
The EU General Data Protection Regulation: Implications for Research

Leslie Thornton, PhD, JD, Associate, Ropes & Gray

Nick Wallace, JD, Associate, Ropes & Gray

June 13, 2018


About Advarra

– North America’s premier provider of IRB, IBC and global research compliance services
– Leverage strengths in technology, regulatory expertise and customer service to serve increasingly complex research needs


About Advarra

Combined 50+ years of experience

Access to over 2,000 unique institutional research sites

Global consulting services

The industry’s most comprehensive and efficient technology


www.advarra.com


About Today’s Presenters

Leslie Thornton, PhD, JD, Associate, Ropes & Gray

– Practices in the health care group.
– Advises clients on a broad range of compliance, regulatory and transactional issues, with a primary focus on research, including pre-clinical and clinical trials, federal grants and contracts, research misconduct, government enforcement, and privacy (HIPAA, GDPR).
– Completed secondments within the in-house research and development legal divisions of two manufacturers.
– Works with academic medical centers, universities, research institutes, hospitals, pharmaceutical and medical device manufacturers, managed care plans, health-focused startups, long-term care providers and other health care organizations.
– PhD from Johns Hopkins Bloomberg School of Public Health
– JD from University of California, Berkeley School of Law
  • Served as supervising editor of California Law Review


About Today’s Presenter

Nick Wallace, JD, Associate, Ropes & Gray

– Practices in the health care group.
– Advises clients on investigations, audits and regulatory matters, especially in the research and reimbursement spaces.
– Works on a variety of issues, including privacy regulations (HIPAA and GDPR), federal grant issues, informed consent, good clinical practice, research misconduct, and health care provider reimbursement.
– Works with clinical trial sponsors, universities, hospitals, research sites and other health care and life sciences organizations.
– JD from Yale Law School
  • Served as editor of Yale Journal on Regulation


The EU General Data Protection Regulation: Implications for Research

Leslie Thornton, Ph.D., JD: [email protected]

Nick Wallace, JD: [email protected]


Agenda

– Introduction to the GDPR
– Jurisdictional Scope of the GDPR
– Bases for Processing Personal Data
– Consent under the GDPR
– Bases for Transferring Personal Data
– Implications if GDPR Applies to U.S.-Based Entities
– Hypotheticals/Examples


Introduction

Effective May 25, 2018, the European Union’s General Data Protection Regulation (the “GDPR”) has implemented a number of changes to privacy law in the European Economic Area (“EEA”).

This presentation provides an overview of certain situations in which GDPR may affect the research-related activities of U.S.-based entities, including companies, academic medical centers (“AMCs”), universities, and other research organizations.

GDPR compliance will be especially relevant to Institutional Review Boards (“IRBs”) and Ethics Committees (“ECs”), charged with ensuring the ethical conduct of research, one dimension of which is respect for the privacy of subjects and the confidentiality of data.


GDPR and Superseded Data Protection Directive

GDPR superseded the prior EU Data Protection Directive (Directive 95/46/EC) (the “Directive”), which was adopted in 1995.

The Directive and GDPR apply in the 28 EU member states and 3 additional countries (Iceland, Liechtenstein and Norway) that together make up the EEA.

– The United Kingdom is preparing for GDPR implementation despite “Brexit.”

As a regulation under EU law, the GDPR will apply directly across all of the EEA’s member states, unlike the Directive, which supplied general principles that required implementation in the national legislation of each member state.


[Figure: Map of EEA Member States]


“Personal Data” under the GDPR

“Personal data’’ are defined broadly to include:

– “[A]ny information relating to an identified or identifiable natural person (“data subject”).” GDPR, Art. 4(1)

“An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.’’ GDPR, Art. 4(1)


“Personal Data” under the GDPR

Set of data to which GDPR applies is broader than that covered under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

– Applies to all “personal data” across all sectors of the economy, not only health care; no concept of “covered entity.”

