EU & UK GDPR Representation for sponsors of European clinical trials

The General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).... (GDPR) came into force in the EU on 25th May 2018 and has since been a driving force for improving data protection standards worldwide. The GDPR was created to protect EU citizens’ personal dataInformation which relates to an identified or identifiable natural person..... The term ‘personal data’ refers to any information relating to an individual that can be used to identify that individual, either on its own or when combined with other information. Obvious examples include name, email address and passport number. However, less obvious examples also exist such as IP address or CCTV recordings of individuals. 

Crucially for clinical trials, health and medical data is classed as personal data so it is a requirement to comply with the requirements of the GDPR. Furthermore, under the GDPR, health and medical data is deemed special category dataPersonal data which requires more protection because it is sensitive in nature. GDPR defines special category data as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, and data concerning health, a person's sex life, or sexual orientation...., meaning that additional layers of protection are required for processing. It is also important to note that even if you pseudonymise the personal data used in trials so that individuals are not immediately identifiable, if it is possible to re-identify trial participants using any additional data that you hold, the GDPR will still apply.    

Although an EU Regulation, many organisations established outside of the EU are still bound by the GDPR’s rules. This is because it applies whenever the personal data of individuals located within the EU is processed, regardless of the organisation’s location. It is referred to as ‘extra territorial scope’.  Therefore, clinical trials run by non-European organisations must comply with the GDPR if any of your trial participants are located within the EU, even if you have no establishment in the EU and even if you are using a European based Contract Research Organisation (CRO).  

Article 27 Representation 

If you do not have an establishment in the EU, as part of complying with the GDPR, you must appoint an EU Representative. Additionally, courtesy of Brexit, since the 1st of January 2021, there is now a separate requirement for organisations that processA series of actions or steps taken in order to achieve a particular end.... the personal data of UK residents, but do not have an establishment in the UK, to appoint a UK Representative. These Representation requirements are the focus of this blog post, which endeavours to help you determine whether your organisation needs either Representative and, if so, how they can help you. 

EU Representation is governed by Article 27 of the GDPR. Organisations for which Article 27 applies must appoint an EU Representative to act as a point of contact in the EU for data subjects and supervisory authorities. Your Representative can be a person or an organisation but must be established in one of the EU member states where your trial participants – referred to as data subjects – reside. EU Representatives have a number of responsibilities:  

• To cooperate with supervisory authorities 
• To facilitate communication between your organisation and data subjects 
• To maintain a Record of Processing Activities (RoPA) for your organisation, in accordance with GDPR Article 30 

 Aside from these key responsibilities, they should also work with you on a number of other tasks including: 

• Ensuring their details are clearly displayed on your privacy notice 
• Understanding your data flows 
• Translating and responding to queries from data subjects and supervisory authorities 
• Logging and reporting data breaches relating to your EU/UK data subjects 
• Advising on data protection issues that impact your organisation 

If you only process the personal data of data subjects residing in one EU member state, your EU Representative must be based in that member state. However, if you process the personal data of individuals residing in multiple member states, you can choose to have your EU Representative located in any one of those countries. It is recommended that you choose the country from which the most data is collected and processed. This is simply because it is where you are most likely to receive queries or complaints from, so having an EU Representative that is easily accessible and speaks the same language as these data subjects is likely to prove very useful.  

UK Representation 

As of the 1st of January 2021, the UK is no longer part of the EU. However, as the UK has transposed the GDPR into its domestic law, the ‘UK GDPR’ is now in force under UK law. The UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU.... has a similar requirement to Article 27 GDPR, meaning that organisations established outside of the UK, that process the personal data of UK residents, must appoint a UK Representative to fulfil the same role, and perform the same tasks, as mentioned above. This is in addition to the EU Representative required under the EU GDPR for when processing the data of EU Residents.

So, if you have trial participants located in both the UK and any of the EU27 member states, but you are established in neither location, you will require both types of Representative.  

Next Steps 

Considering the information above, clinical trial companies need to take the following steps for both the UK and the EU separately: 

Step 1: Determine whether the EU GDPR/UK GDPR applies to your organisation 

• • • • Do you process the personal data of anyone residing in the EU or UK? 

Step 2: If yes, the EU GDPR/UK GDPR applies and you must consider whether you have any suitable establishments in the EU or UK? 

• • • • If yes, (and the establishment is willing to adopt the responsibility and potential liability for acting as your Representative) then you won’t need to appoint a separate Representative 
      • If no, you will likely need to appoint a Representative 

Step 3 (EU only): Do you process the personal data of individuals from just one, or multiple EU member states? 

• • • • If one, you must appoint an EU Representative in that state 
      • If multiple, consider where you collect and process the majority of personal data, and appoint an EU Representative in that state 

Finally, it is important to note that both the requirement to appoint an EU Representative, and the requirement to appoint a UK Representative, regardless of the UK’s positive AdequacyA status granted by either the EU Commission (EU) or UK government (UK) to third countries that provide personal data protection that is essentially equivalent to that provided in EU or UK law.... decision, are in force now. Therefore, if you have not already appointed one, then it is of great urgency that you do. Thankfully, appointing a Representative is a simple process that you can implement within days.  

If you require any more information or advice about EU and UK Representation, please contact us.