Spain approved a code of conduct regulating personal data processing in the field of clinical trials and other clinical research and pharmacovigilance
The Spanish Data Protection Agency approved the first code of conduct regarding personal data processing within clinical research since the entry into force of the GDPR.

The Spanish Data Protection Agency approved the “Code of conduct regulating the processing of personal data in the field of clinical trials and other clinical research and pharmacovigilance” (“the Code”). The Code is the first sectoral code of conduct approved since the entry into force of the European General Data Protection Regulation.
It regulates how sponsors of clinical studies and contract research organizations (“CROs”) that decide to adhere to it must apply the data protection regulations. Although the scope of application of the Code is limited to Spain, its effects might be extraterritorial considering that clinical studies of this nature tend to have a global reach.
Regarding processing of personal data in the framework of clinical research, the most relevant aspects introduced by the Code are:
- it only regulates the processing of encrypted data by the sponsors, since, according to the Code, the practice of the sector shows that sponsors never process unencrypted personal data.
- it establishes compliance with legal obligations as the legal basis for data processing. Consent would be unnecessary, without prejudice to the informed consent that participants must give for their participation in a clinical trial.
- it establishes the need to provide information on data protection separately from that contained in the patient information document that must be provided to the patient in accordance with the regulations.
- it clarifies the roles of the different parties involved in the processing of personal data, specifying that the sponsor of the research and the health center or principal investigator will have the status of data controller for their respective processing, assuming the obligations derived from their activity, but without incurring joint and several liability for any breaches committed by the other party.
- it regulates the secondary use of the data obtained in the framework of an investigation for future investigations, without requiring, as a rule, the consent of the participants in the investigation.
- it includes the figure of the trusted third party, to whom the encoding procedure of the personal data of the participants in the research can be entrusted, in such a way that the sponsor cannot, either alone or with the mere assistance of the researcher, reidentify them.
- it regulates accountability in relation to the processing of data in the framework of the investigation. It also resolves certain issues related to the notification of security breaches that could have been incurred by third parties whose services were contracted by the sponsor.
- it establishes clarifications regarding international transfers of personal data, indicating that personal data regulations would not be applicable to the extent that it is completely impossible for the recipient of a data transfer located in a third country or international organization to reidentify the participants in the investigation, because the sponsor sending the data has previously anonymized it.
- it incorporates model clauses to govern the legal relations between the different participants.
This insight is a brief comment on legal news in Argentina; it does not purport to be an exhaustive analysis or to provide legal advice.