– Personal data under GDPR include, for example, identifying information on EEA health care providers (“HCPs”), such as principal investigators, and other persons who are not patients. Research sponsors likely will also obtain such data from persons who are not study subjects, such as those conducting the study.

IRBs/ECs will need to consider protection of a broader range of research subjects’ personal data under the GDPR.


“Personal Data” under the GDPR

Under GDPR, no anonymisation “safe harbor” akin to HIPAA removal of identifiers.

– Whether data are anonymized such that they are no longer identifiable is judged on a facts and circumstances test, taking into account “all the means reasonably likely to be used . . . [e]ither by the controller or by another person to identify the natural person directly or indirectly.” GDPR, Recital 26

– “Pseudonymised” data (e.g., key-coded data) remain “personal data.”


“Special Categories of Personal Data” under the GDPR

Prohibition on processing “special categories” of personal data absent an applicable exception.

“Special categories” of personal data include:
– Racial or ethnic origin
– Data concerning health
– Data concerning a natural person’s sex life or sexual orientation
– Genetic data
– Biometric data used for the purpose of uniquely identifying an individual
– Political opinions, religious or philosophical beliefs, or trade union membership

GDPR, Art. 9


Controller vs. Processor

Controller: Alone or jointly with others determines the purposes and means of processing personal data.

Processor: Processes personal data on behalf of the controller.

Both controllers and processors regulated directly under GDPR.

Controllers have more responsibilities, for example:

– Providing notices to data subjects, responding to exercise of subject rights, appointing representative in EEA, notifying supervisory authorities and data subjects of data breaches, maintaining records of processing.


Directive’s Application to U.S.-Based Organizations

GDPR applies extraterritorially in a broader range of circumstances than those in which the Directive had applied.

– Typically, the Directive had applied to U.S.-based entities only in those scenarios in which the entity was “established in” the EEA.

– An entity could be deemed “established in” the EEA by virtue of:

Operating a subsidiary or campus in the EEA; or

Operating an office in the EEA.


GDPR’s Application to U.S.-Based Organizations

GDPR applies if the organization acts as a data controller or processor and:

– Is established in the EEA;
– Offers goods or services to individuals in the EEA; or
– Monitors the behavior of individuals in the EEA.


GDPR and Citizenship

GDPR is agnostic to the citizenship of the data subject.

– EU citizens who obtain employment and reside in U.S. generally not covered by GDPR.

– U.S. citizens who work at EU branch of U.S. entity and reside in EU generally would be covered.


Offering Goods or Services

GDPR provides that, ‘‘[i]n order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.’’ GDPR, Recital 23

– The goods or services offered should be considered ‘‘irrespective of whether connected to payment.’’

Little guidance has been offered on the meaning of ‘‘offering goods or services’’ to persons located in the EEA.


Offering Goods or Services

GDPR clarifies that ‘‘mere accessibility of the controller’s, processor’s or an intermediary’s website’’ in the EEA is insufficient to ascertain an intention to offer goods or services in the EEA. GDPR, Recital 23

– GDPR jurisdiction therefore requires that a website be somehow directed to EEA data subjects, such as translating the website into an EEA member state language, using an EEA member state currency, or mentioning customers or users in the EEA. GDPR, Recital 23


U.S. Organizations Offering Goods or Services

Arrangements in which a U.S.-based entity may be determined to “envisage” offering services to EEA data subjects:
– Clinical Trial Agreement between U.S.-based sponsor and EEA study site;
– U.S.-based sponsor’s translation of informed consent documents, FAQs and its webpage into one or more EEA languages;
– U.S.-based sponsor’s provision of investigational product to an EEA study site as part of a multi-site clinical trial;
– U.S.-based entity’s provision of a mobile application to EEA residents for collection of research data; or
– Collaboration agreements with universities in EEA member states to develop educational platforms and share data.


U.S. Organizations Offering Goods or Services

Terms of research arrangements involving European governmental grants or contracts may require compliance with GDPR.

– U.S. universities or AMCs may be direct awardees or sub-recipients through EEA institutions of European governmental grants or contracts to perform research services.

