Yes, but only in limited circumstances.
This is because under APP 6.1 if an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless:
- The individual has consented to the use or disclosure of the information; or
- Subclause 6.2 or 6.3 (note 6.3 only applies to government agencies) applies in relation to the use or disclosure of the information.
Note: APP 8 sets out requirements for the disclosure of personal information to a person who is not in Australia.
6.2 This subclause applies in relation to the use or disclosure of personal information about an individual if:
- The individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is:
  - If the information is sensitive information (e.g. health information), directly related to the primary purpose; or
  - If the information is not sensitive information, related to the primary purpose; or
- The use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
- Not applicable
- The APP entity is an organisation and a permitted health situation exists in relation to the use or disclosure of the information by the entity; or
- Not applicable.
Generally, it is possible to re-use such data with (additional) consent. Apart from that, re-use must be justified by an appropriate legal basis both under Article 6 and Article 9 GDPR. On the one hand, re-use for clinical trials is possible if participants granted so-called “broad consent” for certain broader defined research areas in advance. On the other hand, re-use outside of clinical trials is possible for scientific purposes and/or for scientific institutions, both under rather narrow requirements which are challenging to fulfil in practice.
Yes. The re-use of personal data constitutes a further use which must meet the requirements of Articles 5(1)(b) and 6(4) GDPR.
If clinical trial data are further used for statistical and research purposes, a presumption of compatibility applies to such further use subject to compliance with the conditions of Article 89(1) GDPR which states that ‘appropriate safeguards’ must be implemented (Recital 50 GDPR).
Aside from the exceptions to data subject rights under the GDPR, the Belgian Act of 30 July 2018 on the protection of personal data (“Data Protection Act”) also contains an ‘exception regime’ that allows derogation from certain data subject rights (i.e. access, rectification, restriction and objection) for processing of data for statistical and research purposes to the extent that such rights are likely to render impossible or seriously impair the achievement of the specific purposes. This ‘exception regime’ can apply to further processing. However, it only applies when specific conditions are met, some of which differ depending on whether the original controller is the controller for the further processing of the data (Title 4 Data Protection Act). General requirements include the appointment of a DPO if the processing can constitute a high risk, and the inclusion of additional justifications in the record of processing activities. Other requirements (applicable depending on the scenario) concern, for example, the obligation to conclude an agreement with the original controller and requirements to anonymise and pseudonymise the data.
Yes.
Yes, to the extent that there are legal grounds for this processing.
In cases where the participants’ consent has been previously obtained for the processing of his/her personal data within the scope of conducting a clinical trial, the data can be re-used for further research related to the same field.
Yes, the clinical trial data can be reused.
Such processing of the trial participants’ personal data needs to follow GDPR’s principles relating to processing of personal data, especially the principle of transparency (when data is collected), data minimisation and the principle of integrity and confidentiality.
If there are legal grounds for re-use, yes, even without the need for subject consent.
In relation to GDPR, yes. Personal data can be re-used for scientific research purposes (without having to establish a separate lawful basis) provided a controller complies with the safeguards under Article 89(1) GDPR.
However, if data is being re-used in other clinical trials than the one for which they were originally collected, the new trials must be approved by the Ethical Committee, and data subjects may be required to consent to the use of their data for such new trials. This consent is a consent to participate in the clinical trial and should not be confused with a consent for the processing of personal data, even though the consent must meet the criteria for a valid consent as per GDPR.
Furthermore, disclosure of data processed on the basis of section 10 of the Danish Data Protection Act requires prior authorization from the Data Protection Agency if the disclosure:
- Is made for the purpose of processing outside the territorial scope of the General Data Protection Regulation, see Article 3 of the General Data Protection Regulation;
- Relates to biological material; or
- Is made for the purpose of publication in a recognised scientific journal or similar.
Furthermore, the Data Protection Agency may lay down further terms and restrictions for disclosure of data processed under section 10, even if the disclosure is not covered by the three scenarios described above.
