A reminder of the accountability principle and the need for Data Processing Agreements and Standard Contractual Clauses in clinical trials

Clinical trials by their nature consist of two basic elements: processing of the health data of study participants and the cooperation between the sponsor, most often the CRO, and study sites spread over the world. From a data protection perspective, those elements may be challenging in themselves. Last summer’s Schrems II ruling by EU’s Court of Justice, the subsequent recommendations by the European Data Protection Board and the new Standard Contractual Clauses adopted by the European Commission added further challenges to any sponsor initiating studies with parties outside the European Union.

Based on a recent decision by Datatilsynet, the Norwegian Data Protection Authority, this article aims to address the challenges and provide a reminder of the need for data processing agreements and – when applicable – standard contractual clauses regarding the transfer of personal data to third countries.

One of the basic principles of the GDPR is the accountability principle defined in the regulation’s Article 5.2. According to the article, the controller shall be responsible for, and able to demonstrate compliance with, the principles relating to the processing of personal data. In simple terms, the controller is legally required to ensure that its processing activities comply with the GDPR.

In order to be able ensure compliance, the controller needs to be familiar with its processing activities, the nature of the personal data that are processed and the entities that are involved in the processing chain. Clinical trials by their nature involve processing of the health data of study participants. A person’s health data is classified as special categories of personal data according to Article 9 of the GDPR. Such special categories of data are subject to additional requirements that must be met prior to any processing. The nature and sensitivity of the personal data are thus factors that must be considered in every part of the processing chain.

As mentioned, clinical trials mostly involve three parties that are collaborating to achieve the goals of the study: the sponsor, the CRO and the study sites. The sponsor is the controller of the personal data processed for the purpose of the study. The CRO acts as the sponsor’s processor and the general understanding, in Sweden and several other EU Member States, is that the site should also be understood as serving as a processor for the sponsor. According to Article 28 of the GDPR, the relationship between controller and processor must be governed by a contract stipulating the terms for the processing performed by the processor – “data processing agreements”. Since the controller is obligated to ensure compliance with the GDPR, the controller is required to ensure that a data processing agreement is in place governing the processor’s processing of personal data.

Furthermore, if the processor is based in a country outside the EU/EEA that does not offer an adequate level of protection for the personal data, the controller needs to ensure that an appropriate safeguard is in place for the processing, such as the standard data protection clauses (in the following “SCCs”) adopted by the European Commission. A new set of such clauses were adopted this summer. The new version of the SCCs implements last year’s Schrems II ruling by the EU’s Court of Justice, as clause 14 of the new SCCs states that the parties must warrant that they have no reason to believe that the laws of the recipient’s country prevent the parties from fulfilling their obligations under the clauses. In addition, clause 14 states that the parties must declare that in providing their warranty they have taken into account certain areas, such as the specific circumstances of the transfer, the laws and practices of the third country and organisational safeguards securing the personal data. Hence, by signing the SCCs, the parties acknowledge they have made a thorough assessment of both the actual processing activities and the laws of the receiving country. Such a transfer impact assessment is both time-consuming and costly and a challenge in itself, but is according to SCCs and the European Data Protection Regulation a mandatory stage before transferral of the personal data.

In a recent decision by Datatilsynet, the Norwegian Data Protection Authority, the authority highlighted the need for data processing agreements and – where applicable – appropriate safeguards such as the SCCs. The decision concerned a Norwegian hospital that over a period of several years had appointed laboratories in different countries to analyse different samples from patients suffering from rare diseases. Since the laboratories had processed the personal data of the patients on behalf of the hospital, Datatilsynet found that they had acted as a processor on behalf of the hospital. Hence, the hospital should have ensured that the processing was covered by the relevant agreements. In most cases, no data processing agreements were in place and no SCCs. Against that background, Datatilsynet stated that the lack of relevant agreement constituted a breach of the parties obligations under GDPR, since, without a data processing agreement, the laboratories had no legal basis for the processing of the patients’ personal data and the hospital had not fulfilled its obligations to ensure that the processing was covered by a data processing agreement and, when applicable, SCCs.

Furthermore, Datatilsynet also notes that the laboratories were appointed to process special categories of personal data, since the samples disclosed data concerning the patients’ health. Hence, the hospitals needed to review all of its agreement to ensure that its processing was compliant with the GDPR.

As stated, Datatilsynet’s decision highlights the need for data processing agreements and appropriate safeguards such as the SCCs. Data processing agreements and, when applicable, SCCs are both mandatory requirements under the GDPR for the processing performed by a processor within and outside the EU/EEA. Both agreements are necessary, since the purposes of the agreements differ. The data processing agreement governs the terms for the processing performed by the processor and instructs the processor to process the personal data on behalf of the controller. The purpose of the SCCs is to secure a level of protection for the personal data, a level that is essentially equivalent to the level of protection ensured by the GDPR when the personal data are processed in a third country. Thus, in order to ensure compliant data processing, controllers appointing processors outside the EU/EEA need to implement both data processing agreements and SCCs. The lack of such agreements constitutes a breach of the GDPR.

For an EU-based entity involved in clinical trials, Datatilsynet’s decision serves as a reminder of the need to ensure that the required agreements are in place. For CROs, it is a reminder that, without a data processing agreement, the CRO has no basis for processing the personal data pertaining to the study participants. For sponsors, the decision serves as a reminder of the accountability principle. Without data processing agreements and SCCs, the sponsor does not fulfil its obligations pursuant to the accountability principle to ensure that the processing complies with the GDPR.