Caroline Blaison has a Master’s degree in Quality in Bioindustries and brings 12 years’ experience supporting the implementation and continuous improvement of Quality Management Systems (QMS) for clinical biotech organisations in France, Europe & the United States. She has expertise in quality document management, training, deviations and audits (internal ; external).

Caroline is an expert in quality matters related to R&D activities (RQA, GLP), IMP activities (GMP) & Clinical activities (GCP). She has been acting as a Data Protection Officer since 2020 for a US clinical-stage biotech before joining PharMarketing in November 2024.

Caroline enjoys challenging sports like obstacle races, travelling & spending time with her loved ones.

She will support Karine Renault, Director at PharMarketing for a commercial stage pharma /medical device / IVD / cosmetic / Food supplements company with offices across the world. Caroline will also act as a Data Protection Officer (‘DPO’) for a US-French clinical-stage biotech, and as a EU Data Protection Representative for a US clinical-stage biotech.

You can contact Caroline at c.m.blaison ( at ) pharmarketing.net

On 24 October 2024, the French Data Protection Authority ('DPA'), the CNIL, issued a press release titled 'Clinical Research: the CNIL approves the European Code of Conduct of the EUCROF Federation', see here in French: https://www.cnil.fr/fr/recherc...

The wording might make people believe that the EUCROF Code of Conduct for Clinical Research has been validated for use in Europe: this not the case.

A Code of Conduct for application to all EU can only be approved by the European Commission ('EC'). The EC needs first the European Data Protection Board ('EDPB') to issue an opinion.

The EDPB released an opinion document several months ago which listed a long list of points that the EUCROF would need to amend in its Code of Conduct ('CC'), before the CC can ne reviewed by the EC.

So, in conclusion, the CC of the EUCROF is not validated at all, and it will take some time before it is approved by the EC and published on the website of the EDPB.

Thanks to our lawyer consultant Ersi Michailidou for clarifying this. Ersi is specialised on Privacy and Clinical Research.

For more information on Codes of Conduct, contact Ersi at e.c.michailidou ( at ) pharamrketing.net

Researchers say an AI-powered transcription tool used in hospitals invents things no one ever said;

Whisper is a popular transcription tool powered by artificial intelligence, but it has a major flaw: researchers claimed OpenAI's Whisper transcription tool used by health care organizations frequently reports hallucinations that can include racist and violent rhetoric, ABC News reports. 

Research Engineer and former OpenAI Member of Technical Staff William Saunders said the company should prioritize fixing and identifying the system's potential flaws to ensure users are not "overconfident about what it can do and integrate it into all these other systems."

Such mistakes could have “really grave consequences,” particularly in hospital settings, said Alondra Nelson, who led the White House Office of Science and Technology Policy for the Biden administration until last year.

“Nobody wants a misdiagnosis,” said Nelson, a professor at the Institute for Advanced Study in Princeton, New Jersey. “There should be a higher bar.”

This clearly show the limits of AI, and calls for having always a human being checking the recommendations made by an AI program, before handing out the result to other folks.

Read the article from ABC News here: https://abcnews.go.com/US/wire...

For any question about Artificial Intelligence and how to comply with the audit trail requirement, GxP or Privacy Laws, contact Bertrand at b.p.lebourgeois ( at ) pharmarketing.net

Turkey's data protection authority, the Kişisel Verileri Koruma Kurumu (KVKK), launched an online module for data controllers and processors to fulfill notification requirements to complete cross-border data transfers using standard contractual clauses.

The Personal Data Protection Board also deemed physical notification or registered electronic mail as acceptable notification methods.

Article 9 of the Law on the Protection of Personal Data No. 6698 (Law) titled "Transfer of personal data abroad" has been amended by Article 34 of the Law of the Criminal Procedure Law No. 7499 and some other Laws. Within the scope of the amendment, "standard contracts" are envisaged as an appropriate assurance method that data controllers and data processors can apply in the transfer of personal data abroad.

However, in the fifth paragraph of Article 9 of the Law, it is stipulated that standard contracts will be notified to our Authority within five working days from the signing of the contracts. In the fifth paragraph of Article 14 of the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad, it is indicated that standard contract notifications can be made physically or by registered electronic mail (KEP) address or other methods determined by the Board.