– Data flows with EEA direct grant awardees should be scrutinized to see if they involve offering services to EEA data subjects.


GDPR Recitals on “Monitoring Behavior”

GDPR’s recitals provide that “[i]n order to determine whether a processing activity can be considered to monitor the behavior of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviors and attitudes.” GDPR, Recital 24


“Monitoring Behavior” and Clinical Trials / Human Subjects Research

Conducting clinical research with research sites or research subjects located in the EEA could involve activities that may constitute “monitoring of the behavior of data subjects.”

– Multi-Site Research: A U.S.-based sponsor, or a U.S. university or AMC that serves as a lead site, of a clinical trial with sites located in the EEA could be seen as monitoring the behavior of data subjects in the EEA, for example, by reviewing data regarding subjects’ adherence to trial requirements or monitoring data collection and adverse events.

– Mobile Application Research: Mobile applications (or “apps”) may be used by a site that enrolls subjects in a study remotely, with the app collecting data on subjects’ physical condition or geographic location through subjects’ mobile phones. If such arrangements transmit data to the study site or to the sponsor or its vendors, this activity could be seen as the data recipient’s “monitoring behavior” of data subjects in the EEA.


GDPR Application to Sponsor with Sites in EEA

[Diagram] A U.S.-based sponsor that is established in the EEA, offering goods/services in the EEA, and/or monitoring behavior of EEA data subjects receives personal data from sites in the EEA. The processing needs a GDPR basis for processing, and the transfer of the personal data out of the EEA needs a GDPR basis for transfer.


GDPR Application to Multi-Site Trial

[Diagram] An EEA-based sponsor with sites in the EEA and sites in the U.S.:

– Sites in the EEA need a GDPR basis for processing; the sponsor needs a GDPR basis for processing personal data from the EEA.
– Sites in the U.S. do NOT need a GDPR basis for processing; the sponsor nonetheless needs a GDPR basis for processing personal data from the U.S.


NIH-Funded Lead Site in U.S.

[Diagram] An NIH-funded, U.S.-based lead site working with EEA sites and a U.S.-based data coordinating center (“DCC”), with personal data flowing from the EEA sites:

1. EEA site, lead U.S. site, and DCC need a GDPR basis for processing.
2. EEA site needs a GDPR basis for transfer.

The other data flows shown in the diagram are labeled “GDPR Does Not Apply.”


Authority for Processing Personal Data

Processing of personal data that is subject to GDPR requires a legal basis.

– Cf. HIPAA and need for legal basis to use or disclose PHI.

Different legal bases are available for processing of regular personal data as opposed to “special categories” of personal data.

The consent of the data subject is a basis for processing both regular personal data and special categories of personal data.

Consent will often prove useful in the research context, and is likely to be the basis for processing most seen by IRBs.


Bases for Processing Personal Data

Bases for processing personal data include:
– Data subject has given consent to processing.
– Processing necessary for the performance of a contract to which the data subject is a party.
– Processing necessary for compliance with a legal obligation.
– Processing necessary to protect vital interests of the data subject or a natural person.
– Processing necessary for a task carried out in the public interest.
– Processing necessary for the legitimate interests of the controller or a third party, except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject.

GDPR, Art. 6(1)


Bases for Processing Special Categories of Personal Data

Bases for processing special categories of personal data include:
– Explicit consent. GDPR Art. 9(2)(a)
  • GDPR notes that more restrictive laws of the EU or an individual EEA member state may provide that the data subject may not lift, even by consent, the general prohibition on processing special categories of personal data. Disparities could emerge across EEA member states.
  • The Article 29 Data Protection Working Party (the “Working Party”), a body that provides non-binding guidance on EU data protection law, has advised that “‘explicit consent’ is understood as having the same meaning as express consent” and that “[u]sually, explicit or express consent is given in writing with a hand-written signature.” Opinion No. 15/2011 (WP197), Article 29 Data Protection Working Party


Bases for Processing Special Categories of Personal Data

(continued)
– Necessary for scientific or historical research purposes
  • However, GDPR provides that EEA member states should provide for appropriate safeguards for the processing of personal data for research purposes, which could lead to disparate requirements across EEA member states.
  • Unclear if member states must take affirmative action to permit reliance on this basis.
– Public interest in the area of public health
  • Most directly relates to processing by health professionals to protect public health in the event of epidemics or pandemics, or reporting of adverse events by life sciences companies to regulatory authorities.
  • It is not clear that the life sciences community could/should rely on this basis without a direct link between the research and public health.

