Role of sponsor, principal investigator and others

Indicate the role, from a data protection perspective, of the various parties involved (i.e. in respect of the processing of the personal data of the clinical trial).

Role Notes
Sponsor

Data controller of the participants' data.

Principal Investigator

Data controller of the participants’ data in connection to data processing activities that arise from the performance of investigation activities.

Clinical Trial Site

Data controller for the purpose of helping the investigation.

Monitor

Sponsor's data processor monitoring the investigation.

CRO

Sponsor's data processor when performing activities that involve access by the CRO to the participants' data.

Last modified 18 Oct 2022

Role Notes
Sponsor

The Privacy Act does not contain the concept of controller and processor. To the extent the Sponsor is an APP entity with an Australian link (as described more fully in our answer to Question 3) collecting or handling personal information, the Sponsor will be bound by the Privacy Act and the APPs.

Principal Investigator

The Privacy Act does not contain the concept of controller and processor. To the extent the Principal Investigator is an APP entity with an Australian link (as described more fully in our answer to Question 3) collecting or handling personal information, the Sponsor will be bound by the Privacy Act and the APPs.

Clinical Trial Site

The Privacy Act does not contain the concept of controller and processor. To the extent the CTS is an APP entity with an Australian link (as described more fully in our answer to Question 3) collecting or handling personal information, the Sponsor will be bound by the Privacy Act and the APPs.

Monitor

The Privacy Act does not contain the concept of controller and processor. To the extent the Monitor is an APP entity with an Australian link (as described more fully in our answer to Question 3) collecting or handling personal information, the Sponsor will be bound by the Privacy Act and the APPs.

CRO

The Privacy Act does not contain the concept of controller and processor. To the extent the CRO is an APP entity with an Australian link (as described more fully in our answer to Question 3) collecting or handling personal information, the Sponsor will be bound by the Privacy Act and the APPs.

Last modified 18 Oct 2022

Sponsor

(Joint) Controller

Principal Investigator

No own role (employee of the Clinical Trial Site)

Clinical Trial Site

(Joint) Controller

Monitor

Depends on the specific circumstances and the tasks of the Monitor. Usually, the Monitor is a processor of the Sponsor since it acts on behalf and under the instructions of the Sponsor.

CRO

Depends on the specific circumstances and the tasks of the CRO. Usually, the CRO is a processor of the Sponsor since it acts on behalf and under the instructions of the Sponsor.

Last modified 27 Feb 2023

Role Notes
Sponsor

(Joint) controller. Any joint controllership would be in relation to the principal investigator, where the sponsor would (jointly with the principal investigator) determine the essential means and purposes of the clinical trials.

Principal Investigator

(Joint) controller or processor depending on the degree of involvement in the decision and design process of the clinical trial.

Any joint controllership would be in relation to the sponsor (as per above).

If the principal investigator just accepts the protocol drafted by the sponsor, the investigator can be considered as a processor.

Clinical Trial Site

Data controller of the participants’ personal data for the purposes of providing adequate healthcare assistance which is independent/must be distinguished from the processing of this data for research purposes.

Monitor

Sponsor’s data processor, in charge of supervising the correct development of the research.

CRO

Typically acts as a processor because of the intermediary function between a number of investigators (trial centers) and the sponsor in the clinical trial.

However, to the extent the CRO becomes more involved in the decision and design process of the trial, it may also be considered a joint controller.

As a general note: we have indicated above the most likely qualifications. However, this remains largely a factual determination based on the specifics of the case.

Last modified 15 Sep 2022

Role Notes
Sponsor

Data controller of the key-coded data of participants.

Principal Investigator

Data controller of the participants' personal data in connection with the data processing activities that arise from performing the investigation activities.

Clinical Trial Site

Data controller of the participants' personal data for the purpose of providing adequate healthcare assistance within the scope of the investigation.

Monitor

Sponsor’s data processor, in charge of supervising the correct development of the investigation.

CRO

Sponsor’s data processor when (i) performing monitoring tasks, and (ii) in the event that the Sponsor subcontracts other tasks to the CRO that involve access by the CRO to encrypted participant data.

Last modified 18 Oct 2022

Role Notes
Sponsor

Data controller.

Principal Investigator

Data controller (jointly with the sponsor) but may only be a data processor depending on the structure of the clinical trial.

Clinical Trial Site

Sponsor's data processor, in charge of providing adequate healthcare assistance within the scope of the clinical trial.

