18
Wed, May
69 New Articles

Czech Republic: Data Privacy in Clinical Trials

Czech Republic: Data Privacy in Clinical Trials

Czech Republic
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

The COVID-19 pandemic has accelerated the digital evolution of clinical trials. Introducing new technologies and ways of working with clinical data, improving clinical data access, review, and monitoring processes, and making better use of the data for further scientific research are trends that are here to stay. Side by side with these developments come legal questions about personal data protection. The aim of this article is to shed light on the core legal issue in data processing within clinical trials: its legal basis.

Clinical trials involve the processing of an extensive amount of personal data, including health data and other special categories of personal data regulated under EU General Data Protection Regulation no. 2016/679. The particularity of this processing activity deserves special attention by controllers and their data protection officers. The appropriate legal basis for processing trial participants’ personal data and determining whether explicit consent is necessary under the GDPR has been a hot topic of debate. But Opinion no. 3/2019 of the European Data Protection Board confirms that explicit consent is merely one of the possible legal grounds for processing personal data in clinical trials, and that several others may be appropriate, in specific situations, and should be considered by the controllers. The Czech Data Protection Authority has expressed a similar view, stating that informed consent to participate in a clinical trial should not be confused with the explicit consent required by the GDPR. In addition, guidelines issued by the Czech Institute for Drug Control recommend that the written request for informed consent regarding participation in a clinical trial and the privacy notice (or written request for consent to data processing, if applicable) required by the GDPR be provided to trial participants as two separate documents.

According to the EDPB’s Opinion, the legal grounds for processing should be determined on a case-by-case basis, taking into consideration the purpose for which the data will be processed in the course of a clinical trial. Therefore, the appropriate legal basis should be determined separately for processing operations that relate to protecting the patient’s health and safety, on one hand, and processing performed purely for research, on the other. Alternative legal bases for research-processing activities may be the legitimate interests of the trial sponsor or a task carried out in the public interest, and health data may be processed based on public interest in the area of public health or scientific research purposes. Processing activities related to protection of patient health and safety may be based on the legal obligations of the trial sponsor, while processing of health data may be based on public interest in the area of public health.

Controllers should also separately assess the appropriate legal basis for a secondary use of personal data collected in the course of clinical trials for scientific research purposes, as it may differ from the primary use. In this context, it is worth mentioning that Czech law on data processing provides certain derogations from the GDPR and additional safeguards for the processing of data for scientific research purposes. In particular, Czech law imposes additional obligations on controllers performing scientific research, including the obligation to appoint a data protection officer and adopt specific technical and organizational measures.

The position of the EDPB related to the personal data processing for scientific research purposes was further clarified in the context of the COVID-19 outbreak. The EDPB adopted Guidelines no. 03/2020, which reiterated that explicit consent may be an appropriate legal basis, but depending on the context of the processing, other alternative legal bases should be considered as well. When consent is relied upon, it must be freely given, active, specific, informed, and unambiguous. Controllers should also take into account that data subjects have the right to withdraw their consent. Upon withdrawal of consent, controllers may have to delete the personal data concerned, unless further retention is justified on other lawful bases.

To conclude, controllers should take the time to properly identify the data processing purposes of clinical trials, and carefully assess the applicable legal basis for each processing activity. Explicit consent may be the first one that comes in mind, but other alternatives may be more appropriate, depending on the specific context.

By Monika Maskova, Partner, and Ivana Rosenzweigova, Attorney, PRK Partners

This Article was originally published in Issue 8.5 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

PRK Partners at a Glance

PRK Partners, one of the leading Central European law firms, has been helping clients achieve their business objectives almost 30 years. Our team of lawyers, based in our Prague, Ostrava, and Bratislava offices, has a unique knowledge of Czech and Slovak law and of the business environment. Our lawyers studied at top law schools in the United States, United Kingdom, Switzerland and elsewhere. They also have experience working for leading international and domestic law firms in a number of jurisdictions. We speak your language, too. Our legal team is fluent in more than 15 languages, including all the key languages of the region.

PRK Partners has one of the most experienced legal teams on the market. We are consistently rated as one of the leading law firms in the region. We have received many significant honours and awards for our work. We represent the interests of international clients operating in the Czech Republic in an efficient way, combining local knowledge with an understanding of their global requirements in a business-friendly approach. We are one of the largest law firms in the Czech Republic and Slovakia. Our specialised teams of lawyers and tax advisors advise major global corporations as well as local companies. We provide comprehensive legal advice drawing on our profound knowledge of local law and markets.

Our legal advice delivers tangible results – as proven by our strong track record. We are the only Czech member firm of Lex Mundi, the world's leading network of independent law firms. As one of the leading law firms in the region, we have received many national and international awards, in some cases several years in a row. Honours include the Chambers Europe Award for Excellence, The Lawyer and Czech and Slovak Law Firm of the Year. Thanks to our close cooperation with leading international law firms and strong local players, we can serve clients in multiple jurisdictions around the globe. Our strong network means that we can meet your needs, wherever you do business.

PRK Partners has been repeatedly voted among the most socially responsible firms in the category of small and mid-sized firms and was awarded the bronze certificate at the annual TOP Responsible Firm of the Year Awards.

Our work is not only “business”: we have participated on a longstanding basis in a wide variety of pro bono projects and supported our partners from the non-profit sector (Kaplicky Centre Endowment Fund, Tereza Maxová Foundation, Czech Donors Forum, etc.).

Firm's website: www.prkpartners.com