See GDPR Art. 9(2)


Working Party Guidance on Consent

The Working Party issued draft guidelines on consent under GDPR on December 12, 2017, and final guidelines on April 16, 2018.
– Final guidelines retain many of the provisions that made the draft guidelines problematic.

The guidance highlights several key consent principles:
– Consent has 4 elements:
  • Freely given
  • Specific
  • Informed
  • Unambiguous indication by a statement or a clear affirmative action
– Consent should be as easy to withdraw as to give.


Working Party Guidance on Consent

Addresses scientific research specifically, containing several potentially problematic interpretations, of which IRBs should be aware:
– Breadth of Consent
  • GDPR recitals recognize that “[i]t is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research. . . .” GDPR, Recital 33
  • However, the Working Party guidance limits the application of this helpful recital: “Recital 33 does not disapply the obligations with regard to the requirement of specific consent.” Final Guidelines, 28
  • Final Guidance removes a provision that had been included in the Draft Guidance, which stated that “[w]here purposes are unclear at the start of a scientific research programme, controllers will have difficulty to pursue the program in compliance with the GDPR.” Draft Guidelines, 27
    – Removal could suggest that the Working Party determined that broad consent to future research uses is not categorically incompatible with the GDPR.
  • Yet, other problematic recommendations remain . . .


Working Party Guidance on Consent

Breadth of Consent (continued)
– Special categories of data processed on the basis of explicit consent will be subject to a stricter interpretation of Recital 33 and require a high degree of scrutiny.
– Obtain additional consent as research advances and more details are known about future research activities.
– If details of research are not known with specificity at outset, updates regarding details of the research should be provided to subjects as the information becomes known so that subject can determine whether to exercise right to withdraw.
– Suggests making available a “comprehensive research plan” to subjects at the outset of the research.


Working Party Guidance on Consent

Withdrawal of Consent
– Guidance recognizes that “withdrawal of consent could undermine types of scientific research that require data that can be linked to individuals.”
– Nonetheless, guidance continues:
  “[T]he GDPR is clear that consent can be withdrawn and controllers must act upon this – there is no exemption to this requirement for scientific research. If a controller receives a withdrawal request, it must in principle delete the personal data straight away if it wishes to continue to use the data for the purposes of the research.” Final Guidelines, 29–30
– Final guidance modified the above by:
  • Removing “or anonymise” after “delete.” This appears to be an editing error, as removing anonymization as an option would result in a nonsensical interpretation that controllers should delete personal data to continue using them. Further, the Working Party cites its guidance on anonymization techniques in a footnote to this provision.
  • Replacing “should” with “must in principle.” This suggests a slightly more flexible approach regarding the instances in which data may be retained for future research purposes.


Working Party Guidance on Consent

Possible reconciliation of withdrawal of consent and legal requirements to maintain data:
– “Controllers have an obligation to delete data that was processed on the basis of consent once that consent is withdrawn, assuming that there is no other purpose justifying the continued retention. . . . In that case, the other purpose justifying the processing must have its own separate legal basis. This does not mean the controller can swap from consent to another lawful basis.”
– “Controllers should therefore be clear from the outset about which purpose applies to each element of data and which lawful basis is being relied upon.”
– Once personal data have been collected for research, maintenance of data to meet adverse event monitoring and trial integrity requirements relies on basis that processing is “necessary for reasons of public interest in the area of public health, such as . . . ensuring high standards of quality and safety of health care and of medicinal products or medical devices . . . .” GDPR, Art. 9(i)


Working Party Guidance on Consent

Working Party notes that, even if the controller relies on another basis to retain data, the controller must still respect data subjects’ requests for erasure, which is a separate right of data subjects under the GDPR.