Monitor

Data processor engaged by the sponsor to supervise the correct development of the clinical trial.

CRO

Sponsor's data processor, but can be a joint data controller if the CRO and the sponsor jointly determine why and how personal data is processed.

Last modified 18 Oct 2022

Role Notes
Sponsor

Data controller of the key-coded data of participants.

Principal Investigator

Data controller of participants' personal data in connection with data processing activities, for the purpose of carrying out research activities.

Clinical Trial Site

Data Controller of participants' personal data for the purposes of providing healthcare within the scope of investigation.

Monitor

Sponsor’s data processor, in charge of supervising the correct development of the investigation.

CRO

Sponsor’s data processor in performing monitoring tasks and other tasks involving CRO access to encrypted participant data.

Last modified 15 Sep 2022

Role Notes
Sponsor

Data controller.

Principal Investigator

Data controller.

Clinical Trial Site

Data controller.

Monitor

Presumably a data controller for personal information about research staff – does not usually process data of participants in the study.

CRO

Depends on the actual role assigned to the CRO, in particular with regard to the level of responsibility. Where the CRO is merely performing analyses specified by others and returning the "raw" results, the CRO would generally be considered a data processor, while broader instructions, requiring the CRO to interpret results and possibly make its own decisions on (parts of) the processing, would indicate that the CRO would be a data controller.

Last modified 15 Sep 2022

Role Notes
Sponsor

Data controller / joint controller

Principal Investigator

Data controller / joint controller / processor

Clinical Trial Site

Data controller / joint controller / processor

Monitor

Processor

CRO

Processor

Note: The assessment on the roles of the parties needs to be made on a case-by-case basis. The controller alone determines the purposes and means of processing personal data. If several parties act as joint controllers, they define the purposes and methods of personal data processing together and share the controller’s responsibility. A processor processes personal data on behalf of a controller. Processors operate according to the controller’s instructions and under its supervision.

Last modified 18 Oct 2022

Role Notes
Sponsor

The MR-001 and MR-003 state that the sponsor is the data controller.

Principal Investigator

Processor for the purposes of performing the protocol defined by the Sponsor or joint controller if the Principal Investigator launches the clinical trial with the Sponsor.

The MR-001 and MR-003 do not specify whether Principal Investigators should be considered as data controllers or data processors.

In the absence of specific guidance in France, the EDPB guidance (Guidelines 07/2020 on the concepts of controller and processor in the GDPR) is followed: i.e., if the investigator does not participate in the drafting of the protocol (he just accepts the protocol already elaborated by the sponsor), and the protocol is only designed by the sponsor, the investigator should be considered as a processor and the sponsor as the controller for this clinical trial. This is to be distinguished from the investigator’s processing of patient data outside of the context of the clinical trial / performance of the protocol, where the investigator will be acting as a controller.

Clinical Trial Site

The MR-001 and MR-003 state that the clinical site is a data processor.

Monitor

Not clearly mentioned in the MR-001 and MR-003 but should act as data processor since they are in charge of supervising the correct development of the investigation on behalf of the sponsor.

CRO

The MR-001 and MR-003 state that the CRO is a data processor.

Last modified 18 Oct 2022

Role Notes
Sponsor

(Joint) Controller

Principal Investigator

Employee of the Clinical Trial Site – no own role from a data protection perspective

Clinical Trial Site

(Joint) Controller

Monitor

Depends on the specific circumstances and the tasks of the Monitor in regard to the data processing. Usually the Monitor is acting on behalf and under the instructions of the sponsor and is therefore to be considered as processor of the sponsor.

CRO

Depends on the specific circumstances and the tasks of the CRO in regard to the data processing. Usually the CRO is acting on behalf and under the instructions of the sponsor and is therefore to be considered as processor of the sponsor.

Last modified 25 Oct 2022

Role Notes
Sponsor

According to the above-mentioned National Ethics Committee document, the sponsor shall act in its capacity as data controller.

Principal Investigator

Pursuant to the aforementioned document, investigator shall act as data processor.

In practice, in most clinical trial agreements principal investigator is considered as data controller of the clinical trial participants’ personal data in connection with the data processing operations performed in conducting the investigation activities set forth in the Protocol.

Clinical Trial Site

Pursuant to the aforementioned document, clinical trial site shall act as data processor, acting on behalf of the sponsor.

In practice, in most clinical trial agreements the clinical trial site is qualified as data controller of clinical trial participants’ personal data for the purposes of providing adequate healthcare assistance within the scope of the investigation.

