Local laws

Has the local regulator published any guidelines/regulations addressing privacy matters on clinical trials and/or pharmacovigilance? ('Regulator' may mean either the local data protection authority, or the local medicines authority.)

Yes, with regard to clinical trials. The Albanian Data Protection Commissioner (“Commissioner”) has approved Instruction no. 18 as of 03.07.2012 “On the processing of personal data in the context of clinical trials of drugs” (“Instruction no. 18”).

The instruction is available online.

No guidelines or regulations have been published with regard to pharmacovigilance.

Last modified 18 Oct 2022

Yes.

The Privacy Act 1988 (Cth) (Privacy Act) makes provision for circumstances where the handling of personal information and health information may take place where it is impracticable for researchers to obtain the individual’s consent.

This recognizes:

  • The need to protect health information from unexpected uses beyond individual healthcare.
  • The important role of health and medical research in advancing public health.

To promote these ends, the Privacy Commissioner (the regulator) has approved two sets of legally binding guidelines, issued by the National Health and Medical Research Council (NHMRC):

  • Guidelines under Section 95 of the Privacy Act 1988, which set out procedures that Human Research Ethics Committees (HRECs) and researchers must follow when personal information is disclosed from a Commonwealth agency for medical research purposes.
  • Guidelines under Section 95A of the Privacy Act 1988, which provide a framework for HRECs to assess proposals to handle health information held by organisations for health research (without individuals' consent). They ensure that the public interest in the research activities substantially outweighs the public interest in the protection of privacy.

Last modified 18 Oct 2022

No.

Last modified 27 Feb 2023

No.

The Belgian Data Protection Authority has not (yet) published specific guidelines on clinical trials or pharmacovigilance. It has, however, published guidelines on the more general topic of ‘Research’ which are available in Dutch and French. 

Last modified 15 Sep 2022

No.

Last modified 18 Oct 2022

No, the Croatian Personal Data Protection Agency has not published such a document.

The Agency for Medicinal Products and Medical Devices of Croatia has published a Guide for patients on clinical trials. The guide briefly states that clinical trials involve processing of special categories of personal data, and additionally notes that most trials use codes instead of the names of the data subjects to ensure anonymity. The Guide is available only in Croatian and can be found at the following link.

Last modified 18 Oct 2022

There is no such guideline or regulation in the Czech Republic addressing privacy matters on clinical trials and / or pharmacovigilance specifically.

Please note, in 2004 the Czech Data Protection Authority (UOOU) issued an opinion addressing privacy matters on clinical trials (which was revised in 2013).

However, due to the adoption of the GDPR and the effectiveness of the Czech Act No. 110/2019 Coll., on the processing of personal data, this opinion has become invalid and, thus, is no longer applicable.

It is further to be noted that, currently, the Czech Data Protection Authority is relying mostly upon the Opinion No. 3/2019, on questions and answers on the interaction between the Clinical Trials Regulation and the General Data Protection Regulation, issued by the European Data Protection Board (“EDPB”).

Last modified 15 Sep 2022

No.

A brief introduction to the area can be found on the Datatilsynet website. This text does, however, not provide any supplementary guidance, but is merely an overview of the fundamental rules and the interplay with other legislation, such as the Act on Research Ethics Review of Health Research Projects (Act no 1338 of 1 September 2020), according to which clinical trials in Denmark must be preapproved by the Ethical Committee.

Last modified 15 Sep 2022

Yes.

The Finnish national legislation addresses privacy matters in relation to clinical trials.

The Data Protection Act regulates processing of special category data in scientific research in section 6. The English translation of the act is available here.

The Medical Research Act regulates clinical trials, and it addresses processing of personal data in clinical trials in section 21a. The English translation of the act is available here.

The Act on Clinical Drug Trials regulates clinical drug trials, and it addresses processing of personal data in the trials in section 33. The act is only available in Finnish here.

