Processing of personal data for pharmacovigilance

What is the legal ground for the processing of the personal data in respect of pharmacovigilance in your jurisdiction?

The processing of patients’ personal data in respect of pharmacovigilance activities is based on the existence of a legal obligation based on Article 6.1. of the Data Protection Law.

In cases of adverse effects of a certain medicine/drug, the legal ground for conducting data processing activities can also be considered the protection of vital interests of the data subject (Article 6.1.c of the Data Protection Law).

Last modified 18 Oct 2022

The legal grounds for processing personal data in respect of pharmacovigilance are as set out in Local laws.

Last modified 18 Oct 2022

Article 6 (1) (c) GDPR in connection with the respective provisions of the Austrian Medicine Act (Arzneimittelgesetz).

Last modified 27 Feb 2023

The processing of personal data in respect of pharmacovigilance obligations is based on the existence of a legal obligation (article 6(1)(c) GDPR). The personal data is processed on the basis of obligations laid down in Directive 2010/84/EU, transposed into Belgian law via the Act of 3 August 2012 amending the Act of 25 March 1964 on medicines for human use, and Regulation 726/2004 (as amended). The corresponding legal ground for lawful processing of special categories of data in the context of these obligations is in principle Article 9(2)(i) GDPR (“reasons of public interest in the area of public health”). Therefore, the guidance does not to rely on consent. Article 6(e) is relevant both to the public and private sector sponsors (for the latter, when governmental tasks are outsourced to private entities). Both sectors may rely on this processing ground. Article 6(f) may not be relied upon by a public sector sponsor in the performance of their tasks. This processing ground is thus only relevant for private sector sponsors.

Last modified 15 Sep 2022

The processing of the data within the scope of pharmacovigilance activities is based on the necessity for compliance with a legal obligation to which the data controller is subject pursuant to the Article 6 paragraph 1, item a) of the Law, and in cases where there is an adverse effect, it is understood that the legal ground for the data processing can also be considered the protection of vital interests of the data subject pursuant to the Article 6 paragraph 1 item c), however in this case the consent of the data subject must be obtained without delay.

Last modified 18 Oct 2022

Processing of trial participants’ personal data within the scope of pharmacovigilance activities is based on the existence of a legal obligation of a medical worker to inform the competent authority (Agency for Medicinal Products and Medical Devices of Croatia) of a medication’s side-effects.

The obligation to process personal data of trial participants experiencing the side-effects of medications is prescribed, inter alia, by the Croatian Ordinance on pharmacovigilance (Official Gazette no. 83/2013, 145/2021). Therefore, the Article 6.1 c) of the GDPR is applicable to such data processing.

In addition, in certain cases, processing personal data may be considered as performance of a task carried out in the public interest pursuant to the Article 6.1 e) of the GDPR.

Last modified 18 Oct 2022

Czech law does not provide an explicit answer as to what is the legal ground for the processing of the personal data in respect of pharmacovigilance, as there are no Czech regulations or guidelines specifically addressing privacy matters on pharmacovigilance.

However, it could be considered that the processing of patients’ personal data within the scope of pharmacovigilance activities is based on the existence of a legal obligation (pharmacovigilance obligation under the Czech Act No. 378/2007 Coll., on pharmaceuticals, as amended) within the legal basis of Article 6(1)(c) of the GDPR.

Moreover, in the situation where there is an adverse effect to the health of the patient (i.e., the data subject), the legal ground for the processing of the personal data can also be considered to be the protection of vital interests of the patient under Article 6(1)(c) of the GDPR.

Last modified 15 Sep 2022

GDPR article 6(1)(c), as the processing is necessary in order for the data controller to comply with chapter 5 of the Danish Medicines Act.

Last modified 15 Sep 2022

It is Article 6(1)(c) (‘performance of a legal obligation’) in conjunction with Article 9(2)(i) (‘reasons of public interest in the area of public health’) of the GDPR. There is a legal obligation to process personal data (Medicines Act section 30e). 

Last modified 18 Oct 2022

As per the CNIL’s standard, the appropriate legal basis for health monitoring is the data controller’s legal obligations, as set out in the Articles R5121-150 and following French Public Health Code.

Last modified 18 Oct 2022

The legal basis for the processing of the patients personal data for the purpose of pharmacovigilance is the legal obligation under Art. 6 (1) (c) GDPR in connection with the respective provisions of the German Medicine Act (Arzneimittelgesetz) or respective laws of the German federal states.

Last modified 25 Oct 2022

According to market practice, the processing of clinical research participants’ data within the scope of pharmacovigilance activities is based on the need to comply with a legal obligation (Article 6(1)(c) of the GDPR).

