The General Data Protection Regulation (GDPR) came into force in the EU on 25th May 2018 and has since been a driving force for improving data protection standards worldwide. The GDPR was created to protect EU citizens’ personal data, i.e. information which relates to an identified or identifiable natural person. The term ‘personal data’ refers to any information relating to an individual that can be used to identify that individual, either on its own or when combined with other information. Obvious examples include name, email address and passport number. However, less obvious examples also exist, such as IP address or CCTV recordings of individuals.
Crucially for clinical trials, health and medical data is classed as personal data, so trials must comply with the requirements of the GDPR. Furthermore, under the GDPR, health and medical data is deemed special category data, which requires more protection because it is sensitive in nature. The GDPR defines special category data as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, and data concerning health, a person's sex life, or sexual orientation, meaning that additional layers of protection are required for processing. It is also important to note that even if you pseudonymise the personal data used in trials so that individuals are not immediately identifiable, if it is possible to re-identify trial participants using any additional data that you hold, the GDPR will still apply.
Although an EU Regulation, many organisations established outside of the EU are still bound by the GDPR’s rules. This is because it applies whenever the personal data of individuals located within the EU is processed, regardless of the organisation’s location. It is referred to as ‘extra territorial scope’. Therefore, clinical trials run by non-European organisations must comply with the GDPR if any of your trial participants are located within the EU, even if you have no establishment in the EU and even if you are using a European based Contract Research Organisation (CRO).
Article 27 Representation
If you do not have an establishment in the EU, as part of complying with the GDPR, you must appoint an EU Representative. Additionally, courtesy of Brexit, since the 1st of January 2021, there is now a separate requirement for organisations that process the personal data of UK residents, but do not have an establishment in the UK, to appoint a UK Representative. These Representation requirements are the focus of this blog post, which endeavours to help you determine whether your organisation needs either Representative and, if so, how they can help you.
EU Representation is governed by Article 27 of the GDPR. Organisations for which Article 27 applies must appoint an EU Representative to act as a point of contact in the EU for data subjects and supervisory authorities. Your Representative can be a person or an organisation but must be established in one of the EU member states where your trial participants – referred to as data subjects – reside. EU Representatives have a number of responsibilities:
Aside from these key responsibilities, they should also work with you on a number of other tasks including:
If you only process the personal data of data subjects residing in one EU member state, your EU Representative must be based in that member state. However, if you process the personal data of individuals residing in multiple member states, you can choose to have your EU Representative located in any one of those countries. It is recommended that you choose the country from which the most data is collected and processed. This is simply because it is where you are most likely to receive queries or complaints from, so having an EU Representative that is easily accessible and speaks the same language as these data subjects is likely to prove very useful.
As of the 1st of January 2021, the UK is no longer part of the EU. However, as the UK has transposed the GDPR into its domestic law, the ‘UK GDPR’ is now in force under UK law. The UK GDPR has a similar requirement to Article 27 GDPR, meaning that organisations established outside of the UK, that process the personal data of UK residents, must appoint a UK Representative to fulfil the same role, and perform the same tasks, as mentioned above. This is in addition to the EU Representative required under the EU GDPR for when processing the data of EU Residents.
So, if you have trial participants located in both the UK and any of the EU27 member states, but you are established in neither location, you will require both types of Representative.
Considering the information above, clinical trial companies need to take the following steps for both the UK and the EU separately:
Step 1: Determine whether the EU GDPR/UK GDPR applies to your organisation
Step 2: If yes, the EU GDPR/UK GDPR applies and you must consider whether you have any suitable establishments in the EU or UK.
Step 3 (EU only): Do you process the personal data of individuals from just one, or multiple EU member states?
Finally, it is important to note that both the requirement to appoint an EU Representative, and the requirement to appoint a UK Representative, regardless of the UK’s positive Adequacy decision, are in force now. Therefore, if you have not already appointed one, then it is of great urgency that you do. Thankfully, appointing a Representative is a simple process that you can implement within days.
If you require any more information or advice about EU and UK Representation, please contact us.