The Medicines Act regulates medicinal products and their safe and proper use. It also regulates pharmacovigilance in chapter 4 a. The act does not address privacy directly, but it creates a legal obligation to collect personal data and a specific retention period for the data collected in section 30e. The current version of the act is only available in Finnish here.

In addition, the Finnish data protection authority has issued guidelines on its website on scientific research, which follow the requirements arising from the GDPR. These guidelines can be found here.

Last modified 18 Oct 2022

Yes.

Notably:

The French data protection authority (CNIL) issued a methodology of reference (“MR”) on 3 May 2018 on personal data processing carried out in health research with the data subject’s consent (MR-001), which covers, notably, clinical trials as defined by Regulation (EU) 536/2014 of the European Parliament and of the Council of April 16, 2014 on clinical trials of medicinal products for human use, and repealing Directive 2001/20/EC, except for clinical trials the person does not object to participating in, in accordance with the terms of Article 30 of the Regulation (cluster trials).

The MR-001 is available here in French.

The French data protection authority (CNIL) issued a methodology of reference on 3 May 2018 on the personal data processing carried out in health research that does not require the data subject’s consent (MR-003), which covers, notably, clinical trials in which the research subject does not object to participating, in accordance with Article 30 of Regulation (EU) 536/2014 of the European Parliament and of the Council of April 16, 2014 on clinical trials of medicinal products for human use, and repealing Directive 2001/20/EC (cluster trials).

The MR-003 is available here in French.

Controllers that commit to comply with a methodology of reference are authorized, without further formalities, to conduct their processing if they satisfy the criteria set out in said methodology of reference.

Any personal data processing that exceeds the framework of the methodology requires a specific authorization from the CNIL.

Up to 5 MR exist to date to cover various research in the health sector.

The CNIL also published a standard on 18 July 2019 concerning the processing of personal data for the purpose of vigilance in the health sector, including pharmacovigilance. Controllers that commit to comply with this standard shall be authorized to conduct processing if they satisfy the criteria set out in these provisions. For any personal data processing that exceeds the framework of the standard, a specific authorization request should be filed with the CNIL.

This standard is available here in French.

The French Ministry of Solidarities and Health has published Q&A on its website regarding the impact of the GDPR on clinical trials.

Last modified 18 Oct 2022

Not specifically.

There is a guideline on joint controllership issued by the German data protection conference (Datenschutzkonferenz) in which the sponsor and the clinical trial site are mentioned by way of example as joint controllers in accordance with Art 26 GDPR, however without deeper legal justification. Moreover, the guideline is currently under revision. The current version can be found online (German version only).

Last modified 25 Oct 2022

No.

The Hellenic Data Protection Authority (“HDPA”) has not issued any guidance on clinical trials or pharmacovigilance.

The National Ethics Committee has issued guidance for protocols and a document with clarifications on the implementation of GDPR in the framework of clinical trials. Please note that the aforementioned documents are available only in Greek.

On the other hand, no pharmacovigilance specific guidance / statute has been issued in the Greek jurisdiction.

Last modified 14 Sep 2022

No. However, the Hungarian Data Protection Authority (“NAIH”) would most probably rely on the Opinion 3/2019 of the European Data Protection Board concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection regulation (GDPR) (art. 70.1.b)) adopted on 23 January 2019. Additionally, the European Commission (DG SANTE) issued a document on “Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection regulation (GDPR)” (available at this link) after a consultation with the EDPB.

The Hungarian National Institute of Pharmacy and Nutrition also published certain answers to frequent questions related to healthcare services, which include some general recommendations related to clinical trials in line with the above-referred Opinion 3/2019. Such recommendations are available at the following link (in Hungarian only).

In addition to the above, the Clinical Pharmacology Ethical Committee of the Medical Research Council (ETT KFEB) has also published a guidance on data protection requirements for clinical trial package leaflets (available at the following link – in Hungarian only).

Last modified 14 Sep 2022

In Ireland, data controllers engaged in Health Research, including processing of any personal data (regardless of whether the data includes individually identifiable health data), are subject to Health Research Regulations 2018 (“HRRs”) [1] and must comply with mandatory suitable and specific measures for processing of personal data for the purposes of health research.

