Clinical trials and the EU General Data Protection Regulation (GDPR): The European Data Protection Board (EDPB) has issued a much-awaited opinion on the legal basis for processing clinical trial data.
Key takeaways:
- The legal basis for processing operations expressly provided by the Clinical Trial Regulation and by relevant national provisions, as related to reliability and safety purposes is “legal obligation(s) to which the controller is subject” (Art 6(1)(c)). – This specifically includes:
- performance of safety reporting
- archiving of the clinical trial master file
- the medical files of subjects
- any disclosure of clinical trial data to the national competent authorities in the course of an inspection
- The legal basis for processing operations purely related to research activities in the context of a clinical trial would, depending on the facts of the case, be:
- the data subject’s explicit consent (Art 6(1)(a) + Art 9(2)(a)),
- a task carried out in the public interest (Article 6(1)(e)),
- the legitimate interests of the controller (Art 6(1)(f)) + Article 9(2)(i) or (j))