1. Data Protection Officer (DPO)’ s role

A Data Protection Officer (DPO) is responsible to ensure that an organization processes the personal data of its staff, customers, providers or any other individuals (also referred to as ‘data subjects’) in compliance with the applicable data protection rules.

2. When is a DPO designation required?

2.1 Regulation

Article 37 (1) GDPR : ‘The controller and the processor shall designate a data protection officer in any case where:

a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity.

b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 (Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited).

Paragraph 1 shall not apply if one of the following applies:

the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;) or personal data relating to criminal convictions and offences referred to in Article 10.

2.2 From corroborating Articles 9, 10 and 37 in the GDPR we can summarize the situations where the Data Protection Officer is to be designated:

1. When processing is done by a public authority.

2. When the controller or processor’s core activities consist in systematic monitoring of data subjects on a large scale.

3. When the controller or processor’s core activities consist in processing special categories of data.

The exception to above 3 points is when the data subject has given explicit consent to the processing for one or more specific purposes.

3.Interpreting DPO requirement for clinical studies

3.1 The key players in the clinical trials environment are: the Sponsor, the CRO, any service provider for the Sponsor or CRO (It can be a software, payments, contracts, laboratory, data management etc. provider) or the Study site.

3.2 If we take the 3 points (section 2.2 (1,2,3) above) the Sponsor, the CRO or any service provider can generally find themselves in situation at point 2 or at point 3, as very rarely one of these stakeholders is a public entity. However, if they are a public authority, then it is certain that a DPO is required.

3.3 One the other hand, it happens often that a study site is a public health institution and if they are then, there is a requirement in the GDRP that they engage a DPO.

3.4 To support point 2 (Section 2.2 “when the controller or processor’s core activities consist in systematic monitoring of data subjects on a large scale”) the European Commission issued a Working Party under Article 29 of Directive 95/46/EC (WP29). This document tries to explain what could constitute “systematic monitoring of data subjects on a large scale”.

A) ‘Large scale’ – WP29 recommends that the following factors be considered when determining whether the processing is carried out on a large scale:

i) the number of persons concerned – an exact number or a percentage of the relevant population,

ii) the volume of data and/or range of different data items being processed,

iii) the duration or permanence of the data processing activity,

iv) the geographical area of the processing activity.

B) ‘Regular and systematic monitoring’ – WP29 interprets ‘regular’ as meaning one or more of the following:

i) Ongoing or occurring at particular intervals for a particular period

ii) Recurring or repeated at fixed times

iii) Constantly or periodically taking place

– WP29 interprets ‘systematic’ as meaning one or more of the following:

a) Occurring according to a system

b) Pre-arranged, organized or methodical

c) Taking place as part of a general plan for data collection

d) Carried out as part of a strategy.

3.5 In order for the Study site, the Sponsor, the CRO or any service providers for clinical trials to determine if their core activities consist in systematic monitoring of data subjects on a large scale, they are to analyze Section 3.4 and see if their main activities fall within this category. (For example, if the site is a private practice of one physician, then Article 37 (1) b) is not applicable as processing of patient data by an individual physician is not consider being processing of data on a large scale.)

3.6 In respect to point 3 (Section 2.2 point 3) when core activities of the controller or the processor consist of processing on a large scale of special categories of data, here we note that “data concerning health”, “genetic data”, “biometric data” are the categories primarily processed during a clinical trial.

3.7 “Data concerning health” is defined by the GDPR as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”

3.8 “Genetic data” is defined by the GDPR as “personal data relating to inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.”

3.9 “Biometric data” is “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”

3.10 In order to determine if the core activities of the controller/the processor consist of processing on a large scale of special categories of data (“data concerning health”, “genetic data”, “biometric data”) we recommend a Data Protection Impact Assessment (DPIA) that will not only evaluate any potential risks any clinical trial key player might take for a specific program, but also if they fall within the frame work of Article 37 (1) c). When determined that this section of the GDPR is applicable then a DPO is required.

4. Conclusion

A DPO’ role is to ensure an organization is aligned with GDPR requirements, assess risk and maintain a stable privacy framework for the company. If any organization recognized the scenarios described in Article 37 (1) as their own, even with the explicit informed consent (exception to Article 37 (1)), they are to proceed with care and consult with privacy and data protection experts. To the same point, they are recommended to keep a constant oversight for their internal policies and processes pertaining to GDRP requirements.

With an upcoming short article, we will dive into the exception in Article 10 from GDPR and the explicit consent.

Next up:

Consent versus explicit consent

A savvy reader may have noticed that GDPR’s health data use conditions calls for “explicit consent,” but the general definition just calls for “consent.” This has led to an endless debate about whether there is a difference between “unambiguous” consent and “explicit” consent, and if so, what constitutes that difference. Irrespective of the final clarifications and legal interpretation, it is clear that “explicit consent” for healthcare purposes will need the strongest forms of agreement, with explicit use(s) of data listed when getting such consent. Healthcare consent will also need to cover the case of many potential transfers of health data, including international data transfers and cloud storage.