Requests for erasure under the GDPR are subject to an exception that permits controllers to retain data for compliance with legal obligations or for scientific research purposes if deletion would be likely to render impossible or seriously impair the achievement of the objectives of such processing. GDPR, Art. 17(3)


Working Party Guidance on Consent

Duration of Consent
– GDPR sets no time limit on how long consent is valid.
– Working Party guidance notes that “[h]ow long consent lasts will depend on the context, the scope of the original consent and the expectations of the data subject” and recommends “as a best practice that consent should be refreshed at appropriate intervals.”
– GDPR Articles 13 and 14 contain notice requirements, mandating that subjects be told the length of storage period.
  • Cannot state “as long as necessary for legitimate interests of the processing.”
  • If it is not possible to state a specific period, must describe the criteria used to determine that period.


Working Party Guidance on Consent

Need to Re-consent Subjects in Ongoing Research
– GDPR recitals state that “it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation. . . .” GDPR, Recital 171
– Working Party guidance clarifies that if existing consent meets requirements of explicit consent but fails to contain notice requirements of Articles 13 and 14, this alone would not require re-consent.
  • Information required by Articles 13 and 14 can be provided in a separate privacy notice.


Working Party Guidance on Consent

Finally, the Working Party guidance on consent notes that consent is not the only legal basis under which the GDPR permits data to be processed in connection with scientific research, even in instances in which consent is collected to satisfy “an ethical standard or procedural obligation” related to the research itself. The Working Party notes, in particular:

– Art. 6(1)(e) – Processing for performance of a task carried out in the public interest.

– Art. 6(1)(f) – Processing for the legitimate interest of the controller.

– Art. 9(2)(j) – Processing necessary for scientific research purposes.


AGENDA

– Introduction to the GDPR
– Jurisdictional Scope of the GDPR
– Bases for Processing Personal Data
– Consent under the GDPR
– Bases for Transferring Personal Data
– Implications if GDPR Applies to U.S.-Based Entities
– Hypotheticals/Examples


Requirements for Transfer of Personal Data to U.S.

Both the Directive (prior law) and GDPR require that a legal basis be in place to permit the transfer of personal data from the EEA to jurisdictions lacking adequate data protection legislation (e.g., the United States). Directive Ch. IV; GDPR Ch. V

Transfer requirements apply even if the GDPR does not apply directly to the receiving entity.

The intent is to ensure that GDPR-level protections are extended to personal data notwithstanding their transfer.


White Listed Jurisdictions

Certain countries have been “white listed” as offering adequate data protection, including:

– Argentina
– Canada
– Israel
– New Zealand
– Switzerland
– Uruguay
– Andorra, Faeroe Islands, British Crown Dependencies (Guernsey, Jersey, Isle of Man)
– Post-Brexit United Kingdom?


Legal Bases for Data Transfer

Obtaining the explicit consent of the data subject to the transfer of personal data to the U.S. for processing.

– Requires advising the data subject of the risks of the transfer resulting from the absence of adequate data protection legislation in the recipient jurisdiction. GDPR, Art. 49(1)(a)

Entering into model contractual clauses approved by the European Commission with the EEA entity transferring personal data.

– Two sets of controller-controller clauses.
– One set of controller-processor clauses.
– No processor-controller clauses.

GDPR, Art. 46(2)


Legal Bases for Data Transfer

Transfer necessary for performance of a contract between the data subject and the controller, implementation of pre-contractual measures taken at the data subject’s request, or a contract concluded in the interest of the data subject.

Transfer necessary for important reasons of public interest.

Transfer necessary for establishment, exercise or defense of legal claims.

Data transfers necessary to protect the “vital interests” of the data subject. Generally, “life and death” situations.