The Department of Health in Ireland issued “Guidance on Information Principles for informed consent for the processing of personal data for health research” (the “Guidance”) which is available here. This guidance sets out the requirement to obtain explicit consent where health data are processed for health research purposes and lists a comprehensive inventory of information which is required to be provided to the individual for such consent to be valid when they provide their personal data for health research purposes.

In January 2021, amendments to the HRRs were published (the “Amendments”) [2], along with a suite of guidance prepared by the Department of Health, the Secretariat to the Health Research Consent Declaration Committee (HRCDC) [3] and the Health Service Executive and in consultation with the Irish Data Protection Commission (“DPC”):

  • Guidance on Explicit Consent Amendment
  • Guidance on Pre-Screening Amendment
  • Guidance on Retrospective Chart Review Amendments
  • Guidance on Deferred Consent Amendments
  • Guidance on Informed Consent under EU Directive Amendments

[1] S.I. No. 314 of 2018 Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018
[2] S.I. No. 18/2021 – Data Protection Act 2018 (Section 36(2)) (Health Research) (Amendment) Regulations 2021
[3] The HRCDC was established as part of the Health Research Regulations made under the Data Protection Act, 2018.

Last modified 14 Sep 2022

Yes.

The Italian Data Protection Authority (“Italian DPA”) issued the Guidelines for Data Processing within the Framework of Clinical Drug Trials on 24 July 2008 (“Guidelines”). Although the Guidelines were issued before the GDPR entered into force, most of their provisions are still valid and effective.

The Guidelines are available at the following link.

Last modified 31 Aug 2022

No, the Commission Nationale pour la Protection des Données (National Commission for Data Protection – “CNPD”) has not published any guidelines concerning clinical trials or pharmacovigilance.

However, the CNPD refers to the European Data Protection Board’s Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (“CTR”) and the General Data Protection regulation (“GDPR”) (art.70.1.b)) on its website, which is used as a basis for interpretation of the questions herein.

Another relevant document that is taken into account by the CNPD is the Question and Answers on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation published by the European Commission.

It should be taken into account that according to Grand Ducal Regulation of 30 May 2005 concerning the application of good clinical practice in conducting clinical trials for medicinal products for human use (the “GDRCT”) “detailed indications concerning the filing of the application and documents to be furnished to apply for the opinion of the ethics committee, in particular in regards to information provided to participants, as well as the appropriate guarantees to ensure the protection of personal data, formulated by the Commission, are applicable in Luxembourg from its publication at the European Union Official Journal”.

In addition, it should be noted that Sections 63 to 65 of the Act of 1 August 2018 (the “Data Protection Act”) set general rules for processing for the purposes of scientific or historical research that can be applicable to clinical trials.

Last modified 14 Sep 2022

No laws in Montenegro address privacy matters specifically in clinical trials and/or pharmacovigilance as such.

Privacy matters in the context of clinical trials are not specifically regulated under healthcare or similar laws which would specifically deal with the interplay between data protection and healthcare, but enjoy only the general protection under the Personal Data Protection Law of 2008, as amended (the “DP Law”). The DP Law is at the moment unharmonized with the GDPR, even though Montenegro expects a harmonized law to be passed in the foreseeable future.

Exceptionally, the Law on Medicines (the “Law on Medicines”), as the main law dealing with medicines (including clinical trials thereof), stipulates that a clinical trial of a drug is conducted in compliance with the principles of medical ethics and mandatory protection of privacy and data of participants in accordance with the regulations adopted on the basis of the Law on Medicines and the Guidelines of Good Clinical Practice. Nevertheless, the mentioned regulations were not adopted and the Guidelines do not go into further detail on this matter.

On the other hand, the relevant authorities which are associated with data protection or clinical trials have not yet adopted any specific guidelines which would explain the interplay between the two. In the absence of such, it is reasonably expected that acting in accordance with (i) the general principles of the DP Law and (ii) the international standards of data protection in clinical trials (such as the European Data Protection Board’s Opinion concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the GDPR) would be a good way to go.