Monitor

To the extent such party would be in charge of supervising the correct development of the investigation on behalf of the sponsor, said party shall qualify as data processor.

Normally, this role is assumed by the CRO.

CRO

Pursuant to the aforementioned document, CRO shall be the data controller.

However, in practice most clinical trial agreements are formulated as tri-party agreements between sponsor or CRO, principal investigator and clinical trial site. Therefore, either sponsor or CRO are appointed as data controllers.

Last modified 14 Sep 2022

Role Notes
Sponsor

Data controller.

Principal Investigator

Sponsor’s data processor

(However, in accordance with Guidelines 07/2020 of the European Data Protection Board on the concepts of controller and processor in the GDPR, the PI may qualify as a joint controller with the sponsor if they collaborate on the drafting of the study protocol (i.e. purpose, methodology/design of the study, data to be collected, subject exclusion/inclusion criteria, database reuse (where relevant) etc.), as they jointly determine and agree on the same purpose and the essential means of the processing (see example 4 after paragraph 66).)

Clinical Trial Site

Joint controller with the sponsor, or sponsor’s data processor, for the same reasons specified above with respect to the PI.

Monitor

Sponsor’s data processor, in charge of supervising the correct development of the investigation. 

CRO

Sponsor’s data processor when (i) performing monitoring tasks, and (ii) in the event that the Sponsor subcontracts other tasks to the CRO that involve access by the CRO to encrypted participant data.

Last modified 14 Sep 2022

In Ireland, there is no specific guidance which determines the role of the various parties involved in clinical trials. The Irish Health Service Executive Research and Development Framework sets out the Key Roles in the Governance and Management of Health Research; however, it does not give a specific indication of the data protection roles. Rather, it is noted that the legal responsibility for the various aspects of the study (including data protection) may reside with one or several parties (i.e., the organisation responsible for accepting and managing the research funding, the clinical investigators and their employers, and the data controller(s) may be any one or all of the participating organisations).

It is noted that a clear, factual and formal identification of controller (e.g., independent / joint controllers) and/or data processors is required on a case-by-case basis. 

Role Notes
Sponsor

‘Sponsor’ is the term used for the responsible legal entity for regulated clinical trials and means an individual, company, institution or organisation which takes responsibility for the initiation, for the management and for setting up the financing of the clinical trial.[1]

All clinical trial information shall be recorded, processed, handled, and stored by the sponsor or investigator, as applicable, in such a way that it can be accurately reported, interpreted and verified while the confidentiality of records and the personal data of the subjects remain protected in accordance with the applicable law on personal data protection. Appropriate technical and organisational measures shall be implemented to protect information and personal data processed against unauthorised or unlawful access, disclosure, dissemination, alteration, or destruction or accidental loss, in particular where the processing involves the transmission over a network.[2]

A statement by the sponsor or his or her representative that data will be collected and processed in accordance with Directive 95/46/EEC (which has been repealed by the GDPR) shall be provided.[3]

In light of the responsibilities of the Sponsor, it is likely that the Sponsor will be controller of personal data of participants in health research / clinical trials. This is also confirmed by the Guidelines 07/2020 of the European Data Protection Board on the concepts of controller and processor in the GDPR, where it is stressed that the PI / Trial Site may be qualified as a joint controller with the Sponsor if they collaborate on the drafting of the study protocol (i.e. purpose, methodology/design of the study, data to be collected, subject exclusion/inclusion criteria, database reuse (where relevant) etc.), as they jointly determine and agree on the same purpose and the essential means of the processing (see example 4 after paragraph 66).

Principal Investigator

‘Principal investigator’ means an investigator who is the responsible leader of a team of investigators who conduct a clinical trial at a clinical trial site,[4] and is responsible for the day-to-day management of the research study at the research site. The Principal Investigator retains ultimate responsibility for the management of the research study, even if tasks are delegated to other research staff. A principal investigator shall ensure compliance of a clinical trial at a clinical trial site with the requirements of the Regulation. The principal investigator shall assign tasks among the members of the team of investigators in a way which is not compromising the safety of subjects and the reliability and robustness of the data generated in the clinical trial at that clinical trial site.[5]

In light of the responsibilities of the Principal Investigator, it is likely that they can be controllers of personal data of participants in health research / clinical trials, whether they are individuals or organisations.