GDPR, Art. 49(1)


Legal Bases for Data Transfer

U.S.-based companies that are for-profit entities may have an additional option of applying for certification under the EU-U.S. Privacy Shield, a program administered by the U.S. Department of Commerce.

– Permits personal data to be transferred from the EEA to U.S. for-profit entities that self-certify for the program after implementing various data protection measures consistent with EU privacy law.

Associations may create codes of conduct setting forth rules on data processing. Such codes must be approved by the supervisory authority in the relevant EEA jurisdiction or the European Data Protection Board, if operable in multiple jurisdictions. GDPR, Art. 46(2)(e)


Legal Bases for Data Transfer

Binding corporate rules for intra-company transfers

– Must be approved by competent supervisory authorities
– Lengthy list of requirements, including:
  – Categories of personal data and type of processing
  – Application of general data protection principles
  – Rights of data subjects and means to exercise rights
  – Complaint procedures
  – Description of how notice of binding corporate rules is provided to data subjects
  – Cooperation mechanism with supervisory authorities
  – Data protection training for persons who have permanent or regular access to personal data

GDPR, Art. 47



Data Subject Rights

GDPR provides subjects several rights regarding their data, including:

– Right of access*
– Right to rectification*
– Right to erasure (“right to be forgotten”)*
– Right to restriction of processing*
– Right to data portability
– Right to object*
– Right not to be subject to automated individual decision-making

GDPR, Arts. 15–22

* = Exceptions possible under EU or Member State law for the research context. See GDPR, Art. 89


Data Subject Rights

Right of Access (Article 15)

– Extent of right: Right to obtain confirmation of and information about processing, as well as access to the data processed. The first copy must be free, but a reasonable fee may be charged for subsequent copies.

– Data affected: All personal data about the subject, regardless of how collected.

– Exceptions: Cannot adversely affect the rights and freedoms of others. If a large amount of data is held, the controller can ask the data subject to specify a subset.


Data Subject Rights

Right to Rectification (Articles 16 and 19)

– Extent of right: Right to have personal data rectified if inaccurate or incomplete.

– Data affected: All personal data about the data subject, regardless of how collected.

– Exceptions: Controller may keep earlier collected data if required for a legitimate purpose, provided subjects are informed of this.


Data Subject Rights

Right to Erasure (“Right to be Forgotten”) (Articles 17 and 19)

– Extent of right: Right to have personal data deleted or removed if:

  – Personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  – Data subject withdraws consent on which the processing is based;
  – Data subject objects to processing that was based on the legitimate interest of the controller and the controller cannot demonstrate compelling legitimate grounds for the processing;
  – Personal data have been unlawfully processed; or
  – Personal data have to be erased for compliance with a legal obligation in EU or member state law to which the controller is subject.


Data Subject Rights

Right to Erasure (Articles 17 and 19) (continued)

– Data affected: All personal data held by the controller. If personal data have been made public, the controller must use best efforts to contact third parties to inform them of the erasure request.

– Exceptions:
  – Exercising the right of freedom of expression.
  – Compliance with legal obligations that require processing by Union or member state law.
  – Reasons of public interest in the area of public health.
  – Scientific or historical research purposes, if erasure is likely to render impossible or seriously impair the achievement of the research.
  – Establishment, exercise or defense of legal claims.

– NB: Withdrawal of consent can require erasure of data even if an exception to the right of erasure applies.


Data Subject Rights

Controllers who do not need to know identity of data subject are not required to learn identity to comply with exercise of rights of access, rectification, erasure, restriction of processing, or portability.

GDPR, Art. 11

– Often will be the case for research entities that hold only pseudonymised data.

Joint controllers must, in a “transparent manner,” apportion their respective responsibilities for compliance with the GDPR, “in particular as regards the exercising of the rights of the data subject.”