In this context, with the decision of the Personal Data Protection Board dated 17 October 2024 and numbered 2024/1793, it has been decided that notifications can be made through the "Standard Contract Notification Module", which is prepared in order for data controllers and data processors to fulfill their notification obligations more quickly and effectively over the internet; The module in question has been made available to those concerned.

Read the article from the KVKK here (in Turkish): https://www.kvkk.gov.tr/Icerik...

Data Protection Authorities published several decisions related to the processing of health data in the past months.

Such decisions shed light on the key measures to implement to stay compliant with privacy (and healthcare) laws and avoid a critical finding.

Many thanks to GDPR hub NOYB and to IAPP for all this valuable information!

Global:

Fact:

Fitness app Strava's location tracking tools that allow users to track their runs have also shown the location data of politicians and U.S. Secret Service members on its platform, the Guardian reports. France's President Emmanuel Macron, as well as U.S. officials, told government workers to stop using the app to prevent further location data from being tracked.

Read article from the Guardian: https://www.theguardian.com/li...

Takeaway:

Politicians and members of secret services should only use apps certified by their government. The problem here is that even if governments ask such people to use only encrypted, secured and verified apps or software or web portals, we know that people continue using public apps like whatsapp, facebook, gmail, etc. the same happens with healthcare professionals: they should always use the government backed email app, but they use others as it is easier for them. In conclusion, personal data breaches (including cyberattacks) are often due to human error.

Canada:

Fact:

Information commissioners in British Columbia and Ontario released a joint report on the investigation into a data breach of genetic testing company LifeLabs that impacted the personal health data of approximately 15 million people. The investigation found LifeLabs did not have adequate privacy safeguards and was not compliant with Ontario's Personal Health Information Protection Act and British Columbia's Personal Information Protection Act. 
Full story

Takeaway:

All organisations should implement the basic security measures recommended by their country's IT security or cybersecurity agency, like NIST Cybersecurity Framework in the USA, The National Cyber Security Centre (NCSC) in the UK, ANSSI in France, etc. Organisations can also read and apply the principles described in the well known ISO 27001 norm, or the Code of Conduct from professional association ISACA, which are recognised globally. Not implementing such security measures is a breach of privacy principles, especially for an organisation processing patient data, even encoded.

Italy:

Fact:

After non-compliance with a patient’s request for access to pictures taken before and after their surgery, the DPA fined a doctor €4,000 for a violation of Article 15 GDPR. Read more or edit on GDPRhub...

Takeaway:

The right to access is a basic right of every person in EU/EEA/UK/CH, and the medical doctor should have answered promptly to this request.

UK:

Fact:

DNA testing company Atlas Biomed allegedly closed, leaving consumers to question what happened to their sensitive genetic data. 

The U.K. Information Commissioner's Office said it received complaints that the company did not inform users of its data deletion process or provide information about how consumer information was handled after the company ceased trading. Read the article from the BBC here: https://www.bbc.com/news/artic...

Takeaway:

Consumers took a risk when they shared their DNA with a start up company like Atlas Biomed. People should share sensitive personal data only with companies that they trust and which have a record track on the market. Now that this happened, let's hope the ICO will get back with a positive answer to the clients of Atlas Biomed. Because of such risk, genetic tests done by consumers over the web are prohibited in some European countries.

US:

Fact:

Cyberattacks on Albany ENT & Allergy Services ('AENT') Compromised the Medical Records of Over 200,000 New Yorkers,
The health care provider AENT agreed to pay USD2.75 million to resolve claims of failing to protect patient information and failing to respond adequately to a cyberattack. 

The New York attorney general's office said USD500,000 of the amount is penalty-related while the rest (2.25 million USD) will be invested into information security infrastructure.

Full story/ https://ag.ny.gov/press-releas...

Takeaway:

While there is no 100% protection against cyberattacks, organisations should implement the basic security measures recommended by their country's cybersecurity agency, like NIST Cybersecurity Framework in the USA, The National Cyber Security Centre (NCSC) in the UK, ANSSI in France, etc. Organisations can also read and apply the principles described in the well known ISO 27001 norm, recognised globally. Not implementing such security measures is a breach of privacy principles, especially for an organisation processing patient data, even encoded.

Fact:

The U.S. Department of Health and Human Services' Office for Civil Rights settled two cybersecurity cases related to ransomware attacks. The Plastic Surgery Associates of South Dakota agreed to pay USD500,000 for allegedly failing to adequately secure patient information under the Health Insurance Portability and Accountability Act Security Rule ('HIPAA'). 