The Finnish national legislation does not give any national level guidance on this, and the EU approach is followed. Therefore, personal data can be re-used for scientific research purposes (without having to establish a separate lawful basis) provided a controller complies with the safeguards under Article 89(1) GDPR. There are no additional safeguards prescribed under Finnish law.
If the above is not applicable, any processing would require another specific legal ground, other than the one used for the primary purpose. The chosen legal basis can be the same as the one for the primary use.
Further to the CNIL guidance on distinction between research and health data storage dated 28 November 2019, the answer is yes, provided the re-purposing addresses a specific question and is made on a one-time basis, and subject, in particular, to the following requirements:
- Compliance with the appropriate methodology of reference or otherwise the specific authorization of the CNIL;
- Notice to the data subjects.
In general it is possible to re-use the personal data obtained for the purposes of conducting the clinical trial. Such re-use, however, must be justified by an appropriate legal basis both under Art. 6 and Art. 9 GDPR.
It is, for example, possible to include a certain re-use of the personal data of the data subjects in the informed consent form in order to obtain valid consent of the data subjects for such processing activities. Please note that the requirements on consent under the GDPR must be met, in particular, consent must be granted for a specific processing activity and may not constitute a general consent for various processing activities in the future.
Yes, to the extent that there are legal grounds for this processing, key-coded clinical trial data can be re-used without having to obtain the data subjects’ consent.
In particular, personal data can be re-used for scientific research purposes (without having to establish a separate lawful basis) provided a controller complies with the safeguards under Article 89(1) GDPR.
Under Article 89(1), safeguards must take the form of technical and organizational measures, in particular to ensure respect for the principle of data minimization. This may involve pseudonymizing data, where possible in connection with the research.
Otherwise, to the extent that such use is compatible with the original purpose of processing (i.e., closely related to the clinical trial purpose) or there are legal grounds for this processing, clinical trial data can be re-used without having to obtain the data subjects’ consent.
Yes, to the extent that there is a relevant legal ground for this processing. Anonymized clinical trial data can be further re-used without having to rely on a legal basis.
Furthermore, due account must be taken of Article 5(1)(b) of the GDPR which provides for a presumption of compatibility of purposes, subject to the conditions set forth in Article 89(1) GDPR, when further processing is carried out for purposes of scientific research. In any event, even when the presumption of compatibility applies, data used outside the protocol of the clinical trial must be processed in compliance with all other applicable data protection provisions, as stated under Article 28(2) CTR. Therefore, the controller must comply with other obligations set forth by data protection law in any case, for example with regard to fairness, lawfulness (i.e. in accordance with applicable EU and national law), necessity and proportionality, as well as data quality (see paragraph 31 of the Opinion 3/2019 issued by the European Data Protection Board).
Yes, subject to conditions set out in HRRs s1. The HRRs limit processing and mandate that a controller processing (or further processing) personal data for the purposes of health research must ensure suitable and specific measures are taken to safeguard the fundamental rights and freedoms of the data subject. One of those measures is to ensure that arrangements are in place so that personal data shall be processed as necessary to achieve the objective of the research and to ensure that personal data are not processed in such a way that damage or distress is, or is likely to be, caused to the data subject.[1]
In addition, the controller must provide written confirmations demonstrating that the collection and use of the personal data will go no further than is necessary for the attainment of the research objective, and there will be no disclosure of the personal data unless that disclosure is required by law, or the data subject has given his or her explicit consent to the disclosure.
[1] S.I. No. 314 of 2018 Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (Sections 3(1)(a) and 26(c))
Personal data can be re-used for scientific research purposes (without having to establish a separate lawful basis) provided a controller complies with the safeguards under Article 89(1) GDPR.
Under Article 89(1), safeguards must take the form of technical and organisational measures, in particular to ensure respect for the principle of data minimisation. This may involve pseudonymising data, where possible in connection with the research.