Last modified 19 Oct 2022

No.

The regulator of North Macedonia has not published any guidelines/regulations that address privacy matters on clinical trials and/or pharmacovigilance so far.

General laws and bylaws regulating these issues are applicable to clinical trials and/or pharmacovigilance as well, including:

  • The Law on Medicines and Medical Devices (“Law on Medicines”);
  • The Law on Personal Data Protection (“DP Law”);
  • The Rulebook on the Necessary Documentation and the Manner of Reporting Clinical Trials of Medical Devices and Changes Occurred and, Reporting on Adverse Reactions and Events, i.e., Incidents, as well as the Conditions to be Fulfilled by Legal Entities that Perform Clinical Trials of Medical Devices (“Rulebook on Clinical Trials of Medical Devices”);
  • The Rulebook on the Manner of Reporting, the Content of the Form for Reporting the Adverse Reactions to Medicines and the Manner of Organization of the Pharmacovigilance System (“Rulebook on Reporting of Adverse Reactions to Medicines”);
  • The Rulebook on the manner and Procedure for Pharmacological-Toxicological and Clinical Examination of Medicines (“Rulebook on PT and Clinical Examination of Medicines”);
  • The Guidelines on the Principles of Good Clinical Practice (“Principles of Good Clinical Practice”).

Last modified 18 Oct 2022

Yes.

The Norwegian Medicines Agency has published information regarding Regulation (EU) No. 536/2014, which is implemented as a Norwegian regulation. It has published answers to frequently asked questions and information about transitional rules. It will provide updated information, but for the time being it provides a link to the information on the EMA and European Commission web pages (Clinical trial guidelines). The information can be found on this page.

In Norway all clinical trials must be pre-authorised by the Norwegian Medicines Agency as well as by the Norwegian Research Ethics Committees (REK).

The Norwegian DPA has no guidelines regarding clinical trials in particular, but clinical trials are, like all medical research, regulated in the Health Research Act in addition to the clinical trials regulation.

All medical and health research projects need prior ethical approval from REK. The project manager / researcher is responsible for consulting with his or her own institution, and for clarifying whether the processing of information is of such a nature that it requires a special assessment of privacy consequences.

Last modified 31 Aug 2022

Yes.

The primary piece of legislation governing the processing of personal data in clinical trials of medicinal products for human use is the Act on clinical trials of medicinal products for human use of March 2023. Article 8 of this Act concerns limitation of the application of the GDPR provisions in the case of the conduct of clinical trials that are scientific studies. In addition, on 11 December 2023 the Polish local data protection authority (“The President of Personal Data Protection Office”, or “PUODO”) approved the “Code of Conduct for the Healthcare Sector” prepared by the Polish Federation of Hospitals.

Last modified 17 Dec 2024

There are no updated guidelines issued by the Data Protection Supervisory Authority (“CNPD”). However, prior to the General Data Protection Regulation (GDPR), the CNPD published resolution no. 1704/2015, which addresses personal data processing related aspects within the context of clinical research, and resolution no. 219/2009, which addresses personal data processing related aspects within the pharmacovigilance context. Although both resolutions remain accurate in terms of general principles, certain aspects are not aligned with the GDPR.

In 2018 the Commission of Ethic for Clinical Trials (‘CEIC’) published a paper (hereinafter ‘CEIC Paper’), briefly addressing certain data protection issues that might arise with the processing of personal data within the context of clinical trials. However, this seemed to be more of an informative nature, even if, considering CEIC’s attributions and involvement in clinical trials matters, it can be understood as a guideline for the processing of personal data in this context.

Last modified 31 Aug 2022

No.

Last modified 31 Aug 2022

No laws in Serbia address privacy matters specifically in clinical trials and/or pharmacovigilance as such.