Last modified 14 Sep 2022

Since the NAIH has not yet adopted any guidance or definite practice in this matter, reference should be made to the above-mentioned European Data Protection Board’s Opinion 3/2019.

According to this Opinion 3/2019, the preferred legal ground for the processing of patients’ personal data within the scope of pharmacovigilance activities would be the existence of a legal obligation (Article 6(1)(c) in conjunction with the provisions of Article 9(2)(i) of the GDPR).

Last modified 14 Sep 2022

The Health Products Regulatory Authority (“HPRA”)1 collects pharmacovigilance personal data and operates the national system for recording and reporting details of suspected adverse reactions occurring in Ireland which are notified in association with the use of medicines.

The legal basis for processing of personal data in adverse reaction reports is firstly, Article 6(1)(c) of the GDPR: compliance with legal obligation to which the controller is subject.

Secondly, in terms of special categories of personal data, the HPRA relies on the exception provided by Article 9(2)(i) of GDPR, (processing special category data for reasons of public interest).  

As part of its statutory role in the regulation of medicines (pharmacovigilance), the HPRA is legally obliged to collect adverse reaction reports to human medicines. The legal basis for such collection is processing data in compliance with a legal obligation, Article 6(1) (c), and the relevant piece of legislation is the Medicinal Products (Control of Placing on the Markets) Regulations 2012. These Regulations require the HPRA is to transmit details of adverse reaction reports to the EudraVigilance Database.

[1] Privacy Notice – Pharmacovigilance and EudraVigilance Database

Last modified 14 Sep 2022

According to the EDPB’s Q&A on Clinical Trials, the processing of patients’ personal data performed for reliability and safety purposes (as per the CTR and/or relevant national provisions) is based on the existence of a legal obligation according to Article 6(1)(c) of the GDPR or Article 9(2)(i), depending on the nature of the personal data processed.

Moreover, in cases of adverse effect, the legal ground for the data processing activity may also be considered the protection of vital interests of the data subject, as per Article 6(1)(d) of the GDPR.

Last modified 31 Aug 2022

The legal basis for the processing of the personal data in respect of pharmacovigilance in not explicitly specified either in Luxembourg legal texts or guidelines.

A Data protection notice for pharmacovigilance declarations (Notice de protection des données concernant les déclarations de pharmacovigilance) indicates that the Division de la pharmacie et des médicaments – Direction de la santé, which is the authority that collects and processes pharmacovigilance declarations in Luxembourg has to comply with the requirements of the GDPR. However, this notice does not identify any specific article of the GDPR as the legal basis for the processing of the personal data in respect of pharmacovigilance.

From our point of view, these three options may be considered:

  • Consent (article 6)(1)(a) of the GDPR): A pharmacovigilance declaration form is available on the official website Guichet.lu. Prior to filing this form, the person reporting adverse reactions has to give its consent to the processing of its personal data. Although it is not clearly stated by the Luxembourg law, it seems that the legal basis for the processing of the personal data related to pharmacovigilance in Luxembourg is consent, in accordance with article 6(1)(a) of the GDPR.
  • Performance of a task carried out in the public interest (article 6)(1)(e) of the GDPR): Pursuant to Recital 17 of the Regulation (EU) No 520/2012 of 19 June 2012 on the performance of pharmacovigilance activities, the purpose of the processing of personal data in pharmacovigilance activities is safeguarding public health which “constitutes a substantial public interest”. Therefore, we believe that the ground for the processing of the personal data in respect of pharmacovigilance could also be European regulations and more precisely the Recital mentioned above together with article 6(1)(e) of the GDPR.
  • Fulfilment of a legal obligation (Article 6)(1)(c) GDPR) in the case of notification of adverse effects, as the entity concerned is obliged to register them and analyse the notifications made according to Section 45-4 of the Grand Ducal Decree of 15 December 1992, as amended by Grand Ducal Regulation 10 September 2012.

In most cases, for pharmacovigilance, fulfilment of a legal obligation, alone or in combination with other legal basis, could be a valid legal basis for processing.

Last modified 14 Sep 2022

Subject to the argumentation laid down in the answers to the previous question, the controller should be able to rely on fulfillment of legal obligation of the controller as an adequate legal basis. This is because the Law on Medicines, inter alia, provides for a wide set of reporting obligations associated with pharmacovigilance with respect to participants in a clinical trial.

Last modified 19 Oct 2022

Processing of personal data in respect of pharmacovigilance is based on the existence of a legal obligation to implement a pharmacovigilance system under the Law on Medicines.

The protection of the vital interests of the participants as data subjects can also be considered as a legal ground for processing in case of the occurrence of any adverse effects which have to be notified to the local authority supervising the market of medicinal products.