Otherwise, to the extent that such use is compatible with the original purpose of processing (i.e., closely related to the clinical trial purpose) or there are legal grounds for this processing, clinical trial data can be re-used without having to obtain the data subjects’ consent.
Moreover, as per the Ministerial Decree of 30 November 2021 issued by the Italian Ministry of Health (“Decree”), personal data collected or otherwise obtained in the context of non-profit clinical trials can be lawfully transferred for registration purposes.
Anonymized clinical trial data can be further re-used without having to rely on a legal basis.
Since there are no specific guidelines or case law in Luxembourg regarding this topic, we should consider the general EU-level framework.
The secondary uses are expressly foreseen in Section 28(2) of the CTR and require the specific informed consent (within the meaning of the CTR, not GDPR) of the participant. Secondary uses are possible, but only for scientific purposes.
According to the European Commission in its Q&A, consent for the secondary use must be sought from the data subject either before the beginning of the trial or at a later stage.
However, it is the opinion of the EDPB that, relying on the presumption of compatibility of Article 5(1)(b) GDPR, it could be possible to continue to process the data for secondary uses relying on the same legal basis, without the need for a new one.
Personal data obtained for the purposes of conducting the clinical trial may be used only for the purposes for which it was primarily obtained, and of which the participant was duly informed. Re-use of such personal data is only permissible provided that there is an adequate legal basis for such “extended” processing, and provided that the participant was duly informed of any such subsequent purpose prior to the initiation of processing.
On the other hand, key-coded personal data which does not have the status of personal data is not subject to any restrictions on re-use from a privacy perspective. Nevertheless, this key-coded non-personal data is subject to regulatory requirements (e.g., protection of secrecy under the Law on Medicines and Law on Rights of the Patients).
Yes. One of the main principles for data processing is the principle of purpose limitation. This means that personal data must be collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Therefore, it would not be possible to re-use the personal data for any purpose other than the initial purpose for which the same were collected. However, further processing of the collected personal data for scientific purposes (pursuant to certain conditions and safeguards), is possible, since this will not be considered to be incompatible with the initial purposes.
The safeguards should ensure that technical and organizational measures are in place, in particular in order to ensure respect for the principle of data minimization. Such measures may include pseudonymization, provided that the purposes can be fulfilled in such manner. In situations where those purposes can be fulfilled by further processing which does not permit (or no longer permits) identification of data subjects, those purposes can be fulfilled in such manner.
Re-using data for purposes not included in the initial information is regarded as inconsistent with the consent given. If necessary, one would need a new consent.
REK (the ethical committees) may allow re-use based on the Medical Research Act § 15 if the new purpose is of significant interest to society and the integrity and wellbeing of the individuals are ensured.
It is possible to give a broad consent to research. This would mean a consent to research within a certain branch of medicine, and it requires updated information to the data subject to make sure the consent can still be seen as informed and freely given.
Key-coded datasets are used for medical research on a daily basis without consent, but these data are normally collected from health registries based on special regulations with legal grounds to export data for the purpose of research, but not necessarily clinical trials. These datasets can be reused to the extent that the new purpose has the necessary approvals.
No, if the legal ground for the processing was the data subject’s consent for a particular trial, unless the data subject was provided with sufficient information on re-use and appropriate safeguards prior to giving consent. Otherwise, a separate consent for re-use would be necessary.
However, in the light of EDPB Opinion 3/2019, to the extent that there are other legal grounds for this processing, such as Article 6(1)(e) of the GDPR in conjunction with Article 9(2)(i) and/or (j) of the GDPR, in line with Article 89(1) and Article 6(4) of the GDPR, key-coded clinical trial data can be re-used without having to obtain the data subjects’ consent.
Generally, re-use is possible for scientific research and when the data is kept key-coded.
Additionally, according to Article 28(2) of the CTR the Sponsor might ask for the participant’s consent to the use of their data outside the protocol of the clinical trial exclusively for scientific purposes.