Clinical Trial Site

In Ireland this is commonly referred to as the Research Site or Host Site and is a facility, location or service (e.g. hospital) where the research is being conducted. This includes:

  • the organisation or organisations where the research is taking place; and/or,  
  • the organisation whose service users, patients or staff are involved in the research; and/or 
  • the organisation that provides research staff, primary data, infrastructure or premises to facilitate the research.

Given the involvement of the Research Site, it is likely to be a controller of the participants' personal data for the purposes of providing adequate healthcare assistance within the scope of the investigation. This is also confirmed by the Guidelines 07/2020 of the European Data Protection Board on the concepts of controller and processor in the GDPR, where it is stressed that the PI / Trial Site may be qualified as a joint controller with the Sponsor if they collaborate on the drafting of the study protocol (i.e. purpose, methodology/design of the study, data to be collected, subject exclusion/inclusion criteria, database reuse (where relevant) etc.), as they jointly determine and agree on the same purpose and the essential means of the processing (see example 4 after paragraph 66).

Monitor

The HPRA Guidance does not provide for a “monitor” per se but does provide that a sponsor is required to carry out monitoring procedures. These include plans for on-site monitoring, central monitoring and data committee monitoring.

The sponsor must be able to demonstrate that it has oversight of trial conduct and GCP compliance and has mechanisms in place to continuously monitor the benefit-risk balance.

The HPRA, in their review of adequate Clinical Trial protocols, may request documents including risk assessment, monitoring plans, follow-up letters, GCP non-compliance escalations, data committee charters and meeting minutes.[6]

CRO (Chief Research Organization)

A CRO can contractually assume one or more of a clinical trial sponsor's obligations if that sponsor does not have particular expertise.

The services that CROs provide include:

  • Preclinical research activities
  • Clinical research monitoring
  • Protocol design
  • Clinical trial management
  • Preparation and submission of regulatory materials to the relevant regulatory agency
  • Completing post approval regulatory obligations and reports.

The CRO mainly acts as the Sponsor’s data processor when (i) performing monitoring tasks, and (ii) in the event that the Sponsor subcontracts other tasks to the CRO that involve access by the CRO to encrypted participant data.

 

[1] Article 2(14) Regulation (EU) No 536/2014
[2] Article 56 Regulation (EU) No 536/2014
[3] 1.3 R. 73 Regulation (EU) No 536/2014
[4] Article 2(16) Regulation (EU) No 536/2014
[5] Article 73 Regulation (EU) No 536/2014
[6] HPRA Guide to Clinical Trials in Ireland: 8.9

Last modified 14 Sep 2022

Role Notes
Sponsor

Data controller.

In particular, according to the DPA’s Guidelines the Sponsor may act as controller or joint controller, together with the Clinical Trial Site. This is also confirmed by the Guidelines 07/2020 of the European Data Protection Board on the concepts of controller and processor in the GDPR, where it is stressed that the PI / Trial Site may be qualified as a joint controller with the Sponsor if they collaborate on the drafting of the study protocol (i.e. purpose, methodology/design of the study, data to be collected, subject exclusion/inclusion criteria, database reuse (where relevant) etc.), as they jointly determine and agree on the same purpose and the essential means of the processing (see example 4 after paragraph 66). As a consequence, a case-by-case analysis is necessary.

That said, the default position provided for in the Template Agreement issued by the AIFA is that Sponsor is qualified as independent controller.

Principal Investigator

In most cases (i.e., where the PI is an employee of the Clinical Trial Site) the PI will be treated as an agent of the Clinical Trial Site, pursuant to Art. 29 of the GDPR.

Where this is not the case, then the PI will either be the Sponsor’s data processor or, where the PI needs to process personal data to provide medical care outside of the context of the trial protocol, they will be an independent controller.

That said, the default position provided for in the Template Agreement issued by the AIFA qualifies the Principal Investigator as person in charge of the processing of participants’ data, pursuant to Art. 29 of the GDPR.

Clinical Trial Site

According to the Italian DPA’s Guidelines, Clinical Trial Site is qualified as controller or joint controller, together with the Sponsor, of participants’ data, for the purposes of providing adequate healthcare assistance within the scope of the investigation.

However, the Guidelines 07/2020 of the European Data Protection Board on the concepts of controller and processor in the GDPR stress that the Clinical Trial Site may be qualified either as a joint controller with the Sponsor or processor acting on behalf of Sponsor, depending on factual circumstances.

