Subject to the exceptions set out in our answer to Question 1, the collection of sensitive information (including health information) requires the individual’s consent.
The applicable provision is found in APP 3.3.
An agency or organization (an APP entity) must not collect sensitive information about an individual unless:
- The individual consents to the collection of the information and:
- If the entity is an agency – the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities; or
- If the entity is an organisation – the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities;
- Or subclause 3.4 applies in relation to the information (Note: Subclause 3.4 provides various carve outs for law enforcement, court orders, and most relevant to this enquiry is 3.4(c) a permitted health situation exists.
Permitted health situations are defined section 16B of the Privacy Act and set the circumstances where the collection, use or disclosure of health information is permitted without obtaining the individual’s consent.
Use or disclosure of personal information
APP 6 sets out the conditions by which an APP entity may use or disclose personal information.
- 6.1 In general, If an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless:
- The individual has consented to the use or disclosure of the information; or
- Subclause 6.2 or 6.3 (note 6.3 only applies to government agencies) applies in relation to the use or disclosure of the information.
Note: APP 8 sets out requirements for the disclosure of personal information to a person who is not in Australia.
- 6.2 This subclause applies in relation to the use or disclosure of personal information about an individual if:
- The individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is:
- If the information is sensitive information (e.g. health information) directly related to the primary purpose; or
- If the information is not sensitive information--related to the primary purpose; or
- The use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
- Not applicable
- The APP entity is an organisation and a permitted health situation exists in relation to the use or disclosure of the information by the entity; or
- Not applicable.
- The individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is:
Consent – the regulator has published non-binding guidelines on consent to the handling of personal information, and the following recommendations are also consistent with findings from the regulator’s investigatory powers. In general consent must be informed, voluntary, current and specific, the individual must also have capacity to provide consent.
In Austria, the preferred legal processing ground is the participants’ consent (Article 6 (1) (a) and Article 9 (2) (a) GDPR). This is because in clinical trials, health data are predominantly processed and there is no other practical legal basis available. Usually, sponsors provide an “Informed Consent Form” to the clinical trial site which the clinical trial sites use to obtain participants’ consent.
The Belgian Data Protection Authority has adopted the view that the legal basis for the processing of (sensitive) health data in the context of clinical trials is to be found in a combination of Article 6(1)(e) GDPR ("task carried out in the public interest") or Article 6(1)(f) GDPR ("legitimate interest"), and Article 9(2)(j) GDPR ("archiving in the public interest, scientific and historical research or statistical purposes"). Article 6(e) is relevant both to the public and private sector sponsors (for the latter, when governmental tasks are outsourced to private entities). Both sectors may rely on this processing ground. Article 6(f) may not be relied upon by a public sector sponsor in the performance of their tasks. This processing ground is thus only relevant for private sector sponsors.
In practice, the processing of the data of clinical research participants is based on the necessity for compliance with a legal obligation to which the data controller is subject pursuant to the Article 6 paragraph 1, item a) of the Law. However, in case of processing of other categories of personal data which fall outside the scope of the data necessary to be processed in a clinical trial, pursuant to the legislation applicable to clinical trials, it is necessary to obtain the data subject’s consent.
The Croatian legislator has not regulated this matter directly nor has the Croatian Personal Data Protection Agency issued any official opinions on this topic. In addition, currently there is no relevant practice dealing with the legal basis for the processing of personal data in the clinical trials.
However, we are of the opinion that an appropriate legal ground for the processing of personal data would be the existence of a legal obligation to process such data, pursuant to the Article 6.1 c) in connection with the Article 9.2 i) and j) of the GDPR.
Namely, conducting clinical trials is necessary for placing medicinal products on the market. Persons who choose to participate in a clinical trial have to, inevitably disclose their personal data to the sponsor, i.e., the investigator. Simultaneously, the sponsor and investigator are obliged to keep data on the clinical trial for at least 25 years pursuant to the Article 58 of the Regulation (EU) No 536/2014.
