Standard Contractual Clauses between Trial Sponsors and Hospitals

I’m writing this post because I’ve seen multiple positions on whether Standard Contractual Clauses (SCC’s) need to be signed between Non-EU Trial Sponsors and EU Hospitals, and many of them do not align with what the competent authorities have said on the subject.

I have seen Sponsors that are directly subject to the GDPR signing Standard Contractual Clauses (SCC’s) with Hospitals in the EU in order to receive patients’ data, even though the European Commission (EU Commission) has clarified that the SCC’s do not apply in such situations; hence SCC’s are not a valid mechanism to transfer data in such cases.

The argument used to justify continuing to sign SCC’s with Sites, even against the EU Commission Decision, is: “to play it safe”.

Honestly, I think such a position of “playing it safe” can hide potential risks. If you adduce adequate safeguards to lawfully share data abroad, but those safeguards are an invalid mechanism to transfer data in your case because they violate a Decision of the EU Commission, then you lack adequate safeguards or a mechanism to transfer the data. This not only exposes you, as you’re not relying on a valid mechanism to transfer the data, which per se is a direct violation of the GDPR, but also demonstrates a lack of accountability and of understanding of the issues and provisions of EU law on the protection of personal data.

But before we go deeper on this issue, let’s see what has been said about the subject by the different European Bodies:

European Commission (EU Commission): The EU Commission has clarified its position about the use of SCC’s and its applicability to exporters and importers directly subject to the GDPR in two different documents:

  • EU Commission Implementing Decision 2021/914 of 4 June 2021; on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council:

Recital 7:

A controller or processor may use the standard contractual clauses set out in the Annex to this Decision to provide appropriate safeguards within the meaning of Article 46(1) of Regulation (EU) 2016/679 for the transfer of personal data to a processor or controller established in a third country, without prejudice to the interpretation of the notion of international transfer in Regulation (EU) 2016/679. The standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of Regulation (EU) 2016/679. This also includes the transfer of personal data by a controller or processor not established in the Union, to the extent that the processing is subject to Regulation (EU) 2016/679 (pursuant to Article 3(2) thereof), because it relates to the offering of goods or services to data subjects in the Union or the monitoring of their behavior as far as it takes place within the Union.

Article 1 of the Implementing Decision:

The standard contractual clauses set out in the Annex are considered to provide appropriate safeguards within the meaning of Article 46(1) and (2)(c) of Regulation (EU) 2016/679 for the transfer by a controller or processor of personal data processed subject to that Regulation (data exporter) to a controller or (sub-)processor whose processing of the data is not subject to that Regulation (data importer).

  • Questions and Answers for the two sets of Standard Contractual Clauses issued on May 25, 2022

24. Can these SCCs be used for data transfers to controllers or processors whose processing operations are directly subject to the GDPR?

No (see Article 1 of Decision (EU) 2021/914). These SCCs provide a comprehensive data protection framework that has been developed to ensure continuity of protection in case of data transfers to data importers that are not subject to the GDPR. They do not work for importers whose processing operations are subject to the GDPR pursuant to Article 3, as they would duplicate and, in part, deviate from the obligations that already follow directly from the GDPR. The European Commission is in the process of developing an additional set of SCCs for this scenario, which will take into account the requirements that already apply directly to those controllers and processors under the GDPR.

While Article 1 of the Implementing Decision is clear that SCC’s shall only apply when the importer is not directly subject to the GDPR, Recital 7 explains the rules of SCC’s applicability by clarifying three simple things:

  1. An exporter (controller or processor) may use SCC’s to provide appropriate safeguards to transfer personal data to an importer (controller or processor) established in a third-country.

  2. Number one applies except when the importer is directly subject to the GDPR; in which case SCC’s shall not be used.

  3. Number one applies even when the exporter (controller or processor) is not established in the EU, if it is directly subject to the GDPR; in which case the exporter may use SCC’s to transfer personal data to an importer located in a third country not subject to the GDPR.