GDPR, Art. 26


Required Privacy Notice Content

– Identity and contact details of the data controller and, where applicable, of the data controller’s representative;

– Contact details of the data protection officer, where applicable;

– Purposes of processing for which the personal data are intended and the legal basis for processing;

– The legitimate interests pursued by the data controller or a third party (if the legal basis relied upon is legitimate interests);

– Recipients or categories of recipients of the personal data, if any;

– Where the personal data were not obtained from the data subject, the source from which the personal data originated and, if applicable, whether they came from publicly accessible sources;

– Where applicable, information about international data transfer, and reference to appropriate or suitable safeguards, and the means by which to obtain a copy of them or where they have been made available;

– The period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period; and

– The existence of automated decision-making, including profiling, where applicable, and meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

GDPR Arts. 13 and 14


Controller-Processor Agreement Requirements

GDPR provides that processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller, and that stipulates that the processor:

– Processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject…;

– Ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

– Takes all measures required pursuant to Article 32 (security of personal data);

– Respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;


Controller-Processor Agreement Requirements

(continued)

– Taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights…;

– Assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 (i.e., security; Data Protection Impact Assessments), taking into account the nature of processing and the information available to the processor;

– At the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data; and

– Makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. The processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

GDPR Article 28(3)


Subprocessor Agreements

The processor shall not engage another processor without prior specific or general written authorisation of the controller.

In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation.

Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.

GDPR Art. 28(2) and (4)



Hypothetical 1: Question

If a clinical trial initiated before May 25, 2018 is ongoing as of and/or after May 25, 2018, and the trial relies on subjects’ consent to process their personal data, does the GDPR require that trial subjects be re-consented?


Hypothetical 1: Answer

Re-consent likely is not necessary. The GDPR permits controllers who consented subjects under the Directive to continue to rely on the consents obtained thereunder. GDPR, Recital 171

However, data controllers relying on pre-GDPR consents should ensure that such consents were “in line” with the conditions of the GDPR.

– For example, any consents for the processing of special categories of personal data must have been “express,” typically meaning that the consent is in writing.

– Often in clinical trials, express consents to the processing of personal data already have been obtained from study subjects prior to the implementation of the GDPR.


Hypothetical 2: Question

Is a clinical trial site in the EU considered a controller or a processor?


Hypothetical 2: Answer

Likely a joint controller, if the EU site, together with the U.S.-based entity, determines the purposes and means of processing.

GDPR provides that “[w]here two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.”

GDPR, Art. 26(1)

Joint controllers should “in a transparent manner determine their respective responsibilities for compliance with the obligations under” the GDPR, “in particular as regards the exercising of the rights of the data subject and their respective duties to provide” notices to the data subject.

GDPR, Art. 26(1)

– The “essence of the arrangement” must be made available to data subjects.


Hypothetical 3: Question

May personal data collected during standard of care procedures be used secondarily for research purposes?


Hypothetical 3: Answer

Consent to processing in connection with the research would permit such processing, both as an Article 6 basis for processing and an Article 9 condition for processing special categories of personal data.

If consent has not been obtained, a basis (Art. 6) and condition (Art. 9) that may permit the processing for research purposes include:

– Legitimate Interests (Art. 6)

  “Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” GDPR, Art. 6(f)

(continued)


Hypothetical 3: Answer

(continued)

– Scientific Research Purposes (Art. 9)

  “Processing is necessary for . . . scientific . . . research purposes . . . in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.” GDPR, Art. 9(2)(j)

Article 89(1) requires that safeguards “shall ensure that technical and organizational measures are in place in particular in order to ensure respect for the principle of data minimization,” particularly pseudonymisation, if the data processing can be completed with pseudonymized data.

Also, processing for additional purposes must be compatible with processing for the initial purposes. Processing for scientific research purposes “shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.”

GDPR, Art. 5(1)(b)


Hypothetical 4: Question

May data collected during a previous study be used for secondary research purposes?


Hypothetical 4: Answer

Likely yes. If consent was the basis for processing the data in the prior study, then the consent should be evaluated to determine whether it authorizes the use of the data for the future research in question.

– As noted, consent may authorize use of personal data for some specified future research projects.