Czech law does not provide an explicit answer as to what is the preferred legal ground for the processing of the personal data of the participants in a clinical trial, as there are no Czech regulations or guidelines specifically addressing privacy matters on clinical trials.
The previous practice based on the opinion issued by the Czech Data Protection Authority has preferred the clinical trial participant’s consent as the legal ground for processing of his/her personal data. However, due to the adoption of the GDPR and the effectiveness of the Czech Act No. 110/2019 Coll., on the processing of personal data, the abovementioned opinion has become invalid and, thus, is no longer applicable.
We have consulted the Czech Data Protection Authority and they have assured us that, currently, they are relying mostly upon the Opinion No. 3/2019, on questions and answers on the interaction between the Clinical Trials Regulation (Regulation (EU) No. 536/2014) and the GDPR issued by the EDPB. For the sake of completeness, it is further to be noted that the Directorate-General for Health and Food Safety of the European Commission has also issued the document which aims to explain the interplay between the abovementioned regulations.
Therefore, the preferred legal grounds for the processing of the personal data of the clinical trial participants recommended by the EDPB and the Directorate-General for Health and Food Safety and, most importantly, accepted by the Czech Data Protection Authority are:
- For the processing activities related to reliability and safety purposes a legal obligation within the legal basis of Article 6(1)(c) of the GDPR in conjunction with Article 9(2)(i) of the GDPR;
- For all other processing activities purely related to research activities:
- The public interest under Article 6(1)(e) in conjunction with Article 9(2)(i) or Article 9(2)(j) of the GDPR;
- The legitimate interests under Article 6(1)(f) in conjunction with Article 9(2)(j) of the GDPR; or
- Under specific circumstances, when all conditions are met, the clinical trial participant’s explicit consent under Article 6(1)(a) and 9(2)(a) of the GDPR.
The Danish Data Protection Act section 10 (“Data as mentioned in Article 9(1) and Article 10 of the General Data Protection Regulation may be processed where the processing takes place for the sole purpose of carrying out statistical or scientific studies of significant importance to society and where such processing is necessary in order to carry out these studies”) is probably the most frequently used legal basis (see Act No. 502 of 23 May 2018 for further details).
However, we are aware that at least some of the larger medical companies are switching to GDPR article 6(1)(f) as the legal basis where possible (no special categories of data involved) due to restrictions on transfer of personal data processed under the above mentioned section 10.
It is Article 6(1)(c) (‘performance of a legal obligation’) or (e) (‘task carried out in the public interest’) in conjunction with Article 9(2)(i) (‘reasons of public interest in the area of public health’) of the GDPR. This is defined in the relevant national legislation (Medical Research Act section 21a and Act on Clinical Drug Trials section 33).
Either (i) the performance of a task carried out in the public interest, (ii) the legitimate interests pursued by the data controller, or (iii) (less preferably) consent (under Article 6 GDPR) and scientific research purposes (under Article 9).
The French Data protection Law (FDPA) provides that processing of data in the health sector can only be rolled out when justified by public interest. Ensuring high standards of quality and safety of healthcare and medical products or medical devices is a public interest purpose. The MR-001 and MR-003 provide that the only purpose for which research subjects’ personal data may be processed is to conduct research in the public interest.
Taking into account the EDPB opinion, the French Ministry of Solidarities and Health indicates in its Q&A that there is no pre-determined legal basis, which can depend on the trial. The legal basis available for the processing of the personal data of the participants in a clinical trial could be (i) the performance of a task carried out in the public interest, (ii) the legitimate interests pursued by the data controller, or (iii) consent. In addition, for certain processing operations which are mandatory by law, compliance with a legal obligation is another possible legal basis, in particular for clinical trials of medicinal products falling within the scope of EU Regulation 536/2014, for purposes related to data reliability and individuals' safety.
The French Ministry of Solidarities and Health also mentions that the “recommended” legal basis are (i) the performance of a task carried out in the public interest (for public entities, like public hospitals), (ii) the legitimate interests pursued by the data controller (for private entities, like pharmaceutical companies).
