
EU & UK GDPR Representation for sponsors of European clinical trials

February 22, 2021

The General Data Protection Regulation (GDPR) came into force in the EU on 25th May 2018 and has since been a driving force for improving data protection standards worldwide. The GDPR was created to protect EU citizens’ personal data. The term ‘personal data’ refers to any information relating to an individual that can be used to identify that individual, either on its own or when combined with other information. Obvious examples include name, email address and passport number. However, less obvious examples also exist, such as IP address or CCTV recordings of individuals.

Crucially for clinical trials, health and medical data is classed as personal data, so trials must comply with the requirements of the GDPR. Furthermore, under the GDPR, health and medical data is deemed special category data, meaning that additional layers of protection are required for processing. It is also important to note that even if you pseudonymise the personal data used in trials so that individuals are not immediately identifiable, if it is possible to re-identify trial participants using any additional data that you hold, the GDPR will still apply.

Although the GDPR is an EU Regulation, many organisations established outside of the EU are still bound by its rules. This is because it applies whenever the personal data of individuals located within the EU is processed, regardless of the organisation’s location. This is referred to as ‘extra territorial scope’. Therefore, if you are a non-European organisation running a clinical trial, you must comply with the GDPR if any of your trial participants are located within the EU, even if you have no establishment in the EU and even if you are using a European based Contract Research Organisation (CRO).

 

Article 27 Representation 

If you do not have an establishment in the EU, as part of complying with the GDPR, you must appoint an EU Representative. Additionally, courtesy of Brexit, since the 1st of January 2021, there is now a separate requirement for organisations that process the personal data of UK residents, but do not have an establishment in the UK, to appoint a UK Representative. These Representation requirements are the focus of this blog post, which endeavours to help you determine whether your organisation needs either Representative and, if so, how they can help you.

EU Representation is governed by Article 27 of the GDPR. Organisations for which Article 27 applies must appoint an EU Representative to act as a point of contact in the EU for data subjects and supervisory authorities. Your Representative can be a person or an organisation but must be established in one of the EU member states where your trial participants – referred to as data subjects – reside. EU Representatives have a number of responsibilities:  

  • To cooperate with supervisory authorities 
  • To facilitate communication between your organisation and data subjects 
  • To maintain a Record of Processing Activities (RoPA) for your organisation, in accordance with GDPR Article 30 

 Aside from these key responsibilities, they should also work with you on a number of other tasks including: 

  • Ensuring their details are clearly displayed on your privacy notice 
  • Understanding your data flows 
  • Translating and responding to queries from data subjects and supervisory authorities 
  • Logging and reporting data breaches relating to your EU/UK data subjects 
  • Advising on data protection issues that impact your organisation 

 

If you only process the personal data of data subjects residing in one EU member state, your EU Representative must be based in that member state. However, if you process the personal data of individuals residing in multiple member states, you can choose to have your EU Representative located in any one of those countries. It is recommended that you choose the country from which the most data is collected and processed. This is simply because it is where you are most likely to receive queries or complaints from, so having an EU Representative that is easily accessible and speaks the same language as these data subjects is likely to prove very useful.  

 

UK Representation 

As of the 1st of January 2021, the UK is no longer part of the EU. However, as the UK has transposed the GDPR into its domestic law, the ‘UK GDPR’ is now in force under UK law. The UK GDPR has a similar requirement to Article 27 GDPR, meaning that organisations established outside of the UK that process the personal data of UK residents must appoint a UK Representative to fulfil the same role, and perform the same tasks, as mentioned above. This is in addition to the EU Representative required under the EU GDPR when processing the data of EU residents.

So, if you have trial participants located in both the UK and any of the EU27 member states, but you are established in neither location, you will require both types of Representative.  

 

Next Steps 

Considering the information above, clinical trial companies need to take the following steps for both the UK and the EU separately: 

Step 1: Determine whether the EU GDPR/UK GDPR applies to your organisation 

        • Do you process the personal data of anyone residing in the EU or UK? 

Step 2: If yes, the EU GDPR/UK GDPR applies and you must consider whether you have any suitable establishments in the EU or UK.

        • If yes, (and the establishment is willing to adopt the responsibility and potential liability for acting as your Representative) then you won’t need to appoint a separate Representative 
        • If no, you will likely need to appoint a Representative 

Step 3 (EU only): Do you process the personal data of individuals from just one, or multiple EU member states? 

        • If one, you must appoint an EU Representative in that state 
        • If multiple, consider where you collect and process the majority of personal data, and appoint an EU Representative in that state 

 

Finally, it is important to note that both the requirement to appoint an EU Representative, and the requirement to appoint a UK Representative, regardless of the UK’s positive Adequacy decision, are in force now. Therefore, if you have not already appointed one, then it is of great urgency that you do. Thankfully, appointing a Representative is a simple process that you can implement within days.  

If you require any more information or advice about EU and UK Representation, please contact us. 