The other resolution was with Bryan County Ambulance Authority, which settled for USD90,000 after the service allegedly did not conduct a security risk assessment as required under the HIPAA.

Read the article: https://www.hhs.gov/about/news...

Takeaway:

All organisations collecting or processing patient data, even encoded, should conduct a security and a privacy risk assessment, and come to the conclusion that the risk for the private life of patients is negligible. They should keep such documents as evidence in case of audit/inspection.

Fact:

How women's phones became a tool for abortion surveillance: U.S. Sen. Ron Wyden, D-Ore., said in an article on MSNBC that data brokers' access to sensitive personal information including location tracking data could mean women's reproductive health information is unnecessarily monitored. Wyden called for stronger privacy laws to protect consumers' personal information from being collected and sold. He said technology companies that sell consumers' personal information should also be held accountable.

Takeaway:

In the US, it is current practice that people's personal data are sold without their consent, and in some cases, even without people being informed. That's an area where European privacy laws in Europe provide more protection for the private life of people: it is forbidden to collect personal data of people, even encoded, unless you have a valid legal basis and you informed the persons. And it is forbidden to resell personal data unless you have the explicit consent of the persons.

As of 5 August 2024., Israel entered a new era with a unique framework for data protection and governance, shielded by significant penalties.

Following the important update, the law will include administrative fines of up to 5% of annual turnover, statutory and exemplary damages in civil actions, severe criminal penalties, new definitions for foundational terms, enhanced notice requirements, mandatory appointments of chief information security officers and data protection officers, notification and submissions duties, registration and specific provisions for data brokers and special provisions for law enforcement and national security agencies. It is a major reform to the Protection of Privacy Law, 5741-1981. 

Titled Bill No. 13, the reform takes effect a year following its enactment by the Israeli Parliament, the Knesset. It is primarily driven by the need to enhance the protection and security of personal data, especially considering the large increase in cyberattacks amid the current armed conflict in the region. 

The new reform is expected to significantly impact the entire market, including public authorities. Everyone will be affected and will need to tune-up personal data practices. 

One of the first laws — One of the last to face modernization 

The history of privacy laws in Israel started in 1981. Soon after the Organisation for Economic Co-operation and Development published its first set of guidelines, Israel enacted the PPL. At that time, 43 years ago, it was one of the first global attempts to create a comprehensive statutory framework for privacy protection. Eleven years later, Israel enshrined the right to privacy as a constitutional right in the Basic Law: Human Liberty and Dignity. Four years passed, and in 1996, a comprehensive chapter on data protection was added to the law. There have since been very few and relatively minor amendments to the PPL. 

The Protection of Privacy (Data Security) Regulations. 

In May 2018, while the world focused on the newly effective EU General Data Protection Regulation, Israel enacted the Data Security Regulations, taking a cybersecurity-oriented approach. 

Unlike other sector-specific cybersecurity regulations, these regulations govern the entire private market and all public authorities. The regulations include a detailed, layered set of requirements for deploying specific security measures and establishing an appropriate information security management system. 

Six years later, the new Bill No. 13 reform introduces hefty fines for violations of these regulations. 

Emergence of the Privacy Protection Authority. 

Amid years of uncertainty around modernizing the outdated law, the PPA has become a dominant force, introducing GDPR-like concepts and AI ethics to fill the void. Over a five-year period, despite weak enforcement powers, the PPA conducted wide-scale supervision campaigns and released 71 sets of guidelines, opinions, recommendations and market compliance reports. These address modern data protection concepts such as privacy-by-design and privacy impact assessments. They also analyze and provide recommendations related to modern smart cities, autonomous drones, deepfakes, telemedicine and machine learning. When the Bill No. 13 amendments take effect, the PPA will have immense powers, making it one of the most formidable regulators in the country. The PPA will use its power to enforce its interpretation of the law, as outlined in its published guidelines and directives.

Partial alignment with the GDPR

On 15 January 2024, the European Commission concluded that Israel, continues to provide an adequate level of protection for personal data transferred from the EU. While Israel has made significant efforts to maintain the adequacy recognition, its privacy laws differ in several keyways from the GDPR, including:

• Information security plays a dominant role, including detailed regulations, mandatory annual programs and management and mandatory appointment of information security officers. 