Last modified 18 Oct 2022

The Norwegian Medicines Agency is responsible for the pharmacovigilance and is actively contributing to the European Medicines Agency's Committee for pharmacovigilance, Pharmacovigilance Risk Assessment Committee (PRAC).

Any processing of personal health data for the purpose of pharmacovigilance would be based on article 6 (e) and 9 (2)(i) or (j) and the Medicines Act with regulations like the Adverse Effect Registry regulating the processing of personal data for the purpose of collecting data for pharmacovigilance purposes.

Last modified 31 Aug 2022

In the light of EDPB Opinion 3/2019, the relevant legal ground for the processing of the personal data in respect of pharmacovigilance may be Article 6(1)(c) of the GDPR in conjunction with Article 9(2)(i) of the GDPR.

Last modified 31 Aug 2022

The processing of personal data within the scope of pharmacovigilance activities is based on the compliance with a legal obligation under Article 6 (1) (c) of GDPR in connection with Article 9 (1) (i) of GDPR. In those cases where there is an adverse effect, it is understood that the legal ground for the data processing activity can also be considered the protection of vital interests of the data subject Article 6 (1) (d) of GDPR, but this would have to be assessed on a case-by-case basis.

Last modified 31 Aug 2022

No formal opinion from the supervisory authorities was issued.  The processing of patients' personal data by the marketing authorization holder within the scope of pharmacovigilance activities should be based on the existence of a legal obligation (Article 6.1 c) of the GDPR in conjunction with Article 9.2 i) of the GDPR.

Further to the above, and in those cases where there is an adverse effect, we believe that the legal ground for the data processing activity may also be considered the protection of vital interests of the data subject (Article 6.1 d in conjunction with Article 9.2 c)).

We are aware however of a still ongoing preference of the market for the use of consent – especially for processing of personal data for follow up contacting of the data subject.

Preliminary note

Clinical trials in Romania are performed in public or private sites. In private sites, the sponsor usually engages the site for all clinical trial related services: site, PI, study staff.

In case of public sites, the sponsor contracts separately with the main actors in the clinical trials (site, PI) for the services each provide. This means that each of them needs to be qualified from a data protection point of view.  

Last modified 31 Aug 2022

Subject to the argumentation laid down in the answers to the previous question, the controller should be able to rely on fulfillment of legal obligation of the controller as an adequate legal basis. This is because the Law on Medicines, inter alia, provides for a wide set of reporting obligations associated with pharmacovigilance with respect to participants in a clinical trial.

Last modified 19 Oct 2022

According to the Code, the processing of patients’ personal data within the scope of pharmacovigilance activities is based on the existence of a legal obligation (Article 6.1 c) of the GDPR.

Further to the above, and in in cases of adverse effect, the legal ground for the data processing activity may also be considered the protection of vital interests of the data subject as per Article 6 (1( (d), according to the Code.

Last modified 31 Aug 2022

The processing of patients' personal data within the scope of pharmacovigilance activities is based on the existence of a legal obligation (Article 6.1 c) of the GDPR1.

[1] Medical Products Agency's regulations (LVFS 2012: 14) on safety monitoring of medicinal products for human use

Last modified 31 Aug 2022

Safety reporting which is required by the Clinical Trials Regulations 2004 should be based on legal obligation (Article 6(1)(c)) in conjunction with Article 9.2 (i) UK GDPR.

Last modified 31 Aug 2022

Albania

Albania

Has the local regulator published any guidelines/regulations addressing privacy matters on clinical trials and/or pharmacovigilance? ('Regulator' may mean either the local data protection authority, or the local medicines authority.)

Yes, with regard to clinical trials. The Albanian Data Protection Commissioner (“Commissioner”) has approved Instruction no. 18 as of 03.07.2012 “On the processing of personal data in the context of clinical trials of drugs” (“Instruction no. 18”).

The instruction is available online.

No guidelines or regulations have been published with regard to pharmacovigilance.

Last modified 18 Oct 2022

Albania

Albania

Do the privacy laws and regulations applicable to clinical trials in your jurisdiction provide for extraterritorial applicability?

No.

Law no. 9887 “On the Protection of Personal Data”, as amended (Data Protection Law) does not provide an extraterritorial applicability. 

However, the domestic Data Protection Law does extend to controllers located outside the territory of the Republic of Albania who process personal data with “means” located within the territory of the Republic of Albania. The law does not provide any definition of “means” however the Commissioner has confirmed verbally on several occasions that “means” shall be understood as anything from equipment (i.e., servers), apps or persons located in Albania to collect personal data.

In case the controller (i.e., sponsor) is located outside the Republic of Albania, it must appoint a designated representative located within the territory of the Republic of Albania.

Last modified 18 Oct 2022

Albania

Albania

What is the preferred legal ground for the processing of the personal data of the participants in a clinical trial in your jurisdiction?