Privacy matters in the context of clinical trials are not specifically regulated under healthcare or similar laws which would specifically deal with the interplay between data protection and healthcare, but enjoy only the general protection under the Personal Data Protection Law of 2018, which represents a general data protection law and is a copy of the GDPR in most of its text (the “DP Law”).

Exceptionally, the Law on Medicines and Medical Devices (the “Law on Medicines”), as the main law dealing with medicines and medical devices (including clinical trials thereof), stipulates that clinical trials may only be undertaken provided that, inter alia, privacy and data protection of subjects participating in the clinical trial are ensured. Nevertheless, the Law on Medicines does not go into further detail to explain any such mechanism.

Ever since the Personal Data Protection Law came into force in 2019, it sought to initiate a chain reaction with other, sectorial laws (such as the Law on Medicines), by stipulating that they too shall be adjusted to fit the specifics of the data protection regime. However, this has not yet occurred and therefore, there are no specific rules which apply to the processing in clinical trials and/or pharmacovigilance.

On the other hand, the relevant authorities which are associated with data protection or clinical trials have not yet adopted any specific guidelines which would explain the interplay between the two. In the absence of such, it is reasonably expected that acting in accordance with (i) the general principles of the DP Law and (ii) the international standards of data protection in clinical trials (such as the European Data Protection Board’s Opinion concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the GDPR) would be a good way to go.

Last modified 19 Oct 2022

Yes.

The Spanish Data Protection Commissioner (“AEPD”), in collaboration with Farmaindustria, the industry association that brings together the majority of pharmaceutical companies established in Spain, has approved the “Code of conduct regulating the processing of personal data in the field of clinical trials and other clinical research and pharmacovigilance” (the “Code”).

The Code is available at the following link.

Last modified 31 Aug 2022

No.

The Swedish Authority for Privacy Protection does, however, state on its website that a data protection impact assessment should be done with respect to processing of pseudonymized sensitive personal data relating to data subjects from research projects or clinical trials (checked 26 May 2022).

Last modified 31 Aug 2022

Yes. The Health Research Authority (“HRA”) published GDPR guidance for researchers and study coordinators in 2018 that covers the following areas: (i) consent; (ii) controllers and personal data in health and care research; (iii) transparency; (iv) safeguards; (v) data subject rights; and (vi) data protection impact assessments.

In April 2022, the Information Commissioner’s Office (“ICO”) published draft guidance on the research provisions under the UK GDPR and Data Protection Act 2018 (including scientific research). This guidance covers issues including: (i) the definition of scientific research; (ii) legal basis; (iii) data subject rights; and (iv) purpose limitation / re-purposing personal data for scientific research.

Last modified 31 Aug 2022

Albania

Do the privacy laws and regulations applicable to clinical trials in your jurisdiction provide for extraterritorial applicability?

No.

Law no. 9887 “On the Protection of Personal Data”, as amended (Data Protection Law) does not provide for extraterritorial applicability.

However, the domestic Data Protection Law does extend to controllers located outside the territory of the Republic of Albania who process personal data with “means” located within the territory of the Republic of Albania. The law does not provide any definition of “means”; however, the Commissioner has confirmed verbally on several occasions that “means” shall be understood as anything from equipment (i.e., servers), apps or persons located in Albania to collect personal data.

In case the controller (i.e., sponsor) is located outside the Republic of Albania, it must appoint a designated representative located within the territory of the Republic of Albania.

Last modified 18 Oct 2022

What is the preferred legal ground for the processing of the personal data of the participants in a clinical trial in your jurisdiction?

Article 4.2 of Instruction no. 18 states that personal data is processed only if consented to by the test subject. Therefore, consent is a mandatory legal ground for processing of the personal data. Further, based on article 4.3 of Instruction no. 18, personal data of clinical trial participants can be processed only for the following purposes:

  • If necessary for granting the registration permit of a drug;
  • To prove the clinical effect and safety of a drug during the scientific research process;
  • To reassess the efficiency and safety of a drug after its release in the market.

Last modified 18 Oct 2022

What is the legal ground for the processing of the personal data in respect of pharmacovigilance in your jurisdiction?