In addition, the EU Commission has confirmed again in its Q&A Document what was clarified in the Implementing Decision: SCC’s shall not be used to transfer data from exporters subject to the GDPR to importers that are also subject to the GDPR, since SCC’s would duplicate some, and in other cases deviate from, already applicable GDPR provisions.

If SCC’s are not applicable in the Hospital-Sponsor relationship how can Sites comply with Chapter V GDPR and lawfully transfer data to Sponsors?

The European Data Protection Board (EDPB) has issued Guidelines on the interplay between the rule of art. 3/2 (direct applicability of the GDPR to non-EU entities) and the cross-border transfer provisions (Chapter V GDPR). In these Guidelines, the EDPB makes an important clarification, which is crucial to understanding the applicability of Chapter V GDPR to the processing activities in the scope of clinical trials. This clarification creates the link between the offering of goods/services to EU individuals (the reason why the Sponsor is directly subject to the GDPR when processing such data) and the direct collection of the data from such EU individuals while providing the goods/services.

See below what’s said in the Guidelines:

  • Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR

Example 1: Controller in a third country collects data directly from a data subject in the EU (under Article 3(2) GDPR)

Maria, living in Italy, inserts her name, surname and postal address by filling in a form on an online clothing website in order to complete her order and receive the dress she bought online at her residence in Rome. The online clothing website is operated by a third country company that has no presence in the EU, but specifically targets the EU market. In this case, the data subject (Maria) passes her personal data to the third country company. This does not constitute a transfer of personal data since the data are not passed by an exporter (controller or processor), but directly collected from the data subject by the controller under Article 3(2) GDPR. Thus, Chapter V does not apply to this case. Nevertheless, the third country company will be required to apply the GDPR since its processing operations are subject to Article 3(2).

the concept of “transfer of personal data to a third country or to an international organization” only applies to disclosures of personal data where two different (separate) parties (each of them a controller, joint controller or processor) are involved. In order to qualify as a transfer, there must be a controller or processor disclosing the data (the exporter) and a different controller or processor receiving or being given access to the data (the importer).

To support this position, and to confirm that in the scope of clinical trials there is in fact a direct collection of data by the Sponsors, the Health Research Authority in the UK (HRA) has clarified the difference between a direct collection of data and an indirect collection of data in the scope of clinical trials. This helps to make the link between what the EDPB has said about the non-applicability of Chapter V GDPR when data is collected directly from the individuals and how to apply that assessment to clinical trials. The following is confirmed by the HRA:

  • Health Research Authority (HRA):

Example 1 – indirectly obtaining personal data from a third party

Where a sponsor (B) obtains personal data collected previously for research purposes by a different sponsor (A), then sponsor B is obtaining the personal data indirectly. In this scenario, sponsor A is controller for the first research activity and sponsor B is the controller for the second research project.

Example 2 – obtaining personal data directly from the data subject

In some cases, particularly interventional research, information will be collected from participants and recorded in both the medical records for care purposes and in the Case Report Form or equivalent for research purposes. In this situation the sponsor is obtaining the data directly from the data subject and is the controller for processing for research. If a sponsor re-uses for research purposes personal data that the sponsor previously obtained directly from a data subject, even if the original purpose was different, the personal data is still classed as being obtained directly, because it is the same controller. During interventional studies, participants may have tests undertaken. This personal data would be classed as being obtained directly.

To conclude, in the scope of clinical trials, SCC’s between EU Hospitals (exporters) and Non-EU Sponsors (importers) do not apply, because Non-EU Sponsors are directly subject to the GDPR. Moreover, there are no transfers between EU Hospitals and Non-EU Sponsors within the meaning of Chapter V of the GDPR, because the Sponsor collects the data directly from the research participant while offering goods and services to such individuals (art. 3/2).

So, why are Trial Sponsors, on many occasions, required to sign SCC’s with Hospitals?