Article 4.2 of the Instruction no. 18 states that personal data is processed only if consented by the test subject. Therefore, consent is a mandatory legal ground for processing of the personal data. Further, based on article 4.3 of Instruction no. 18, personal data of clinical trial participants can be processed only for the following purposes:

  • If necessary for granting the registration permit of a drug;
  • To prove the clinical effect and safety of a drug during the scientific research process;
  • To reassess the efficiency and safety of a drug after its release in the market.

Last modified 18 Oct 2022

Albania

Albania

What is the legal ground for the processing of the personal data in respect of pharmacovigilance in your jurisdiction?

The processing of patients’ personal data in respect of pharmacovigilance activities is based on the existence of a legal obligation based on Article 6.1. of the Data Protection Law.

In cases of adverse effects of a certain medicine/drug, the legal ground for conducting data processing activities can also be considered the protection of vital interests of the data subject (Article 6.1.c of the Data Protection Law).

Last modified 18 Oct 2022

Albania

Albania

Indicate the role from a data protection perspective of various parties involved (i.e in respect of the processing of the personal data of the clinical trial).

Role Notes
Sponsor

Data controller of the participants' data.

Principal Investigator

Data controller of the participants’ data in connection to data processing activities that arise from the performance of investigation activities.

Clinical Trial Site

Data controller for the purpose of helping the investigation.

Monitor

Sponsor's data processor monitoring the investigation.

CRO Sponsor's data processor when performing activities that involve access by the CRO to the participants data.

Last modified 18 Oct 2022

Albania

Albania

Is key-coded clinical trial data considered personal data under your jurisdiction’s data protection laws? (Key-coded clinical trial data is where the identity of the individual clinical trial participant is replaced with a unique subject identification code, and the ‘key’ which can be used to re-identify the participant is held by the Principal Investigator.)

Yes.

There is no definition of key-coded information under the Data Protection Law, however as long as the key-coded information is accessible through a “key”, data subjects are at some point or somehow identified/identifiable regardless of who is holding the key to access the information, therefore key coded information is considered personal data under the Data Protection Law.

Last modified 18 Oct 2022

Albania

Albania

Is it possible to re-use the personal data obtained for the purposes of conducting the clinical trial? If so, what requirements need to be satisfied?

Yes.

It is possible to re-use the personal data obtained for the purpose of conducting clinical trials conditional as a general rule only upon consent of the data subject. Other legal grounds for the processing need to be satisfied in a case-by-case basis (e.g., protection of vital interests of the data subject).

Hence, if the consent and/or the legal ground for processing of data extends to the re-use/ re-processing scenario, there is no need to obtain a second consent or to conduct processing on different legal grounds as there is already a valid legal ground in place for processing of personal data i.e., in case of research for the same purpose.

In light of the above, please consider that the consents given and/or the legal ground allowing the processing of data obtained for the purpose of conducting clinical trials do not automatically and in any case, extend to the re-use of the personal data for other/latter purposes unless those are specified.

Last modified 18 Oct 2022

Albania

Albania

What requirements, if any, need to be satisfied if clinical trial data is transferred internationally?

As with health data, clinical trial data are considered sensitive data. Any processing (including transfer) of sensitive data is expressly prohibited. However, processing of sensitive data is allowed in certain exceptional cases prescribed by the Data Protection Law, among others, if the data subject has given his/her consent.

Generally speaking, international data transfer is only limited to those countries offering adequate levels of data protection as provided by the Decision of the Council of Ministers no.934, dated 2 September 2009 “On the determination of the countries which have a sufficient level of personal data protection” i.e., EU and EEA member states; signatory countries of the Strasbourg convention etc.

However, as an exception, international data transfer may take place freely even if made to a country which does not provide adequate protection provided the data subject has granted consent. Other exceptions include scenarios where the international transfer is necessary for the performance of a contract between the data subject and the data controller or in case the transfer is a legal obligation of the controller; the international transfer is necessary for protecting vital interests of the data subject; the transfer constitutes a legal requirement over an important public interest or, for exercising and protecting a legal right; the transfer is done from a register that provides information to the general public etc.

Exceptionally, if none of the scenarios above are applicable, international data transfer is also possible with the prior authorization of the Commissioner, if the Commissioner is satisfied that adequate safeguards with relation to privacy and other fundamental rights of the data subject are in place. The Commissioner can additionally provide for conditions and obligations under which the data transfer should take place.

Last modified 18 Oct 2022

Albania

Albania

Anisa Rrumbullaku

Partner

Karanovic & Partners

T: +355 69 20 42 722[email protected]
Sirius Tartari

Karanovic & Partners

[email protected]