Yes, to the extent that there are lawful grounds for this processing under GDPR, key-coded clinical trial data can be re-used.
In cases where the participants’ consent has been previously obtained for the processing of their personal data within the scope of conducting a clinical trial, prior to re-using the data for further investigations, it shall be ascertained exactly what the data subject has consented to.
Furthermore, according to Law no. 58/2019, the processing for scientific research purposes shall respect the principle of data minimization and include the anonymization or pseudonymization of such data, whenever the referred purposes can be achieved by one of these means.
Yes, to the extent that the sponsor is able to rely on legal ground(s) for this processing and all the other privacy safeguards are put in place (such as the proper information of the clinical trials participants, appropriate technical and organizational measures, etc.).
Personal data obtained for the purposes of conducting the clinical trial may be used only for the purposes for which it was primarily obtained, and of which the participant was duly informed. Re-use of such personal data is only permissible provided that there is an adequate legal basis for such “extended” processing, and provided that the participant was duly informed of any such subsequent purpose prior to the initiation of processing.
Exceptionally, the DP Law recognizes the so-called presumption of compatibility, whereby further processing of data solely for research shall 'not be considered to be incompatible with the initial purposes' for which the data was collected. This provision enables re-use of data for further research purposes.
On the other hand, key-coded personal data which does not have the status of personal data is not subject to any restrictions on re-use from a privacy perspective. Nevertheless, this key-coded non-personal data is subject to regulatory requirements (e.g., protection of secrecy under the Law on Medicines and Law on Rights of the Patients).
Yes, to the extent that there are legal grounds for this processing, key-coded clinical trial data can be re-used without having to obtain the data subjects’ consent.
In those cases where the participants’ consent has been previously obtained for the processing of his/her personal data within the scope of conducting a clinical trial, the same can refer to a research branch, and not to a concrete investigation. That would permit re-using the data for further investigations related to the same health branch (e.g. oncological research).
Re-use of personal data obtained for the purposes of conducting the clinical trial for other purposes requires a new consent.
Yes.
Personal data can be re-used for scientific research purposes (without having to establish a separate lawful basis) provided a controller complies with the safeguards under Article 89(1) UK GDPR and section 19 Data Protection Act 2018.
Under Article 89(1), safeguards must take the form of technical and organisational measures, in particular to ensure respect for the principle of data minimisation. This may involve pseudonymising data, where possible in connection with the research.
Under section 19 of the DPA 2018, research-related processing will not satisfy Article 89 if the processing: (i) is likely to cause substantial damage or substantial distress to data subjects; or (ii) is carried out for the purposes of measures or decisions about particular individuals, except in the case of approved medical research.
Anonymized clinical trial data can be further re-used without having to rely on a legal basis.
All other re-use of clinical trial data must either: (i) be compatible with the original purpose of processing (i.e., closely related to the clinical trial purpose) (Article 6(4) UK GDPR); (ii) be based on the data subject’s consent; or (iii) benefit from an exemption under Schedules 2 – 4 Data Protection Act 2018.
Albania
Has the local regulator published any guidelines/regulations addressing privacy matters on clinical trials and/or pharmacovigilance? ('Regulator' may mean either the local data protection authority, or the local medicines authority.)
Yes, with regard to clinical trials. The Albanian Data Protection Commissioner (“Commissioner”) has approved Instruction no. 18 as of 03.07.2012 “On the processing of personal data in the context of clinical trials of drugs” (“Instruction no. 18”).
The instruction is available online.
No guidelines or regulations have been published with regard to pharmacovigilance.
Albania
Do the privacy laws and regulations applicable to clinical trials in your jurisdiction provide for extraterritorial applicability?
No.
Law no. 9887 “On the Protection of Personal Data”, as amended (Data Protection Law) does not provide for extraterritorial applicability.