In addition, article 9.2(j) of the GDPR is applicable.
Consent is not considered as the most appropriate legal basis, notably since a person may be constrained to participate in a clinical trial, for example when suffering from a serious illness for which there is still no cure. In such a case, the person’s consent to the data processing may not satisfy the criteria set forth in the GDPR (i.e., be freely given, specific, informed and unambiguous). To be noted, consent for participation to the clinical trial (regulatory consent based on French Public health Code) and consent to the processing of personal data should not be confused and should be separately requested.
It is common practice in Germany that the legal ground for the processing of personal data of the participants is their consent according to Art. 6 (1) (a) GDPR and Art. 9 (2) (a) GDPR. This is because of the excessive processing of health data as special categories of personal data and the lack of another legal basis which is appropriate to justify such processing. In Germany it is common market standard that the sponsor provides an “Informed Consent Form” to the clinical trial site which the clinical trial sites provides to the participants of the clinical trial.
According to market practice, the processing of clinical research participants’ data is based on their consent (Article 6(1)(a) of the GDPR).
Since the NAIH has not yet adopted any guidance or definite practice in this matter, reference should be made to the above-mentioned European Data Protection Board’s Opinion 3/2019.
According to this Opinion 3/2019, the preferred legal ground may differ depending on the purpose pursued:
- Processing operations purely related to research activities in the context of a clinical trial may either fall under the data subject’s explicit consent (Article 6(1)(a) in conjunction with Article 9(2)(a)), or a task carried out in the public interest (Article 6(1)(e)), or the legitimate interests of the controller (Article 6(1)(f)) in conjunction with Article 9(2)(i) or (j) of the GDPR.
- Processing operations expressly provided by the Clinical Trial Regulation (CTR) and by relevant national provisions, and which are related to reliability and safety purposes, can be considered as falling within a legal obligation (Article 6(1)(c) of the GDPR in conjunction with the provisions of Article 9(2)(i)).
Explicit consent is the required legal ground for processing personal data for health research purposes in Ireland.
This is the preferred ground as expressly indicated by:
The Guidance
The Guidance expressly requires explicit consent to process personal data for health research purposes:
“A person proposing to process personal data for health research purposes requires the explicit consent of any individual (data subject) whose data he or she is proposing to process and in order that such consent should be valid and lawful it must be (a) informed and (b) appropriately recorded (thereby making it explicit).”
There are specific requirements included in the Guidance for this consent to be “informed” and therefor valid. In addition, the Amendments introduce further requirements for explicit consent (as detailed below).
Guidance from the EU Commission1
In addition, the EU Commission has stated the importance of consent in research and indicated the need to keep records of consent and consent procedure.
“You must keep records documenting the informed consent procedure, including the information sheets and consent forms provided to research participants, and the acquisition of their consent to data processing.”
The Amendments
The Amendments further re-state the importance of explicit consent in the context of health research and provides that explicit consent is obtained from the data subject:
- As a suitable and specific measure;
- Recorded and retained by the controller, and a copy of which is provided to the data subject prior to the commencement of the health research; and
- In accordance with international best practice on the ethical conduct of health research (which includes informed consent, transparency and independent ethical oversight).
The Amendments specifically puts in place the requirement that:
"explicit consent has been obtained from the data subject, as a suitable and specific measure recorded and retained by the controller, and a copy of which is provided to the data subject prior to the commencement of the health research in accordance with international best practice on the ethical conduct of health research (which includes informed consent, transparency and independent ethical oversight) for the processing of his or her personal data for the purpose of specified health research, either in relation to a particular area or more generally in that area or a related area of health research, or part thereof.”
