Use of Personal Data Implications Outside Clinical Trial Protocol Within GDPR - Florence (2024)

What is the meaning of Article 28(2) of the CTR and what are the implications for the use of personal data outside the protocol of the clinical trial (secondary use) within the scope of the GDPR?

The CTR explicitly refers to the situation where consent may be sought from the clinical trial subject for the use of personal data concerning that subject outside that clinical trial protocol for future scientific purposes (Article 28(2) of the CTR).

Secondary use of data which is anonymised does not fall within the scope of the GDPR. By contrast, in case of processing of personal (including pseudonymised) data outside of the CT protocol the following must be considered:

If a sponsor/investigator would like to use the personal data gathered for any other purposes than the one defined by the clinical trial protocol (e.g. medical data collected to conduct a clinical trial on breast cancer used to run a study aiming to identify new biomarkers, but which was not foreseen in the clinical trial protocol), it would require a valid legal ground under Article 6 of the GDPR (16) (see question 3 for the legal basis). The chosen legal basis may or may not differ from the legal basis of the primary use.

Due account must be taken of Article 5(1)(b) of the GDPR which provides for a presumption of compatibility of purposes, subject to the conditions set for in Article 89(1) GDPR, when further processing is carried out for purposes of scientific research. In any event, even when the presumption of compatibility is found to apply , the scientific research making use of the data outside the protocol of the clinical trial must be conducted in compliance with the relevant legal basis and all other relevant applicable provisions of data protection law as stated under Article 28(2) CTR. Therefore, the controller is not exempt from the other obligations under data protection law, for example with regard to fairness, lawfulness, necessity and proportionality, as well as data quality.

Where consent (Article 6(1) (a) of the GDPR) is sought to be used as a legal basis for the processing of personal data for secondary use, the following considerations should be taken into account:

The GDPR requires that personal data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for scientific research purposes shall, in accordance with Article 89(1), not be considered incompatible with the initial purposes (Article 5(1) (b)).

• Pursuant to Article 4(11) of the GDPR, consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (17.)
• Pursuant to Article 7(3) of the GDPR, an individual has the right to withdraw his/her consent at any time during the conduct of the clinical trial. Data subjects should be given this information prior to giving consent to participate in the clinical trial.
• As regards consent for processing personal data for the purpose of scientific research, it is further clarified in Recital 33 of the GDPR: “It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.”
• Recital 33 brings some flexibility to the degree of specification of consent and allows that the purpose may be described at a more general level. Yet it must be interpreted in a strict manner and requires a high degree of scrutiny. It should be noted that the obligations with regard to the requirement of specific consent still apply, despite the flexibility of recital 33. This means that, in principle, scientific research projects can only include personal data on the basis of consent if they have a well-described purpose.
• Therefore, the sponsor may either seek consent of the subject for a secondary use already in the beginning of the clinical trial (the first use). Here it is important to note that this form of consent must strictly be distinguished from the informed consent in the context of the CTR. The sponsor must ask separately for consent of data processing within a secondary use (using different consent sheets) and has to indicate the specific research purposes of this use.
• On the other hand if the aim of using the data for further research outside the protocol of the CT arises after the clinical trial has been completed, the sponsor must go back to the data subjects for specific consent.
• In any case the sponsor/investigator must inform the subject according to Article 13 of the GDPR (e.g. on the legal basis and the right to withdraw consent) (see Q&A5).

Download all questions and answers in the Florence Beginner’s Guide to GDPR for Clinical Trials.

The information presented in our library is for informational purposes only, they are not for implementation in operations. Please consult official GDPR guidance documents for operational use.

This information was sourced from the European Commission Directorate-General For Health And Food Safety: Question and Answers on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation.

Return to Florence Library of GDPR and Clinical Trial Resources

Download Now

Learn More