As a consequence, a case-by-case analysis is necessary.

Monitor

According to the Italian DPA’s Guidelines, processor acting on Sponsor’s behalf, in charge of supervising the correct development of the investigation. 

CRO

Processor acting on Sponsor’s behalf when (i) performing monitoring tasks, and (ii) in the event that the Sponsor subcontracts other tasks to the CRO that involve access by the CRO to participant data.

Last modified 31 Aug 2022

Role Notes
Sponsor

Data controller, as it defines the selection criteria of the participants in the trial and the overall purpose of the processing.

This is also confirmed by the Guidelines 07/2020 of the European Data Protection Board on the concepts of controller and processor in the GDPR, where it is stressed that the PI / Trial Site may be qualified as a joint controller with the Sponsor if they collaborate on the drafting of the study protocol (i.e. purpose, methodology/design of the study, data to be collected, subject exclusion/inclusion criteria, database reuse (where relevant) etc.), as they jointly determine and agree on the same purpose and the essential means of the processing (see example 4 after paragraph 66).

Principal Investigator

He/she could be considered data controller, as they will determine the purposes of the processing of the data for the immediate actions related to the clinical trial (participant assistance and development of the investigation).

It should be noted that in most cases (i.e., where the PI is an employee of the Clinical Trial Site) the PI will be treated as an agent of the Clinical Trial Site, pursuant to Article 29 of the GDPR.

Depending on the circumstances, he/she might also be considered as data processor for the Clinical Trial Site, where he/she only processes data on behalf and upon instructions of the Clinical Trial Site (and he/she is not an employee thereof), but this has to be assessed on a case-by-case basis.

Clinical Trial Site

Data controller for the same reasons as the principal investigator.

This is also confirmed by the Guidelines 07/2020 of the European Data Protection Board on the concepts of controller and processor in the GDPR, where it is stressed that the PI / Trial Site may be qualified as a joint controller with the Sponsor if they collaborate on the drafting of the study protocol (i.e. purpose, methodology/design of the study, data to be collected, subject exclusion/inclusion criteria, database reuse (where relevant) etc.), as they jointly determine and agree on the same purpose and the essential means of the processing (see example 4 after paragraph 66).

Monitor

Usually, they will be considered data processor as they process the data on behalf of the Sponsor.

CRO

Usually, they will be considered data processor as they process the data on behalf of the Sponsor.

Last modified 14 Sep 2022

Role Notes
Sponsor

Data controller*.

Principal Investigator

Data controller, with respect to processing activities which represent Principal Investigator’s responsibilities in the specific clinical trial*.

Clinical Trial Site

Data controller, with respect to processing activities which represent Clinical Trial Site’s responsibilities in the specific clinical trial*.

Monitor

Data processor on behalf of the Sponsor, with respect to processing activities which represent Monitors’ responsibilities in the specific clinical trial*.

CRO

Data processor on behalf of the Sponsor, with respect to processing activities which represent CRO’s responsibilities in the specific clinical trial*.

* Please note that the roles for each of the involved parties also depend greatly on the circumstances of each particular trial, i.e., the extent of the roles awarded to each of them. In that sense, whenever a party is authorized to determine (or in fact is determining) the purposes and means of the processing of personal data, such a party would bear the role of a controller. This note applies to other roles in clinical trials respectively.

Last modified 19 Oct 2022

Role Notes
Sponsor

Data controller.

Principal Investigator

Data controller.

Clinical Trial Site

Data controller.

Monitor

Data processor.

CRO

Data processor.

Last modified 18 Oct 2022

Role Notes
Sponsor

According to the Clinical Trials Regulation the sponsor has a legal obligation (the responsibility) to make sure the trial is performed in accordance with the regulation and that the data involved is processed in accordance with relevant regulation (GDPR and national legislation). By definition this would make the Sponsor the controller of the data processed in the trial. If the sponsor isn't involved in any data processing it would be necessary to discuss if in fact the role as a controller should be shared with the P.I. or if it is the P.I. who is the controller alone.

Principal Investigator

Normally the P.I. would be the controller in a medical trial or any research project if he/she is not an employee of the Clinical Trial Site.

Clinical Trial Site

The data controller of the participants' personal data for the purposes of providing adequate healthcare assistance within the scope of the investigation.

Monitor

Sponsor's data processor, in charge of supervising the correct development of the investigation. 

CRO

Sponsor's data processor when performing monitoring tasks, and in the event that the Sponsor subcontracts other tasks to the CRO that involve access by the CRO to encrypted participant data.