[1] European Commission: Ethics and data protection
The preferred legal ground is consent, because of market practice. Indeed:
- The Italian Medicines Agency (“Agenzia Italiana del Farmaco” – “AIFA”) issued a clinical trail agreement template (“Template Agreement”) according to which the principal investigator shall obtain patients’ consent to the processing of their data; and
- The Italian DPA’s Guidelines specify that the sponsor obtain patients’ consent to the processing of their personal data for the purpose of the trial.
Nonetheless, according to the European Data Protection Board (“EDPB”) Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection regulation (GDPR) (art. 70.1.b)) of 23 January, 2019 (“Q&A on Clinical Trials”), although all processing operations carried out in the context of a specific clinical trial protocol during its whole lifecycle are to be considered as primary use of clinical trial data, not all processing operations relating to such “primary use” of this data pursue the same purposes and fall within the same legal basis.
In particular, processing operations purely related to research activities in the context of a clinical trial may either fall under:
- The data subject’s explicit consent (Article 6(1)(a) in conjunction with Article 9(2)(a) of the GDPR);
- A task carried out in the public interest (Article 6(1)(e) of the GDPR); or
- The legitimate interests of the controller (Article 6(1)(f)) in conjunction with Article 9(2)(i) or (j) of the GDPR.
Therefore, controllers should rely on different legal grounds to process personal data in the context of a clinical trial.
The legal basis for the processing of data would depend on the purpose of the processing.
According to Opinion 3/2019 of the European Data Protection Board, where processing within the context of a clinical trial has as purpose safety and reliability, then the “fulfilment of a legal obligation” (6)(1)(c) GDPR) basis can apply. This would be the case of reporting obligations under Articles 41-43 of the Clinical Trial Regulation or Sections 14 and 15 of the GDRCT.
Other processing, those conducted for the purpose of the research itself, may fall under the following legal basis:
- Consent (6)(1)(a) GDPR)
- Public interest (6)(1)(e) GDPR). It should be noted that regarding special categories of data, Section 64 of the Data Protection Act expressly provides for the possibility to process such data for the purposes of scientific research or in the public interest, if the requirements of Section 65 (which requires the adoption of additional appropriate measures, such as appointment of a DPO, encryption, anonymisation or pseudonymisation techniques, DPIA) are met.
- Legitimate interest of the data controller (6)(1)(f) GDPR)
In practice, entities carrying out clinical trials rely on all of them without making special distinctions. See, for instance, the Privacy Notice of the Luxembourg Institute of Health (p. 2).
There is no legally mandated legal basis or court decision for the processing of personal data in clinical trials, i.e., the legal basis is determined in accordance with the general principles of the DP Law.
The appropriateness of a particular legal basis depends on the activities within the clinical trial to which the processing activities are related to, i.e., one legal basis may be appropriate for some of the activities, and not for the others.
In particular, in case of processing operations which are necessary for compliance with a legal obligation to which the controller is subject to (i.e., any obligation under the Law on Medicines), such controller can rely on compliance with a legal obligation (Article 10 (2)(1) of the DP Law) as an appropriate legal basis.
On the other hand, processing activities in the context of clinical trials purely associated with research purposes, with no underlaying legal obligations of the controller under the applicable laws, should rely on one of the remaining legal basis, depending on the particularities of the case, including public interest, legitimate interest of the controller or consent.
It is important to note that consent as a legal basis for processing should not be confused with consent which is a precondition for participants to participate in a clinical trial. In that sense, consent of the participants is a non-negotiable requirement under the Law on Medicines, which stipulates that a participant must provide an informed, freely-given, revokable prior consent. Such consent should always be regarded separately from consent as a legal basis for processing of personal data. Nevertheless, given that the practice in Montenegro is rather scarce, it is not unusual that controllers rely on informed consent of a participant as a legal basis for processing of his personal data. Similarly to the approach taken in the EU under the relevant EDPB guidelines, controllers in Montenegro should carefully assess the circumstances of the clinical trial before relying on consent as a legal basis for the processing of personal data for the purposes of the research activities of that trial.
Consent is the preferred legal ground for processing of personal data of participants in a clinical trial.