However, the domestic Data Protection Law does extend to controllers located outside the territory of the Republic of Albania who process personal data with “means” located within the territory of the Republic of Albania. The law does not provide any definition of “means”; however, the Commissioner has confirmed verbally on several occasions that “means” shall be understood as anything from equipment (i.e., servers), apps or persons located in Albania to collect personal data.
In case the controller (i.e., sponsor) is located outside the Republic of Albania, it must appoint a designated representative located within the territory of the Republic of Albania.
Albania
What is the preferred legal ground for the processing of the personal data of the participants in a clinical trial in your jurisdiction?
Article 4.2 of Instruction no. 18 states that personal data is processed only if consented to by the test subject. Therefore, consent is a mandatory legal ground for processing of the personal data. Further, based on article 4.3 of Instruction no. 18, personal data of clinical trial participants can be processed only for the following purposes:
- If necessary for granting the registration permit of a drug;
- To prove the clinical effect and safety of a drug during the scientific research process;
- To reassess the efficiency and safety of a drug after its release in the market.
Albania
What is the legal ground for the processing of the personal data in respect of pharmacovigilance in your jurisdiction?
The processing of patients’ personal data in respect of pharmacovigilance activities is based on the existence of a legal obligation based on Article 6.1. of the Data Protection Law.
In cases of adverse effects of a certain medicine/drug, the legal ground for conducting data processing activities can also be considered the protection of vital interests of the data subject (Article 6.1.c of the Data Protection Law).
Albania
Indicate the role from a data protection perspective of various parties involved (i.e., in respect of the processing of the personal data of the clinical trial).

| Role | Notes |
| --- | --- |
| Sponsor | Data controller of the participants' data. |
| Principal Investigator | Data controller of the participants’ data in connection to data processing activities that arise from the performance of investigation activities. |
| Clinical Trial Site | Data controller for the purpose of helping the investigation. |
| Monitor | Sponsor's data processor monitoring the investigation. |
| CRO | Sponsor's data processor when performing activities that involve access by the CRO to the participants' data. |
Albania
Is key-coded clinical trial data considered personal data under your jurisdiction’s data protection laws? (Key-coded clinical trial data is where the identity of the individual clinical trial participant is replaced with a unique subject identification code, and the ‘key’ which can be used to re-identify the participant is held by the Principal Investigator.)
Yes.
There is no definition of key-coded information under the Data Protection Law; however, as long as the key-coded information is accessible through a “key”, data subjects are at some point or somehow identified/identifiable regardless of who is holding the key to access the information. Therefore, key-coded information is considered personal data under the Data Protection Law.
Albania
What requirements, if any, need to be satisfied if clinical trial data is transferred internationally?
As with health data, clinical trial data are considered sensitive data. Any processing (including transfer) of sensitive data is expressly prohibited. However, processing of sensitive data is allowed in certain exceptional cases prescribed by the Data Protection Law, among others, if the data subject has given his/her consent.
Generally speaking, international data transfer is limited to those countries offering adequate levels of data protection as provided by the Decision of the Council of Ministers no. 934, dated 2 September 2009 “On the determination of the countries which have a sufficient level of personal data protection”, i.e., EU and EEA member states, signatory countries of the Strasbourg convention, etc.
However, as an exception, international data transfer may take place freely even if made to a country which does not provide adequate protection provided the data subject has granted consent. Other exceptions include scenarios where the international transfer is necessary for the performance of a contract between the data subject and the data controller or in case the transfer is a legal obligation of the controller; the international transfer is necessary for protecting vital interests of the data subject; the transfer constitutes a legal requirement over an important public interest or, for exercising and protecting a legal right; the transfer is done from a register that provides information to the general public etc.
Exceptionally, if none of the scenarios above are applicable, international data transfer is also possible with the prior authorization of the Commissioner, if the Commissioner is satisfied that adequate safeguards with relation to privacy and other fundamental rights of the data subject are in place. The Commissioner can additionally provide for conditions and obligations under which the data transfer should take place.