UK: is it mandatory to appoint a UK Data Protection Representative?  yes / no


The answers will be provided in our November Newsletter.