The Law on Medicines and the Principles for Good Clinical Practice stipulate that the clinical trials can be conducted only if the investigator obtains written consent from the participant.
Explicit consent is also one of the conditions for processing of special categories of personal data, including health data. The DP Law defines consent as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
In addition to consent, performance of a contract can also be considered as a legal ground for processing in case the participants have signed a contract with the investigator.
Finally, the existence of a legal obligation can also represent legal grounds for processing.
While the local data protection authority has not published any guidelines in regard to clinical trials, the above indicated grounds for processing can be considered as the usual market practice when processing special categories of personal data (such as health data).
Additionally, the local data protection authority needs to issue prior approval for the processing of health data, even when the participant as data subject has given explicit consent.
The Health Research Act applies consent as the main legal ground for participation in clinical trials. Regarding the processing of personal data the Act refers to the GDPR.
The Norwegian Personal Data Act § 9 is a national regulation opening for the processing of article 9 data without consent when necessary for research purposes on certain conditions.
A decision giving the trial dispensation from duty of confidentiality is considered to serve as a guarantee according to article 89, in addition to the Health research act regulating the ethical and organizational part of the trial.
The Health Research Act sets out a general rule of consent in order to be able to research human biological material and health information. This applies whether data is collected directly from those to whom the information applies, or is obtained from patient records, other health registers, observations, biobanks or other research projects.
All research is subject to the main rule of consent. However, exceptions are permitted in studies where data being used is already collected – especially when data are collected from health registries.
If, however the patient group in the study is in such a state that makes it hard to consider a consent as freely given, for instance if your life depends on this trial-case, it may be hard to argue a consent can be used as a legal ground for participating and for the processing of personal data. If so, (also if the patient is not capable to consent) someone close to the patient consents to the trial on his behalf. The legal grounds for processing the data may in these cases be article 6 (c) or (e) and article 9.2 i) and j) as it is mandatory for those executing the trial to document the data collected form the trial when the patient has agreed to participate in the trial.
In typical market practice, the legal ground for processing of personal data in clinical trials is Article 6(1)(a) in conjunction with Art. 9(2)(i) of the GDPR.
Informed consent as the main legal ground is also suggested by the wording of the paragraph 7 point 13 of the Regulation on Good Clinical Practice (issued on the basis of the Pharmaceutical Law) which requires the Principal Investigator to collect participants’ consent on processing their personal data in a clinical trial separately from the consent to participate.
Under the findings in EDPB Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (“CTR”), alternative legal basis may be cited as well, i.e.
- Art. 9(2)(i) of the GDPR (“processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy”).
- In relation to scientific research, Art. 9(2)(j) of the GDPR may also be used (“processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”).
A similar position has been presented in the governmental draft of the Act on clinical trials adjusting Polish regulations to the CTR. The draft has been published along with a formal justification, however at the moment it has not yet been presented to the Parliament and it is unclear when it will be finalized.
According to the draft’s justification, the preferred legal ground for clinical trials may also be Article 9(2)(j) of the GDPR.
Hence, while an informed voluntary consent is a valid and permitted legal ground for processing and currently may be the preferred legal basis due to market practice, depending on the actual details of the clinical trial, the legal ground may also be necessity of the processing for the performance of a task carried out in the public interest from Article 6(1)e of the GDPR in conjunction with Article 9(2)(i) and/or (j) of the GDPR.
Depending on the specific circumstances of the case, the lawful basis for the processing the participants in a clinical trial may be the compliance with legal obligation under Article 6(1)(b) and the public interest in the area of public health under Article 9 (1) (i) of GDPR or the explicit consent of the data subject under Articles 6(1)(a) and 9(2)(a). This should be assessed in a case-by-case basis.
The market practice varies, and we are aware of cases where consent is (still) the legal ground of choice. However, pursuant to EDPB guidance, we consider that the processing of the personal data of clinical trials participants should be based on the existence of a legal obligation (Article 6.1 c) of the GDPR in connection with the provisions of Article 9.2 i) and j).