The processing of patients’ personal data in respect of pharmacovigilance activities is based on the existence of a legal obligation based on Article 6.1. of the Data Protection Law.

In cases of adverse effects of a certain medicine/drug, the legal ground for conducting data processing activities can also be considered the protection of vital interests of the data subject (Article 6.1.c of the Data Protection Law).

Last modified 18 Oct 2022

Indicate the role from a data protection perspective of various parties involved (i.e., in respect of the processing of the personal data of the clinical trial).

Role: Notes

  • Sponsor: Data controller of the participants' data.
  • Principal Investigator: Data controller of the participants’ data in connection to data processing activities that arise from the performance of investigation activities.
  • Clinical Trial Site: Data controller for the purpose of helping the investigation.
  • Monitor: Sponsor's data processor monitoring the investigation.
  • CRO: Sponsor's data processor when performing activities that involve access by the CRO to the participants' data.

Last modified 18 Oct 2022

Is key-coded clinical trial data considered personal data under your jurisdiction’s data protection laws? (Key-coded clinical trial data is where the identity of the individual clinical trial participant is replaced with a unique subject identification code, and the ‘key’ which can be used to re-identify the participant is held by the Principal Investigator.)

Yes.

There is no definition of key-coded information under the Data Protection Law; however, as long as the key-coded information is accessible through a “key”, data subjects are at some point or somehow identified/identifiable regardless of who is holding the key to access the information. Therefore, key-coded information is considered personal data under the Data Protection Law.

Last modified 18 Oct 2022

Is it possible to re-use the personal data obtained for the purposes of conducting the clinical trial? If so, what requirements need to be satisfied?

Yes.

It is possible to re-use the personal data obtained for the purpose of conducting clinical trials, as a general rule only upon consent of the data subject. Other legal grounds for the processing need to be satisfied on a case-by-case basis (e.g., protection of vital interests of the data subject).

Hence, if the consent and/or the legal ground for processing of data extends to the re-use/re-processing scenario, there is no need to obtain a second consent or to conduct processing on different legal grounds as there is already a valid legal ground in place for processing of personal data, i.e., in case of research for the same purpose.

In light of the above, please consider that the consents given and/or the legal ground allowing the processing of data obtained for the purpose of conducting clinical trials do not automatically, and in every case, extend to the re-use of the personal data for other/later purposes unless those are specified.

Last modified 18 Oct 2022

What requirements, if any, need to be satisfied if clinical trial data is transferred internationally?

As with health data, clinical trial data are considered sensitive data. Any processing (including transfer) of sensitive data is expressly prohibited. However, processing of sensitive data is allowed in certain exceptional cases prescribed by the Data Protection Law, among others, if the data subject has given his/her consent.

Generally speaking, international data transfer is only limited to those countries offering adequate levels of data protection as provided by the Decision of the Council of Ministers no. 934, dated 2 September 2009 “On the determination of the countries which have a sufficient level of personal data protection”, i.e., EU and EEA member states; signatory countries of the Strasbourg convention etc.

However, as an exception, international data transfer may take place freely even if made to a country which does not provide adequate protection provided the data subject has granted consent. Other exceptions include scenarios where the international transfer is necessary for the performance of a contract between the data subject and the data controller or in case the transfer is a legal obligation of the controller; the international transfer is necessary for protecting vital interests of the data subject; the transfer constitutes a legal requirement over an important public interest or, for exercising and protecting a legal right; the transfer is done from a register that provides information to the general public etc.

Exceptionally, if none of the scenarios above are applicable, international data transfer is also possible with the prior authorization of the Commissioner, if the Commissioner is satisfied that adequate safeguards with relation to privacy and other fundamental rights of the data subject are in place. The Commissioner can additionally provide for conditions and obligations under which the data transfer should take place.

Last modified 18 Oct 2022

Anisa Rrumbullaku

Partner

Karanovic & Partners

T: +355 69 20 42 722

Sirius Tartari

Karanovic & Partners