Last modified 31 Aug 2022

Role Notes
Sponsor

Data controller of the key-coded data of participants, as it determines the purposes and means of the processing of personal data during the clinical trial.

Principal Investigator

For the purpose of patient care within the clinical trial and performance of its own legal obligations or interests in this regard, Principal Investigator is a data controller.

Depending on the role in drafting of the research protocol and trial agreement, where the PI is not an employee of the trial site it might also be considered either a joint controller along with the Sponsor or a data processor on behalf of the Sponsor.

Clinical Trial Site

Data controller of the participants’ personal data for the purposes of providing adequate healthcare assistance within the scope of the investigation and data processor subject to the Sponsor within the investigation itself. 

Monitor

Sponsor’s data processor, in charge of supervising the correct development of the investigation. 

CRO

Sponsor’s data processor when (i) performing monitoring tasks, and (ii) in the event that the Sponsor subcontracts other tasks to the CRO that involve access by the CRO to encrypted participant data.

Last modified 31 Aug 2022

Role Notes
Sponsor

Data controller of the personal data of participants.

Principal Investigator

Where the PI is not an employee of the trial site it is generally considered a processor. However, the qualification as (joint) data controller or processor should be assessed on a case-by-case basis depending on the level of participation in the clinical trial.

Clinical Trial Site

Data controller of the participants' personal data for the purposes of providing adequate healthcare assistance within the scope of the investigation.

Monitor

Sponsor’s data processor, in charge of supervising the correct development of the investigation.

CRO

Sponsor’s data processor when (i) performing monitoring tasks, and (ii) in the event that the Sponsor subcontracts other tasks to the CRO that involve access by the CRO to encrypted participant data.

Last modified 31 Aug 2022

Role Notes
Sponsor

Data controller of the personal data of clinical trial participants.

Principal Investigator

(When contracted separately from the site) Data controller of the personal data of the clinical trials participants. 

Clinical Trial Site

Data controller of the personal data of the clinical trials participants during the provision of healthcare assistance within the clinical trials.

Monitor

If they are a separate legal entity, the monitor company is the Sponsor’s data processor.

CRO

Sponsor's data processor.

Last modified 31 Aug 2022

Role Notes
Sponsor

Data controller*.

Principal Investigator

Data controller, with respect to processing activities which represent Principal Investigator’s responsibilities in the specific clinical trial*.

Clinical Trial Site

Data controller, with respect to processing activities which represent Clinical Trial Site’s responsibilities in the specific clinical trial*.

Monitor

Data processor on behalf of the Sponsor, with respect to processing activities which represent Monitors’ responsibilities in the specific clinical trial*.

CRO

Data processor on behalf of the Sponsor, with respect to processing activities which represent CRO’s responsibilities in the specific clinical trial*.

* Please note that the roles for each of the involved parties also depend significantly on the circumstances of each particular trial, i.e., the extent of the roles awarded to each of them. In that sense, whenever a party is authorized to determine (or in fact is determining) the purposes and means of the processing of personal data, such a party would bear the role of a controller. This note applies to other roles in clinical trials respectively.

Last modified 19 Oct 2022

Role Notes
Sponsor

Data controller of the key-coded data of participants.[1]

Principal Investigator

Data controller of the participants' personal data in connection with the data processing activities that arise from performing the investigation activities set forth in the Protocol.

Clinical Trial Site

Data controller of the participants' personal data for the purposes of providing adequate healthcare assistance within the scope of the investigation.

However, in accordance with Guidelines 07/2020 of the European Data Protection Board on the concepts of controller and processor in the GDPR, the PI / Trial Site may qualify as a joint controller with the sponsor if they collaborate on the drafting of the study protocol (i.e. purpose, methodology/design of the study, data to be collected, subject exclusion/inclusion criteria, database reuse (where relevant) etc.), as they jointly determine and agree on the same purpose and the essential means of the processing (see example 4 after paragraph 66).

As a consequence, a case-by-case analysis is necessary.

Monitor

Sponsor’s data processor, in charge of supervising the correct development of the investigation.

CRO

Sponsor’s data processor when (i) performing monitoring tasks, and (ii) in the event that the Sponsor subcontracts other tasks to the CRO that involve access by the CRO to encrypted participant data.