There is no legally mandated legal basis or court decision for the processing of personal data in clinical trials, i.e., the legal basis is determined in accordance with the requirements of the DP Law.
The appropriateness of a particular legal basis depends on the activities within the clinical trial to which the processing activities are related to, i.e., one legal basis may be appropriate for some of the activities, and not for the others.
In particular, in case of processing operations which are necessary for compliance with a legal obligation to which the controller is subject to (i.e., any obligation under the Law on Medicines), such controller can rely on compliance with a legal obligation (Article 12 (1)(3) of the DP Law) as an appropriate legal basis.
On the other hand, processing activities in the context of clinical trials purely associated with research purposes, with no underlaying legal obligations of the controller under the applicable laws, should rely on one of the remaining legal basis, depending on the particularities of the case, including public interest, legitimate interest of the controller or consent.
It is important to note that consent as a legal basis for processing should not be confused with consent which is a precondition for participants to participate in a clinical trial. In that sense, consent of the participants is a non-negotiable requirement under the Law on Medicines, which stipulates that a participant must provide an informed, freely-given, revokable prior consent. Such consent should always be regarded separately from consent as a legal basis for processing of personal data. Nevertheless, given that the practice in Serbia is rather scarce, it is not unusual that controllers rely on informed consent of a participant as a legal basis for processing of his personal data. Similarly to the approach taken in the EU under the relevant EDPB guidelines, controllers in Serbia should carefully assess the circumstances of the clinical trial before relying on consent as a legal basis for the processing of personal data for the purposes of the research activities of that trial.
According to the Code, the processing of the data of clinical research participants is based on the existence of a legal obligation (Article 6.1 c) of the GDPR in connection with the provisions of Article 9.2 i) and j).
The Code considers that the processing has two main purposes: (i) to ensure compliance with the legal obligations imposed to ensure a high level of quality and safety of the medicinal product; and (ii) it is carried out for scientific research purposes on the basis of the rules of Spanish and European Union law, which impose the legal obligation to carry out the research activities prior to the marketing of a drug, as well as the performance of post-authorization studies.
There is no "preferred legal ground". Each processing activity and its purpose should be analyzed separately.
In our experience, for Sponsor and Clinical Trial Site, legal obligation (Article 6.1 c) of the GDPR in conjunction with the provisions of Article 9.2 i) and j) of the GDPR would be relevant for the purposes of conducting the Clinical Trial at hand.
Both the HRA and the ICO agree that the most appropriate lawful bases for processing personal data of clinical trial participants are either a task carried out in the public interest (Article 6(1)(e)) (for public sector sponsors), or the legitimate interests of the controller (Article 6(1)(f)) (for private sector sponsors) in conjunction with Article 9(2) (j) of the UK GDPR and Section 19 of the Data Protection Act 2018. Therefore, the guidance in the UK is not to rely on consent.
Albania
Has the local regulator published any guidelines/regulations addressing privacy matters on clinical trials and/or pharmacovigilance? ('Regulator' may mean either the local data protection authority, or the local medicines authority.)
Yes, with regard to clinical trials. The Albanian Data Protection Commissioner (“Commissioner”) has approved Instruction no. 18 as of 03.07.2012 “On the processing of personal data in the context of clinical trials of drugs” (“Instruction no. 18”).
The instruction is available online.
No guidelines or regulations have been published with regard to pharmacovigilance.
Albania
Do the privacy laws and regulations applicable to clinical trials in your jurisdiction provide for extraterritorial applicability?
No.
Law no. 9887 “On the Protection of Personal Data”, as amended (Data Protection Law) does not provide an extraterritorial applicability.
However, the domestic Data Protection Law does extend to controllers located outside the territory of the Republic of Albania who process personal data with “means” located within the territory of the Republic of Albania. The law does not provide any definition of “means” however the Commissioner has confirmed verbally on several occasions that “means” shall be understood as anything from equipment (i.e., servers), apps or persons located in Albania to collect personal data.