• There are multiple rules for managing "databases," not just personal data, including registration and notification duties. 

• In addition to engaging under data processing agreements, controllers must maintain a vendor management framework, including pre-engagement vetting procedures, ongoing monitoring and receiving annual vendors' reports. 

• Mandatory appointment of privacy protection officers with different roles than the DPO under the GDPR.

• Mandatory notification requirements for controllers with large sensitive databases.

• Database registration obligations for data brokers and public entities.

• Mandatory periodic procedures, such as an annual evaluation of data retention, periodic cyber incidents review, updates to statutory asset management documentation and review of annual vendor reports.

The reform under Bill No. 13 brings the PPL closer to modern legal terminology, introducing GDPR-like definitions for personal data and processing. However, other definitions remain distinct. For example, a "controller" (of a database) is the entity that determines the purposes of processing, without the need to determine the means of processing. This approach reflects better the reality of relationships between controllers and processors. The term "data with special sensitivity," in addition to categories similar to those under Article 9 of the GDPR, includes additional data types such as payroll data, financial activities, professional personality reviews, intimate family matters, location data, and personal data subject to a legal duty of confidentiality. Processing data with special sensitivity requires substantial information security controls, and violations involving such data are subject to higher fines.

Controllers processing this data for at least 100,000 data subjects must submit a notice to the PPA, including details of the controller and the privacy officer, and a copy of the data definitions document — a mandatory documentation of the controller's processing activities.

Mandatory appointment of officers

A duty under a data protection law to appoint an information security officer is quite unique. It has been mandated by the PPL since 1996. Bill No. 13 redefines this requirement and extends it to various entities including: controllers and processors of at least five databases subject to a registration obligation — public bodies and data brokers — or notification to the PPA — large sensitive databases; government ministries, authorities, municipalities and statutory corporations; data brokers; and banks, insurers and credit scoring service providers.

Bill No. 13 also mandates the appointment of Privacy Protection Officers (for simplicity, they will be referred to as DPOs). The terms mandating the appointment of a DPO are similar to those under the GDPR, with the additional requirement that data brokers must appoint one as well. Yet, all other provisions overlap only in part with those under the GDPR. DPOs must be experts in privacy laws, but they also need to possess appropriate knowledge in technology and information security.

Furthermore, the DPO's roles include:

• Ensuring compliance with all provisions of the PPL, including privacy protection requirements unrelated to personal data — such as a complaint against an employer for conducting a bag search at work.

• Preparing a plan for ongoing compliance control with the provisions of the PPL and verifying the plan's implementation.

• Ensuring that the mandatory information security policy follows the Data Security Regulations. The law's emphasis on appointing professional officers underscores the importance of the synergy between data protection and data security management. It highlights the need for designated personnel to establish and maintain compliant corporate data governance, particularly focusing on entities and practices that pose a higher level of risk. 

AI ethics enforcement:

In its 13 Dec. 2023 policy paper on AI principles, regulation and ethics, the Israeli government opted to forgo formal artificial intelligence legislation. Instead, it established a strategic policy grounded in existing regulatory frameworks, "soft law," and globally accepted principles. This approach reflects an intent to align with international regulatory trends while avoiding overly burdensome local regulations. The policy provides a foundation for local regulators to enforce the responsible development, deployment and use of AI systems within their respective regulatory boundaries. 

More than a year earlier, on 18 July 2022, the PPA published its first AI-related opinion. Based on the interpretation of existing law, the PPA introduced enhanced transparency and disclosure duties associated with the use and development of AI systems for collecting personal data and for automated decision-making.

PPA officials have expressed a specific interest in the intersection of data protection and AI ethics, and it is expected the PPA will continue to publish additional opinions and guidelines on this matter. No doubt that with Bill No. 13 providing substantial enforcement powers, the PPA will enforce its published interpretation of the law on AI-related personal data processing.

Data subjects rights

Israeli privacy laws provide narrower rights to individuals compared to the GDPR. 

These include the right of access and rectification, and limited rights to deletion, objection to processing, and to data portability. 

Access and rectification:

Bill No. 13 introduces specific fines for violations of the existing rights of access and rectification, which will likely enhance awareness to the exercise of these rights. This is the only change related to data subjects' rights under the current reform.

Right to delete.