Reason number one is the lack of awareness and privacy training provided to site contract teams at Hospitals. Also, on many occasions, Hospitals provide a template and instruct the people negotiating the contracts on their behalf not to accept any modifications to the contract. Because privacy compliance is complex, contract teams tend to reject any modifications, as they don’t feel comfortable reviewing them.

In addition, Hospitals also use their power to pressure Sponsors into signing contracts according to their standards; otherwise the contract is not executed and the site is not activated.

Such pressure leads Sponsors to give up on signing adequate contracts, because the priority is to activate sites and enroll patients in the study, and so they agree to execute SCC’s even when these are not applicable.

What are the risks of signing SCC’s with Hospitals?

From a legal perspective, considering that there’s no transfer of personal data between the Hospital and the Sponsor, as the Sponsor collects the data directly from the research participants, the signature of SCC’s has no purpose or value: there’s no obligation to adduce adequate safeguards, so these SCC’s are void.

Nonetheless, from an accountability perspective, the signature of SCC’s between Hospitals and Sponsors may lead authorities to think that Hospitals and Sponsors neither performed an assessment of the applicability of Chapter V GDPR nor followed the EU Commission Decisions or the relevant authorities’ guidance. This could result in an investigation of GDPR compliance, in particular of the DPO’s role in advising on and monitoring compliance within the Organization, or of the performance by the Hospital and/or Sponsor of the necessary assessments, including a transfer impact assessment, to address Chapter V applicability.

So, in my opinion, when negotiating site contracts, Sponsors should have a standard position regarding the signature of SCC’s, which should include the arguments for the non-applicability of Chapter V. If Hospitals reject the Sponsor’s standard position and still require the signature of SCC’s, despite the Sponsor’s efforts to provide the rationale for why such SCC’s would not be applicable, Sponsors could agree to execute SCC’s for the sake of activating the site, but should include in their accountability tools the following or an equivalent note: “despite several efforts to explain the non-applicability of chapter V GDPR to the processing of research participant’s personal data by the Sponsor, in the scope of the clinical trial, Hospital has rejected Sponsor’s position and in order to activate site to initiate the conduct of the clinical trial according to study timelines, Sponsor has agreed to execute SCC’s”. In addition, Sponsors should have a rationale on the applicability of Chapter V to the processing of personal data in the scope of the trial, which would clarify the non-applicability of SCC’s between Hospital and Sponsor and the mandatory signature of SCC’s with any controller or processor located in a third country that would receive the data from the Sponsors.

 

Conclusion:

To summarize, contract teams that negotiate clinical trial agreements at Hospitals lack the privacy training to properly negotiate privacy provisions, which on many occasions leads to Sponsors signing inadequate contracts for the sake of activating the research site and enrolling patients in the clinical trial. When negotiating contracts with Hospitals for the conduct of a clinical trial, the Sponsor should clarify that SCC’s should not be signed between Hospital and Sponsor because Chapter V GDPR does not apply to the processing of personal data performed by the Sponsor; such processing constitutes a direct processing by the Sponsor, hence there’s no transfer of personal data from the Hospital to the Sponsor within the meaning of Chapter V GDPR. If Hospitals reject the Sponsor’s arguments and demand the signature of SCC’s in order to execute the Clinical Trial Agreement, Sponsors can proceed with the signature of SCC’s, knowing they would be null and void, but should add to the accountability records the reason why such SCC’s were signed in the first place. In addition, Sponsors should perform an assessment of the applicability of Chapter V in the scope of the clinical trial, which would clarify the non-applicability of the cross-border provisions to the processing activities of the Sponsor, but would reinforce the need to sign SCC’s with any controller/processor located in a third country that is not subject to the GDPR, for the purposes of further processing the data transferred by the Sponsor.

If you have any queries or would like to discuss this or any other GDPR provision in more detail, do not hesitate to contact us at info@rdprivacy.com
