IP - 07126-1/2020/29

From GDPRhub
IP - 07126-1 / 2020/29
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 4(7) GDPR
Article 4(8) GDPR
Type: Advisory Opinion
Outcome: n/a
Started:
Decided: 25.08.2020
Published:
Fine: None
Parties: n/a
National Case Number/Name: 07126-1 / 2020/29
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: Information Commissioner's webiste (in SL)
Initial Contributor: Marco Blocher

The Slovenian data protection authority (Information Commissioner) gave its non-binding opinion on the data protection roles under Article 4(7) and (8) GDPR of the entities involved in clinical trials in Slovenia , holding that a case-by-case analysis per processing operation is neccessary.

English Summary

Questions raised

The Information Commissioner had been asked on the data protection roles of the the sponsor of a clinical trial and the principal investigator (i.e. the entity conducting the trial) with regards to the data processed in the trial:

  • Do sponsor and principal investigator qualify as joint controllers or
  • do they qualify as idependent controllers or
  • does the sponsor qualify as controller and the investigator qualify as the sponsor's processor?

Opinion

The Information Commissioner held that national Slovenian law regulating clinical trials does not define the data protection roles of sponsor and principal investigator. EDPB Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection regulation (GDPR) also does not provide an answer on that question.

According to the Information Commissioner, the sponsor typically acts as a controller of personal data processed in the course of the trial. The principal investigator does not always have a role of a joint controller or a processor, as this depends on its tasks, assignments and level of autonomy in the particular clinical study. he Information Commissioner emphasised that a case-by-case analysis is neccessary, looking at the specific processing operations. Therefore, the principal investigator may qualify as (joint) controller for certain processing operations and as a processor for others.

Finally, the Information Commissioner mentioned that the EPDB will soon adopt guidelines on the concepts of controller and processor in the GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

Date: 25.08.2020
Title: Roles of Data Controllers and Data Processors in the Context of Clinical Trials in Slovenia
Number: 07126-1 / 2020/29
Subject matter: Contractual data processing, Joint controllers, Statistics and research, Medical personal data
Legal act: Opinion

The Information Commissioner (Slovenian National Supervisory Body for Personal Data Protection) received your questions regarding the roles of data controllers and data processors in the context of clinical trials in Slovenia:

If a clinical trial is being conducted in Slovenia, would the Sponsor and the Principal Investigator be considered joint controllers of the personal data of the trial participants (data subjects)?

Alternatively:

Is the Sponsor the data controller while the Principal Investigator acts as a processor on behalf of the Sponsor? Is the Principal Investigator an independent data controller / controller in common with the Sponsor?

The Information Commissioner initially emphasizes that it is only possible to provide specific opinion and answers to your questions in the course of an inspection procedure where all aspects of data processing and its compliance with the relevant GDPR provisions are assessed in the context of a specific case. Hence, at this point it is only possible to provide general comments, as follows bellow.

Slovenian national legislation, which regulates clinical trials, does not define the roles of the sponsor and the principal investigator in the light of data protection rules, nor does EDPB Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation ( CTR) and the GDPR. In accordance with our national legislation, the sponsor is a business entity or an individual who assumes responsibility for initiating, conducting, or financing a clinical trial of a medicinal product; the principal investigator is the person responsible for the entire clinical trial course at the clinical trial site; and the investigator is the person responsible for the activities assigned to him in the clinical trial of the medicinal product at the particular trial site.

A controller determines the purposes and means of the processing, i.e. the why and how of the processing. The criterion for joint controllership to exist is the joint participation of two or more entities in the determination of the purposes and means of a processing operation. A processor is a separate entity in relation to the controller that processes personal data on the controller’s behalf.

There is no doubt that the sponsor typically acts as a controller of personal data. However, in our opinion, the principal investigator does not always have a role of a joint controller or a processor, as this depends on his tasks, assignments and level of autonomy in the particular clinical study. This needs to be evaluated on a case by case basis. It is also necessary to distinguish between roles according to the CTR and roles from the point of view of data processing.

So, the sponsor and the principal investigator may be considered as independent or joint controllers, and in certain cases the principal investigator may also act as a processor. We emphasize that the role of a (joint) controller or processor does not stem from the very nature of an entity that is processing data but from its concrete processing activities in a specific context. The same entity may therefore act at the same time as a (joint) controller for certain processing operations and as a processor for others. The qualification as (joint) controller or processor has to be assessed with regard to each specific data processing activity and it is not necessary for an actor to have only one role for all phases of a particular clinical trial. Hence, it is also possible that the sponsor and the principal investigator would be in a specific clinical trial (only) regarding certain processing activities considered joint controllers or, due to special agreements, in a controller-processor relationship. As we do not know the specific facts and circumstances of the concrete clinical trial, unfortunately we cannot give you a more precise answer to your question.

Finally, we would like to add that the EDPB will soon adopt guidelines on the concepts of controller and processor in the GDPR, which will further clarify the meaning of these concepts and the different roles between these actors.
Kind regards,

Mojca Prelesnik,

Information Commissioner of the Republic of Slovenia