In case the controller (i.e., sponsor) is located outside the Republic of Albania, it must appoint a designated representative located within the territory of the Republic of Albania.
Albania
What is the legal ground for the processing of the personal data in respect of pharmacovigilance in your jurisdiction?
The processing of patients’ personal data in respect of pharmacovigilance activities is based on the existence of a legal obligation based on Article 6.1. of the Data Protection Law.
In cases of adverse effects of a certain medicine/drug, the legal ground for conducting data processing activities can also be considered the protection of vital interests of the data subject (Article 6.1.c of the Data Protection Law).
Albania
Indicate the role from a data protection perspective of various parties involved (i.e in respect of the processing of the personal data of the clinical trial).
Role | Notes |
Sponsor |
Data controller of the participants' data. |
Principal Investigator |
Data controller of the participants’ data in connection to data processing activities that arise from the performance of investigation activities. |
Clinical Trial Site |
Data controller for the purpose of helping the investigation. |
Monitor |
Sponsor's data processor monitoring the investigation. |
CRO | Sponsor's data processor when performing activities that involve access by the CRO to the participants data. |
Albania
Is key-coded clinical trial data considered personal data under your jurisdiction’s data protection laws? (Key-coded clinical trial data is where the identity of the individual clinical trial participant is replaced with a unique subject identification code, and the ‘key’ which can be used to re-identify the participant is held by the Principal Investigator.)
Yes.
There is no definition of key-coded information under the Data Protection Law, however as long as the key-coded information is accessible through a “key”, data subjects are at some point or somehow identified/identifiable regardless of who is holding the key to access the information, therefore key coded information is considered personal data under the Data Protection Law.
Albania
Is it possible to re-use the personal data obtained for the purposes of conducting the clinical trial? If so, what requirements need to be satisfied?
Yes.
It is possible to re-use the personal data obtained for the purpose of conducting clinical trials conditional as a general rule only upon consent of the data subject. Other legal grounds for the processing need to be satisfied in a case-by-case basis (e.g., protection of vital interests of the data subject).
Hence, if the consent and/or the legal ground for processing of data extends to the re-use/ re-processing scenario, there is no need to obtain a second consent or to conduct processing on different legal grounds as there is already a valid legal ground in place for processing of personal data i.e., in case of research for the same purpose.
In light of the above, please consider that the consents given and/or the legal ground allowing the processing of data obtained for the purpose of conducting clinical trials do not automatically and in any case, extend to the re-use of the personal data for other/latter purposes unless those are specified.
Albania
What requirements, if any, need to be satisfied if clinical trial data is transferred internationally?
As with health data, clinical trial data are considered sensitive data. Any processing (including transfer) of sensitive data is expressly prohibited. However, processing of sensitive data is allowed in certain exceptional cases prescribed by the Data Protection Law, among others, if the data subject has given his/her consent.
Generally speaking, international data transfer is only limited to those countries offering adequate levels of data protection as provided by the Decision of the Council of Ministers no.934, dated 2 September 2009 “On the determination of the countries which have a sufficient level of personal data protection” i.e., EU and EEA member states; signatory countries of the Strasbourg convention etc.
However, as an exception, international data transfer may take place freely even if made to a country which does not provide adequate protection provided the data subject has granted consent. Other exceptions include scenarios where the international transfer is necessary for the performance of a contract between the data subject and the data controller or in case the transfer is a legal obligation of the controller; the international transfer is necessary for protecting vital interests of the data subject; the transfer constitutes a legal requirement over an important public interest or, for exercising and protecting a legal right; the transfer is done from a register that provides information to the general public etc.
Exceptionally, if none of the scenarios above are applicable, international data transfer is also possible with the prior authorization of the Commissioner, if the Commissioner is satisfied that adequate safeguards with relation to privacy and other fundamental rights of the data subject are in place. The Commissioner can additionally provide for conditions and obligations under which the data transfer should take place.