– Also, the processing for the future research must be compatible with the purposes of the processing for the initial research. This test presumably can be met: Processing for scientific research purposes “shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.” GDPR, Art. 5(1)(b)

Could rely on Article 6 basis of legitimate interests and Article 9 condition of scientific research.


Hypothetical 5: Question

Can personal data be shared among separate entities for research?


Hypothetical 5: Answer

Personal data could be shared with other entities to carry out research. Some common reasons for sharing could include:

– Processing/analysis by another entity. For example, a controller might engage a third-party data coordinating center to assist with collecting and analyzing data collected in a study. The parties should enter into a controller-processor agreement.

– Research collaborators. A consortium could sponsor a clinical trial, with each consortium member receiving the data. The consortium members likely would be joint controllers, in which case the parties should enter into a joint controller side letter, or similar agreement.

– Researchers engaged in additional research. The data controller might wish to share the collected data with other researchers to conduct their own, separate research. The additional research would need to be compatible with the purposes of the initial research. See GDPR, Art. 5(1)(b)

The additional research would need a basis for processing personal data and a condition for processing special categories of personal data. These could be, respectively, legitimate interests (GDPR, Art. 6(1)(f)) and scientific research (GDPR, Art. 9(2)(j)).


Hypothetical 6: Question

How may the GDPR affect biospecimen banking and research?


Hypothetical 6: Answer

On its face, GDPR Recital 33 is best read to permit researchers to obtain a general consent for future processing in connection with “areas of scientific research.”

However, guidance would limit the ability of the research community to collect biospecimens for biobanks that can be accessed for future research purposes when those purposes are not known at the time of initial collection.

– Phenotypic data associated with biospecimens likely are “personal data” under the GDPR.

– Key-coded (pseudonymized) data remain personal data under the GDPR.

Working Party guidance proposes a “rolling consent” process as the research advances.

– This would impose a continual (and perhaps frequent) burden on researchers to re-contact research subjects to obtain additional consent.

– Biobanks may lose contact with data subjects in multi-year studies, making re-contact and additional consent impossible.


Hypothetical 7: Multiple Choice

What additions should be made to an Informed Consent Form to make it compliant with the GDPR?

a. Notice requirements

b. Withdrawal

c. Pseudonymization

d. Transfer outside EEA

e. All of the above


Hypothetical 7: Answer

GDPR Notice Requirements

– e.g., the identity and contact details of the controller and, where applicable, of the data processor, the recipients or categories of recipients of personal data, the purposes of processing, etc.

Withdrawal

– Anticipated continued retention of data for study integrity/legal obligations, even if the subject withdraws consent to processing.

– Possibility of personal data being anonymized and continuing to be used following withdrawal of consent.

Pseudonymization

– Whether personal data will be pseudonymized and, if so, the fact that the subject should contact the research site, and not the sponsor, to exercise his or her data subject rights (as the sponsor will not know the subject’s identity).

Transfer

– Consent to transfer personal data from the EU to the U.S., including notice that the U.S. has not been found by the European Commission to have adequate protections.


Hypothetical 8: Question

For ongoing studies, what agreements might a sponsor and an existing research site need to enter now that the GDPR is effective?


Hypothetical 8: Answer

Joint Controller Side Letter to Clinical Trial Agreement

– If the sponsor and its research sites determine that they are joint controllers who together determine the purposes and means of processing the personal data, then they should enter into an additional agreement delineating their respective responsibilities with respect to processing and the exercise of the data subjects’ rights. GDPR, Art. 26

Controller – Processor Agreement

– Alternatively, if the sponsor is the controller and research sites (or other entities such as data coordinating centers) are processors, then the sponsor should enter into controller-processor agreements with the sites.

– Agreements should set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller, and bind the processor to certain conditions specified by the GDPR. GDPR, Art. 28(3)


Leslie Thornton, Ph.D., [email protected]

Nick Wallace, [email protected]

Thank You


Thank You!

We hope you found today’s webinar informative and useful. Please complete our survey to provide feedback on this session. In the survey, you can also request a certificate of attendance for this event. Stay tuned for more information on our next webinar.