The right to be forgotten is offered only in part. Published on 7 May 2023, the Privacy Protection Regulations (Instructions for Data Transferred to Israel from the European Economic Area), 5783-2023 were enacted to support Israel's efforts to maintain the EU Commission's adequacy recognition. They set out enhanced protections for personal data originating in the EEA and processed in Israel. One such protection is the right to delete, which by 1 Jan. 2025 will apply to any personal data residing with EEA-originated data in the same database. Consequently, the right to delete will extend to a significant number of databases governed by Israeli laws.

Data portability rights.

There is no general right to data portability under Israeli laws. However, specific laws created portability rights in certain contexts: 

The Financial Information Services Law, 5781-2021 establishes data portability for financial data as part of the open banking framework; The Medical Data Portability Law, 5784-2024, enacted 24 July, allows individuals to consent to the transfer of their medical information between health organizations of their choice; and, the Electricity Authority's Decision No. 61610 (13 Oct. 2021) provides data portability rights for electricity services data management.

Right to object.

There is no general right to object to processing under Israeli laws. 

However, the Communications Law (Telecommunications and Broadcasting), 5742-1982 mandates an unsubscribe right from receiving "advertisement material" (spam) via email, text messages, fax and automated dialing systems. The PPL further provides individuals the right to demand the deletion of personal data from a database used for direct mailing. It is yet to be seen if additional bills to amend the PPL will enhance the set of rights under the existing law.

A complex structure of fines, criminal procedures and other enforcement powers

Bill No. 13 introduces a complex structure of fines for various statutory obligations. Each obligation comes with a specific penalty, which the PPA may reduce by up to 70% based on certain considerations defined in the PPL, such as a first-time violation. Examples of fines include: Processing without permission. For example, a processor can be fined ILS40 million (about 10 million euros) for processing personal data without the controller's permission in a database with 5 million customers (ILS8 per customer). Similar fines apply to other violations, such as failing to provide a privacy notice or disobeying a PPA order to stop processing personal data.

Data Security Regulations violations.

For example, violation of a provision under the Data Security Regulations will cost ILS320,000 (about 80,000 euros) if the database contains personal data about a million individuals. Reduced fines apply to smaller databases.

Small and micro businesses: Fines for small and micro businesses are capped at ILS140,000 (about 35,000 euros) per annum. Maximum fine. All fines are capped at 5% of the business’ annual turnover.

The reform equips the PPA with additional substantial enforcement powers, including:

• Offering the violating entity to submit a written no-violation undertaking, with a bond.

• Ordering the cessation of violations.

• Issuing administrative warnings.

• Suspending or canceling database registrations.

• Conducting administrative inquiries.

• Seizing computer material under a court order.

• Conducting supervision campaigns on multiple entities in designated sectors.

• Providing prior consultations.

• Imposing immediate, complete deletion of a database under a court order.

Criminal offences under the PPL include: Offences subject to three years imprisonment — Processing without the controller's permission, providing intentionally misleading information in the privacy notice and unauthorized disclosure of personal data from a public authority's database. Other offences subject to penalties ranging from six months to five years imprisonment — A breach of confidentiality, certain intentional privacy violations, and interference with PPA officials' activities. 

These enforcement measures reflect the comprehensive approach of Bill No. 13 in enhancing data protection in Israel.

Civil action and class actions

Israel is a highly litigious country. Privacy violations are subject to statutory and exemplary damages in civil actions, and to class actions. Under the PPL, a privacy violation is considered a tort and can result in statutory damages of up to ILS100,000 (about 25,000 euros), following a 2007 amendment to the law. Bill No. 13 introduces an additional layer of exemplary damages of up to ILS10,000 (about 2,500 euros) for database-related violations, such as: Failure to provide a privacy notice (subject to a 30-day warning); and failure to comply with requests to exercise the right of access and rectification. Additionally, the reform extends the statute of limitations for civil actions to seven years, compared to the previous two years only. 

Furthermore, in recent years, filing privacy class actions has become common practice. The current Class Actions Law, 5766-2006 does not explicitly include provisions under the PPL as grounds for filing a class action. As a result, claimants have used closely related laws, such as the Consumer Protection Law, 5741-1981, to file their claims. However, a current bill to amend the Class Actions Law proposes adding explicitly violations of the PPL to the list of causes of action. Once enacted, privacy class actions will have a more solid statutory foundation which will likely increase the volume of such actions. Looking ahead The Ministry of Justice has already drafted a bill to further amend the PPL, aiming to continue aligning the law with modern laws such as the GDPR.