[1] Although the Code considers that key-coded clinical trial data could not be considered personal data, it sets forth the role of the Sponsor as data controller of the participants' key-coded data, but modulates its responsibility accordingly, and in particular in comparison with the responsibilities held by the Principal Investigator and the Clinical Trial Site.

Last modified 31 Aug 2022

Role Notes
Sponsor

Data controller for the processing of key-coded (pseudonymized) personal data needed to fulfill the Sponsor's processing purposes and responsibilities set forth in the Protocol and by applicable law.

Joint-controller together with Clinical Trial Site for conducting the study, at least where the Protocol has been jointly decided.

Principal Investigator

Where the PI is an employee of the trial site, it will be considered:

  • Data controller for the data processing activity that arises because of the performance of the investigation activities set forth in the Protocol.
  • Joint-controller with Sponsor for conducting the study if the Principal Investigator together with the Sponsor decides the purpose and the means for the trial.[1]

Clinical Trial Site

Data controller for the processing of the participants' personal data for the purposes of providing adequate healthcare assistance within the scope of the investigation.

Monitor

Sponsor’s data processor, in charge of supervising the correct development of the investigation.

CRO

Sponsor’s data processor when (i) performing monitoring tasks, and (ii) in the event that the Sponsor subcontracts other tasks to the CRO that involve processing of personal data on behalf of the Sponsor, e.g. access by the CRO to encrypted participant data.

[1] Please see the EDPB's Guidelines 07/2020 on the concepts of controller and processor in the GDPR, p. 23.

Last modified 31 Aug 2022

Role Notes
Sponsor

Data controller.

Principal Investigator

In most cases (i.e., where the PI is an employee of the trial site) the PI will be treated as an agent of the Clinical Trial Site and not a controller / processor in its own right.

Where this is not the case, then the PI will be the Sponsor’s data processor (see comments below in relation to clinical trial site).

However, where the PI needs to process personal data to provide medical care outside of the context of the trial protocol, they will be an independent controller.

Clinical Trial Site

Sponsor’s data processor. This is the default position provided for in the HRA’s Model Clinical Trial Agreement.

However, in accordance with Guidelines 07/2020 of the European Data Protection Board on the concepts of controller and processor in the GDPR (which remain highly influential in the UK post-Brexit), the PI / Trial Site may qualify as a joint controller with the sponsor if they collaborate in drafting the study protocol (i.e. purpose, methodology/design of the study, data to be collected, subject exclusion/inclusion criteria, database reuse (where relevant) etc.), as they then jointly determine and agree on the same purpose and the essential means of the processing (see example 4 after paragraph 66).

Monitor

Sponsor’s data processor, in charge of supervising the correct development of the investigation.

CRO

Sponsor’s data processor when (i) performing monitoring tasks, and (ii) in the event that the Sponsor subcontracts other tasks to the CRO that involve access by the CRO to encrypted participant data.

Last modified 31 Aug 2022

Albania

Has the local regulator published any guidelines/regulations addressing privacy matters on clinical trials and/or pharmacovigilance? ('Regulator' may mean either the local data protection authority, or the local medicines authority.)

Yes, with regard to clinical trials. The Albanian Data Protection Commissioner (“Commissioner”) has approved Instruction no. 18, dated 03.07.2012, “On the processing of personal data in the context of clinical trials of drugs” (“Instruction no. 18”).

The instruction is available online.

No guidelines or regulations have been published with regard to pharmacovigilance.

Last modified 18 Oct 2022

Albania

Do the privacy laws and regulations applicable to clinical trials in your jurisdiction provide for extraterritorial applicability?

No.

Law no. 9887 “On the Protection of Personal Data”, as amended (Data Protection Law), does not provide for extraterritorial applicability.

However, the domestic Data Protection Law does extend to controllers located outside the territory of the Republic of Albania who process personal data with “means” located within the territory of the Republic of Albania. The law does not provide any definition of “means”; however, the Commissioner has confirmed verbally on several occasions that “means” shall be understood as anything, from equipment (i.e., servers) to apps or persons, located in Albania and used to collect personal data.

In case the controller (i.e., sponsor) is located outside the Republic of Albania, it must appoint a designated representative located within the territory of the Republic of Albania.

Last modified 18 Oct 2022

Albania

What is the preferred legal ground for the processing of the personal data of the participants in a clinical trial in your jurisdiction?

