Privacy Pills – Clinical trials and data protection: Efficiently defining the roles & responsibilities of each stakeholder involved in the clinical trial

Our third Privacy Pill on the topic "Clinical trials and data protection" is dedicated to a critical step in the execution of a clinical trial: defining, in advance, the roles, obligations and responsibilities of each stakeholder involved (sponsors, study centres, investigators, CROs, laboratories, depots and other subcontractors).

When it comes to the processing of personal data, Regulation (EU) 2016/679 ("GDPR") defines two main actors: the data controller, which determines the purposes and means of the processing, and the data processor, which processes data on behalf of the controller. Each has distinct obligations and responsibilities (see GDPR art. 4 § 7 and § 8). In particular, a written contract must be signed between the controller and the processor to regulate the processing. Data controllers are also responsible for selecting and evaluating any third-party suppliers involved in the processing of patient data as processors or sub-processors (see GDPR art. 28).

Depending on the circumstances of the specific research project, sponsors and study centres will have distinct responsibilities in the context of the clinical study and may therefore qualify as independent data controllers or, as the case may be, joint controllers (GDPR art. 26). In the event of joint controllership (e.g., where the study protocol is drafted collaboratively; see the EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR), the roles and responsibilities of each party must be established in a contract: for example, by determining who will inform patients about the use of their data, who will be in charge of the notification obligations in case of a personal data breach, what the legal basis of the processing carried out by each controller will be, and so on for all the obligations applicable to controllers (see Chapter IV of the GDPR).

At the local level, EU member states may implement specific and additional requirements governing the processing of special categories of data. For example, the Italian data protection authority ("DPA") highlights the need to establish the relationship between sponsors and study centres, as data controllers, as well as with any other stakeholders accessing patients' data (see the guidelines for data processing within the framework of clinical drug trials of 24 July 2008). The Italian DPA's guidelines also offer further specifications regarding the involvement of other parties in clinical trials (CROs, monitoring staff, laboratories, patient transport companies, etc.), and specify that controllers must contractually regulate the roles and processing activities of any supplier who has access to the data of the participants in a clinical study (even coded patient data). This occurs, for example, where suppliers are engaged to collect or validate the study data, perform statistical analysis, or carry out data monitoring or the obligations related to pharmacovigilance (see section 6 of the aforementioned guidelines of the Italian DPA).