The draft bill introduces, inter-alia, new lawful grounds for processing, expands data subject rights, and includes provisions for conducting privacy impact assessments and ensuring privacy by design. It remains uncertain when or if the government will advance this bill, and if Israel will maintain its different regulatory scheme, or rather align it with the GDPR. 

Takeaways:

For years, privacy enforcement in Israel was limited. The recent reform makes a drastic change and requires greater attention to the processing of personal data, as the regulatory, civil and criminal risks become high. GDPR compliance work does not cover all mandatory requirements under Israeli laws. It calls for a reassessment of data processing activities in Israel and for a reallocation of time and resources to be prepared for a new era of regulation. 

There is no doubt that sensitive types of processing, mass-scale databases, and the use of personal data with advanced technologies, including AI systems, will be the top priorities for supervision, enforcement and litigation. 

On 13 November 2024, the Spanish DPA, the AEPD, released a technical document on the possibility to delete personal data in a Blockchain environment, and highlights the Interplay between Privacy and Blockchain.

The AEPD publishes a technical note regarding Blockchain and the right to erasure.

The Proof of Concept included in the note demonstrates the feasibility of building Blockchain infrastructures that allow compliance with the General Data Protection Regulation ('GDPR').

The document is complemented with additional technical information and a demonstration video

The technical note describes the fundamentals of Blockchain infrastructures and clarifies concepts used within the framework of this technology from a data protection perspective. It also analyzes real cases of applying changes and managing the governance common in such infrastructures.

Policies are then developed, including organizational and technical measures, to implement the right to erasure in a Blockchain infrastructure.

Finally, after analyzing and documenting the components of a real Blockchain infrastructure in widespread use, they are applied in a practical way in a use case of deleting a user's activity, including information related to Smart-Contracts.

Although there are previous works to manage the deletion of information in a Blockchain infrastructure, this Proof of Concept constitutes a fully functional, documented and specifically GDPR-compliant demonstrator, without pretending to be a commercial solution for direct application in the market. In addition, it contemplates the management of personal information stored throughout the Blockchain, that is, not only the information in the block transactions, but other information such as that recorded in transaction receipts.

This document is complemented with additional technical information and a demonstration video:

Read the article in Spanish here: https://www.aepd.es/prensa-y-c...

Vídeo in Spanish: https://youtu.be/DSRxcKhVdrE
Vídeo in English: https://youtu.be/H7gnoI3B7SY

1. A startup biotech dissolves after an unsuccessful phase 2 clinical study: the biotech didn't find an organization to buy its assets; the biotech should:
2. Transfer the ownership of the clinical study data to an academic not for profit organisation.
3. Just delete all clinical data and documents.
4. Put all (redacted) clinical data and documents on the public web as open data accessible to all the public, so researchers can reuse health data to conduct additional research if they wish so.
5. Put the clinical database on a hard drive and store it at the home of the former CEO of the biotech, in the cellar.
6. Notify the Research Ethics Committees and wait for their opinion.
   
   ANSWER: e): in all cases, the start-up biotech should notify the Research Ethics Committees and wait for their opinion. At this occasion, solution a) (Transfer the ownership of the clinical study data to an academic not for profit organisation) could be envisaged.
   
   

   2. In the situation described above, how can the patients exercise their rights on their personal data?
             a. They contact the hospital where they did the visits.

             b. Patients cannot exercise their rights anymore.

             c. They need to contact the CEO of the dissolved biotech at his/her home.

ANSWER: a) whatever the solution identified by the dissolving biotech with the Research Ethics Committees ('RECs'), the patients can always exercise their rights by contacting the clinical sites. But if the dissolving biotech transfers the ownership of the clinical study data to another organisation, then all the patients need to be informed that they can exercise also their rights on such data.

Remember that as a sponsor of a clinical study, you must keep the clinical study data for 25 years after the submission of the Clinical Study Report (rule for the EU: storage duration guidelines can vary in other geographies). And as the sponsor, you will be held responsible if you deleted the data base, or if you didn't inform the patients on how they can exercise their rights on their personal data.

The best practice is to inform the RECs.

You are thinking on winding down your activity and you wonder what to do with your clinical study data and the TMF? Contact Bertrand at b.p.lebourgeois@pharmarketing.net