Spain, as a Member State of the European Union (EU) applied, starting with January 31, 2022, the new Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC Text with EEA relevance (the “Regulation”). This Regulation is now the legal benchmark for the EU concerning clinical trials on medicinal products for human use.

Together with the Regulation, Spain also complies to the General Data Protection Regulation (GDPR), applicable throughout the EU. Beside these two regulations, Spain also relies on its national regulations and laws regarding personal data and clinical trials.

Why is it relevant? Clinical trials concern the heavy involvement of the data processing, whether it is about the actual study and medicinal products tested, and the data collected from the experiments, but it also means the participation of people, a lot of people, nation-wide or European-wide.

Considering that so many people participate in a clinical trial, the question is how is their personal data protected? Consider just the informed consent given by subjects participating in the clinical trial, their personal data is collected during selection process for including them in a clinical trial. The Regulation states this data collected must be protected and secured.

Aside the Regulation, separate but related and relevant, there is the GDPR. Applicable for all that involves personal collection, manipulation, and storage it also impacts clinical trials, because the personal data collected for a clinical trial fall under the GDPR requirements.

Starting this year, Farmaindustria, has introduced the New Code of Conduct (the “Code”) replacing the previous one from 2009. The text can be consulted here (in Spanish).

This Code of Conduct applies to clinical trials conducted in Spain, as its title implies “Código de Conducta regulador del tratamiento de datos personales en el ámbito de los ensayos clínicos y otras investigaciones clínicas y de la farmacovigilancia (Regulatory Code of Conduct of the treatment of personal data in the field of clinical trials and other research clinical and pharmacovigilance).

This change occurred because of the need to better comply with the GDPR. The Code is a rule book voluntarily adopted by the members of Farmaindustria and approved by the Spanish Data Protection Authority (AEPD) on 25 February 2022.

Why was it adopted? GDPR and the Regulation obliges parties involved in processing personal data to insure that, when requesting the subject informed consent or submitting for a clinical trial (see article 25 and article 29) the personal data be secured and stored in a way that will not harm the subjects right to privacy or unwanted disclosure or the right to have access to the collected data. Data controllers must insure who has access or not, to this kind of information.

The Code, though applicable to a specific sector – Pharma Industry, helps and guides interested parties on how to comply with the GDPR and with specific laws governing the data processing such as the Spanish – Organic Law 3/2018, of December 5, on Data Protection and Guarantee of Digital Rights (LOPDGDD). However, the Code will not be applicable to clinical trials already started prior to the adoption of this Code.

Some insights about the Code of Conduct

• The Code clarifies the use of data, in its primary and secondary use and the responsibilities of the Sponsor of the research and the health center or principal investigator setting them as independent data controllers. Considering secondary use of data for further future research purposes, it will not be required to ask again for the consent of participants.

• The Code includes the new concept of Trusted Third Party, defined in its article 1 Definition point 23: “is the natural or legal person not involved in conducting the clinical research that is contracted by the Sponsor for the purpose of carrying out the coding procedure of the personal data of the participants in the same.”

• Regarding its applicability to pharmacovigilance, pharmaceutical companies must keep a record about adverse effects and the relevant personal data of the participants on who it occurred and for this reason the necessity to comply with the GDPR with a distinction between cases were codification was prior or after the introduction of the Code. It provides a pharmacovigilance protocol to be observed by interested parties.

Aspects about coding

The Code brings an updated procedure considering security measures undertaken by Sponsor in section 2.2 Medidas de seguridad, that protects the identity of the participant in the trial by ensuring that staff and Sponsor do not have access to any personal data of the participants in the study that could lead to their identification. Or by internal audit to check if the data is properly manipulated by the Sponsor. The inclusion of the Trusted Third Party by a contract and a confidentiality agreement signed by all employees who process the encrypted data.

Another aspect present by Section 3.1 Procedimiento de codificación is – the Code restates that the Sponsor must not have access to the personal data of the participant in the trial and this must be ensured by the Principal Investigator or by a Trusted Third Party. For this reason, Sponsor must respect the Good Clinical Practice Standards and for clinical trials and the document “Introduction to hash as a pseudonymization technique of personal data” issued jointly by the AEPD and the EDPS. Accessible here.

SITE CONTRACTS IMPACT

The contract signed between Sponsor and the health care center or, where appropriate, the Trusted Third Party, must include at least these clauses:

• Obligation on the part of the Principal Investigator or the Trusted Third Party to carry out the coding process in such a way that the Sponsor cannot re-identify the participants, even indirectly, without the latter’s intervention.

• Express commitment on the part of the Sponsor not to ask the Principal Investigator or the Trusted Third Party for information on the participants aimed at their re-identification.

• Compliance by the Principal Investigator or the Trusted Third Party with the GDPR, LOPDGDD coding process, as well as with the guidelines on anonymization that the data protection authorities have published.

• Commitment by the Principal Investigator or the Trusted Third Party not to provide the indications related to the actions carried out to codify the data of the participants to the Sponsor.

• Guarantee by the Principal Investigator or the Trusted Third Party that the operations or treatments subsequent to encoding do not entail an alteration of the real data.

The above-mentioned contract and procedure for coding are also integrated by the Code in the following appendixes:

• Appendix 2: SPONSOR CONTRACT CLAUSE – TRUSTED THIRD PARTY

• Appendix 3: DATA PROTECTION CLAUSE CONTRACT SPONSOR-CENTER/PRINCIPAL RESEARCHER

– [Option A, in case the obligation corresponds to the Center/Principal Investigator]

– [Option B, in case the obligation corresponds to the Sponsor]

• Appendix 4: CLAUSE TO BE INCLUDED IN THE SPONSOR’S CONTRACT WITH THE MONITOR AND AUDITOR

• Appendix 5: CLAUSE TO BE INCLUDED IN THE SPONSOR’S CONTRACT WITH THE CRO WHEN PROVIDING SERVICES OTHER THAN MONITORING

• Appendix 6: GENERAL CLAUSE CONTRACT OF THE SPONSOR WITH SERVICE PROVIDERS.