Out-Law Analysis

AEPD approves ‘EU first’ clinical research code of conduct on personal data

The Spanish Data Protection Authority (AEPD) has recently approved a new code of conduct for the processing of personal data in clinical research contexts, the first such industry-specific code since the entry into force of the General Data Protection Regulation (GDPR).

The industry code (153-page / 1.02MB PDF, in Spanish) has been produced by Farmaindustria (the National Business Association of the Pharmaceutical Industry) and governs the processing of personal data in the fields of clinical research and pharmacovigilance when conducted in Spain. Although its scope of application is limited to Spain, this code of conduct aspires to be an EU-level benchmark, as it is the first sectorial code of conduct approved in Europe.

One of the basic principles of the GDPR is the principle of ‘accountability’, or proactive responsibility of the data controller. In this context, adhering to sector-specific codes of conduct may allow entities in that sector to demonstrate their compliance with the obligations set out in the GDPR, and even mitigate possible sanctions in cases of non-compliance.

The code, as an instrument to reduce uncertainty in the interpretation of the data protection regulations, is applicable to marketing authorisation holders or their representatives in Spain (pharmaceutical companies), as well as to other sponsors of medical clinical studies that adhere to the code, whether or not they are members of Farmaindustria, and to clinical research organisations (CROs) that voluntarily adhere to the code.

The material and territorial scope of application of the code of conduct covers personal data processing activities carried out in Spain within the framework of clinical research in general, and clinical trials in particular, as well as those related to compliance with the obligations imposed by current regulations on pharmacovigilance.

Applicability to clinical research

The legal basis for the processing of data in this field is compliance with legal obligations, so the consent of the research subject is not necessary for the processing of their data; this is without prejudice to the informed consent that must be obtained for the subject’s participation in a clinical trial.

The code clarifies the roles of the different parties involved in the processing, specifying that the promoter of the research and the health centre or principal investigator will be independent data controllers, responsible for the obligations arising from their respective data processing activities.

The code regulates secondary use of the data obtained for research purposes for future research, without requiring, as a general rule, the consent of the participants in that research.

The concept of a ‘trusted third party’ is introduced in the code. This person can be appointed to carry out the procedure for codifying the personal data of the research participants, so that the sponsor cannot re-identify them either alone or with the researcher’s assistance, in line with industry practice that the sponsor does not process personal data without it being codified.

The code also covers execution of data protection impact assessments by each independent data controller (institution and sponsor) prior to clinical research, considering that the processing activity poses a high risk to the fundamental rights and freedoms of research participants.

Applicability to pharmacovigilance

Pharmaceutical companies are obliged to maintain a pharmacovigilance record and traceability of adverse effects, including relevant personal data. In this sense, similar to clinical research, the legal basis for data processing is the compliance with a legal obligation, linked to the duty to guarantee high levels of quality and safety of health care, medicines and medical devices.

The code retains the distinction between cases in which pharmaceutical companies process personal data that has previously been codified and cases in which it has not, clarifying the rules applicable in each case.

It establishes a uniform pharmacovigilance protocol, distinguishing according to who reports the adverse effects and through which notification channel, including social networks.

A detailed protocol is included for the management and processing of requests to exercise rights of access, rectification, erasure or limitation of processing.

Templates and penalties

The code incorporates a series of annexes, including practical templates for companies within scope. These cover topics such as the minimum content required to comply with certain information duties; data processing agreements; records of processing activities; and clauses between the different parties to a clinical trial.

A penalty system is also established for non-compliance with the code, without prejudice to, and independently of, any liability that adhering entities may incur before the AEPD for their actions.

Although the interpretation of data protection provisions in this field is not harmonised from the EU perspective, this code of conduct approved by the AEPD in Spain contributes to providing legal certainty in the GDPR application in favour of scientific progress and may be the first step towards achieving a uniform approach throughout the EU.

In order to support personal data processing in the health sector, considered as a priority area of action, the AEPD has also recently published a specific section on its website (in Spanish) covering the processing of health data. The aim of this section is to respond to common queries raised by health sector representatives and user associations in the absence of a full compendium of legislation, criteria, doctrine and case law on this topic.