Article 4.2 of Instruction no. 18 states that personal data is processed only if the test subject has consented. Therefore, consent is a mandatory legal ground for the processing of personal data. Further, based on Article 4.3 of Instruction no. 18, personal data of clinical trial participants can be processed only for the following purposes:

  • If necessary for granting the registration permit of a drug;
  • To prove the clinical effect and safety of a drug during the scientific research process;
  • To reassess the efficiency and safety of a drug after its release in the market.

Last modified 18 Oct 2022

Albania

What is the legal ground for the processing of the personal data in respect of pharmacovigilance in your jurisdiction?

The processing of patients’ personal data in respect of pharmacovigilance activities is based on the existence of a legal obligation, pursuant to Article 6.1 of the Data Protection Law.

In cases of adverse effects of a certain medicine/drug, the legal ground for conducting data processing activities can also be considered the protection of vital interests of the data subject (Article 6.1.c of the Data Protection Law).

Last modified 18 Oct 2022

Albania

Indicate the role from a data protection perspective of various parties involved (i.e., in respect of the processing of the personal data of the clinical trial).

Role Notes
Sponsor

Data controller of the participants' data.

Principal Investigator

Data controller of the participants’ data in connection to data processing activities that arise from the performance of investigation activities.

Clinical Trial Site

Data controller for the purpose of helping the investigation.

Monitor

Sponsor's data processor monitoring the investigation.

CRO

Sponsor's data processor when performing activities that involve access by the CRO to the participants' data.

Last modified 18 Oct 2022

Albania

Is key-coded clinical trial data considered personal data under your jurisdiction’s data protection laws? (Key-coded clinical trial data is where the identity of the individual clinical trial participant is replaced with a unique subject identification code, and the ‘key’ which can be used to re-identify the participant is held by the Principal Investigator.)

Yes.

There is no definition of key-coded information under the Data Protection Law. However, as long as the key-coded information is accessible through a “key”, data subjects are at some point or somehow identified/identifiable, regardless of who is holding the key to access the information; therefore, key-coded information is considered personal data under the Data Protection Law.

Last modified 18 Oct 2022

Albania

Is it possible to re-use the personal data obtained for the purposes of conducting the clinical trial? If so, what requirements need to be satisfied?

Yes.

As a general rule, the personal data obtained for the purpose of conducting clinical trials may be re-used only with the consent of the data subject. Other legal grounds for the processing need to be satisfied on a case-by-case basis (e.g., protection of vital interests of the data subject).

Hence, if the consent and/or the legal ground for processing of data extends to the re-use/re-processing scenario, there is no need to obtain a second consent or to conduct processing on different legal grounds, as there is already a valid legal ground in place for processing of personal data, i.e., in case of research for the same purpose.

In light of the above, please consider that the consents given and/or the legal ground allowing the processing of data obtained for the purpose of conducting clinical trials do not automatically, and in every case, extend to the re-use of the personal data for other/later purposes unless those are specified.

Last modified 18 Oct 2022

Albania

What requirements, if any, need to be satisfied if clinical trial data is transferred internationally?

As with health data, clinical trial data are considered sensitive data. Any processing (including transfer) of sensitive data is expressly prohibited. However, processing of sensitive data is allowed in certain exceptional cases prescribed by the Data Protection Law, among others, if the data subject has given his/her consent.

Generally speaking, international data transfer is limited to those countries offering adequate levels of data protection, as provided by the Decision of the Council of Ministers no. 934, dated 2 September 2009, “On the determination of the countries which have a sufficient level of personal data protection”, i.e., EU and EEA member states, signatory countries of the Strasbourg Convention, etc.

However, as an exception, international data transfer may take place freely even if made to a country which does not provide adequate protection provided the data subject has granted consent. Other exceptions include scenarios where the international transfer is necessary for the performance of a contract between the data subject and the data controller or in case the transfer is a legal obligation of the controller; the international transfer is necessary for protecting vital interests of the data subject; the transfer constitutes a legal requirement over an important public interest or, for exercising and protecting a legal right; the transfer is done from a register that provides information to the general public etc.

Exceptionally, if none of the scenarios above are applicable, international data transfer is also possible with the prior authorization of the Commissioner, if the Commissioner is satisfied that adequate safeguards with relation to privacy and other fundamental rights of the data subject are in place. The Commissioner can additionally provide for conditions and obligations under which the data transfer should take place.

Last modified 18 Oct 2022

Albania

Anisa Rrumbullaku

Partner

Karanovic & Partners

T: +355 69 20 42 722

Sirius Tartari

Karanovic & Partners
